CERN deploys YubiKeys to protect admin accounts and server access

Protecting administrator accounts and access

As a large, world-renowned research organization, CERN needed to find a way to secure access to its most critical assets. Since the organization has many critical computing services as well as accelerators’ operations, account protection for administrators and operators became a top concern.

“We are permanently evaluating our security footprint, and while we keep improving our computer security, we identified that there were a certain amount of accounts that could be considered a single point of failure. This is why we chose to roll out multi-factor authentication.”

Evaluating the right 2FA solution

With future plans for deployment, it was important for CERN to select an authentication solution that was simple to use and could easily integrate into various systems. The organization adheres to a BYOD (bring your own device) policy, so flexibility to work with multiple operating systems including Linux, Mac OS, and Windows, was a key consideration for the organization. The goal was to be able to deploy a solution for all users with minimal backend requirements.

Given the impossibility to have one silver bullet in CERN’s academic environment, CERN reviewed several authentication options for users. They also wanted to consider a hardware authentication device for added convenience. Smart cards were initially considered, but they were too difficult to integrate due to the need for drivers, and expensive readers.

In looking for a simple and robust solution, the CERN team selected the YubiKey, which met all of the pre-established usability and integration criteria.

The YubiKey could easily integrate with any existing system or client, and seamlessly provide protection to the user by just one touch of the key. This made the YubiKey easy to deploy from the user perspective. Not only did this eliminate the need to change anything about the devices, or systems used by employees, but it also allowed CERN to maintain their own deployments on the server side.

“We chose YubiKey because we found that it integrates rather easily with any operating system and with any client. We could therefore deploy it for all of our users, without having to change anything from the user side.”

Implementation of the YubiKey

In 2012, the initial YubiKey implementation took place over the course of a few short months, with a concentrated deployment to the CERN Computer Security Team. Since then, the YubiKey deployment has expanded to a larger audience within IT and beyond, starting with Windows administrators. Currently, the YubiKey is used as one of several multi-factor authentication tokens during single sign-on for web applications and for SSH login to servers.

“With regard to YubiKey deployment and usage, if our staff don’t say anything, that’s a sign they are generally happy. Given the silence, the YubiKey has been quite a success.”

The future of strong authentication at CERN

Moving forward, CERN plans to roll out YubiKeys to the larger organization including all administrators in the IT department and some users with administrative access to systems in the data center outside of the IT department.

“This is where the security team has its main task. To find the right balance between an enhanced level of security using multi-factor authentication, including the YubiKey, and a deployment of the solution which is as easy for our broader user community as the administrators, so our users will not start looking for other ways around it.”

CERN’s accelerator complex is subject to a long shutdown, which begins at the end of this year and lasts for two years, making it the ideal timeframe to explore additional YubiKey deployments and use cases.