Friday, February 15, 2013

For those University of Georgia employees who access restricted and sensitive data, a new security tool will soon be deployed over the coming months to further protect that information.

Timothy M. Chester, vice president for information technology, said his office is planning to implement two-factor authentication — a more secure method to protect restricted data from theft and misuse.

“As an institution, we’ve arrived at a point that we understand that usernames and passwords used by themselves are not sufficient to protect restricted, sensitive or confidential information,” he said. “That includes Social Security numbers, credit card numbers and health records.”

Two-factor authentication requires “something you know,” such as a password, and “something you have,” such as a physical device, to access specified restricted information systems. This process requires users to verify their identities by providing both a password and a physical device.

At UGA, the “something you have” will be the ArchPass — a simple device that generates a one-time, six-digit “ArchPass code” that is used in conjunction with a UGA myID password to access a restricted data system. The ArchPass is required to verify the identities of University employees who have authority to access information systems with restricted data, such as Social Security numbers.

The University’s central IT department — Enterprise Information Technology Services (EITS) — has been piloting the ArchPass, along with the Administrative Systems Advisory Council (ASAC). That group is also developing guidelines to outline which information systems at the University will be considered as candidates for two-factor authentication.

For now, the specific information systems, user groups and individual employees who will be required to use the ArchPass to access restricted and sensitive data have not been finalized. However, an initial deployment for information systems that access restricted data is expected to begin in April. Additional systems and employees will later be required to use ArchPass.

Chester pointed out that two-factor and multi-factor authentication have commonly been used by the banking industry and segments of the federal government. As a higher education institution, UGA is probably ahead of the curve of its peers to implement two-factor authentication, he said.

“In higher education, we tend to prefer openness, efficiency and decentralization, while placing a high value on customer satisfaction and ease of use,” he said.

Over the past decade, IT departments in higher education have made it easier to get information, such as the use of single sign-on to access multiple applications with just a username and password.

But for protecting restricted and sensitive information, a more secure method is available with two-factor authentication. Those with a ArchPass will continue to use their UGA myID username and password to access specified information systems, but will be further required to insert a unique, six-digit code generated by the ArchPass each time they access specified systems.

In addition, users will also be required to access those information systems by the University’s secure network — regardless of their location on or off campus.

A special secure VPN (Virtual Private Network) group has been created for those who need to connect to UGA’s restricted information systems. A VPN creates a secure “tunnel” to the campus network, and can be accessed both on and off campus.

EITS will provide technical details on how to use the ArchPass, and using a VPN client on a desktop and mobile device at archpass.uga.edu. Accessing the technical instructions, along with frequently asked questions, will require a current UGA myID and password.

Two-factor authentication is being implemented by the Vice President for Information Technology at UGA as part of its long-term information security improvements.

Chester said the hardware-based ArchPass will keep the University’s costs low.

“ASAC committee members have a clear preference to keep the University’s costs as low as possible, while providing an extra layer of security,” he said.

University Vice President and Controller Holley Schramski spearheads ASAC, which has been leading a transparent process to develop standards to determine which information systems will require two-factor authentication, and its policies and procedures, Chester said.

“I’m very grateful to Holley Schramski and the members of ASAC for their support and encouragement, as we’ve gone down this path,” Chester said. “I’m also thankful for the support of UGA President Michael F. Adams, the senior vice presidents, the vice presidents as we embark on this initiative.”

The members of ASAC and the University areas they represent are: Chris Miller, Office of the Senior Vice President for Academic Affairs and Provost; Cindy Coyle, Office of the Senior Vice President for External Affairs; Holley Schramski (chairperson), Office of the Senior Vice President for Finance and Administration; Laura Jolly, Office of the Vice President for Instruction; Eric McRae, Office of the Vice President for Public Service and Outreach; Robert Scott, Office of the Vice President for Research; Jeffrey Pentz, Office of the Vice President for Student Affairs; Meihua Zhai, Office of Institutional Research; Tim Chester, Office of the Vice President for Information Technology; Danna Gianforte, Enterprise Information Technology Services (EITS); and Larry Malota, EITS.

The EITS Help Desk can assist with technical questions or ArchPass issuance. Contact the EITS Help Desk at 706-542-3106 or helpdesk@uga.edu.