In addition to your devices, know your policies, procedures and device security technology: Are they adequate to minimize risk? Pay special attention to:
- Zero trust. The zero-trust model assumes that no one and nothing, inside or outside the network, should be trusted by default. This calls for strict access controls, continuous monitoring and identity verification.
- Identity management. Implement multifactor authentication (such as Cisco Duo or Okta), passwordless authentication (ForgeRock) and step-up authentication (IBM Security Access Manager) when needed for access to especially sensitive data. Authentication and authorization policies should call for user identity verification before granting access to resources.
- Encryption of data at rest and in transit. Be sure to consider user phones, laptops and USB sticks — in short, any device where the loss of data could cause damage or distress.
- Patch management. Policies should ensure that operating systems, applications and firmware are updated with the latest security patches. Look to solutions such as WatchGuard Patch Management and make sure licenses can scale to accommodate future growth.
Better Your University’s Infrastructure For Future State Innovation
How fast and to what extent do you expect the number of devices to increase over the next year? Five years? What changes will you need to make to your network and wireless infrastructure to support that many devices?
An important step in securely growing your infrastructure is to assess which security risks are likely to be most important in the future, both to your devices and to the network itself. Prioritize risks based on the impact they would have on your infrastructure and the mission of the university. Look to vulnerability assessment tools such as those from Fortinet and Tenable to identify known vulnerabilities in the operating systems, software and device configurations. Take needed steps to mitigate those vulnerabilities, and make sure that the solutions can scale as your device inventory grows.
Don’t neglect to segment the network, dividing it based on the sensitivity of the data and the requirements of different departments. This limits the ability of attackers to move laterally across the network, reduces the attack surface and contains breaches.