TIER Contributor Profile - Richard Biever, CISO, Duke University
This month’s TIER Community Contributor Spotlight shines on Duke University’s Richard Biever. Richard got his start in IT in 1994 after graduating from the University of Georgia. He spent a number of years at PeachNet, the research and education network in Georgia, and was involved in the rollout of the network to schools and libraries across the state. He later joined Hewlett Packard and spent 10 years as a network engineer, hostmaster, and later security officer.
In 2007, Richard moved to Georgia Tech as the Security Policy and Compliance Manager, and he joined Duke in 2011 as the CISO, taking over the IAM team there in 2012. Duke’s current focus in identity and access management is to provide support for the account lifecycle, authentication and authorization, self-service tools for individuals to manage their accounts, and integration efforts to make use of federated single sign-on. Key tools include Shibboleth (and SP registration), Grouper (group management), and Duo Security’s multifactor authentication service. A key project has been to integrate Duo into Shibboleth and other authentication front-ends with the goal of promoting and enforcing the use of multifactor.
“IAM is extremely important,” says Richard. “The team and systems we support are responsible for the electronic identities of Duke faculty, staff, students, alumni and affiliates. We are responsible for the authentication mechanisms our community uses to access resources and for integration with the key systems of record (human resources and student information systems) as well as downstream services and applications.” For example, over the past year Duke has seen a greater need for external accounts to access some systems or applications. To meet this need, they’ve placed emphasis on the use of “Social to SAML” services, which allow external visitors to use their Facebook, LinkedIn, or Google accounts to authenticate.
Duke is not only a major proponent and supporter of TIER and Internet2, but actively participates in its development efforts. Duke’s CIO, Tracy Futhey, is on the Internet2 Board of Trustees, and the university has a developer heavily involved in Grouper, and an architect who is an active participant in the Scalable Consent project.
With regard to the importance of key TIER products, Richard states, “Shibboleth and Grouper have been a key part of our authentication and authorization strategy. Duke has over 3500 enrolled systems making use of Shibboleth, and it is a key part of our MFA effort.” Grouper is widely used by Duke for group management and authorization, with over 300,000 groups in use today.
“TIER and InCommon also play an important role, as our overall IAM strategy is to make use of the TIER components to manage Duke identities and supplementing authN and authZ mechanisms,” Richard says. “Since we are a big supporter of federation and federated identities, InCommon is a major partner for us.” In addition to the work above, Richard has contributed significantly to the TIER Security and Audit working group.
“It has been terrific to have Richard on the working group,” says Helen Patton, CISO at The Ohio State University, and the chair of the TIER Security and Audit Working Group. “He’s now leading the effort to perform threat modeling for the TIER products, and I’m confident he’ll do a great job for the community. His expertise has been invaluable.”