After Successful Launch with HR Direct, University Looks to Expand Duo Security Usage

Members of the university team that launched Duo Security for HR Direct. Image by Ed Brennen.
Thanks to the efforts of, from left, Hilary Clark, Matthew Frost, Jim Packard, Tony Kolodziej, Ken Kleiner and Nancy Fowler, UMass Lowell was the first school in the UMass system to launch multi-factor authentication for all of its employees.

11/15/2017
By Ed Brennen

Open collaboration and communication, especially online, help make UMass Lowell a successful public research institution.

They also make the university an inviting target for cybercriminals.

To help protect the personal information of students, faculty and staff from the rising threat of cybercrime, the university has begun implementing Multi-Factor Authentication (MFA), an online login method that adds an extra layer of security to the standard username and password credentials. The system-wide initiative is being led by the UMass President’s Office and University Information Technology Services.

“This initiative is critical to prevent unauthorized access to university data,” says Joanne Yestramski, senior vice chancellor for Finance, Operations and Strategic Planning. “It also safeguards sensitive information that an employee might keep on their university computer or send using our e-mail system.”

Yestramski led the initiative at UMass Lowell along with Senior Associate Vice Chancellor for Human Resources and Organizational Strategy & Effectiveness Lauren Turner and Associate Vice Chancellor for Information Technology and Chief Information Officer Michael Cipriano.

Over the summer, UMass Lowell became the first campus in the UMass system to go live with MFA by implementing it with HR Direct, the self-service application available to all current employees to manage their human resource and payroll data. All employees are now automatically required to enroll with Duo Security, the UMass system’s chosen multi-factor authentication security partner.

“Duo is very well established in higher education circles, which was a big factor for us in choosing it,” says Assoc. CIO and Chief Information Security Officer Jim Packard, who is a member of the systemwide information security council.

Now, users log in to HR Direct with something they know (their username and password), along with something they have (a mobile phone or landline). This is done through either a push notification on their mobile phone (via the Duo app), a passcode (sent via a text message) or a keypad prompt (via a phone call to either a mobile phone or landline). This second tier of defense makes it more difficult for an unauthorized person to gain access to an employee’s HR Direct account, which could contain social security numbers, bank accounts, and tax forms.

After the Information Security Officers from all five UMass campuses, as well as the President’s Office, came together to decide on the specific requirements for the product, they began fielding bids from nearly a dozen vendors. Each campus established a project team, meanwhile, which at UMass Lowell consisted of Packard, Senior IT Program Manager Nancy Fowler and Director of HR Operations and Payroll Hilary Clark.

“Each campus had an HR representative, which was key,” says Packard. “We wanted to make sure their needs were being met.”

While other campuses chose to roll out MFA on a smaller scale this summer by implementing it with a select group of users with access to sensitive information, UMass Lowell elected to dive in on day one with all of its nearly 3,000 employees. The university announced the initiative in mid-May and offered an open enrollment period during the summer, with an official “go live” date of August 1.

“HR thought it was in the university’s best interest to do it sooner rather than later, and we got the support we needed to make that date,” Packard says. “We were the first campus to say, ‘Damn the torpedoes, we’re going live.’ ”

And according to all involved, the move went off without a hitch.

“It was pretty seamless,” Clark says. “The community really embraced the idea that this is a needed protection for their own information, and folks were on board to do it. It puts us in a really good position moving forward.”

When classes started in September, student employees and new adjunct faculty were rolled into the system. Now that everyone is on board with HR Direct, the next application that will receive MFA protection is the university’s virtual private network (VPN) solution. The university currently has about 1,100 VPN users, who use the system to access information on the university network from off-campus locations. Packard notes that Duo had already been tied into the university’s VPN almost a year and a half ago for critical IT infrastructure applications, though now it will be required for all users.

“For experienced VPN users who have some work at home or file shares on campus, they’ll see the Duo prompt and they won’t bat an eye. The functionality is the same as with HR Direct,” Packard says.

The university has a three-year contract with Duo, which includes 20,000 licenses for students, faculty and staff. 

Packard says any application that might contain sensitive information, such as the Student Information System, Finance and UMass BuyWays, can benefit from MFA security. Department servers, which contain sensitive research-related information, can also be protected. In fact, Packard notes, some government systems will soon be requiring MFA.

“You won’t be able to receive funding for a government contract unless you’re able to demonstrate that you have an MFA-protected application,” he says.

One key feature of the system is its ability to sync with the university’s Microsoft Active Directory, which manages the computer accounts. So if someone leaves the university or has a name change in their UML email address, it will automatically change in the system — and keep a check on the total number of licensed users.

If someone tries to access a university account and fails five times, the IT service desk will receive a security alert from the Duo application. IT staff can then contact the user to see if they are having log-in trouble — or if their account is being targeted. Also, if a user logs in to HR Direct from a typical location, but then is logged in overseas an hour later, it will trigger a Duo alert.
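The two alert conditions described above (five failed attempts, and a second login from another country within an hour) are simple enough to express as detection logic over an authentication log. The following is an added illustration and is not code from the article, from UMass Lowell, or from Duo; the log line format and the sample events are constructed for the example, and real Duo exports look different.

```python
"""Detection logic for the two alert conditions the article describes:
repeated failed logins and an "impossible travel" login from a second
country within an hour. The log format and events are constructed
(hypothetical), not Duo's real export format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, then key=value fields.
# alice: 5 straight failures  -> failed-login alert
# bob:   US then DE 45 min later -> impossible-travel alert
# carol: US then US 30 min later -> no alert
# dave:  US then FR 3.5 h later  -> outside the window, no alert
SAMPLE_LOG = """\
2017-08-01T08:00:00 user=alice result=failure country=US
2017-08-01T08:00:20 user=alice result=failure country=US
2017-08-01T08:00:41 user=alice result=failure country=US
2017-08-01T08:01:05 user=alice result=failure country=US
2017-08-01T08:01:30 user=alice result=failure country=US
2017-08-01T08:05:00 user=bob result=success country=US
2017-08-01T08:50:00 user=bob result=success country=DE
2017-08-01T09:00:00 user=carol result=success country=US
2017-08-01T09:30:00 user=carol result=success country=US
2017-08-01T10:00:00 user=dave result=failure country=US
2017-08-01T10:00:30 user=dave result=success country=US
2017-08-01T14:00:00 user=dave result=success country=FR
"""


def parse_log(text):
    """Parse the constructed log format into a time-ordered list of events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": rec["user"],
            "result": rec["result"],
            "country": rec["country"],
        })
    events.sort(key=lambda e: e["time"])
    return events


def failed_login_alerts(events, threshold=5):
    """Alert once per user when `threshold` consecutive failures occur.
    A successful login resets that user's streak."""
    streak = defaultdict(int)
    alerts = []
    for e in events:
        if e["result"] == "failure":
            streak[e["user"]] += 1
            if streak[e["user"]] == threshold:
                alerts.append({
                    "user": e["user"],
                    "time": e["time"],
                    "reason": f"{threshold} consecutive failed logins",
                })
        else:
            streak[e["user"]] = 0
    return alerts


def impossible_travel_alerts(events, window=timedelta(hours=1)):
    """Alert when a user's successful logins come from two different
    countries within `window` of each other."""
    last_success = {}
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        prev = last_success.get(e["user"])
        if (prev is not None and prev["country"] != e["country"]
                and e["time"] - prev["time"] <= window):
            alerts.append({
                "user": e["user"],
                "time": e["time"],
                "reason": f"login from {e['country']} "
                          f"{(e['time'] - prev['time']).seconds // 60} min "
                          f"after login from {prev['country']}",
            })
        last_success[e["user"]] = e
    return alerts


def run_detections(log_text=SAMPLE_LOG):
    """Return all alerts raised over the given log text."""
    events = parse_log(log_text)
    return failed_login_alerts(events) + impossible_travel_alerts(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert["time"].isoformat(), alert["user"], alert["reason"])
```

In practice the service desk would act on both alert types the way the article describes: contacting the user to distinguish a forgotten password or a legitimate trip from an account under attack. The consecutive-failure counter resets on success so that one mistyped password followed by a normal login does not accumulate toward the threshold across days.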

“By building the MFA infrastructure, it now puts us in a really good position to protect other applications down the road,” says Packard, who credits the work of Senior Information Security Engineers Ken Kleiner and Tony Kolodziej and Information Security Engineer Matthew Frost for helping make the initiative so successful.  

While there’s no silver bullet that will completely protect higher education institutions like UMass Lowell from cybercriminals, Packard and his team say MFA is a crucial first line of defense.

“We had solid security before MFA, but this makes it even stronger,” says Packard, who credits UMass leadership for supporting the cyber security initiative. “It helps when all five campuses, and the President’s Office, are on the same page and have the same motivation. I believe that was key in getting it done so successfully.”