Mobile credential technology allows students, faculty and staff to navigate campus securely and with ease using their smartphone or watch to make purchases, access their meal plan, attend events, check in to class and more. Listen to how Baylor University did it.
The computer-generated transcript is below:
Kevin Hogan
OK. Hello and welcome to the latest episode of Innovations and Education, where E Campus News explores the cutting edge advancements shaping the landscape of higher learning. My name is Kevin Hogan. I’m content director for Ecampus News, and I’m happy you found us. This month I had the pleasure to speak with John Allen. He’s the CIO and the C ISO at Baylor University. We talked about their latest implementation of mobile credential technologies, which allows students, faculty and staff to navigate the campus securely and with ease. Forget about lanyards and magnetic strips. It may seem like science fiction is some, but today’s university students expect to use their smartphone or watch to make purchases, access meal plans, attend events, checking the class. Even open and close physical locks. John definitely breaks down the various opportunities and challenges of putting some system like this all together. Have a listen. John, thanks so much for your time. I. John Allen
Really appreciate it. I’m happy to be here looking.
Kevin Hogan
Forward to it, and let’s dive right in. Let’s let’s give us a little background about yourself and and the work.
John Allen
That you’re doing happy to do that. So I’m John Allen Bennett, Baylor University. Full time over 24. Years now, most of that time has been in cybersecurity. I guess we called it information security. Previous to that, I was the first ISO Seeso, about 5 1/2 years ago. I assumed the role of CIO, so on both the CIO and the C soap here at the university, which is a fairly unique combined role. I often joke to myself that I argue with myself in my office all the time, because that’s what CIA goes and Csos are. Has to do being at Baylor University, obviously, higher education, very unique Environment, campus university because we have so many verticals within our world, right when you look at it, you have everything from education to research to entertainment to housing to dining. And so as a result, when you look at technology solution. So you want to make sure that you’re providing something that really crosses across all those mediums as much as possible, and all those different areas for us. Baylor historically was using a magnetic. ID card at our university. If you think about it, that’s the technology that we had all used for decades, whether it be for credit cards or on our drivers license or or anything like that, right. The world’s changed the expectations of of our faculty and staff and students has changed. People don’t like carrying physical cards when they’re going to the gym real quick or to a dining. All and the other reality is is the durability of a magnetic stripe isn’t really good, nor is the security. When we think about where that sits from, an ability to copy, duplicate, that sort of thing. Right? So we’ve been watching the marketplace around identification, mobile identification, prox identification. And really, over the last 10 years, it’s been a lot of ebb and flows, right. The new technology would come out. And within a year or two, you’d hear all that technology has been cracked. That’s not the technology to use anymore. And so we’ve really been watching that marketplace and me wearing my, my cybersecurity hat has been intrinsically interested in having a solution that’s not just more convenient, usable for our campus population. But is also more secure long term going forward. And so when you see the progress that’s happened with NFC mobile wallets with the new hardware from partners, software from partners such as Seaboard and Allegion, we really have an ecosystem. That checks all those boxes, right? So now all of a sudden we’re able to get to a place where entering your dorm room, going down and grabbing a meaning me a meal at the dining hall, going over to the library or the student Life Center. It can be your phone, it could be your watch all of a sudden, everything you need is contained within that electronic device and it’s in a secure method, right? And so overall, we were able to move the needle significantly. Sometimes people joke, you know, staying on the bleeding edge. Well, we stayed on the old edge so long that. Jumping to the new generation, we were really able to. Yeah, several generations of investments that others made that now we’re probably going to have to be looking at updating as a result, right. And so, yeah, I think it’s a sweet spot right now in this space and that that’s the reason we’re seeing this come to fruition in the way that we are.
Kevin Hogan The the pandemic have any effect in terms? Of the the. The implementation strategies I mean, did it accelerate? I mean, would you I keep hearing about High flex and about you know the new environments where students are remote and coming back on campus and now that there’s a continued sort of hybrid experience and that changed the way you thought about security at.
Jon Allen Associate Vice President & Chief Information Officer & Chief Information Security Officer
I think for us it was really an enablement that the vendors moved the needle a lot more during that COVID time, right? Right. Like if you think about it, everybody was talking about touchless more and more right and and how to enable touchless in a secure way. And so I think during that last four years, we’ve really seen an acceleration of the. Vendors providing solutions, not so much that that the hybrid work solution or hybrid learning was driving that. Is it great that I could, you know, eventually be able to provision a mobile ID for a remote student? Sure. That’s great. Most of our usages of that ID card read. They’re about access or about, you know, duping attack, right, doing a physical tap. Certainly people want to be able to show. Hey look I’m. A student. That’s awesome, right? Maybe there’s some discounts at some local retailers or things that you get as a result. But first and foremost, it was about the campus experience enabling convenience and higher levels of security. In that experience.
Kevin Hogan
So I I know you know, during the pandemic, again, cybersecurity as a topic continued to be a number one concern even with all the other things that were happening all around in the course of your day-to-day business. Did that become more of a difficult situation for you? Did you find yourself? Other duresses because of those threats.
