Sep 22 2021

Establish a Long-Term Security Plan for Remote Staff and Faculty in Higher Ed

With more staff and faculty maintaining off-campus or hybrid work arrangements, colleges need a permanent strategy to secure data

The pandemic greatly expanded a practice that many institutions were already using, at least for some staff and faculty members: remote and hybrid work. When the pandemic made it critical to get all employees ready to work from home, institutions made that happen as best they could.

Going forward, the number of remote employees may not remain as high as it was last year, but it likely won’t fall back to pre-pandemic levels, either. For many colleges, that means establishing long-term practices to keep institutional data secure, no matter where staff and faculty are working.

Avoid VPN Pitfalls by Adopting Zero Trust

Zero trust means dropping the idea that VPNs or a physical presence on campus makes users more secure, and it’s a shift that’s happening in the IT industry. Getting remote faculty and staff off VPNs is a more focused approach to keeping institutional applications and data secure.

That said, the computing footprint in higher education — which may include many departmental applications developed without input from campus IT — makes this move difficult. The lack of common standards and requirements for authentication and access control create barriers to a shift to zero trust.

One excellent strategy is to segment off academic and research servers to isolate them, then offer secured, authenticated proxy services to sit in front of applications. That won’t solve all problems, but it can dramatically reduce the attack surface you present
to malicious users.

Why is zero trust part of keeping end users secure? It changes the focus away from tools like VPNs to truly securing the endpoints. VPNs can be a crutch, and they can encourage sloppy security habits. Using a combination of tools, including mobile device management solutions and endpoint security suites, IT staff can armor users’ devices and monitor compliance with institutional security policy.

When the VPN is gone, IT and the end user must look harder at how to secure the endpoint, whether that’s a laptop, desktop or mobile device. Centrally managed endpoint security may encounter some resistance from an independent academic community, so IT teams should be ready to defend the need and the value it delivers.

RELATED: Here are 5 VPN myths your end users need to know.

Standardize Tools and Configurations Whenever Possible

One of the challenges IT departments have had to navigate over the past year is balancing users’ individual preferences and the need for standard tools that meet specific security requirements.

The best examples of this are collaboration tools, such as email, chat and videoconferencing. By offering institutionally standardized tools that are already configured with better security, you can protect remote users who make heavier use of collaboration tools than they do when working on campus. Even if you can’t afford a campuswide subscription for some of these tools, you can prepare documentation and quick reference guides to help users secure their personal or free subscriptions.

For standardization, collaboration is the obvious category to start with. File sharing and drive synchronization are instances where a little security
goes a long way.

Security isn’t only about data security, however: Standards for cloud backups and other areas can increase the availability and maintain the integrity of institutional data.

Increase Control and Security With IAM

Higher education has always been at the forefront of federated identity technology for authenticating users, long before service providers such as Google and Microsoft got into the act. Now is the time to take that authentication service further with mandatory two-factor authentication, if your institution hasn’t done so already.

Identity is only the first half of the identity and access management equation, however. Authorization and access controls should be strengthened so that IT can deliver a full-fledged IAM solution covering as many applications as possible. Going all-in with IAM means changes across the institutional IT landscape, so any IAM program should also include considerable support for application developers in the form of training and toolkits.

How does this help to secure remote users? One benefit of IAM is the security it provides for institutional applications and sensitive information. IAM does so by offering more finely grained control over who can read or write certain data. With ransomware showing no signs of slowing down, a good IAM solution can help reduce the impact when a remote user’s desktop or laptop is compromised.

DIVE DEEPER: How to choose an Identity and Access Management solution for higher education.

Review Logging and Automation to Catch Potential Threats 

IT teams should also use the increased level of remote work to better automate security information and event management tools. Make sure that security logs from firewalls, servers and other network sensors are supplemented by workstation logs, especially for desktops being used by remote faculty and staff.

A good set of SIEM rules will help to catch end-user security problems early. The goal is to identify problems before too much damage has occurred and before an attacker can leverage access into a larger security breach.

Train Users to Separate Home and Work Computing

The need for security education doesn’t end just because people aren’t on campus, but the form of your training program may have to change. In fact, with people increasingly responsible for their own information security and with help desks no longer just down the hall, a solid security education program has never been more important.

Training should emphasize strong separation of home and work computing, phishing education and awareness, the need for continuous backups, and the importance of security updates to keep devices secure. Even great training and motivated users aren’t a guarantee against incidents, of course. The training should also make sure users know how to contact the college’s 24/7/365 tiger team for security emergencies. 

SARINYAPINNGAM/ iStock / Getty Images Plus