IT teams responsible for network security in Universities, Colleges and Schools are experiencing more and more pressure to secure their networks from both external and insider threats.
According to the CSO, 13% of data breaches last year happened at educational institutions. According to EDUCAUSE, a nonprofit association of IT leaders in higher education, information security remains the #1 issue in 2018 for the third year in a row.
Considering the amount of both personal and financial data that academic institutions store, it’s perhaps not surprising that they’re the target of malicious activity.
Access values that define Education
The academic environment is often more difficult to secure than a conventional company or organization. The traditional culture of education promotes the free exchange of ideas, and instant access to information benefits the academic mission and goals of any educational institution. IT teams must find an appropriate way to balance these access values that define education whilst protecting and safeguarding data and information systems.
An open yet secure network
Striking this balance between an open yet secure network remains a challenge for all university, college and school IT departments. These complications have led to some staggering data breaches. The compromise of over 600,000 student records at the University of Nebraska (social security numbers, addresses, grades, financial aid) was perhaps the most reported incident last year and was the result of an insider attack – a user working inside the firewall.
The best way for universities to handle such network breaches is to implement a well thought-out system of network access control and identity management.
Securing Access to your Education Network
UserLock is a versatile suite that provides educational organizations with a protective layer at the forefront of their Windows Active Directory network to help secure access for students, teachers and faculty. It makes the logon itself a scrutinized and protected event.
The ability to successfully log on (and remain logged on) becomes more than just whether the right credentials are used. UserLock will detect suspicious access attempts based on customized and granular logon policies that are set for that particular account. It will act accordingly – either denying or approving the logon – and alert IT (or the appropriate user themselves) if stipulated.
Prevent simultaneous sessions and stop password sharing
Despite education and increased awareness, students continue to share credentials because doing so has no consequence for their own access to the network. Serious security flaws can be stopped by preventing simultaneous sessions and limiting students to only one possible Windows connection at any one time. This stops rogue users seamlessly using valid credentials at the same time as the legitimate owner.
Make authorized students accountable for any malicious activity
Preventing simultaneous logins also makes legitimate users accountable for any illegitimate action they take – whether that might be student pranks or more serious insider attacks. It ensures access to the institution’s critical assets is attributed to one individual, avoiding disputes over accountability and non-repudiation. Policies and procedures can then be consistently enforced to address violations that do occur.
Control & Restrict Access to Support the Institution’s Policies
Faculty, staff, and students should be provisioned differently onto the network so the level of access granted is appropriate for each person’s role inside the academic institution. Furthermore, visiting professors, teachers and students should be provisioned separately to ensure their access is discontinued upon their departure. Controlling user logins according to user, user group or organizational unit is the first line of defense for a Windows network, and login rights should (and can) be granted based on the role of the user within the organization.
Such restrictions should also take into account other criteria such as workstation or device (including personal devices), time, working hours and session type (including Wi-Fi and VPN).
For example, a student who has managed to get a teacher’s credentials will be able to access confidential information (exam questions, results, etc.) from any workstation on the network. UserLock, however, will stop account misuse by allowing the administrator to define, per user and per user group, the workstation(s) that they can or cannot use (by NetBIOS name / IP range). Thus, a student would not be able to log in using a teacher’s credentials from a room equipped with free access workstations.
In the same manner, it’s possible to restrict access to administrative workstations (accounting, finance, etc.) from identified workstations or a predetermined set of workstations (e.g. those within the accounting department, a particular building etc.).
UserLock allows the implementation and strict enforcement of a User Access Control Policy through User Logins. You can control when, where and how long users access resources.
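The kind of contextual logon decision described in this section (group, source workstation, hours, session type, and the one-session limit from earlier) can be sketched as follows. This is an added illustration, not UserLock code or its configuration format; the group names, IP ranges, hours and the `evaluate_logon` function are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass
class Policy:                 # hypothetical per-group rule set
    networks: list            # CIDR ranges the group may log on from
    hours: tuple              # (start, end) permitted local time window
    session_types: set        # e.g. {"workstation", "wifi", "vpn"}
    max_sessions: int = 1     # one session stops credential sharing

# Constructed sample policies: staff offices vs. free-access student labs.
POLICIES = {
    "teachers": Policy(["10.20.0.0/24"], (time(7), time(19)),
                       {"workstation", "vpn"}),
    "students": Policy(["10.30.0.0/16"], (time(8), time(18)),
                       {"workstation", "wifi"}),
}

def evaluate_logon(group, source_ip, at, session_type, open_sessions):
    """Return (allowed, reason) for a logon whose credentials were valid."""
    policy = POLICIES.get(group)
    if policy is None:
        return False, "no policy for group"          # default deny
    addr = ip_address(source_ip)
    if not any(addr in ip_network(net) for net in policy.networks):
        return False, "workstation not permitted"
    start, end = policy.hours
    if not (start <= at < end):
        return False, "outside permitted hours"
    if session_type not in policy.session_types:
        return False, "session type not permitted"
    if open_sessions >= policy.max_sessions:
        return False, "concurrent session limit reached"
    return True, "ok"

if __name__ == "__main__":
    # A teacher's credentials used from a student lab address are refused
    # even though the password is correct.
    print(evaluate_logon("teachers", "10.30.4.17", time(10), "workstation", 0))
    # The same account from a staff office address is accepted.
    print(evaluate_logon("teachers", "10.20.0.15", time(10), "workstation", 0))
```

Every denial carries a reason string, which is what an alert to IT or to the account owner would be built from.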
Empower IT with Remote session management
UserLock continuously monitors all login and session events, automatically applying custom policies to prevent or deny logins, workstation access and usage/connection time.
In the event of abnormal or suspicious behavior having been detected on a workstation, UserLock will allow the administrator to remotely disconnect the user or lock the session from a central console or any online computer.
Control student wireless sessions and offer security to BYOD.
Allowing students and staff to use their own, and therefore untrusted, devices to access the organization’s resources is not without risk. As UserLock secures network access across all session types, including Wi-Fi, it permits an organization to control its wireless networks and offers security for bring-your-own devices.
Delegated and remote management
UserLock can be administered from a central console (on the server or a workstation), or remotely from any online computer.
The web interface allows the delegation of UserLock administrative rights to non-IT management (e.g. teachers, supervisors, etc.), for a subset of workstations (e.g. systems in a room, floor, building), enabling supervision and management (e.g. close or unlock the session on workstations).
By offering this level of administration, UserLock gives limited supervisor rights for non-IT personnel managing users, without giving them access to more critical software settings reserved for IT administrators.
Enforcing School Security Policies
Providing a clear and consistent message on IT security policies can be helped with UserLock’s notification system. Clear messaging on legal implications helps reduce the chance students inadvertently commit a crime or lash out for a perceived injustice.
No Logon, No Threat
With UserLock, some of the potential scenarios that can now be prevented include:
- Genuine but compromised logins from exploited users are now useless to malicious insiders or would-be attackers
- Careless user behavior such as password sharing, shared workstations left unlocked or logging into multiple computers simultaneously can now be prevented
- Access to any data/resource is now always identifiable and attributed to an individual user. This accountability discourages an insider from acting maliciously and makes all users more careful with their actions
- Suspicious activity is flagged and allows IT departments the chance to react instantly.
- Users can be notified with tailor-made messages and alerts – including alerts on their own trusted access. Informed employees are another line of defence in the security of your networks.
Academic institutions from around the world currently use UserLock’s login control and monitoring capabilities to secure their Windows Network. They include University of Auckland (New Zealand), Albany City School District (United States) and The University of Kent (U.K.).