John Allen
Ohh I take a very unique approach when it comes to to cybersecurity because of the role that I have, right. Most people look at cybersecurity as something over here. For me, cybersecurity is baked in to everything we do on a daily basis. Everything from when we’re procuring vendors to, you know. Implementing technologies to evaluating the way workstations are configured. Cybersecurity is everyone. Right. And and I have said this people think I’m probably a little bit crazy at this point, but I don’t know about you, but I’ve never heard of a chief Financial Risk officer, right? That’s not usually a role you see in organizations. But as a result of the very you know, still infancy that we’re in with the cyber world. The cybersecurity world, we have multiple roles, really representing one is an execution and the other one is a risk advice. Most CFO’s serve both roles. Most CQRS serve both roles and so I often wonder right if we don’t hit this space where all of a sudden this is conversation of a unified role that’s managing not only the operation but the risk in this space. It’s something that I think comes to mind when you look at a project like mobile ID. Right, this is really a holistic decision. It’s not just about cyber risk. It’s cyber risk was the only reason we were doing this project probably hard to move forward if. Only doing convenience and usability, right? It’s because it holistically checks all the boxes and that can be presented in a holistic view that it’s been able to be rolled out and successful in the way it is, right. And I think that’s off of the time you look at something, you know people. We’ll say, you know, oh, multifactor authentication, such a pain. It’s like, well, look at the alternative, right. The alternative is we have 25 character passwords that have uppercase, lowercase, numbers, symbols. Squirrel noise. Right. That’s not a convenient world. So in a lot of ways, moving to a multi factor authentication world and eventually, you know, a password. World is more convenient and more secure, and I think that’s one of the dynamics that we really need to be thinking about is anywhere that we can check multiple boxes, not just this is more secure if it’s just more secure a lot of times users will try to find ways to simplify IE. That security control that’s been put in place, but if you can get that magic bundle of it’s more secure and convenient. Users are gonna flock to it, right? That is a win win and I think us as as cyber practitioners both on the security and the operations execution side need to focus on those to make sure that those are the items that we’re really checking. I think if we look at it through a single lens, which as a result of the way we’ve kind of brought up this discipline is the way that a lot of times. That’s looked at. It makes it hard to make sure we’re accomplishing both sides of that coin.
Kevin Hogan
Yeah. Guess especially to considering the majority of your customers, your students and their expectations of both convenience and security, where they’re probably more concerned about the convenience and less about the security just of the human behavior, right.
John Allen
To some degree, I think you know. Security is becoming an assumption. If you think about it more and more, we aren’t in the culture of 10 years ago, right? We were kind of in a culture where, you know, breaches were happening. Everybody’s like, how could this be happening the sky. Falling. We’re in a culture now where I think the expectation both by regulation by audit requirements, right, is that most organizations, most operations are doing strong due diligence around cybersecurity. And so I think you know that doesn’t mean that bad things can happen. Certainly they can’t. But I think the expectations of our consumers are. We are doing what we should be doing across the board as organizations, not just in higher end, right? Yeah. If you’re talking with any business, right, the expectation is as you were running. Wrong practices to protect whatever your operation is, whether that’s availability of the data integrity, confidentiality. Those are the things that you should be working to make sure that you’re addressing on a consistent.
Kevin Hogan
Basis. Can you talk about the timeline of this implementation kind of give us a breakdown of from the beginning to where you are now?
John Allen
Yeah, absolutely. So if you think about it, one of the unique things with this technology implementation is you’re replacing physical hardware, right, every touch. Point needs to be able to support this new NFC based technology for Baylor. That’s golly. Thousands of touch points, right? And so when you think about that, you’re going out, you’re physically upgrading each of those touch points. In some cases, depending on what controller is behind that interaction point, that may have to be upgraded. Your point of sale systems need to be able to engage with that. Maybe your your housing system, maybe your dining system, potentially your library. So there’s a lot of different components around that for us. This project really was initiated last spring. It was a two year project. So we we have completed the vast majority of what those interaction points are. If you think about it, there’s kind of this big curve that happens. You have dining dorms, things like that. That’s where 8090% of your interactions happen with those touch points, right? And then you get to that nice little tail where? You got a lot. Of touch points maybe there, but their interactions are minimal, right? Yeah, they’re specific labs or things along those lines. And so maybe buildings that are only locked after hours that have card access, things like that. So we’re really at that tail now where we’re working on doing the transition for those interaction points that are much less. Volume is than the ones that we’ve initially rolled out. And so that has been a great piece, you know, still work to do. Sure we’ve got success, right. I mean the students are activating mobile ID at a rate that is is really significant. The feedback I think my help desk in the first week we released it had maybe 5 calls with over 1500 students had already activated. At that point, I’m not sure you see anything right with that sort of uptake and a minimal impact which tells you the two things. We’re working with digital natives, right? Yeah, right. They figure it out. But the other thing is it’s a well executed solution, right? It’s something that follows patterns and usages that that our population is used to. And so we’re gonna continue with that student rollout. There’ll be faculty staff that will be coming on board with that as well in the coming months. And ultimately, you know. The one of the questions I always get you know, are you still going to support a physical car? Or we have to right that for situations there may not be somebody who for whatever reason, they don’t have a physical phone. So yeah, physical cards will be supported, but I expect them to be in a very small minority because at the end of the day. This is what everybody wants to do. They don’t want a God in their wallet or, you know, wear their special necklace with their card hanging around their neck or want to sit there with their watch and just tap and go. And that’s the world that we live in.
