Device Registration Applies Zero-Trust Principles To Bolster Security
Access management is a must-have, and it’s become so common that the complaints about being forced to use multifactor authentication have quieted, especially as university communities become more familiar with the risks of cybercrime.
Authenticating devices is equally critical to IT teams. Cataloging the Media Access Control (MAC) address of every one of those devices is step one toward getting it onto a secure campus network. From there, just as with user authentication, each device must be verified by a credentialed user every time it tries to connect. That way, if — or, more likely, when — a user’s credentials and/or their device are compromised, the suspect MAC address can be tracked down and the offending device quarantined.
This is only possible, however, if higher education network environments are properly segmented. A freshman who just moved into a dorm room can’t, under any circumstances, connect to the same network that stores financial information for the college, for example.
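As an added illustration (not code from the article or any vendor), the steps just described as a small Python model: a MAC-keyed device catalog, a per-connection credential check, a segment policy that keeps the dorm network away from the finance network, and quarantine by MAC. The segment table, device names and users are constructed assumptions.

```python
import re

# Simple MAC-address syntax check; forms like aa:bb:cc:dd:ee:ff or AA-BB-CC-DD-EE-FF.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

# Constructed segmentation policy (assumption): which segments a device placed in
# a given segment may reach. Dorm devices never reach finance; public safety is isolated.
REACHABLE = {
    "dorm": {"dorm", "internet"},
    "finance": {"finance", "internet"},
    "public-safety": {"public-safety"},
    "research": {"research", "internet"},
}


def normalize_mac(mac):
    """Reject malformed input and canonicalize so one device has one catalog key."""
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return mac.lower().replace("-", ":")


class DeviceRegistry:
    def __init__(self):
        self.devices = {}  # mac -> {"owner", "segment", "quarantined"}

    def register(self, mac, owner, segment):
        mac = normalize_mac(mac)
        self.devices[mac] = {"owner": owner, "segment": segment, "quarantined": False}
        return mac

    def quarantine(self, mac):
        """Track a suspect MAC back to its owner and block further connections."""
        dev = self.devices[normalize_mac(mac)]
        dev["quarantined"] = True
        return dev["owner"]

    def connect(self, mac, user, mfa_passed, target_segment):
        """Decide one connection attempt; returns (allowed, reason)."""
        dev = self.devices.get(normalize_mac(mac))
        if dev is None:
            return False, "unregistered device"
        if dev["quarantined"]:
            return False, "device quarantined"
        # The MAC is only an inventory key; the credentialed user check is the authentication.
        if not mfa_passed or user != dev["owner"]:
            return False, "credential check failed"
        if target_segment not in REACHABLE[dev["segment"]]:
            return False, "segment not reachable from device segment"
        return True, "ok"
```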
Network Segmentation Keeps the Most Valuable Data Safe
One of the reasons higher education is such a frequent target for cyberattackers is that educational networks are open by design. That’s counter to the zero-trust philosophy but central to the higher education philosophy that promotes collaboration, free thought and transparency. Those things aren’t likely to change anytime soon.
So, if higher education networks are going to be more open and vulnerable, packed with users who may or may not have great cyber hygiene, there are going to be breaches. The goal becomes limiting the damage from those breaches.
Think about public safety offices, which have IoT cameras, license plate readers, biometrics and other tools they use around campus. Those devices must connect to a network, but not the main university network, since a whole host of protected data is collected by those devices. They need their own network, data storage — on-premises or in the cloud — and credentialing procedure. The same goes for a researcher organizing a project, especially one that leans heavily on technology or whose subject is technology itself. Those findings are proprietary to the researcher and/or the institution, and in some cases could also be privileged information (a university contract with the Department of Defense, for example).
Keeping those two networks off the main campus network for students is crucial, as is separating those two networks — public safety and research — from each other. And there are countless other examples and potential complexities, for instance when research is being done across several campuses, or when a student holds a job in the financial aid office.
Segmenting networks requires some cooperation between central IT and individual offices and departments on campus, some of which may have been enjoying a certain level of autonomy when it comes to technology.
Cooperation is necessary because a clear roadmap must be available in case of a network intrusion. In some cases, a third-party partner can come in and offer managed services to conduct an assessment, draw a clean roadmap and recommend a plan.
If, for example, a device can be identified as the source of malware, it’s vital that the IT security staff and incident response team can look at that roadmap and understand which channels must be kept closed. Without the roadmap, it’s hard to tell whether an infected device has truly been isolated.