A Zero-Trust Approach Helps Higher Education Close the Security Gap

Share Post

If data is the new oil, as the saying goes, then universities are boomtowns. Groundbreaking proprietary research creates large sets of sensitive and highly valuable data, attracting national and international hackers. Students’ personal information and pristine Social Security Numbers, with direct links to their parents’ bank accounts, are stored at every college and university for current enrollees and alumni alike, that data can become easy targets for people with malicious intent. Millions of dollars for research funding, payroll and vendor payments flow through outdated commerce engines that can be redirected mid-flight if not protected.

Information security strategy remains the #1 most urgent issue to address for the last four years, according to Educause, the largest community of IT and professionals leaders in higher education.

A Growing Attack Surface
Cybersecurity in higher education is more challenging than in a typical corporation because universities have a long heritage of an open, collaborative culture. In many cases, tens of thousands of people are on campus day and night. Students, who live highly-connected digital lives, typically bring a half-dozen devices to campus – from laptops and mobile phones to printers, game consoles, wearables, mood lights, smart TVs and digital personal assistants.

Security challenges are increasing as forward-thinking universities and more and more facility departments are embracing industrial IoT. Building automation systems, including energy efficient APs, HVAC, emergency blue light boxes, and smart dormitory door locks make the campus greener and safer. Campuses have network-connected smart lighting, security cameras, vending machines and connected  laundry facilities. Even network-enabled garbage cans and rat traps can notify the facilities team when they’re full. But the IoT devices are often vulnerable.

Many well-regarded universities have been victims of data breaches and cyber-disruptions. Human error, social engineering, and inadequately secured email credentials are the most common sources of breaches in higher education, according to the Verizon Data Breach Investigations Report.

Cybersecurity is a challenge for higher education institutions everywhere. A recent penetration test of UK universities run by an education think tank revealed a 100% success rate of gaining access to institutions high-value data within two hours. A mere 15 percent of the surveyed universities’ IT and security staff rated their organization as eight or better out of ten for being well protected.

It’s Time to Modernize Cybersecurity
Modernizing cybersecurity is a growing effort across higher education. Cybersecurity can no longer operate on a “trust but verify” basis. Instead, institutions are adopting a zero-trust model that assumes that it has already been attacked, and the pertinent question is how badly. Zero is a proactive, security-by-design approach that can protect a university’s mission.

Here are four steps to take to secure the campus network.

1. Gain visibility into everything on your network. Universities have an incredible diversity of devices, from students’ laptops, smart speakers and gaming systems, to laser cutters and electronic scanning microscopes to electronic door locks. Most devices are not managed by the IT team. Oftentimes, these devices simply can’t run traditional endpoint security.

You can’t manage what you can’t see, so getting clear visibility into what’s connected to the network is the first step in reducing risk. Aruba ClearPass Device Insight gives IT managers visibility into all connected devices. With ClearPass, IT can accurately identify all wired and wireless devices, whether laptops and tablets, or difficult-to-detect IoT devices such as interactive whiteboards, 3D printers, temperature and environmental sensors, student ID cards and security cameras.

2. Use centralized policies to control network access. With centralized control over access policies, IT can assure a better experience for students, faculty, administrators and visitors while mitigating risk. All devices must be properly authenticated. If sensitive data is involved, such as research data or student’s financial information, IT must have the authority to restrict what kinds of devices connect, what types of traffic they can communicate, and to what locations.

Aruba ClearPass can discover, profile, authenticate and authorize users, their devices and IoT devices before allowing access to their digital resources. IT can control access by user device, role, location, application and time of day, enforcing appropriate controls.

Aruba supports WPA3, the successor to WPA2 authentication. WPA3 improves security and simplifies device onboarding. Nothing changes from the user perspective, but they get a truly secure connection. All wireless traffic is encrypted. WPA3 also makes it much easier to onboard IoT devices.

3. Segment the network intelligently. IT has long used network segmentation to enhance security, such as keeping visitor traffic separate from instructional applications or administrative applications. But setting up virtual LANs (VLANs) or access control lists is a painstaking manual process, and when a policy is changed, it can mean many hours of reconfiguring switches.

Instead, access policies can dynamically enforced throughout the network. Aruba Dynamic Segmentation is an easier way to establish and enforce that separation. IT can ensure that network access policies are enforced consistently for each user, device and application—whether in academic buildings, residence halls or the stadium. By policy, security cameras, building automation systems and other IoT systems can be limited to communicate only with the appropriate servers or cloud services.  With Dynamic Segmentation, enforced through the Aruba Policy Enforcement Firewall, IT can ensure that IoT device traffic is isolated, mitigating the risk that a hacked IP camera or printer could spread.

4. Use AI to detect attacks and response faster. Security teams work diligently to respond quickly to incidents, but their efforts are stymied by mountains of alerts and manual correlation to determine if a threat has real consequences. Artificial intelligence and machine learning can lighten the burdensome workload of security operations.

Aruba IntroSpect uses machine learning and analytics to continuously monitor any device with an IP address, and detect hidden attacks that bypassed traditional perimeter or endpoint security products. IntroSpect points IT staff to the biggest risks, so analysts can take action faster. IntroSpect can be integrated with the broader security ecosystem to take automated enforcement actions.

Smarter Networks
More than 2,500 universities around the world rely on Aruba networking and security to deliver a great user experience in a challenging environment. Aruba’s security framework gives IT teams an integrated way to gain visibility, control and advanced threat defense. Extensive protection is embedded within the Aruba wired and wireless infrastructure, gateways, and controllers to secure the physical network infrastructure.

The Aruba Policy Enforcement Engine was recently recognized by insurers for the ability to reduce risk. The new Cyber Catalyst program created by Marsh, the insurance and risk management firm, enables customers that adopt designated technologies to be considered for enhanced terms and conditions on cyber insurance policies from participating insurers.

Learn More About Cybersecurity in Higher Education
Read about Aruba’s security for higher education.

Educause Top 10 IT issues for 2019.