Multi-factor Authentication for Privileged Accounts

FR: Sam Horowitz, CISSP, CISM, Chief Information Security Officer

Many of our IT staff administer a wide range of computing and network devices on a day-to-day basis, work that involves assuming root or administrator privileges. These privileged accounts must be protected to ensure the confidentiality, integrity, and availability of the devices and virtual devices that you manage. The best way to do this is to use multi-factor authentication (MFA).

MFA makes a password useless without also having a second factor, usually a smartphone or token device. On our campus, we operate a Duo service to provide MFA capabilities to application developers and system administrators. 

The IS-3 Information Security policy requires MFA whenever information resources or data at protection level P3 or higher, or availability level A3 or higher, are involved. That covers many devices and systems across the campus. Over time I would like to see full utilization of MFA to protect all servers, hypervisors, network devices, administrative cloud accounts, and business-critical applications. Later this year, everyone on campus will have to use MFA to access UC Path and some other campus applications. MFA is becoming ubiquitous in the environment.

Now is the time to start the transition for your privileged accounts to use MFA. ETS has taken the lead with most servers, all hypervisors, most AWS, GCP and Azure administrator accounts, and virtually all of their network backbone devices protected by Duo MFA. ARIT has also adopted MFA in a big way. I want to see adoption across the campus, and I'll be tracking it for major IT shops.

MFA is available now. You can find information about our Duo implementation at it.ucsb.edu/mfa. On the lower right, you'll find a link for "MFA for App Developers & Administrators." There you'll find pointers to information and tutorials to enable MFA for a wide variety of use cases, including logins to Windows, Linux, and Mac devices. Duo works with sudo on Linux servers and with many network devices out-of-the-box. 

MFA is important. The network perimeter is turning more porous over time, and cybercriminals are using footholds to move laterally, making campus network restrictions less effective. MFA is the appropriate way to protect the privileged accounts you use to keep UCSB running. Please take the time to look at the MFA web site and begin your implementation. You can talk about your experiences in the UCSB IT chat room.