Building a secure learning environment for the future with Cisco Secure Access by Duo
Celebrating over 140 years of educational excellence, DWCLA deployed Cisco Secure Access by Duo to protect students and staff with multi-factor authentication (MFA) and unique policy.
Location: Kyoto, Japan
Size: 8500+ students, faculty, and staff
Doshisha Women's College of Liberal Arts uses a private cloud to host its backbone systems, and, in September 2016, also began using Microsoft 365. On campus, students have access to terminals provided at media centers and computer rooms, and they can use their own computers, smartphones, and tablets. The Department of Media also lends Apple MacBook Air laptops to its students. This hybrid architecture and environment of both managed and unmanaged devices proved a challenge to secure.
Toshihiko Chonan, head of the DWCLA Network Infrastructure of Accounting Department, explains why they decided to implement multi-factor authentication (MFA). "There has been an increase in the number of incidents involving unauthorized access to accounts whose password has been stolen or lost, leading to leakage of privacy information and confidential data. We also witness a rapid increase in cybercrimes targeting education institutions inside Japan."
On the challenge of user friction, he added: "Since we started using cloud services for the intranet, applications, and learning management systems, every user had to create a password for each of the services. It is almost impossible to ensure the use of strong passwords for all. So, we were looking into adopting MFA based on the zero trust concept to make sure our users can access terminals securely."
Cisco announced the acquisition of Duo Security in 2018 (now Cisco Secure Access by Duo) and shared information about Duo with DWCLA. A network architecture partner started a full-scale verification, including application setup and testing, before the official service release in the Japanese market. At the end of 2019, the college conducted a proof of concept together with Cisco systems engineers and officially decided to deploy the service across the entire college in 2020.
Kenji Akashi, the team leader of Network Infrastructure, commented, "Duo is a cloud-based solution that is easy to implement and supports a wide variety of operating systems, devices, and authentication methods. Cisco products have proven track records that provide us with peace of mind, and Duo offers features like push notifications and integration with applications enabled by [Security Assertion Markup Language (SAML)]. That's why we chose this service."
“With [Software as a service] and device use increasing in education, security has long been a growing concern, but Duo enabled us to build an environment secure enough for the future.” - Toshihiko Chonan, Head of Network Infrastructure, Accounting Department
Duo is a software-as-a-service (SaaS) solution that makes it simple to deploy multi-factor authentication and device visibility, even without mobile device management. In addition to the primary methods of username and password, various factors such as device ownership and biometric authentication via fingerprints and facial recognition can be used to authenticate. A combination of multiple methods establishes trust that users who are trying to access your application are who they say they are.
Single Sign-On (SSO) from Duo is a cloud-hosted Security Assertion Markup Language (SAML) 2.0 identity provider that secures access to cloud applications with existing directory credentials. Duo Central acts as a dedicated portal for registering frequently used cloud services and on-premises applications in advance.
With SSO, the user does not need to reauthenticate in individual applications after logging into Duo Central. Mr. Chonan says, "In addition to Microsoft 365, we use various applications such as Adobe Creative Cloud, various [learning management systems], faculty and staff, personnel and payroll systems, [content management systems], etc., and it is expected that the number will increase in the future. It is easy to link them with SAML, assuring smooth future expansions."
One way Duo confirms identity is through sending push notifications to a user's smartphone. With Duo Push enabled, when someone pretending to be a user tries to log in, the user will receive an alert on their smartphone immediately. Chonan says, "Push notifications were the must-have features for our system. Duo offers user-friendly push notifications on the smartphone app, which made it easy to use for all users including those who are not familiar with IT."
Duo comes with multiple modules, providing flexibility for adding multi-factor authentication for systems running on a cloud or accessing devices on premises whether they are Windows or Linux-based servers. Akashi says, "This feature is one of [Duo's] strengths that no other products have, and since system admins will need to access systems remotely in the future, vulnerability control of Duo was especially appealing."
DWCLA uses Duo's IP address-based access control and enforces multi-factor authentication for users only when they access from an off-campus location. "We have strict physical security control upon entry into the campus, so we made the system more convenient by waiving multi-factor authentication for access on campus. This way, students can still attend classes even if they forgot their smartphones."
The network was almost ready in early 2020, with construction proceeding according to plan. However, college-wide deployment and rollout were postponed until Fall 2021. Chonan explains, "The decision was made based on safety reasons. We started giving lectures online since the pandemic started. If we deploy the service while the university staff and students are not physically present on campus, it is difficult to troubleshoot in case there is an issue with access and so on. Therefore, we decided it's best to start rollout when we resume face-to-face classroom lectures."
For college-wide deployment, the network infrastructure team prepared a user guide by extracting instructions needed for users of the network from the manuals provided by Cisco. The team also created a user guide video for device registration and posted it on the university's website to reduce the number of inquiries.
According to Mitsuaki Okuda, a member of the Network Infrastructure team, "Web manuals provided by Cisco were extremely helpful because they were thorough and easy to understand. Gradual rollout from university staff, current students, and then to new students turned out to be successful, as it helped us improve accuracy of the user guide by clarifying the inquiries we received."
Potential user friction was addressed as well: "We were initially concerned about smartphone model change, but by providing a model change form on the website, we minimized workload for operation," he noted. Duo also supports authentication by a hardware token for users without a smartphone. Okuda says, "We prepared a considerable number of tokens, but actual tokens used were only one-tenth of what we anticipated."
Okuda comments on the manageability of Duo: "The intuitive management console is helpful because it makes it easier to find problematic users. Another benefit is that we can request function improvement or an addition of new features from the dashboard." In particular, Akashi emphasizes peace of mind realized with access routes visualized on logs. "When we have access from overseas, Duo can tell us which country the access came from, so we can determine if the access is legitimate or not by verifying whether a user of the terminal is located overseas, either on business or as part of a study abroad program. Also, we enabled settings to notify any access from a location outside Japan to a system admin via email through Duo API and to analyze a trend based on a user ID. Duo helped us clarify ambiguous areas and investigate them further when needed without extra workload. In fact, no serious incidents have occurred since we started using Duo."
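An added example, not DWCLA's or Cisco's code: one way to express the two rules described above, MFA waived only for on-campus source addresses and a per-user summary of sign-ins from outside Japan that could form the body of an admin notification. The campus range, field names and sample events are constructed assumptions; real authentication logs would first be mapped to this shape.

```python
import ipaddress
from collections import Counter, defaultdict

# Assumptions of this example (not DWCLA's real configuration).
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # documentation range as stand-in
HOME_COUNTRY = "Japan"

# Constructed sample events; field names are simplified for this example.
EVENTS = [
    {"user": "staff01", "ip": "192.0.2.15", "country": "Japan", "result": "success"},
    {"user": "student07", "ip": "198.51.100.20", "country": "Japan", "result": "success"},
    {"user": "student07", "ip": "203.0.113.9", "country": "Germany", "result": "success"},
    {"user": "student07", "ip": "203.0.113.9", "country": "Germany", "result": "denied"},
    {"user": "staff02", "ip": "203.0.113.77", "country": "Brazil", "result": "denied"},
    {"user": "staff03", "ip": "not-an-ip", "country": None, "result": "success"},
]

def on_campus(ip):
    """True only if the source address parses and falls inside a campus network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source address is never treated as on campus
    return any(addr in net for net in CAMPUS_NETS)

def mfa_required(event):
    """MFA is waived on campus only; every other source must complete it."""
    return not on_campus(event["ip"])

def overseas_report(events):
    """Count off-campus sign-ins per user whose country is not the home country."""
    per_user = defaultdict(Counter)
    for ev in events:
        country = ev.get("country")
        if on_campus(ev["ip"]) or country == HOME_COUNTRY:
            continue
        # Missing geolocation is reported as "unknown" rather than silently dropped.
        per_user[ev["user"]][(country or "unknown", ev["result"])] += 1
    return {user: dict(counts) for user, counts in per_user.items()}

def alert_lines(report):
    """Render the report as sorted lines suitable for a notification body."""
    return [f"{user}: {n} {result} login(s) from {country}"
            for user in sorted(report)
            for (country, result), n in sorted(report[user].items())]

if __name__ == "__main__":
    print("\n".join(alert_lines(overseas_report(EVENTS))))
```

Each flagged user can then be checked against known business travel or study-abroad records, as the team describes.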
On DWCLA's plans and its expectations of Cisco, Chonan concluded: "As SaaS is becoming more common in education, how we ensure security has been a growing concern. However, from now on, we plan to install Duo's multi-factor authentication into all applications we will use and expand it further. Duo is highly versatile while it provides good integration and visibility. Educational institutions are expected to undergo a drastic transition today. We hope Cisco will continue to provide solutions in consideration of user convenience at competitive pricing."