[AUDIO LOGO] Thank you very much. Good afternoon, everyone, and welcome to the George Washington journey to-- I keep wanting to say SunGard, but that's the wrong group. So we'll say--
[LAUGHTER]
--we're going to talk about how we-- a little bit about the University. We're going to talk a little bit about the team. I'm using PAG and PAM as the same thing, so please don't be offended if I use the wrong term for the wrong thing. So we're going to talk about that, our platform, heading into the PAG, the PAM solution, how we implement our platform, some benefits we received from that, and then our path forward.
So without further ado, let the journey begin. George Washington University-- we are a private university located in the heart of the nation's capital. Our main campus, Foggy Bottom, is in the Northwest sector of the city. And I've been told that we're the third largest property owner within the district after the local and federal government.
Our property starts at-- if you're familiar with DC and the metro, when you exit the Foggy Bottom metro station, you're on our campus. And it runs the whole way down 17th Street and butts against the White House. And part of our campus is actually in the security circle of the White House. We are a NCAA D1 school.
Our campuses are Foggy Bottom. We have a smaller campus-- Mount Vernon, we call it. It's about two miles to the north and west of the main campus, where we have our soccer field, and some residence halls, and some other classrooms. Then, we have a large campus about 35 miles to the west of DC in Ashburn, Virginia, which is our-- we call our Virginia Science and Technology Center. That's where IT lives-- main IT-- our finance folks live, and some of our nursing programs are there. And some other programs are out in the VSTC space.
So like I said, we're a D1 school-- NCAA, D1. We have about 20 sports teams that we field. We are an R1 research institution. We have about 75 programs-- 75 majors that we support. We have about 200,000 identities that we manage. And that's faculty, staff, students, alumni. And we have a group called affiliates or sponsored users. That's like the cats and dogs of identity. We have consultants in there, grounds crew, guest lecturers, guest researchers, all kinds of friends of the University.
If you live near the campus, you can use our library, our fitness centers, and things like that. So you actually have an identity in the system as an affiliate. So that's what the University looks like at a high level. The identity team, we are seven strong. And I'm blessed to have-- that's 8, and counting me. But I don't count myself as one of the technical folks. I'm just the manager.
But we have seven people in the team. Three senior identity developers. Two of them are here with me today. You've probably seen Shima running around at the Lunch for Women lunch. And Josh Van Nuys is with me today. I have two junior identity analysts, and I have two systems engineers who are responsible for maintaining and managing our domains and our directory services.
Some of the services that we offer-- typical provisioning, deprovisioning, single sign-on, two-factor authentication. We have a federated identity with the Internet2 InCommon. We run the Shibboleth framework. And we're an IdP and a service provider in Shibboleth. And we offer services mainly to the research community.
We do group management, VPN management, Active Directory, Azure, password management, role-based access control. And recently, we just brought in our privileged access management as our newest service. We're also looking to bring on identity verification service in the very near future. We're getting ready to launch that effort shortly here. So that's the services that we offer.
Why privileged access management? So part of our five-year roadmap-- in 2000, we put down identity manager in '21, privileged access management in '23, cloud '25. And when I put PAM on the roadmap, I-- just surprised me. One of my leaders-- one of our IT leadership team asked me, do we really need that? Isn't a strong password and two-factor enough? So I paused for a second, and I was trying to think of a nice way to say it. But the only thing I could think of was, nope.
[LAUGHTER]
It's just not enough. When you look at what's happening in industry today-- we just heard earlier a couple of different sessions how the hacking community is getting more and more aggressive. At one time, when you got a phishing email, it came from offshore somewhere. There were typos, and spelling errors, grammar errors, and whatnot, and it was kind of obvious. But they're using AI to sharpen their skills.
So those come in now. They're perfectly formatted, and they look really, really real. So you have to really look and know what you're looking for. Lately, I've been getting text messages about once a week from the post office telling me that I have a package waiting, and if I don't go to this link-- what's that?
I get them too.
It's like, please. I mean, every week I get one. And I don't-- whatever. But we get those, and we see them, we report them as spam and delete them. And I also get about once a week an email saying I have-- my PayPal account needs more information. And it's like, please.
But they're getting more and more aggressive. And AI is helping with that. So I put up here a couple of things that are kind of-- I watch. One of those is quantum computing and high speed computing. You don't hear much about the quantum computing concept, but they talked earlier in some of the sessions about those tipping points, inflection points in technology.
And they were talking about AI being one of those. I want to challenge that a little bit. I think AI is a component of it, but once we get to that point where quantum computing and high speed computing is here, and you add that robotics concept on top of that, that'll be the inflection point.
We're a Blade Runner. So we're not far from that. We're seeing things like that happening really fast. Technology is moving real fast, and things are happening real fast. So that'll be interesting. I'm going to talk a little bit about digital identity in a second and some of the reasons for privileged access.
Compliance. Cyber insurance-- a lot of questions in cyber insurance about privileged access management. The cost of a compromise. Inflation's up. Food, housing, gas, everything's up. Compromises aren't immune to that. They're up as well.
Digital identity. I used to teach at Penn State as an adjunct, and I taught IT courses. And one of the courses I taught was the introduction to cyber security. And one of the first classes, I'd give everyone in the class, one of those inter-departmental envelopes with a number on it.
In the first half of this semester, you would take this home and put all the junk mail that comes to your house in this envelope, and take your name off of it. And anything that identifies you or that household, take it off. Just put the junk mail in this envelope.
My students used to look at me like I had two heads. They're like, this is cybersecurity. What does this have to do with cybersecurity? So just bear with me and let's go through the exercise. So at the midterm, they'd bring their envelopes back. And I'd mix them up, and I'd give them back to a different student.
And part of their final was a 50-minute presentation on what you found out about that household from that envelope. And they're again looking at me like, yeah, this is crazy. But at the end of the semester, every time I did this, they were amazed.
They would stand up in front of the class and tell you things about that family-- the number of people, gender, age, kind of car, pets you had-- things about that family that just blew them away. And at the end of the exercise, they were like, this is really cool. It puts things in perspective.
But the moral of that story is that junk mail is just the tip of the iceberg of your digital identity. So be very careful about what, how, who you share your personal information with. So that's why-- some of the reasons why we want to have some privileged access management. Towards the platform-- so '22, we did the implement 19-- 2021. 1921? Geez.
[LAUGHTER]
That's a long time ago in a land far away. 2022, we implemented our Identity Manager platform. We moved from-- we customized ARS to be our identity platform and moved it on to One Identity's Identity Manager platform. And we started implementing role-based access control in our ERP systems.
We quickly realized that there was-- something wasn't right here. We were hit with a lot of resistance in trying to figure out how to develop roles inside these ERP systems. And what we came up with was the three legged stool of RBAC.
Our ERP systems were implemented over 10 years ago. And some of the decisions made back then, RBAC wasn't even part of the concept, wasn't even part of the conversation. So we had systems where there were-- a single user had multiple IDs in the system to be able to do certain things within the system.
So we had a choice. We could have started customizing our platform to make it look like the ERP systems, but that violated a couple of my guiding principles. A couple of them are simplify, standardize so we can automate. And the other one is configuration versus customization.
If I'm moving to the cloud in '25, I can't customize the hell out of this system to align with the ERP system, because in 2025, I'm going to be dead in the water. So we had some conversations. We had made some adjustments, and now we're moving forward with our role-based access control.
2023, PAM was on the roadmap. And we started getting a lot of questions about protecting elevated access to systems, mainly from auditors. And cybersecurity insurance was a big driver with that. So we made the investment into the Safeguard solution. We also wanted a platform that was integrated in our system-- automated and integrated. We needed something that would help us with our audit attestation reporting. And it had to be sustainable and maintainable. So we went with the Safeguard solution.
Our implementation approach-- so it was a multi-phased approach. The original phase, we purchased it in '23. We stood up the platform on-prem. And the identity team started using it right away. We put our domain controllers in the servers, in the system. And we're using it and testing it out, learning how this thing works.
And then not long after that, our research technology team raised their hand and said, hey, can we come to the party? Heck yeah. The more people, the better. And we got a lot of good feedback from those research guys. There's a lot of smart people doing research, and they have a lot of interesting use cases that we were working through with them.
And then the next group we brought into the conversation was our server team. Now, our server team, they manage 800,000, 900,000 servers. I don't know-- a whole bunch of servers. And we had a lot of good conversation about the toolset with them.
And so we presented, after the end of the pilot, to leadership what our findings were, what our recommendations were. Leadership gave us a thumbs up. Let's do it. Let's go ahead.
So our next phase was rolling it out to all of our IT. We have about 275 people in our central IT organization at GW. So we're rolling this out to all of them. At this point in time, they've all been exposed to the application. Their servers are in there. Their accounts are ready to go. And they're using it as an option to use it.
Leadership says December 1, mandatory. So we're giving them some time to get used to the toolset, ask questions, make sure they understand how it works. December 1, we're turning the switch. We're making it mandatory. That's music to my ears from a security guy. I like that.
Once we're done with that, we're going to expand it across campus. Some other groups, we want to-- when you look at brand recognition and brand protection, we want to make sure our external relations systems and accounts are protected. Public safety-- we have a large alarm management system and a large video surveillance platform. We want to make sure we protect that.
Building automation in SCADA systems. A lot of those are primed for compromise, so we want to make sure we put those behind the locked door too. And the research folks, there's a lot-- we do a lot of research-- a lot of federal government grants that have controls, and protection, and requirements around those. So we want to make sure that we capture all of those and bring them into the fold as well. And then going forward, there'll be other systems and applications as they present themselves.
Some of the benefits that were realized-- we have that extra layer of security, which is great. The password-- we use it one time, throw it away, and don't reuse it. That's good. The capturing session-- real nice. When something happens, you can go in and see what happened, when it happened, who was in the system, what they did. If it was self-inflicted, we can see that, and it collapses our time to recover. That's a nice feature.
Out-of-the-box connectors. One thing I like about this unified platform that we're building-- we didn't know they called it that until the other day, but we've been building it one piece at a time. We have ARS. We have Identity Manager. Now, we have Safeguard. But it connects real nice. The out-of-box connectors are a big bonus, big plus. Helps us with our auditing and attestation. Big help there.
User ease of use. Security oftentimes is difficult to use, and it doesn't have good adoption because it's hard to get into and use, and it causes a lot of stress and strain on the user community. The feedback I've received from everyone who was introduced to this tool set says the same thing: it's easy to use.
So adoption has been really good, and I think that's one of the reasons the adoption has been so good. And it has lowered our cost of our cyber insurance, which I don't know what that number is, but I hear, yeah, it has been lowering that cost. So it's meeting all the checkboxes that we were looking for in our solution.
Path forward. Our server team-- Devolutions remote access, remote desktop toolset. We have a feature request into One Identity to build us an API between Safeguard and it. When you look at the way they do their job-- grabbing a remote desktop session and having to check out a password every time they go in the server-- they're in servers all day, every day, and it's kind of onerous for them. So we wrote a little-- not me, but my team wrote a piece of code that helps with that.
So they're not as apprehensive about using it. But we'd like to see something where you can have folders and file structures configured by the user. So if you're working on this group of servers, you can dump all your servers in here, and you don't have to search for them in the big list. So we have a feature requested for that.
Password. The diceware password, or a readable password-- this long password is a great thing. And you can copy paste it into a password buffer. But there are some applications that won't allow you to paste a password into the buffer. So the workaround that we have done was we use YubiKey. YubiKey Manager has a buffer.
You can copy and paste the password in there, mouse over where you want the password to be, and touch your YubiKey, and it pastes it in there for you. So that's our workaround. But if we had a diceware readable-type password, it would be easier to type. Because to be honest with you, if I had to type one of those passwords in one of those things, I'd never be successful. I'd just give up and go home. But that would help.
And also we're looking at-- I talked about the ID verification tool that we're looking at. And 2025, we're heading to the cloud. So I think-- what's my time look like? We're pretty good. Yeah, I think that's it. Thank you.
[APPLAUSE]
[MUSIC PLAYING]
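The readable, diceware-style passphrase the speaker asks for near the end of the talk, as an added example that is not part of the talk and not code from One Identity or Safeguard: it draws words uniformly at random with the `secrets` module, computes the entropy of the result, and checks a passphrase against a minimum-entropy policy so a defender can compare a typed passphrase with a long random password. The 32-word list is constructed for the example (a real diceware list has 7776 words, one per five-dice roll), and the function names are assumptions.

```python
import math
import secrets

# Constructed sample wordlist (an assumption for this example). A real diceware
# list has 7776 words; 32 is used here so the entropy per word is exactly 5 bits.
SAMPLE_WORDLIST = [
    "acorn", "basket", "candle", "delta", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "marble", "nectar", "orbit", "pepper",
    "quartz", "river", "saddle", "timber", "velvet", "walnut", "yellow", "zipper",
    "anchor", "bridge", "copper", "dragon", "engine", "forest", "glacier", "hammer",
]


def generate_passphrase(word_count=6, wordlist=SAMPLE_WORDLIST, separator="-",
                        rng=secrets.choice):
    """Join word_count words drawn uniformly from wordlist.

    rng is the chooser; secrets.choice is cryptographically secure. It is a
    parameter only so tests can substitute a deterministic chooser.
    """
    if word_count < 1:
        raise ValueError("word_count must be at least 1")
    if len(set(wordlist)) != len(wordlist):
        # Duplicates would make some words more likely and shrink the entropy.
        raise ValueError("wordlist must not contain duplicates")
    return separator.join(rng(wordlist) for _ in range(word_count))


def entropy_bits(word_count, wordlist_size):
    """Entropy of a passphrase of word_count uniform draws from wordlist_size words."""
    return word_count * math.log2(wordlist_size)


def random_password_entropy(length, alphabet_size):
    """Entropy of a random character password, for comparison with a passphrase."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, wordlist_size):
    """Smallest word count whose passphrase entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def meets_policy(passphrase, wordlist=SAMPLE_WORDLIST, separator="-", min_bits=77):
    """True if every word is from the list and the word count gives >= min_bits.

    Entropy is credited only for words that really came from the list; a typo
    or a word from outside the list is rejected rather than guessed at.
    """
    words = passphrase.split(separator)
    allowed = set(wordlist)
    if not words or any(w not in allowed for w in words):
        return False
    return entropy_bits(len(words), len(wordlist)) >= min_bits


if __name__ == "__main__":
    phrase = generate_passphrase(word_count=6)
    print("passphrase:", phrase)
    print("entropy bits (32-word list):", entropy_bits(6, len(SAMPLE_WORDLIST)))
    # With a real 7776-word list, six words give about 77.5 bits, comparable to
    # a 12-character password drawn from all 94 printable ASCII characters.
    print("entropy bits (7776-word list):", round(entropy_bits(6, 7776), 2))
    print("12 random printable chars:", round(random_password_entropy(12, 94), 2))
```

The policy check deliberately refuses to score a passphrase containing words that are not on the list: the whole point of diceware is that the entropy comes from uniform selection, so a passphrase a user composed by hand should not be credited with list-based entropy.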