Why is zero trust part of keeping end users secure? It changes the focus away from tools like VPNs to truly securing the endpoints. VPNs can be a crutch, and they can encourage sloppy security habits. Using a combination of tools, including mobile device management solutions and endpoint security suites, IT staff can armor users’ devices and monitor compliance with institutional security policy.
When the VPN is gone, IT and the end user must look harder at how to secure the endpoint, whether that’s a laptop, desktop or mobile device. Centrally managed endpoint security may encounter some resistance from an independent academic community, so IT teams should be ready to defend the need and the value it delivers.
Standardize Tools and Configurations Whenever Possible
One of the challenges IT departments have had to navigate over the past year is balancing users’ individual preferences and the need for standard tools that meet specific security requirements.
The best examples of this are collaboration tools, such as email, chat and videoconferencing. By offering institutionally standardized tools that are already configured with better security, you can protect remote users who make heavier use of collaboration tools than they do when working on campus. Even if you can’t afford a campuswide subscription for some of these tools, you can prepare documentation and quick reference guides to help users secure their personal or free subscriptions.
For standardization, collaboration is the obvious category to start with. File sharing and drive synchronization are instances where a little security
goes a long way.
Security isn’t only about data security, however: Standards for cloud backups and other areas can increase the availability and maintain the integrity of institutional data.
Increase Control and Security With IAM
Higher education has always been at the forefront of federated identity technology for authenticating users, long before service providers such as Google and Microsoft got into the act. Now is the time to take that authentication service further with mandatory two-factor authentication, if your institution hasn’t done so already.
Identity is only the first half of the identity and access management equation, however. Authorization and access controls should be strengthened so that IT can deliver a full-fledged IAM solution covering as many applications as possible. Going all-in with IAM means changes across the institutional IT landscape, so any IAM program should also include considerable support for application developers in the form of training and toolkits.
How does this help to secure remote users? One benefit of IAM is the security it provides for institutional applications and sensitive information. IAM does so by offering more finely grained control over who can read or write certain data. With ransomware showing no signs of slowing down, a good IAM solution can help reduce the impact when a remote user’s desktop or laptop is compromised.
Review Logging and Automation to Catch Potential Threats
IT teams should also use the increased level of remote work to better automate security information and event management tools. Make sure that security logs from firewalls, servers and other network sensors are supplemented by workstation logs, especially for desktops being used by remote faculty and staff.
A good set of SIEM rules will help to catch end-user security problems early. The goal is to identify problems before too much damage has occurred and before an attacker can leverage access into a larger security breach.
Train Users to Separate Home and Work Computing
The need for security education doesn’t end just because people aren’t on campus, but the form of your training program may have to change. In fact, with people increasingly responsible for their own information security and with help desks no longer just down the hall, a solid security education program has never been more important.
Training should emphasize strong separation of home and work computing, phishing education and awareness, the need for continuous backups, and the importance of security updates to keep devices secure. Even great training and motivated users aren’t a guarantee against incidents, of course. The training should also make sure users know how to contact the college’s 24/7/365 tiger team for security emergencies.