Tag: single sign-on

Like all nonprofits, Tech Impact continually struggles to balance cybersecurity against cost, time, and user frustration. Unfortunately, there isn’t a lot of room for error! With access to hundreds of nonprofits’ systems, Tech Impact is an attractive target for criminals, activist hackers, and even government agencies. We take our mission seriously and invest as much as we are able in securing our environments.

On the other hand, as security experts ourselves, we are quick to spot the difference between what “they say” you should do and what actually makes us more secure. In this post, I’ll share a subset of our security practices so that you too can do more than check the box.

Policies

You’ve heard it before (probably from us) but having written policies is an essential part of any cybersecurity strategy. The trick is to have a specific goal in mind for every policy and to keep the document itself short and to the point. Here are some of the goals and policies that your organization should likely have:

Goal | Policy
Be able to hold staff accountable if they use systems or computers in an inappropriate way. | Acceptable Use Policy
Educate staff about how to store and share sensitive information. | Data Sharing & Storage Policy
Make sure risky data isn’t kept forever. | Retention Policy
Educate staff about how to create, manage, and share passwords. | Password Policy
Ensure staff understand the potential ramifications (such as wiping the device if they leave) of using a personal device for work. | Bring Your Own Device Policy
Prevent staff from transferring money or data in response to impersonated emails. | Approval Process for Bank & HR Data Transfer
Limit the number of administrators in our systems. | Administrative Access Policy

One goal of our policies is to allow us to discipline staff who won’t take security seriously. But generally speaking, we don’t expect our policies to guarantee that our staff stays safe. Instead, we use them to educate staff about how to be safe using the tools available to them.

Training

To get staff to actually behave safely, we rely much more on training and awareness. Being secure means making the right decisions dozens of times a day. Every time we email a client or share a file, we have to evaluate the risk and take appropriate safety measures. The high frequency of these decisions means that we can’t expect our staff to look up and follow complex policies.

Instead, we teach folks regularly about who might want to attack us, why those attackers are interested in us, and how those attacks are likely to happen. By educating about our actual threats instead of imagined or possible risks, we keep our staff paying attention. That’s why we focus on password strength, phishing attacks, and impersonation attacks and not on protecting against NSA EMF monitoring.

At Tech Impact, our learning culture doesn’t lend itself to formal training. Besides some mandatory training for staff dealing with sensitive data (like HIPAA-regulated data), we mostly don’t force our staff to sit down for training. Instead, we regularly send emails and chat messages to the team with information about attacks we have intercepted or articles that seem relevant. This constant drip of information keeps folks on their toes.

One formal approach we do recommend is a third-party phishing simulation service like KnowBe4. Using the service, you send your staff simulated phishing emails. Folks who fail a test (by clicking through and handing over their username and password) can be required to complete additional security training.

Escalation

Between our policies and constant communication, our staff is definitely paying attention! But paying attention isn’t enough by itself if folks don’t know what to do when they encounter something suspicious. At Tech Impact we’re lucky to have a resident security team. Our staff has been trained to forward emails or send questions to the team anytime they are worried about something that came in. By making it easy to report an issue and get help, we have dramatically increased engagement and often prevent staff from taking risky action.

For your organization, this might mean sending one person to security training, or it might mean routing questions to your support provider. However you approach it, make sure to keep a record of the kinds of questions and issues that come in so that you can identify trends and create better training.

Technology

Only now is it worth talking about technology. In truth, technology is important but not enough. Staff and attackers will always find a way to get around anything you put in place. Your best bet (at least for organizations that aren’t facing activist hackers or hostile governments) is to focus on policies, training, and escalation.

But if you’ve handled the basics, or if you are at particular risk, technology can absolutely help your organization stay safe. There are lots of resources out there about cybersecurity technology, so I’m not going to reinvent the wheel. But I will share with you some of the tools that we use. Note that this is only a portion of the technologies we use at Tech Impact to stay safe.

For Everyone

Some of the cybersecurity tools we use are foundational and should be used by every single nonprofit out there. Nothing listed here is particularly complicated or expensive, so don’t wait!

  • Software Updates & Anti-Malware: You should know this by now, but most malware-based attacks exploit known vulnerabilities for which a patch already exists. Keeping your computers up to date and running anti-malware software is a foundational need for every nonprofit.
  • Multi-Factor Authentication (MFA): The single most effective thing you can do to keep your organization safe from account compromise. In addition to a username and password, your staff enter a separate code from an authenticator app or SMS text message to log into systems. A phished or reused password alone is then no longer enough to take over the account, which removes most of the damage from the common forms of phishing.
  • Single Sign-On: Use Office 365, Google Apps, Okta, or another cloud identity provider to let your users log into all your systems with a single username and password. This lets you enforce MFA across all your tools and lock down every account from one place. Any software you use that supports the SAML standard (or OpenID Connect) can be integrated for Single Sign-On, and disabling the one identity-provider account cuts off access to every federated application when someone leaves.
  • Device Encryption: Encrypt your devices so that no one can read data off them even if they are lost or stolen. This is free and easy on Android, iOS, macOS, and most Windows computers!

For Many

For organizations that have some compliance needs (HIPAA, etc.) or otherwise handle sensitive information, there are some basic tools that can make a big difference without considerable cost.

  • Encrypted Email: Allows you to send social security numbers, healthcare information, passwords, and other sensitive information via email. You send a standard email, but recipients get a simple notification with instructions to read and reply through a secure web portal. Note that with a portal-based service the vendor holds the message, so this is encryption in transit and at rest under the vendor’s control rather than true end-to-end encryption; for most nonprofits that is an acceptable trade for the convenience.
  • Data Loss Prevention (DLP) Scanning: Scans outbound email, shared files, or files stored in semi-public locations for sensitive information like social security numbers or bank account information. This is an essential backup to your policies educating folks on how to safely store and transmit data.
  • Device Management: Lets you monitor devices remotely and make sure that they are kept up-to-date, encrypted, and secure. It also allows you to wipe them remotely if they are lost or stolen.
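As an added example that is not part of the original post or of any Tech Impact tool, the following Python script shows the core of the DLP scan described above: it finds candidate social security and payment card numbers in an outbound message and validates each before raising a finding, so that a reference number shaped like an SSN, or a run of digits that fails the Luhn check, does not block the email. The sample message is constructed for the example, and the patterns and validity rules are deliberately minimal (real DLP products add many more data types and context checks).

```python
import re
from dataclasses import dataclass

# Constructed sample message (not real data): what an outbound-mail DLP
# hook would receive. Line 2 carries a real-looking SSN, line 3 a card
# number that passes Luhn, line 4 two look-alikes that should NOT fire.
SAMPLE_MESSAGE = """\
Hi Dana,
Attached is the intake form. Client SSN is 219-09-9999 and the
account number 4111 1111 1111 1111 should be charged.
Order ref 000-12-3456 is not an SSN, and 1234 5678 9012 3456 fails Luhn.
"""


@dataclass(frozen=True)
class Finding:
    kind: str   # "SSN" or "CARD"
    value: str  # matched text as it appeared in the message
    line: int   # 1-based line number within the scanned text


# Shape-only patterns. Shape is cheap to match; the validators below
# remove the false positives that shape alone lets through.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """The SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers: double every second
    digit from the right, subtract 9 from doubled values above 9, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list[Finding]:
    """Return validated findings, in document order, with their line numbers."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append(Finding("SSN", m.group(0), lineno))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding("CARD", m.group(0), lineno))
    return findings


def should_block(text: str) -> bool:
    """Policy decision for the mail hook: block when any validated match exists."""
    return bool(scan(text))


if __name__ == "__main__":
    for f in scan(SAMPLE_MESSAGE):
        print(f"line {f.line}: {f.kind} {f.value}")
    print("block:", should_block(SAMPLE_MESSAGE))
```

Run it as a script and it prints the two real findings and the block decision; wire `should_block` into whatever outbound hook your mail gateway offers. The validation step is what separates a usable DLP rule from one that staff learn to ignore.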

For a Few

There are a lot of things we do at Tech Impact because we are at high risk. These aren’t things I would recommend for everyone.

  • Conditional Access: Prevent devices from downloading files or syncing data if they aren’t enrolled in your device management platform. This keeps the staff from saving data to devices that aren’t encrypted or that you don’t own.
  • Advanced Multi-Factor Authentication: Text-message based MFA is not secure against a determined attacker, since SMS codes can be redirected by SIM swapping or simply phished along with the password. We use authenticator-app codes (TOTP) on our mobile phones and are exploring U2F security keys and certificate-based MFA to make ourselves even more secure; U2F binds the credential to the site’s origin, so a look-alike phishing page cannot replay it.
  • Centralized Log Analysis: We send all of our logs to a system that looks for unusual behavior. If someone logs in from an unusual location or downloads more files than usual, our security team gets an alert and can investigate.
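As an added example, not code from Tech Impact’s own monitoring, the following Python script shows the two checks described in the last bullet. It reads a per-user daily rollup of sign-in countries and file-download counts (the JSON lines are constructed for the example and stand in for what a log pipeline would produce from identity-provider and file-service logs), builds a baseline for each user, and then flags a sign-in from a country never seen for that user and a download count more than three standard deviations above that user’s mean. The rollup format and the z-score threshold of 3 are assumptions for the example.

```python
import json
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample data (not real logs). Each line is a per-user daily
# rollup as a log pipeline might emit it from identity-provider sign-in
# events and file-service download events.
BASELINE_LOG = """\
{"day":"2023-03-01","user":"alice","countries":["US"],"downloads":9}
{"day":"2023-03-02","user":"alice","countries":["US"],"downloads":12}
{"day":"2023-03-03","user":"alice","countries":["US"],"downloads":10}
{"day":"2023-03-04","user":"alice","countries":["US","CA"],"downloads":11}
{"day":"2023-03-05","user":"alice","countries":["US"],"downloads":8}
{"day":"2023-03-01","user":"bob","countries":["US"],"downloads":40}
{"day":"2023-03-02","user":"bob","countries":["US"],"downloads":45}
{"day":"2023-03-03","user":"bob","countries":["US"],"downloads":38}
{"day":"2023-03-04","user":"bob","countries":["US"],"downloads":42}
{"day":"2023-03-05","user":"bob","countries":["US"],"downloads":44}
"""

# The window under review: alice signs in from a new country and pulls
# seven times her usual volume; bob is only a little busier than usual.
REVIEW_LOG = """\
{"day":"2023-03-06","user":"alice","countries":["RO"],"downloads":70}
{"day":"2023-03-06","user":"bob","countries":["US"],"downloads":47}
"""

Z_THRESHOLD = 3.0  # assumed tuning value; raise it if the spike rule is too noisy


@dataclass(frozen=True)
class Alert:
    user: str
    rule: str
    detail: str


def parse(lines: str) -> list[dict]:
    return [json.loads(line) for line in lines.splitlines() if line.strip()]


def build_baseline(records: list[dict]) -> dict[str, dict]:
    """Per user: the set of countries ever seen and the mean/sd of daily downloads."""
    countries: dict[str, set] = defaultdict(set)
    downloads: dict[str, list[int]] = defaultdict(list)
    for r in records:
        countries[r["user"]].update(r["countries"])
        downloads[r["user"]].append(r["downloads"])
    return {
        user: {
            "countries": countries[user],
            "mean": mean(counts),
            "sd": pstdev(counts),
        }
        for user, counts in downloads.items()
    }


def detect(baseline: dict[str, dict], records: list[dict],
           z_threshold: float = Z_THRESHOLD) -> list[Alert]:
    """Apply the two rules from the text to each record in the review window."""
    alerts: list[Alert] = []
    for r in records:
        b = baseline.get(r["user"])
        if b is None:
            alerts.append(Alert(r["user"], "unknown_user",
                                "activity from an account with no baseline"))
            continue
        new_countries = set(r["countries"]) - b["countries"]
        if new_countries:
            alerts.append(Alert(r["user"], "new_country",
                                f"first sign-in from {sorted(new_countries)}"))
        # Floor the sd at 1.0 so a perfectly steady user cannot divide by zero
        # and a one-file change never becomes an "infinite" anomaly.
        z = (r["downloads"] - b["mean"]) / max(b["sd"], 1.0)
        if z > z_threshold:
            alerts.append(Alert(r["user"], "download_spike",
                                f"{r['downloads']} downloads vs baseline "
                                f"{b['mean']:.1f} (z={z:.1f})"))
    return alerts


def run() -> list[Alert]:
    return detect(build_baseline(parse(BASELINE_LOG)), parse(REVIEW_LOG))


if __name__ == "__main__":
    for a in run():
        print(f"[{a.rule}] {a.user}: {a.detail}")
```

The script raises two alerts for alice and none for bob. The per-user baseline is the important design choice: a flat threshold of, say, 50 downloads a day would miss a quiet user who suddenly pulls 40 files and would page on every normal day for a heavy user like bob.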

Wrapping Up

As a technology nonprofit, we know that there are limits to what technology can do to keep us safe. That’s why we use this multi-layered approach that includes policies, education, escalation, and technology. Staying safe is a constant balancing act, and it’s important to remember that some action is always better than no action.

 
Beyond 12 is a national nonprofit whose mission is to dramatically increase the number of first-generation, low-income, and underrepresented students who graduate from college.

As CTO & Head of Product, I’m responsible for keeping Beyond 12’s technology and data secure. One of my first steps was to implement single sign-on (SSO) and multi-factor authentication (MFA) with Okta.

What is multi-factor authentication (MFA)?

We’re all familiar with the basic process of providing our username and password to “prove” that we are who we say we are. Since usernames are typically known (i.e. not a secret), your password is the single factor that’s used to authenticate your identity. However, in today’s cybersecurity environment, a single factor alone simply can’t be trusted to secure access to sensitive data.

Multi-factor authentication requires users to provide at least two different types of evidence (“factors”) to prove their identity. For example, users may be required to provide their password (something they know) plus a temporary code generated on their phone (something they have). This increases the likelihood that the user’s account will remain secure should their password become compromised.

Should we be using MFA?

Beyond 12 needed to streamline security and IT functions in order for the organization to continue growing to scale. A near-term priority for that effort was implementing MFA. If we assume that, sooner or later, someone is going to get phished, or get malware, or encounter something that might compromise one of their work accounts, then at the very least we need to make sure that everyone has MFA enabled to mitigate those threats.

Beyond 12 is entrusted with a lot of student data through its technology products and direct-service programs. Even if we didn’t have legal requirements to protect data in certain ways, it’s still ethically the right thing to do because we care about our students and we want to make sure we’re doing right by them. That includes making sure that their data is accessible only to those who should have access to it.

Whether or not your organization manages data that is tightly regulated like education or health records, all organizations should implement MFA as a kind of digital hygiene. Down the road — as your nonprofit grows, as your business model expands, as you start to gather more data — you’ll already have the right processes in place.

Got advice for deploying MFA in my organization?

Of course, every organization is different, but one of the most important things to keep in mind when rolling out any new technology is to understand your team: how do they use technology? How do they navigate change? How might this new program affect their key workflows? Making time to think through these questions will help you design a more human-centered plan.

While it may be tempting to make piecemeal progress, be true to your security policies and plan for the long-term. If you believe that all access to sensitive data should require MFA, then start with that—even if there’s going to be a bit of staff dissent—because if you roll out SSO without MFA, and then a few months later say, ‘Now that you’ve adjusted to that change, we’re going to introduce this additional one,’ then you’ll have to deal with change management twice.

These are the basic steps that Beyond 12 took to deploy SSO and MFA.

1. Make sure all critical applications are plugged in. This may be obvious, but it serves two key purposes. First, it eases the transition for your staff, who benefit from having one place to go for everything they need to do their work. Second, putting all of your critical applications “behind the wall” ensures that all your potentially sensitive data is covered.

2. Configure groups. Most IT leaders are familiar with group- or role-based permissioning. Beyond 12 created user groups within Okta that were based on the type of applications that group members would need. For example, software development applications are available to the engineering team, and core business applications for communications and collaboration are available to all employees. Contractors and partners represent other potential groups.

3. Set policies. Okta’s adaptive multi-factor authentication gives administrators flexibility to design security policies that are right for their organization. This includes allowing a variety of factors such as passwords, push notifications, mobile tokens, biometrics, and more. It also includes the ability to enable contextual access management that takes into account the user’s device, physical location, and network information for authentication.

4. Teach your staff. Change is hard, no matter how simple or necessary. You can’t over-communicate during a transition like this. Be sure to use multiple modes to meet your colleagues where they are. For example, Beyond 12 set aside time to walk each team through the transition, set expectations, and field questions; there were detailed emails; plus internal office hours. Every organization is different, but everyone likes to be supported through change.

5. Provide (and get) ongoing support. Make sure that your team knows where they can get their questions answered when they arise. It’s also important for technology leaders to invest in their own professional development. Check for available support or training options from your vendors and make sure all staff know how to access them.

What issues came up after implementation?

Beyond 12’s rollout of SSO and MFA went smoothly, and only a couple of key questions arose soon after implementation. The first was how often users would be prompted to provide a second factor. With Okta and many other tools, this is configurable. Another issue that came up was ensuring that team members can securely work offline by providing factors that don’t require an internet connection or cell service, such as a YubiKey or a one-time-password generator (Okta offers its own, but is also compatible with others like Google Authenticator).

What’s next?

Beyond 12 continues to partner with Okta to explore new services and functionality, including automated account provisioning/deprovisioning and custom integrations for new apps. Okta For Good provides ongoing support to nonprofits in a variety of ways including product discounts, pro bono services, and events like the Nonprofit Collaborative at Oktane (Okta’s annual user conference, which is free for nonprofits) and regional user groups specifically for nonprofits.