Content originally written and created for OneAffinity
One of the most challenging aspects of keeping a university network safe and productive is the inevitable security risks the student body brings.
Carrying their own devices and looking to collaborate, they often inadvertently compromise the network, typically after visiting malware-laden websites or unknowingly downloading malicious code. Campuses typically also have relatively relaxed access policies and little control over the devices that students bring to campus. The result is a long list of colleges that have had their security breached, including prestigious institutions such as Harvard University and the University of California, Berkeley.
It is a challenge that needs to be met with a coordinated strategy that encompasses education, segmentation, and remedial action. These steps don’t have to be taken in sequence, but they must be taken – the sooner the better for everyone who uses the network.
Educate your student body
Ignorance is the number-one enemy when it comes to network security, as students are often unaware of basic safe computing protocols and practices.
Education, through in-person outreach, authentication-screen messaging or online courses, can help ensure students are less likely to engage in practices that load their computers with the kind of malware you don’t want on your network. While students (and, let’s be honest, faculty members as well) can be careless, most don’t want to be the source of problems. Teach them to be your allies and you’ll cut down on malware infestations and support calls.
Segment and back up your network
It’s obvious that not every user needs access to every corner of your infrastructure. Modern authentication and network directory facilities make it easy to segment the network, so each individual element can be ring-fenced in the event of a security breach. Critical data should also be backed daily to the cloud, with information relayed to the provider encrypted.
In terms of individual devices, the key is to implement a configuration policy that requires any device that connects to the network to:
- Be up-to-date with application and OS versions.
- Have specific anti-malware protection
- Connect through a VPN.
- Meet any condition (or set of conditions) that administrators require.
Then the device can be routed to (and limited to) the specific network segments that the user’s network privilege allows.
Take remedial action, fast
Network administrators also need to be able to take remedial action fast. Device scans can be set up to quickly search for known malware or vulnerabilities and then quarantine the device on a ‘safe’ network segment (with no access to the rest of the network) until the infestation and vulnerability can be remediated.
At some universities, IT departments also find it useful to have ‘open scan’ days set up (often around the beginning of the term), where students can bring laptops to be scanned for malicious code and have anti-malware installed. These open days are also perfect for educating students.
Colleges and universities are defined by their academic freedoms, but they need to balance network security with this openness if their student body wants to enjoy the facilities and have a productive experience.