Question: What are some tips and guidance for educational entities to ensure the safety and security of their IT data? What steps can and must IT leaders in schools, colleges and universities take to protect their back-end data and information, and what should they be most aware of in the current threat landscape?
Educational institutions especially have unique challenges because of the large variety of different endpoints that are brought into their environments. It is critical that the IT data is segregated from the networks that can be accessed by these unmanaged endpoint devices (such as personal mobile phones, laptops, etc.). Once the IT data is isolated from the internal unintentional harm, the infrastructure security posture needs to be hardened by a modern and thorough unified threat management (UTM) system.
The key tip is to keep these UTM systems up to date and current to avoid new threats. For easier consumption of UTM services, a cloud-delivered UTM can be leveraged either instead of or in conjunction with on-premise-based UTM solutions. In either case, a managed UTM solution should be considered, as this will provide the security that the organization needs without significant IT effort, instead delivering the benefits as a managed service.
Schools are especially prone to ransomware attacks, due to the combination of weak security protocols, out of date computer equipment, and a lack of skilled staff. Digital infections can spread among school computers much the same as biological germs spread among students. Security is unfortunately quite a lot like a treadmill – it never stops. You can never arrive at a state of solid protection, because what was good enough yesterday won’t be good enough tomorrow. New vulnerabilities are continually being found. The need to invest in basic online hygiene is constant.
The best security leaders have given up on implementing perfect protection, focusing instead on Digital Resilience. It’s not possible to stop every attack, but it is possible to plan ahead for how you will withstand and recover from attacks. This requires detailed knowledge, ahead of the attack, about your whole network, so that you know how to recover when any part is damaged.
Schools plan for many different kinds of disruptions – extreme weather, earthquakes, etc. What all schools have in common is they are online, and this means planning for an online disruption is mandatory. A good way to start is by mapping out the school’s network of resources, to understand what depends on what.
Sivan Tehila, director of solution architecture, Perimeter 81
Cyberattacks are becoming more and more frequent and sophisticated, while at the same time many organizations are adopting cloud-based infrastructures. This is why cloud accounts are being targeted more than ever. The easiest way to hack into your cloud environment is by exploiting the cloud account credentials. As well, there are many different types of threats for cloud environments, such as cryptojacking, insecure APIs (application programming interfaces) and more.
However, insufficient identity access is the best vulnerability for an attacker to exploit. This is why we will probably see a high demand for identity providers and single sign-on capabilities and especially Zero Trust remote access solutions.
K-12 and higher education entities require different perspectives on their IT strategy compared to IT strategies for corporate campuses. However, there are common themes and major technology trends that create similar IT challenges for both.
The proliferation of personal internet-connected devices (primarily in the form of cell phones and other gadgets) and new web applications has caused various tectonic shifts that require similar fundamental changes in the security posture and campus connectivity strategies.
Corporations have tried to resist the use of personal connected devices within the office network environments and have tried to block the use of other unauthorized web applications even when used to serve some business need. This was an unfruitful strategy and the hidden shadow IT, as it is sometimes called, won this grassroots-driven trend. For example, employees started using the freely available file sharing apps (such as Dropbox, Google Drive, etc.) when their corporate-offered alternative lacked features and ease of use.
Similarly, employees continued to use their personal cell phones for business use cases when it was more convenient. Corporate IT had no choice but to embrace the fact that their employees would bring their own devices and in some cases adopt their preferred applications to solve their specific needs. This set of challenges also goes the other way, with corporate-provided connected devices finding their uses in personal use cases, such as corporate-provided laptops being used at home.
The solution for corporations is to modify their security posture and rethink their connectivity architectures to be able to support the new reality. These changing trends have meant a shift towards a no-trust security posture versus solely relying on an on-premise-based firewalling approach. It also meant starting to adopt software-defined network architectures, namely, SD-WAN (Software Defined Wide Area Networking), for managing and controlling bandwidth in their campuses.
Educational entities are in a similar situation when it comes to the proliferation of connected devices and the use of student-driven applications that can stress the wide area network bandwidth if not properly planned for. Therefore, it makes sense to look at some of the corporate solutions to these very same challenges to figure out how to handle the changing security environment and the increased pressures on bandwidth requirements.
Educational entities and campuses should also modify their security posture to have a zero-trust model whereby it is understood that solely protecting the perimeter of the network, although certainly required, is not enough for a completely secure network design. Unauthorized and uncontrolled devices (such as personal cell phones) will be present with all of their malware that may have collected over time and can create a threat from the inside of the network. Short of keeping these devices off of the network (which we know is not a practical solution) the next best option is to carve out and segregate the bandwidth available for such devices out of the network that the institution uses. By definition, all the sensitive data and resources will therefore be isolated and protected from any potential malware that may be on the personal devices.
This approach, which can be achieved with modern cognitive networking solutions in a highly cost-effective manner, will also provide the much-needed control of WAN bandwidth usage for both networks.
Once a software-defined approach is adopted, IT teams can take advantage of various other features that these modern technologies offer depending on the needs of their networks. For example, multi-WAN aggregation for additional capacity, adding premises-based or cloud-delivered UTM (unified threat management) security solutions and various others are some of the features that can be leveraged.
Even though at a high level corporate networks and networks of educational institutions are highly different with respect to their role, the important commonalities in the challenges both environments face allow both IT teams to learn and adopt solutions that the other has tried and tested.