Institutions need to adopt a ‘trust no one’ cybersecurity strategy that addresses all users, devices and applications.
It’s clear that cybersecurity is a huge concern in the education sector. As one of the most targeted segments for cyberattacks, academic institutions are on high-alert when it comes to mitigating risks and staving off bad actors.
To provide the security that campuses require takes an A-to-Z strategy. A layered approach to network security can take advantage of key cybersecurity mechanisms. It’s essential for academic institutions to develop and maintain a balanced approach to cybersecurity. If the security mechanisms are too rigid, people will look for ways to work around the procedures intended to protect their devices, data and applications. They’ll just add their own unauthorised devices and applications to avoid lengthy cybersecurity checks and software updates so they can get things done faster. It’s what’s known as “shadow IT,” and it can create vulnerabilities and open networks up to cybersecurity threats.
Assess your risks
Before you start developing a cybersecurity strategy, you should understand and assess the risks your institution faces today. As you go through the risk assessment process, keep an eye out for the following common pitfalls:
• IoT devices that are not managed by IT. These “rogue” devices often don’t comply with security policies, run outdated firmware and have no antivirus protection, increasing their opportunity to be used as an entry point for attack.
• Unauthorised equipment and personal devices that access the network. As mentioned previously, these “shadow IT” devices could be running any software and could already be infected with viruses and malware ready to attack the network.
• Inconsistent security policies. Inconsistencies introduce weaknesses in network protection that can be targeted by untrusted parties.
• Networks with static security segmentation and implicit trust. These traditional approaches to cybersecurity allow users, devices and applications that were initially trusted, to attack the network with no checks to verify they should still be trusted. They also assume cyberattacks cannot come from within, which is not the case.
Know your regulations
In addition to understanding the risks at hand, institutions need to identify and review the privacy regulations that must be met for data that travels over their network, as well as the access control lists (ACLs) and firewall policies for data that is stored in the cloud.
When reviewing regulatory requirements, it’s important to consider national and international privacy regulations. For example, in the U.S., academic institutions must comply with the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA). And they must also remember that the European Union (EU) General Data Protection Regulation (GDPR) applies to all institutions whose enrolment includes students from the EU, no matter where it is located.
Get to zero
Academic institutions must move beyond traditional ‘moat-and-castle’ network security strategies to ‘zero trust’, which means trusting no one, no device and no application. However, evolving to a Zero Trust Network Access (ZTNA) strategy is a journey. There isn’t a single solution that can simply be purchased and implemented. It takes time to implement a full zero trust environment across all technologies.
Following the five-step approach to ZTNA cybersecurity, outlined in my previous blog — including monitoring, assessing, planning, simulating and enforcing — allows academic institutions to realise important benefits across all aspects of their operations. While the most obvious benefits are related to preventing and detecting unauthorised network access, there are numerous educational and business benefits as well, including protecting students’ personal information and welfare, and circumventing financial hardships — the list could go on and on.
From a technology perspective, comprehensive network access control lists, and role-based access control, provide the ability to authenticate every connection and assign permissions to each user and device that accesses the network. As a result, institutions get a granular level of protection that makes it far more difficult for rogue users and devices to access network resources and data.
Using micro-segmentation to further segment user traffic within a macro- segment also enables more granular control of user and device access to reduce the risk of an attack running rampant throughout the network. With micro-segmentation, user traffic within a macro-segment, such as a VLAN, can be separated based on factors such as time of day, access location, user profile such as a student, faculty or administrative staff and other access controls. The same security policy follows the person no matter where they are, allowing the institution to cast a more unified approach to cybersecurity.
Underpinned by experience
Working with a partner who can provide expert insight and guidance as well as proven cybersecurity networking solutions goes a long way to getting things right. At ALE, we’ve helped educational institutions around the world develop their cybersecurity strategies. We understand the steps that must be taken, and we work to provide the secure networking solutions that meet your goals.
We’re a trusted partner with academic institutions around the world. A few examples include, California State University in the U.S., Centro Paula Souza in Brazil, and Linköping University in Sweden, where our smart, resilient networking solutions provide the security, high speeds and performance users need to work safer, better and faster.
Learn more about ALE secure networking solutions for educational institutions.