Source: Freepik
Universities are increasingly becoming the target of cyber attacks. According to the Federal Office for Information Security (BSI), the current threat level is higher than ever before [1]. In view of this growing threat and the increasing number of corresponding attacks, the Ministry of Culture and Science (MKW) of the state of North Rhine-Westphalia (NRW) published an Agreement on Cyber Security at Universities (VzC) at the end of 2023. With a total of 12 measures, this serves as a basis for securing university networks. At the same time, the BSI regularly recommends targeted measures to defend against threats.
Against this backdrop, the specific protection of RWTH Aachen University’s IT infrastructure is increasingly indispensable.
Agreement on Cyber Security
The Agreement on Cyber Security exists between universities of NRW as well as the University Library Centre of NRW (hbz) and the MKW in cooperation with the Digital University NRW (DH.NRW) [2]. The primary goal is to protect the universities and the hbz more effectively against cyber attacks with the specified measures and to be able to restore the IT systems quickly and, if possible, without data loss in the event of damage. To this end, the state of NRW has provided the universities with a total of 41.15 million euros from the special fund for crisis management in 2023.
One of the measures manifested there is the gradual introduction of two-factor or multifactor-authentication (MFA). This means that employees, students, and members of the RWTH require an additional security code in addition to their existing login details in order to access IT services.
In the following part of the blog post, we explain how the step-by-step introduction at RWTH has taken place for various services.
What is MFA?
But first, back to the beginning: What is MFA anyway? It is a security procedure that requires you to enter an additional security code in addition to your normal login details such as username and password. Only then can you access your digital resources such as devices, networks, or online services.
This code is generated by a separate device or app. You are probably already familiar with this procedure from online banking or using your health insurance app. You can find more information and a detailed explanation of general MFA mechanisms in our blog post “Security Mechanisms Unravelled: MFA“.
MFA on the Cluster
Since 2020, several supercomputers and high-performance computers in Europe have fallen victim to hacker attacks. To prevent such attacks, the pilot phase for multifactor-authentication was successfully implemented on a login node of the HPC cluster last year.
On January 15, 2024, MFA was made mandatory for the security of the cluster, meaning that access to each dialog/frontend node is now only possible with a second factor. Access to our HPC systems is protected against misuse by third parties by the MFA, which is particularly relevant with regard to the protection of your research data.
MFA for the VPN
The introduction of MFA for VPN started on February 1, 2024. From then on, you had the opportunity to test the use of MFA when dialing into the VPN. You could continue to use the VPN even without having previously selected another factor or token. The mandatory introduction came after a six-week test phase on March 19, 2024. Since then, you always need a token to use the RWTH VPN.
MFA for the SSO
The introduction of the MFA for the RWTH Single Sign-On (SSO) was particularly far-reaching. After all, employees, students, and other members use it several times a day to access their desired services such as RWTHonline, RWTHmoodle, SAP Fiori, GigaMove, and many more.
The first steps in this direction were already taken last year. The IdM Selfservice was equipped with the Token Manager. At that time, it was already possible to access it without a token if you had not yet set one up. Once the first token had been set up, the token manager was and still is secured and cannot be accessed without a token.
However, a test phase for the SSO, as was the case with the VPN, was technically not possible. However, a test website was developed as an alternative and activated on May 2, 2024, which you could use to test your generated tokens. On July 2, 2024, MFA was finally made mandatory for all services that are protected with SSO.
Conclusion and Assistance
MFA significantly increases security: even if an authentication factor is compromised, access is still protected by another factor. You can find a more detailed explanation in the video from the BSI.
Despite some challenges, the MFA was introduced at RWTH as planned to increase cyber security. We are all adjusting to the new processes and have made progress in terms of security and the MKW agreement. Nevertheless, there is still a lot to do – we will keep at it!
Instructions for setting up your first token, MFA for VPN, and MFA for SSO can be found on our documentation portal IT Center Help. You can also find a playlist with various tutorials on setting up MFA on our YouTube channel. Take a look!
Responsible for the content of this article are Jelena Nikolic, Nicole Wießner, and Tanja Wittpoth-Richter.
The following sources served as the basis for this article:
[1] https://www.mkw.nrw/hochschule-und-forschung/digitalisierung-hochschule-und-wissenschaft/cybersicherheit
[2] https://www.mkw.nrw/system/files/media/document/file/vereinbarung_zur_cybersicherheit_vzc.pdf
Leave a Reply