Our fall semester marches onward, and Thanksgiving break will be here before we know it. As we take a moment to focus on our work in cybersecurity, we also take time to remember Veterans Day and recognize the courage and dedication of our military veterans, including those who serve within our own university community. I encourage everyone to reflect on the sacrifices made by these brave individuals, and to learn more about veterans’ contributions. The VA has many educational benefits and support services available to veterans on campus and beyond.
At our fall all-hands meeting I introduced our FY25 strategic priorities. In the September newsletter we talked about security agent standardization, and in October we looked at platform and process documentation. This month we’re going to consider what it means to modernize identity and access.Strategic Priority: Modernizing Identity and Access
Securing identities and effective management of access control is a cornerstone for all our broader IT and security objectives. With the advent of zero trust security architectures, identity is the new security boundary, and has become the primary target for most threat actors. In fact, attacks against our identities—credential phishing, privilege escalation and exploitation, session hijacking, etc—are by far the largest that we see by volume. In this respect, identity security is the foundation for all our other efforts at improving our security posture.
Modernizing our campus identity and access is currently focused on three significant projects: SailPoint (which is replacing the legacy NetID code and infrastructure with a modern, enterprise-grade solution), SSO (which is replacing legacy authentication protocols like Shibboleth and CAS with Microsoft Entra ID), and Email security (which is working towards using DMARC and DKIM to enforce the highest level of security across our email sender infrastructure, including for third-party senders). There are a lot of other things that the Identity Security office has to worry about—Duo MFA, certificates, machine and service accounts, shared and group access—but those three large-scale projects have the biggest impact on our resources, and will have the biggest impact on our security and risk posture.
SailPoint is likely the project that you’ve heard the most about. We are almost two years into a multi-year implementation, and are very close to the completion of phase I, which was intended to directly recreate the NetID lifecycle management with SailPoint. The primary benefit we are realizing from this phase of the project is reliability and scalability: through the months-long process of validating and recreating the business logic embedded in legacy code, we have been able to make some critical simplifications, greatly reducing the fragility of the infrastructure. This focus on stability sets the stage for the benefits we expect to achieve in phase II: this is when we will be able to use the advanced features in SailPoint to better manage roles and entitlements for our users, and make use of novel new AI features to ensure that individuals have the right access to the resources needed to do their jobs, and no more.
The SSO project has been moving forward in parallel with SailPoint. Over a year ago we announced that CAS and Shibboleth were deprecated protocols, and all new applications should use Entra ID for authentication. Since then, we have been slowly moving major systems over to Entra, and now the only high-volume application left is Howdy. As you can imagine, Howdy has complexities that most applications don’t have to consider, like supporting parent access to student accounts. We have an ongoing project with EIS developers to refactor how parent access is supported in Howdy, which means that we will no longer need to generate NetIDs for parents—a significant step forward in security.
Email security is the other ongoing effort that will have a lasting impact on identity security. Earlier this year Google, Yahoo, and other major email providers significantly heightened their security measures around email, and increased the expectations they placed on other email senders regarding spam, deliverability, and domain reputation. If we want to be able to ensure timely deliverability of mail that we send, we have no choice but to conform to these new guidelines. Primarily, this is about moving away from older DNS protocols like SPF, and towards newer protocols like DKIM. This is particularly important for applications (or third-party senders) that send mail on behalf of a tamu.edu
domain. The modern protocols ensure that a third-party can impersonate our domain in a secure manner, and without risking our domain reputation on the Internet.
Each of these foundational projects—SailPoint, SSO, and Email security—will improve our overall security posture and operational resilience. With identity security as the cornerstone, we are setting the foundation for a more secure, reliable, and adaptable IT environment. This work will help protect our organization from the ever-growing landscape of identity-related threats and ensure that our users have the right access, at the right time, with the highest level of security.
Wins & Successes
- There have been several major wins for the Elastic project. We are now ingesting 5.8 billion log entries per day, and have over 20,000 devices reporting into the Elastic stack. This has been a phenomenal effort from several teams across Security & the organization, and the scale that we have grown into with Elastic is impressive.
- Identity Security has created an attribute matrix diagram to follow the flow of attributes from upstream systems (Workday & Banner) all the way to downstream targets (like accounts provisioned in Google, Duo, and M365). Student employee Chandler Brooks led the charge on this, and the work is already paying off.
- The Cloud & Platform team is working with ProofPoint to implement their newest AI-driven email security tools within our environment; this will identify advanced attack patterns using machine learning & behavioral analysis. We are the first public customer to receive this new product, and we are partnering with ProofPoint to provide feedback based on our unique mail environment.
Security by the Numbers
📈 Just in the last month:
- 5.8B log events collected per day
- 13.76 petabytes of network data scanned
- 130.2M mail messages scanned for spam, phishing, viruses; 91.3M messages blocked at gateway
- 7.3M Entra authentication events
- 2.84M Duo auth events across 187k active NetIDs
- 170k devices tracked in the IT asset management system
Major Project Updates
Sign in with a NetID to see this content
Wrapping Up & Reminders
Speaking of 1Password, if you’re not already taking advantage of the free family account that is available to you as a Texas A&M employee, I encourage you to do so. Over and over again, using strong, unique passwords for different systems and accounts is shown to be one of the best cyber hygiene practices available to organizations and individuals. With the multitude of different computer accounts that each of us has to maintain, an effective password manager application is necessary. Using one in your personal life not only protects your personal data, it also establishes good habits that will hopefully carry over into your work life, also.
As always, I thank you all for your hard work and dedication. I depend on you to share your ideas and suggestions with me, and I encourage you to schedule a meeting with me at any time if you want to talk.
Adam Mikeal
Associate Vice President and Chief Information Security Officer