Our fall semester marches onward, and Thanksgiving break will be here before we know it. As we take a moment to focus on our work in cybersecurity, we also take time to remember Veterans Day and recognize the courage and dedication of our military veterans, including those who serve within our own university community. I encourage everyone to reflect on the sacrifices made by these brave individuals, and to learn more about veterans’ contributions. The VA has many educational benefits and support services available to veterans on campus and beyond.

At our fall all-hands meeting I introduced our FY25 strategic priorities. In the September newsletter we talked about security agent standardization, and in October we looked at platform and process documentation. This month we’re going to consider what it means to modernize identity and access.

Strategic Priority: Modernizing Identity and Access

Securing identities and managing access effectively is the cornerstone of all our broader IT and security objectives. With the advent of zero trust architectures, identity is the new security boundary, and it has become the primary target for most threat actors. In fact, attacks against our identities—credential phishing, privilege escalation, session and token hijacking, and the like—are by far the largest category we see by volume. In this respect, identity security is the foundation for all our other efforts to improve our security posture.

Modernizing our campus identity and access is currently focused on three significant projects: SailPoint (which is replacing the legacy NetID code and infrastructure with a modern, enterprise-grade identity governance platform), SSO (which is replacing legacy authentication methods like Shibboleth and CAS with Microsoft Entra ID), and Email security (which is working towards DKIM signing for all of our mail and an enforcing DMARC policy across our email sender infrastructure, including third-party senders). There are a lot of other things that the Identity Security office has to worry about—Duo MFA, certificates, machine and service accounts, shared and group access—but those three large-scale projects have the biggest impact on our resources, and will have the biggest impact on our security and risk posture.

SailPoint is likely the project that you’ve heard the most about. We are almost two years into a multi-year implementation, and are very close to completing Phase 1, which was intended to directly recreate NetID lifecycle management in SailPoint. The primary benefit we are realizing from this phase of the project is reliability and scalability: through the months-long process of validating and recreating the business logic embedded in legacy code, we have been able to make some critical simplifications, greatly reducing the fragility of the infrastructure. This focus on stability sets the stage for the benefits we expect to achieve in Phase 2: that is when we will be able to use the advanced features in SailPoint to better manage roles and entitlements for our users, and make use of its new AI-assisted features to ensure that individuals have the access they need to do their jobs, and no more.

The SSO project has been moving forward in parallel with SailPoint. Over a year ago we announced that CAS and Shibboleth were deprecated, and that all new applications should use Entra ID for authentication. Since then, we have been steadily moving major systems over to Entra, and now the only high-volume application left is Howdy. As you can imagine, Howdy has complexities that most applications don’t have to consider, like supporting parent access to student accounts. We have an ongoing project with EIS developers to refactor how parent access is supported in Howdy, which means we will no longer need to generate NetIDs for parents—a significant step forward in security, since every parent NetID today is a credential that can be phished, and an account that has to be managed for its entire lifecycle.

Email security is the other ongoing effort that will have a lasting impact on identity security. Earlier this year Google, Yahoo, and other major email providers significantly heightened the expectations they place on senders regarding authentication, spam rates, and domain reputation: every sender must now authenticate with SPF or DKIM, and bulk senders must pass both, publish a DMARC policy, and use a From: domain that aligns with the authenticated domain. If we want to ensure timely deliverability of the mail we send, we have no choice but to conform to these guidelines. Primarily, this means moving beyond relying on SPF alone, which only checks the envelope sender against a list of IP addresses we publish in DNS and breaks when mail is forwarded, and towards DKIM signing, which ties a cryptographic signature to a selector under our domain and survives forwarding. This is particularly important for applications and third-party senders that send mail on behalf of a tamu.edu domain. Giving each such sender its own DKIM selector lets it send as our domain in an authorized, verifiable manner, while an enforcing DMARC policy rejects mail that merely claims to be from us, without risking our domain reputation on the Internet.
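The reason a DKIM-signed third-party message passes DMARC while an SPF-only one from the same vendor fails is the alignment rule: the domain that authenticated must match the From: domain the recipient sees. The following Python is an added example written for this newsletter, not Technology Services code; the DMARC records, the vendor domain, and the authentication results it feeds in are all constructed, and it models the DMARC policy decision rather than verifying SPF or DKIM cryptographically.

```python
"""DMARC alignment and disposition, worked over constructed inputs.

Added example for the newsletter; not Technology Services code. The DNS
records below are hypothetical and are NOT tamu.edu's real records.
"""

# Constructed DMARC TXT records (hypothetical).
DMARC_RECORDS = {
    "_dmarc.tamu.edu": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-rua@tamu.edu",
    "_dmarc.lax.example": "v=DMARC1; p=none; adkim=s; aspf=s",
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into tags, applying the RFC 7489 defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    A production verifier consults the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment is an exact match; relaxed ('r') only
    requires the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def lookup_policy(from_domain: str):
    """DMARC discovery: the From: domain first, then its org domain."""
    for name in (from_domain, org_domain(from_domain)):
        record = DMARC_RECORDS.get(f"_dmarc.{name}")
        if record:
            return parse_dmarc(record)
    return None


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_results):
    """Return (dmarc_result, disposition, passing_identifiers).

    spf_domain is the envelope (RFC5321.MailFrom) domain SPF was checked
    against; dkim_results is a list of (result, d= domain) per signature.
    Disposition is 'deliver' on pass, otherwise the published p= value.
    """
    policy = lookup_policy(from_domain)
    if policy is None:
        return ("none", "deliver", [])  # no policy published: nothing to enforce
    passing = []
    if spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"]):
        passing.append("spf")
    for result, d in dkim_results:
        if result == "pass" and aligned(d, from_domain, policy["adkim"]):
            passing.append(f"dkim:{d}")
    if passing:
        return ("pass", "deliver", passing)
    return ("fail", policy["p"], [])


# Constructed scenarios for a hypothetical vendor, vendor-mail.example,
# sending with a tamu.edu From: address.
def scenario_vendor_spf_only():
    # Vendor bounces to its own domain: SPF passes for vendor-mail.example,
    # but that identifier is not aligned with From:, and there is no DKIM.
    return evaluate_dmarc("tamu.edu", "pass", "vendor-mail.example", [])


def scenario_vendor_dkim_signed():
    # Same vendor, now signing with a selector delegated under tamu.edu.
    return evaluate_dmarc("tamu.edu", "pass", "vendor-mail.example",
                          [("pass", "tamu.edu")])


def scenario_subdomain_relaxed():
    # Campus app sends From: lists.tamu.edu with d=tamu.edu; no record at
    # _dmarc.lists.tamu.edu, so the org-domain policy (adkim=r) applies.
    return evaluate_dmarc("lists.tamu.edu", "none", "", [("pass", "tamu.edu")])


def scenario_strict_subdomain_fails():
    # lax.example publishes adkim=s, so d=mail.lax.example is not aligned.
    return evaluate_dmarc("lax.example", "fail", "mail.lax.example",
                          [("pass", "mail.lax.example")])


if __name__ == "__main__":
    for name, fn in list(globals().items()):
        if name.startswith("scenario_"):
            print(f"{name}: {fn()}")
```

The first two scenarios are the practical point for third-party senders: the vendor's SPF record was valid in both cases, and only the DKIM signature under our domain changed the outcome from `reject` to `deliver`. The last scenario shows why strict alignment should be chosen deliberately, since it disqualifies otherwise valid subdomain signatures.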

Each of these foundational projects—SailPoint, SSO, and Email security—will improve our overall security posture and operational resilience. With identity security as the cornerstone, we are setting the foundation for a more secure, reliable, and adaptable IT environment. This work will help protect our organization from the ever-growing landscape of identity-related threats and ensure that our users have the right access, at the right time, with the highest level of security.

Wins & Successes

  • There have been several major wins for the Elastic project. We are now ingesting 5.8 billion log entries per day, and have over 20,000 devices reporting into the Elastic stack. This has been a phenomenal effort from several teams across Security & the organization, and the scale that we have grown into with Elastic is impressive.

  • Identity Security has created an attribute matrix diagram to follow the flow of attributes from upstream systems (Workday & Banner) all the way to downstream targets (like accounts provisioned in Google, Duo, and M365). Student employee Chandler Brooks led the charge on this, and the work is already paying off. 

  • The Cloud & Platform team is working with Proofpoint to implement their newest AI-driven email security tools within our environment; these identify advanced attack patterns using machine learning and behavioral analysis. We are the first public customer to receive this new product, and we are partnering with Proofpoint to provide feedback based on our unique mail environment.

Security by the Numbers

📈 Just in the last month:

  • 5.8B log events collected per day
  • 13.76 petabytes of network data scanned
  • 130.2M mail messages scanned for spam, phishing, viruses; 91.3M messages blocked at gateway
  • 7.3M Entra authentication events
  • 2.84M Duo auth events across 187k active NetIDs
  • 170k devices tracked in the IT asset management system


Major Project Updates

Security Agent Standardization: The project is now in full swing, with departments coordinating the deployment of the Elastic agent to replace CrowdStrike. Work is ongoing with the Endpoint Security Team to ensure that embedded IT groups receive adequate support during this transition: new tools and docs are added to the Endpoint Security documentation site weekly. As of early November, we have more than 20,000 Elastic agents deployed across campus.

Identity Security: The SailPoint project is nearing completion of Phase 1, and a new Identity Governance Advisory Board has been formed to better communicate upcoming changes to stakeholders, and to enable shared technical governance over identity security. Stability and uptime are two of the most important characteristics of identity infrastructure, so we are being extra cautious as we make the final changes towards full lifecycle management. Change requests (CRs) are scheduled throughout November and December; more detailed information is available via the Identity Security mailing list.

Endpoint Privilege Management (EPM): Usually referred to as the “Admin by Request” project, this aims to provide a standardized method for faculty and staff to obtain temporary administrative rights on their assigned devices. We hosted a Technically Speaking in October that talked about how engaging our users with trust and respect will enable us to build a positive working relationship, and increase our ability to meet our security goals. We specifically addressed questions related to Admin By Request, and the new models and policies by which administrative rights will be granted.

Annual Risk Assessments: The annual risk assessment process is well underway. This year, the assessments are conducted within the new OneTrust platform. Phase 2, which includes the assessment and review of information resources, is set to close on Nov 22. This year, we are focused on findings that present the highest risk to the university, and will be concentrating on reviewing and remediating those findings first. You may receive email in the coming weeks regarding risk assessment; please do your best to respond promptly!

1Password: The 1Password password and secrets manager has been available for all employees in Technology Services for several months, and we have seen substantial adoption (contact password-management@tamu.edu if you need an account). As a benefit of our site license, 1Password is available to all Texas A&M students for personal use. Starting this month, communications will be going out to students to promote this benefit, and encourage them to improve their personal security posture by using a password manager.

Wrapping Up & Reminders

Speaking of 1Password, if you’re not already taking advantage of the free family account that is available to you as a Texas A&M employee, I encourage you to do so. Over and over again, using strong, unique passwords for different systems and accounts is shown to be one of the best cyber hygiene practices available to organizations and individuals. With the multitude of accounts that each of us has to maintain, an effective password manager is a necessity. Using one in your personal life not only protects your personal data, it also establishes good habits that will hopefully carry over into your work life.

As always, I thank you all for your hard work and dedication. I depend on you to share your ideas and suggestions with me, and I encourage you to schedule a meeting with me at any time if you want to talk.


Adam Mikeal

Associate Vice President and Chief Information Security Officer