CW Innovation Awards: Balancing security and user experience

The National University of Singapore’s Safe initiative has strengthened the security of IT systems and end-user devices while prioritising user experience through passwordless access

The National University of Singapore (NUS) has embarked on a two-year project aimed at protecting its user community, systems and data against cyber threats.

Dubbed Safe (Security and Freedom for Everyone), the initiative, which comes on the back of the looming cyber threat landscape, not only serves as a defence and detection tool, but also delivers a good user experience for students, staff and faculty members.

The S$3.2m project, fully endorsed by the university’s senior management, included fortifying security protocols across more than 430 IT systems. The first phase was initiated in July 2023 and met its allocated budget and timeframe for completion by December 2023. The second phase, which started in January 2024, is expected to be completed by the end of 2024.

“We believe the Safe project was a success because we balanced cyber security with user experience. This unique approach prioritises both security and user satisfaction, fostering a culture of security awareness and cooperation within the NUS community,” said Candice Khor, programme lead of Safe and associate director for student systems at NUS.

Safe objectives

The Safe project was guided by three objectives. The first was to give staff and students access to NUS systems and applications without using passwords. This mitigated risks associated with breaches and phishing attacks, which often stem from password-related vulnerabilities.

Passwordless login was achieved through exchanges of cryptographic certificates, which not only addressed risks associated with weak or stolen passwords, but also enhanced user experience, making it safer, faster, and more convenient.

The second objective was to implement multi-factor authentication (MFA) using Microsoft Authenticator to replace a legacy two-factor authentication (2FA) system. MFA added an extra layer of security, acting as a digital guardian against compromised passwords and phishing attempts.

This solution seamlessly integrated with Microsoft 365 and modernised the previous 2FA infrastructure. It provided secure user access to NUS’s critical services, as well as applications such as Microsoft Outlook, Microsoft Teams and Zoom.

Finally, NUS implemented VMware’s Workspace One to protect end-user devices by ensuring that only trusted devices will be able to access critical applications, including its travel and claims management system. Trusted devices can also access intranet resources, even when off-campus, without the need to use a virtual private network.

Most of the work was developed in-house by the university’s internal IT team. Where possible, commercial off-the-shelf devices were used while software-as-a-service (SaaS) applications were handled by vendors. VMware furnished authentication services for Workspace One, while Microsoft Azure delivered Azure Active Directory authentication solutions for the MFA implementation.

Striking the right balance

To ensure the security measures implemented were accepted by NUS staff and students, the IT team strived to achieve a balance between cyber security and user experience. This helped to increase adoption and ensured high compliance by eliminating the need for users to look for workaround solutions to circumvent security measures.

Various change management strategies were employed. For example, the team designed a dedicated website to offer comprehensive information for users seeking insights on the project’s scope and benefits.

It organised roadshows, spanning all three campuses, to educate the community about Safe and used LinkedIn and Instagram to disseminate messages to target audiences. The team also conducted briefings and disseminated emails to NUS IT staff and various departments responsible for managing their respective applications.

Safe was featured on NUS Inside Stories and placed on the NUS Staff Portal website banner, improving the project’s visibility and generating buy-in from would-be users. The team collaborated with the NUS Students’ Union to foster meaningful engagement and discussion before and after the MFA roll-out.

Key learnings

One of the key learnings when embarking on such a complex and extensive project was to ensure that the initiative was divided into distinct and manageable phases, each delineating a specific set of tasks and supported by the right resources at every stage.

This enabled a controlled and systematic introduction of transformative changes, which minimised the risk of disruptions while facilitating effective management of the transition process.

Another key learning was to adopt a phased implementation approach, which was supported by a multidisciplinary team comprising key members across various NUS IT teams such as security, infrastructure, applications, service desk and communications.

The team treated data privacy seriously. It documented what data was collected, why the data was needed, how it would be used, and shared this information on websites and in knowledge articles. Additionally, the team provided other relevant resources such as the privacy notice from the university’s data protection office to reassure users that the Safe initiative complies with NUS policies.

Besides this, it benefited from engaging representatives from various departments as they acted as project champions and helped with the communications and roll-out of the changes to their departments. “We’d like to acknowledge the unwavering support from NUS senior management, which was pivotal in the project’s triumph,” said Khor.
