IT Project: Securing Northwestern Email
Project Status
May 2021: Phase One of the Securing Northwestern Email Project is complete. In collaboration with University schools and administrative units, Northwestern IT has completed the implementation timeline for applying the two security updates included in the scope of the project: activating Duo Multi-factor Authentication for Microsoft 365 (formerly Office 365 of O365) and decommissioning support for Basic Authentication on Microsoft 365 applications.
Project Charter
Background
The project work aligns with Microsoft's plans to end support for Basic Authentication in 2021. This outdated sign-on protocol relies on sending user names and passwords—often stored on or saved to a device—with every request for connection to systems and applications, increasing the risk of attackers capturing users' credentials. As most users' devices are already configured with Modern Authentication—an upgraded and more secure sign-on protocol—community impact is minimal.
The project also furthers Northwestern IT's work to provide Multi-factor Authentication technology, adding a critical extra layer of login protection for Northwestern systems. The University continues to be proactive in using various technologies to further protect personal employee data and the data of the entire University community. As members of the University community, it is everyone's responsibility to take steps to protect your NetID and password, which ultimately protects access to sensitive information on Northwestern administrative and departmental data systems.
Goals and Objectives
The Securing Northwestern Email project is part of Northwestern IT's continued commitment to maintaining consistent, effective, and secure delivery of services for the University community in a way that meets their needs efficiently, enabling them to be productive, while also safeguarding University data and information. It seeks to provide:
- Further protection of sensitive data, even in the event that a user NetID and password become compromised
- Mitigation against phishing attacks by preventing access to sensitive information
- Convenient security functionality on and off campus, via a variety of device types
The primary goal of the Securing Northwestern Email project is to continue to strengthen the security for Northwestern-managed email accounts. Specifically, we are introducing two changes that will reduce the impact of compromised email accounts:
- Activating Duo Multi-factor Authentication (MFA) for Microsoft 365 (formerly Office 365 or O365) applications—This enhancement impacts all students, faculty, staff, and affiliate accounts, as each Microsoft 365 application is in scope—including Outlook email, Teams, SharePoint, OneDrive, and Excel, among others. Authenticating with Duo MFA on Microsoft 365 will work the same way it does on other prominent, secure systems across Northwestern.
- Decommissioning support for Basic Authentication on Microsoft 365 applications—Most users' devices are already configured with Modern Authentication and will not notice any impact in access or use of Northwestern email or other Microsoft 365 applications. However, those who are using an older version of Outlook, or accessing email using something other than Outlook, may need to take action to ensure there is no disruption to email access from their computers and mobile devices.
Approach
The project will be accomplished in three phases:
Discovery: June 2020-August 2020
Pilot period to develop support documentation and identify known issues
Planning: August 2020–November 2020
Coordination with University schools and units to finalize the timeline and strategic process
Implementation: Fall 2020–Spring 2021
Partnering with University schools and units to deploy implementation beginning in late November 2020. All Northwestern University accounts will receive these changes by spring 2021.
Project Timeline
Phase | Description | Target Date | Status |
---|---|---|---|
Discovery |
Conduct pilots, garner feedback, finalize support documentation |
June – August 2020 | Completed |
Planning |
Collaborate with schools and units to determine timeline and process |
August – December 2020 | Completed |
Implementation | Work with schools to deploy the changes to all remaining University accounts | November 2020 – April 2021 | Completed |