Nov 13 2023

How to Manage Unmanaged Devices in Higher Ed

Personally owned and Internet of Things devices can leave university networks vulnerable to cyberthreats.

The modern higher education network landscape is a complex mix. Institutionally owned and managed devices exist alongside personally owned devices. Data and applications are spread across the institution’s on-premises network and multiple vendor-hosted cloud environments. Connections to research and educational networks make a network perimeter harder to define, and the Internet of Things presence is growing as everything from door access to telephony to classroom occupancy monitoring is shifting to the campus data network.

In a pre-pandemic Forrester survey, 69 percent of respondents estimated that at least half of the devices on their networks were either unmanaged or IoT devices outside their visibility, while 26 percent said they had three times as many unmanaged devices as managed devices on their networks. The post-pandemic landscape of remote teaching and learning is doubtless even more dominated by personally owned and unmanaged devices.


Access Management Tools Protect Colleges from Unmanaged Devices

Unmanaged devices represent several risks to the institution. Unpatched software, malware and poor security configuration can put both user and university data at risk. Additionally, a compromised personal device may lead to lateral movement, where an attacker leverages a user’s access to install malware or gain further access to the institution’s resources.

There are technology and policy approaches that can help reduce the risk posed by unmanaged devices. Secure service edge is a security architecture that focuses on establishing secure enclaves of resources and includes supporting technologies such as zero-trust network architecture and cloud access security brokers. It may also include network-level controls such as software-defined perimeters, software-defined WAN and Firewall as a Service.

These technologies generally operate on principles that are laid out in the National Institute of Standards and Technology’s Special Publication 800-207, which says that access to enterprise assets is granted on a per-session basis, and that access to resources is determined by dynamic policy, including client identity, application/service and the requesting asset. It may also include other behavioral and environmental attributes.

In practice, this means that access is evaluated every time it’s requested. No assumptions are made about trustworthiness based on a device’s location or ownership.

Security Software and Processes Can Help Manage Risk

Zero-trust network access is a critical technology strategy for managing risk related to unmanaged devices. Breach is assumed in a zero-trust architecture, and access can be evaluated using a combination of user identity, device health, network location and risk tolerance.

Zero trust could be used to deny access to critical resources from unmanaged devices, to impose multifactor authentication if the user is accessing the resource from an unusual device or location, or to require the user’s device to be patched before access is allowed.
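The per-request evaluation the two preceding paragraphs describe can be made concrete with a small policy function. The following is an added illustration written for this article, not code from NIST SP 800-207 or from any zero-trust product; the resource classifications, request attributes and decision names are all constructed.

```python
"""Added example: a per-request access policy evaluator in the spirit of the
NIST SP 800-207 principles quoted above. Resource tiers, attribute names and
sample requests are constructed for this illustration."""
from dataclasses import dataclass

# Constructed data-classification tiers a campus policy might assign.
RESOURCE_TIERS = {
    "library-catalog": "public",
    "lms": "internal",
    "student-records": "restricted",
    "hr-payroll": "restricted",
}


@dataclass
class Request:
    user: str
    resource: str
    device_managed: bool       # institutionally managed vs. personally owned
    patched: bool              # device health as reported by the client/posture check
    mfa_done: bool             # has MFA already been satisfied in this session?
    network: str               # "campus" or "external"; recorded but never trusted on its own
    usual_device: bool = True  # has this user been seen on this device before?
    usual_location: bool = True


def evaluate(req: Request) -> dict:
    """Evaluate one access request and return a decision with its reason.

    Every request is evaluated afresh; nothing is assumed from network
    location or device ownership alone. Checks run from the most
    restrictive to the least.
    """
    tier = RESOURCE_TIERS.get(req.resource)
    if tier is None:
        return {"decision": "deny", "reason": "unknown resource"}
    if tier == "restricted" and not req.device_managed:
        return {"decision": "deny", "reason": "restricted data needs a managed device"}
    if tier != "public" and not req.patched:
        return {"decision": "remediate", "reason": "device must be patched before access"}
    if tier != "public" and not req.mfa_done and not (req.usual_device and req.usual_location):
        return {"decision": "mfa_required", "reason": "unusual device or location"}
    return {"decision": "allow", "reason": f"{tier} resource, checks passed"}


if __name__ == "__main__":
    r = Request("jdoe", "lms", device_managed=True, patched=True,
                mfa_done=False, network="external", usual_device=False)
    print(evaluate(r))
```

The ordering of the checks is the design point: a personally owned device is refused restricted data before patch state or MFA are even considered, while a public resource is reachable from anything. Real deployments would feed `device_managed` and `patched` from a posture service rather than trusting client-supplied booleans.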

Cloud access security brokers operate as a form of application proxy, where access to a cloud resource is brokered through a security layer that can impose the same types of security checks as zero trust, but in the context of a vendor-hosted cloud application. For unmanaged devices, a lightweight client may be required to enforce the institution’s conditional access policies.


Software-defined perimeter, software-defined Wide Area Network and Firewall as a Service are technologies that can impose a virtual network topology over an untrusted physical topology. In the Cloud Security Alliance’s SDP architecture, for example, the data plane and control plane are separate, and an always-drop firewall will not permit any communication until the control plane has evaluated the request and determined that it’s allowed.

This functionality is especially important for managing IoT devices that may not be capable of running a client or being joined to an Active Directory domain, or whose software configuration is managed by an external vendor.
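To show the always-drop behaviour described above, and why it suits IoT devices that cannot run a client, here is an added toy SDP gateway. It is an illustration written for this article, not the Cloud Security Alliance's reference code; the device names, service names and session lifetime are constructed.

```python
"""Added example: a toy software-defined-perimeter gateway. The data plane
drops everything until the control plane has authorized the exact
(client, service) flow, and authorizations expire. Names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    client_id: str
    service: str


class SdpGateway:
    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        self._allowed: dict[Flow, int] = {}  # Flow -> expiry timestamp

    # Control plane: consults policy, then opens a single flow for a limited time.
    def authorize(self, client_id: str, service: str, now: int, policy) -> bool:
        """policy(client_id, service) -> bool is supplied by the controller."""
        if not policy(client_id, service):
            return False
        self._allowed[Flow(client_id, service)] = now + self.ttl
        return True

    # Data plane: default drop; only an unexpired, explicitly opened flow passes.
    def forward(self, client_id: str, service: str, now: int) -> str:
        flow = Flow(client_id, service)
        expiry = self._allowed.get(flow)
        if expiry is None or now > expiry:
            self._allowed.pop(flow, None)  # clean up stale entries
            return "drop"
        return "forward"


def demo_policy(client_id: str, service: str) -> bool:
    """Constructed policy: a door controller may reach only its vendor's
    management service; a lab PC may reach the LMS and that service."""
    allowed = {"door-ctl-7": {"vendor-mgmt"}, "lab-pc-12": {"lms", "vendor-mgmt"}}
    return service in allowed.get(client_id, set())


if __name__ == "__main__":
    gw = SdpGateway(ttl_seconds=60)
    print(gw.forward("door-ctl-7", "vendor-mgmt", now=0))      # drop: not yet authorized
    gw.authorize("door-ctl-7", "vendor-mgmt", now=0, policy=demo_policy)
    print(gw.forward("door-ctl-7", "vendor-mgmt", now=10))     # forward
    print(gw.forward("door-ctl-7", "vendor-mgmt", now=61))     # drop: expired
```

Because the device itself never participates in the control plane, an agentless IoT endpoint such as the door controller can be confined to one destination purely by what the controller opens for it.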

Desktop as a Service is an important complement to these technologies. Desktop and application virtualization can provide a secure environment for end users and can be used to prevent data exfiltration by blocking clipboard, USB drives, shared storage and mapped drives between the host and the virtual environment.

This is particularly important in the case of privileged access workstations, which are used to segment administrators’ logins to avoid caching privileged credentials on local workstations that can then be used in “pass the hash” attacks.

Security log analytics is another critical capability for institutions. Security incident and event monitoring systems act as log aggregators, analyzing events from many systems and helping to correlate security information. Security orchestration, automation and response systems can be used to automatically take action based on security events, such as blocking a malicious endpoint. Extended detection and response tools, including CrowdStrike and the Microsoft Defender family of products, can correlate threat intelligence across the security community and apply the intelligence in real time to a customer’s environment.
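As an added illustration of the aggregation, correlation and automated response described in this paragraph, the following script parses events from two constructed log sources (a VPN gateway and an endpoint agent), applies two correlation rules, and emits SOAR-style actions. It is example code for this article, not the logic of any SIEM, SOAR or XDR product; the log format, hostnames, addresses and thresholds are all constructed.

```python
"""Added example: a miniature SIEM-style correlation with a SOAR-style
response. Log lines, field names, hosts, IPs and thresholds are constructed."""
import re
from collections import defaultdict

# Constructed sample events from two sources: a VPN gateway and an endpoint agent.
SAMPLE_LOGS = """\
2023-11-13T08:01:02Z vpn auth_failed user=jdoe src=203.0.113.7
2023-11-13T08:01:05Z vpn auth_failed user=jdoe src=203.0.113.7
2023-11-13T08:01:09Z vpn auth_failed user=jdoe src=203.0.113.7
2023-11-13T08:01:14Z vpn auth_ok user=jdoe src=203.0.113.7
2023-11-13T08:03:40Z edr malware_detected host=lab-pc-12 src=203.0.113.7 sev=high
2023-11-13T08:04:00Z vpn auth_ok user=asmith src=198.51.100.22
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<event>\w+)(?P<kv>.*)$")


def parse(text: str) -> list[dict]:
    """Normalize lines from any source into dicts with ts/source/event plus key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        ev = {"ts": m["ts"], "source": m["source"], "event": m["event"]}
        ev.update(dict(p.split("=", 1) for p in m["kv"].split()))
        events.append(ev)
    return events


def correlate(events: list[dict], fail_threshold: int = 3) -> list[dict]:
    """Two rules across sources: (1) a source address with >= fail_threshold
    failed VPN logins followed by a success; (2) any high-severity EDR detection."""
    fails: dict[str, int] = defaultdict(int)
    alerts = []
    for ev in events:
        src = ev.get("src")
        if ev["source"] == "vpn" and ev["event"] == "auth_failed":
            fails[src] += 1
        elif ev["source"] == "vpn" and ev["event"] == "auth_ok":
            if fails[src] >= fail_threshold:
                alerts.append({"src": src, "rule": "failed_logins_then_success", "user": ev["user"]})
            fails[src] = 0  # reset the counter once a session starts
        elif ev["source"] == "edr" and ev["event"] == "malware_detected" and ev.get("sev") == "high":
            alerts.append({"src": src, "rule": "edr_high_severity", "host": ev["host"]})
    return alerts


def playbook(alerts: list[dict]) -> list[dict]:
    """SOAR-style step: one containment action per distinct source, listing every rule that fired."""
    actions: dict[str, dict] = {}
    for a in alerts:
        actions.setdefault(a["src"], {"block_src": a["src"], "rules": []})["rules"].append(a["rule"])
    return list(actions.values())


if __name__ == "__main__":
    for action in playbook(correlate(parse(SAMPLE_LOGS))):
        print(action)
```

The value of aggregation shows in the output: neither source alone is conclusive, but the same address appears in both a suspicious login pattern and an endpoint detection, so a single block action covers both.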

Source: A Forrester Consulting Thought Leadership Paper Commissioned by Armis Inc.

Policy Changes Can Help Mitigate Unmanaged Device Threats

Policy and process are also critical to manage the risk of unmanaged devices. An institution’s security policy must establish clear guidelines for the classification of data and applications and impose standards for access based on those risk classifications. IT service providers across the university should be made aware of these requirements and receive appropriate training and assistance in ensuring their services are compliant.

Finally, end-user security training should include details about the risk that unmanaged endpoints can pose to the institution and the users themselves.

Unmanaged devices have long been a part of the higher education landscape, and their prevalence will continue to grow with the embrace of remote teaching and learning. Cybersecurity technologies, policies and processes will be critical for institutions to continue cloud adoption, remote work and hybrid service delivery models while managing risk and exposure.