Kevin Hogan
Any surprises any any particular challenges during the process that that came up that you can share that our readers and listeners can look out for?
John Allen
No, I think the biggest thing is, you know, making sure you get the full inventory. You know for us and if anybody’s coming off of mag stripe especially mag stripes of technology and I use technology very loosely, right when I talk. About bag strike. Anybody can go buy a $50 reader and and read the contents of a mag strike, and so making sure do you actually know where people are scanning that card and for what purpose? Right? Certainly, you know, the ones that are interacting with your integrated systems and those are the core focus. But are there any edge cases? Are there any cases? Then engaging the vendors of those integrated solutions and making. Sure. Are they ready? To support this technology right? Can they do the touch integration reader and connect back with the platform correctly to be able to do validation and all those sort of things? And what does that look like? So it’s really a multi stage process and I think because you’re working in an ecosystem and not just a single solution, you have to make sure that you do your. Due diligence and pre project work there and I think that’s where we were. We were able to do that and we had very few surprises as a result. But you know there was little things that popped up of, you know little niche thing in this quarter and you sit there and go. Ohh. OK, didn’t realize somebody was swiping the card for this purpose. Let’s go ahead and get them into another solution or talk through what that looks like going forward. So that’s probably the biggest one that that I was aware of.
Kevin Hogan Right. Any cultural changes that have to happen? We talked about the digital natives in terms of of the students probably having the expectation for these things to be on the devices, but how about another? Well, yeah. You mean they?
Speaker
So I think.
John Allen
The biggest thing, and this goes with technology as a whole, right. There’s this whole concept of change management and I laugh right. Ten years ago when we talked about change management in IT, it was making sure, OK it was your QR code Q8 before it was moved into production, right? Like that was change management who approved those change. Now it’s almost the opposite. When I talk about change management in my role today, it’s about the socialization, the marketing plan, the training plan, right, this. Whole new dynamic around technology enablement that now exists that didn’t previously and I think that is where a lot of the focus has to be because. There’s been a lot of good technology projects in the world that failed because they didn’t do change management. Right. They didn’t go through that process of properly socializing, getting feedback, providing. Training and and I think that’s a key piece of the culture now is, you know, we have a person that helps work and develop, OK, this is the marketing plan and this is what the feedback loop’s gonna look like. And this is how we’re gonna make sure if anybody needs to be trained, what that looks like. Our card office, big change for a card office that traditionally printed physical cards. So now they’re enabling online provisioning of the cards. What does that look like? What do those workflows look like? And so I think. That’s the biggest. Piece that you have to make sure to do is is enable that change management.
Kevin Hogan
Yeah. And I know I asked you before about in terms of the the timeline and the implementation with this kind of assumption that things were over and you said no, it’s you never really kind of done. Let me ask you as you look forward, do you have a A wish list going forward? Do you have hopes of where you’ve seen this continuous? Implementation and getting to another level.
John Allen
So I think it’s interesting from an authentication standpoint, right? The ID card is traditionally a place where there is vetting of the individual, right, just like a driver’s license or something else. It’s a strong credential. I do wonder, you know, long term, is there more in a passwordless world where the mobile identity can be leveraged? Certificate wise things like that right? A credential or further authentication into online systems and things I’m not aware of. Anybody doing that from from this mobile ID project standpoint, but it does make me think bigger picture is that a direction that makes sense, right? Is a more unified, we’ll call it the unification of what was traditionally a physical ID card to an online. Identity. I think that has some really interesting pieces to it, but I think there’s also a lot of complexities, right when you talk about that and what that could look like.
Kevin Hogan
Right. Well, we’ll say that for a couple of years when it comes to. Yes. And then we’ll talk. Great. Then we’ll talk about the chips in our neck, but we won’t have. To worry about it at. John Allen
All right, exactly.
Kevin Hogan
Well, John, thank you again so much for your time and for your insights. It sounds like it was a really powerful process that you’ve gone through with this, something that our our readers and listeners I know think about every day and I think this conversation. It’s been hugely helpful to them, so thanks again.
John Allen
Thank you. Appreciate it, Kevin. Appreciate the opportunity to. Share our experience.
Kevin Hogan
So that’s all for this month’s episode of Innovations and Education. Stay tuned for more episodes where we uncover the latest trends and innovations shaping the future of education. Be sure to go to ecampusnews.com to get all the latest and greatest news and insights of what’s happening in higher Ed. Once again I’m Kevin Hogan, and thanks for listening.
