July 11, 2017
TO: Vice Presidents, Vice Provosts, Deans, Directors, Department Heads, and Managers
FROM: Sally Kornbluth, Provost
Tallman Trask III, Executive Vice President
RE: Security requirements for Duke-owned computers
Last year we communicated with you about enhanced security measures to protect Duke’s systems, sensitive data, and the accounts of Duke faculty and staff.
Since that time, all Duke faculty and staff have been enrolled in multi-factor authentication, which was expanded last week to protect access to Box and DukeHub. By the end of the summer, multi-factor authentication will be required for off-campus use of web mail clients and VPN (encryption for network connections). Duke’s encrypted on-campus wireless network, “Dukeblue,” is in place and will completely replace the “Duke” WiFi network this August. Lastly, we have made great progress configuring Duke computers and mobile devices to use locally-operated security management systems. To date, over 14,000 computers have been enrolled in one of the campus security management systems (BigFix, SCCM, Casper and Symantec Endpoint Manager).
In light of recent cybersecurity activity, however, it is clear there remains more to do to protect our systems, data, and user accounts. In particular, there are still several thousand Duke-owned computers on the network that are not enrolled in the locally-operated security management systems and are not (with certainty) receiving security upgrades. Because of the risks posed to our systems by computers utilizing outdated software, we have asked the IT Security Office and OIT to coordinate with school and departmental IT staff to complete the enrollment of all Duke-owned computers in the campus security management systems by September 30, 2017. Enrollment will enable departmental IT staff to actively manage security software updates and applications but provide no accessibility into document contents, browser history, etc.
Enrollment in a campus security management system is not currently required for personally-owned computers and devices. However, full access to the Duke network will be restricted in the coming months to protect Duke systems from the risk unprotected personal devices pose.
We have also asked OIT to provide support for research labs and lab equipment that may need to be protected in a different manner. For example, under special circumstances and with approval from a school Dean, certain computers may be authorized to operate a monitoring status only within these tools, which provides high-level reporting related to the condition of the operating system, software patches and anti-malware defenses but which leaves the management of the computer under the control of the faculty or staff member designated as responsible for the machine. Schools or departments will determine whether the user of the computer is also able to install and manage software on the individual computer or needs assistance.
Please inform your faculty and staff of this new requirement, and encourage them to contact their local IT support personnel to enroll their computers in the management program as soon as possible. Devices that are not enrolled in one of these security management systems by September 30, 2017, will be subject to removal from the Duke network. Enrollment of personally-owned devices in a campus security management system is not required at this time, but we may need to adjust this at a later date or evaluate other protections for those devices.
Thank you for your help with the continuing efforts to keep Duke safe and secure.