May 24 2021

4 Tips for Higher Education IT Asset Management

Palmer College’s IT director shares how his institution secured nearly 7,000 internet-connected devices.

Palmer College of Chiropractic is the first and largest chiropractic college in the world. We have three campuses — in Iowa, California and Florida — serving 2,100 students and employing 500 people. And with that territory, we are in charge of securing nearly 7,000 devices that are connected to the internet on our campuses.

Given the nature of our institution, the risks are high. We must comply with not only the Family Educational Rights and Privacy Act, but also the Health Insurance Portability and Accountability ActGeneral Data Protection Regulation and the Payment Card Industry Data Security Standard.

With cyberattacks on the rise in many sectors, including education and healthcare, the processes and protocols we’ve implemented at Palmer College are likely relevant to university hospitals and other specialized higher education institutions. Here, we’d like to share our four most important tips for managing and securing IT assets.

1. Get Real-Time, Granular Visibility to Understand Asset Risks

The connected devices on Palmer College campuses include everything from laptops and printers to thermal imaging systems and security cameras. While faculty computers are relatively easy to monitor and update, securing internet-connected medical devices and operational technology is vastly more complicated.

We need these devices to educate our students. But many of these machines hold massive amounts of data, some of which is confidential and must be protected.

DIVE DEEPER: COVID-19 has altered student expectations for data privacy.

Unlike other higher education IT assets, medical devices and operational technology are expected to be in use for 10 years or more. These devices often run on older (sometimes proprietary) operating systems that can’t be easily updated or patched without taking them offline — and any time a medical device has to be taken offline, it’s costly to our college.

This created quite a conundrum for us, considering that any connected device can be compromised by cybercriminals. We realized it’s essential to have real-time, granular visibility into all the devices on our network at any given moment. Classifying the devices by make, model, serial number and operating system is also important. This level of detail will reveal the vulnerabilities each device brings, such as recalls or obsolete operating systems that could be easily compromised.

This aligns with the framework set by the Center for Internet Security; the No.1 step to securing your enterprise is to have proper visibility into each asset.

RELATED: Learn how to centralize control and increase visibility with SDN. 

2. Know Where Your Assets Are in Your Network

While it’s important to profile devices in granular detail, along with the risks they bring, this step alone is not enough. You also need to understand where each device is in relation to your network’s topology.

Understanding a device at a network topology level (such as VLAN or subnet) is important for security and compliance. For example, you don’t want a lab device to be on the same VLAN as a vulnerable vending machine because one contains sensitive data.

As a part of your incident response strategy, you need to be able to quickly locate exactly which building, hallway and room a high-risk device is in. If you’re trying to segregate a potentially compromised device, you might also want to know the VLAN and subnet associated with the device so that you can create the appropriate segmentation policies to isolate the machine.

Having a real-time asset inventory can potentially save you from wasting hours locating devices during an emergency.

MORE ON EDTECH: Learn these Defense-in-Depth strategies.

3. Know How Your IT Assets Communicate

Unlike users, devices have very specific communication patterns. If you understand what the normal baseline behavior is, you can detect unusual behaviors that may indicate a potential compromise.

You will also want to map device communication patterns so you can monitor devices that are communicating to the internet or those that are using supervisory protocols (such as Remote Desktop ProtocolSecure Shell or Telnet). You can even use these communication patterns to ensure devices are working correctly.

For example, are your managed devices communicating to the anti-virus update server? Integration with Active Directory also enables you to monitor which user is accessing what device and when, correlating this data with the network they logged in from and maintaining an accurate access record for each device user.

Before finding an automated solution, we used a security information and event management system to identify suspicious traffic, and we manually matched IP addresses to VLANs and switches to find devices. Obviously, this approach couldn’t scale.

To make asset inventory and management feasible for all three campuses, automation and machine learning are required. At Palmer College, we used Ordr to help us automatically identify devices, visualize exactly where they are and see what they are communicating with.

It used to take our team several days to find devices or to identify issues with network topology deployments, but through machine learning, this can be automated to scale. Our team can now easily ensure devices are on the right VLAN (and undergoing baseline normal communications) and identify potentially malicious behaviors with a click of a button.

4. Use Visibility to Build the Foundation for Enforcement

The most fundamental lesson is: You can’t protect what you can’t see.

But having visibility into your IT assets doesn’t simply mean knowing what the assets are. True visibility means seeing real-time, granular details about each connected device on the network. Understand the risks these devices bring, map out exactly what they are doing in the network and monitor how they are used.

With asset visibility as your foundation, you can start automating to secure these devices at scale. Knowing what your assets are doing — along with their network topology information — empowers you to create zero-trust policies that give devices the access they need while limiting exposure.

It all starts with visibility.

da-kuk/Getty Images