A shield in the clouds with the word "NetID" written on the shield.

UW beefs up login security by moving NetID service to the cloud

The Division of Information Technology has successfully completed the migration of the university’s NetID login service from on-campus servers to the Amazon Web Services (AWS) cloud platform. This strategic move significantly improves the service’s resilience against network outages and other disruptions, ensuring a more reliable and secure login experience for students, faculty and staff.

“This is an example of the work our teams in Core Services do regularly to keep our digital infrastructure running smoothly,” said Abrianna Barca, associate director of Identity and Access Management (IAM), which operates the NetID service. “We’re constantly looking for ways like this to improve the university’s security and resilience and make sure essential services remain available even during events like outages and attacks.”

Why move to the cloud?

Recent incidents on university campuses, including the multi-day network outage at the University of Michigan in August and attempted distributed denial-of-service (DDoS) attacks on UW’s network, prompted university technologists to take a fresh look at the campus’s digital infrastructure. While looking for ways they could “harden” mission-critical services, they found that hosting the NetID login service on local servers made it potentially vulnerable if the campus network was knocked offline. Since a growing list of essential cloud services (Canvas, Zoom, Google, Microsoft, etc.) rely on NetID authentication to function, even that hypothetical vulnerability posed too big a risk to ignore.

By migrating the NetID service to the cloud, the university gained several key advantages:

  • Enhanced protection from attacks: AWS Shield provides powerful defenses against DDoS attacks, safeguarding the NetID login service from malicious attempts to overwhelm it with bogus traffic.
  • Flexibility and speed: The AWS cloud infrastructure can quickly scale up or down to handle fluctuations in demand, ensuring smooth performance even during high usage periods.
  • Geographic redundancy: The university now has multiple instances of the NetID service running across different regions, ensuring the service will remain available even if a particular region experiences an outage.
  • Zero downtime: Using AWS cloud services ensures that the NetID service won’t have any planned downtime, even when updating software or replacing servers.

“As a world research institution, we have users logging in from all over the world at all times of the day. So there’s never really a ‘good time’ for NetID service to be down, even for a couple of minutes,” said Ryan Larscheidt, who led the cloud migration process as an IAM technical lead.

A phased and careful approach

Larscheidt and his team meticulously planned and executed the move to AWS, following a phased approach:

  1. Developing the AWS architecture: The team designed a secure and scalable architecture for the service on AWS.
  2. Making NetID login components AWS-ready: They adapted existing components to function seamlessly within the AWS environment.
  3. Creating a “portable” NetID login: They created an abstraction layer that hides the specifics of the underlying data sources, so the login service operates the same way regardless of the infrastructure beneath it.
  4. Incremental migration: The team migrated each component to AWS separately, allowing for thorough testing and rollback if needed.

The IAM team concluded the migration process this past fall after much checking and testing.

“The forethought by this team was impressive as they worked to mature and modernize the NetID login service. Our campus-sponsored IT services are so much more resilient than they were before this move,” said Todd Shechter, the university’s chief technology officer. “This is a significant step toward ensuring a secure and reliable digital learning and working environment for the entire UW–Madison community.”