IT teams responsible for network security in Universities, Colleges and Schools are experiencing more and more pressure to secure their networks from both external and insider threats.
According to the Open Security Foundation, 15% of data breaches since records began has happened at educational institutions. Last year saw the most reported compromised records in the higher education sector since 2006.
Considering the amount of both personal and financial data that academic institutions store, it’s perhaps not surprising that they’re the target of malicious activity.
Access values that define Education
The academic environment is often more difficult to secure than in conventional companies or organizations. The traditional culture of education promotes the free exchange of ideas and instant information access benefits the academic mission and goals of any educational institution. IT teams must find an appropriate way to balance these access values that define education whilst protecting and safeguarding data and information systems.
An open yet secure network
Striking this balance between an open yet secure network remains a challenge for all university, college and school IT departments. These complications have led to some staggering data breaches. The compromise of over 600,000 student records at the University of Nebraska (social security numbers, addresses, grades, financial aid) was perhaps the most reported incident last year and was the result of an insider attack – a user working inside the firewall.
The best way for universities to handle such network breaches is to implement a well thought-out system of network access control and identity management.
Securing a network of free access workstations
UserLock, a software solution from IS Decisions, gives organizations the ways and means to efficiently enforce network access security as well as optimize workstation usage. It offers genuine access security for Windows networks, by preventing possible student pranks and more importantly by thwarting malicious and/or careless users.
Prevent simultaneous sessions and stop password sharing
Despite the education and increased awareness, students continue to share credentials as there is no consequence on their own access to the network. Serious security flaws can be stopped by preventing simultaneous sessions and limiting students to only one possible Windows connection at any one instance. This stops rogue users seamlessly using valid credentials at the same time as the legitimate owner.
Make authorized students accountable for any malicious activity
Preventing simultaneous logins also makes legitimate users accountable for any illegitimate action they take – whether that might be student pranks or more serious insider attacks. It ensures access to the institutions critical assets is attributed to one individual avoiding situations concerning accountability and non repudiation. Policies and procedures can then be consistently enforced to address violations that do occur.
Control & Restrict Access that support the Institution’s policies
Faculty, staff, and students should be provisioned differently onto the network so the level of access granted is appropriate for each person’s role inside the academic institution. Furthermore visiting professors, teachers and students should be provisioned separately to ensure their access is discontinued upon their departure. Controlling user logins according to user, user group or organizational units are the first line of defense for a Windows network and login rights should (and can) be granted based on the role of the user within the organization.
Such restrictions should also take into account other criteria such as workstation or device (including personal devices), time, working hours and session type (including Wi-Fi and VPN).
For example, a student having managed to get a teacher’s credentials will be able to access confidential information (exam questions, results, etc…) from any workstation on the network. UserLock however will stop account misuse by allowing the administrator to define per user and per user group, the workstation(s) that they can or cannot use (by NetBIOS name / IP range). Thus, a student would not be able to login using a teacher’s credentials from a room equipped with free access workstations.
In the same manner, it’s possible to restrain access to administrative workstations (accounting, finance, etc.) from identified workstations or a predetermined set of workstations (e.g. those within the accounting department, a particular building etc.)
UserLock allows the implementation and strict enforcement of a User Access Control Policy through User Logins. You can control when, where and how long users access resources.
Empower IT with Remote session management
UserLock continuously monitors all login and session events, automatically applying custom policies to prevent or deny logins, workstation access and usage/connection time.
In the event of abnormal or suspicious behavior having been detected on a workstation, UserLock will allow the administrator to remotely disconnect the user or lock the session from a central console or any online computer.
Control student Wi-Fi sessions and offer security to BYOD.
Allowing students and staff to use their own devices – and therefore untrusted devices – access to the organizations resources is not without risk. As UserLock secures network access across all session types, including Wi-Fi, it permits an organization to control their wireless networks and offers security to bring-your-own-devices.
Optimize the use of free access computers
In addition to efficiently enforcing network access security, UserLock optimizes workstation usage.
Restrict users to a single session at a time
On a Windows network it is very easy for a student to use his/her user account (ID and password) to open several sessions. E.g. one session for work and another to download. UserLock compels users to systematically close down their session as and when they leave the workstation, as until they have done this they cannot open another session elsewhere.
By stopping students from using several workstations, UserLock reduces the free access computer occupancy rate.
If a student leaves his session open or locked, the workstation is unavailable to all other students willing to login with their own account. To free up resources, UserLock allows the network administrator to remotely disconnect sessions left opened or locked from the central console or from any online computer.
Statistics for free access computer rooms
UserLock’s reports display precisely how the computer rooms are used, the high and low activity peaks, the occupancy rate, etc. Thus, the educational organization’s IT team can verify that open hours are satisfactory and that there are enough workstations. UserLock will give them the ability to determine the optimal distribution of the workload throughout the building(s), and take any necessary action.
Locating available workstations
UserLock features a customizable Web Intranet Page, accessible to all network users, that displays in real time all unoccupied workstations (e.g. by building and by room). This function improves students comfort by enabling them to easily and rapidly locate an available workstation, and therefore optimizes the global occupancy rate.
Delegated and remote management
UserLock can be administered from a central console (on the server or a workstation), or remotely from any online computer.
The web interface allows the delegation of UserLock administrative rights to non-IT management (e.g. teachers, supervisors, etc.), for a subset of workstations (e.g. systems in a room, floor, building), enabling supervision and management (e.g. close or unlock the session on workstations).
By offering this level of administration, UserLock gives limited supervisor rights for non-IT personnel managing users, without giving them access to more critical software settings reserved for IT administrators.
Enforcing School Security Policies
Providing a clear and consistent message on IT security policies can be helped with UserLock’s notification system. Clear messaging on legal implications helps reduce the chance students inadvertently commit a crime or lash out for a perceived injustice.
Academic institutions from around the world currently use UserLock ‘s login control and monitoring capabilities to secure their Windows Network. They include Camden City School District (United States), Southern Cross University (Australia), Universite de Montreal (Canda), The Chinese University of Hong Kong, University of Auckland (New Zealand), King Saud University (Saudi Arabia) and the University of Oklahoma (United States).