At Duke University, minimizing information security risks comes from “harmonized” systems instead of fragmented services across hundreds of providers, Mary McKee, the institution’s identity management and security services director, said during a Crowdstrike event on Thursday.
Cloud adoption and work-from-anywhere culture are expanding the amount of entry points information security leaders need to secure, she said. McKee said that as well as streamlining the number of providers an institution uses, tackling security from a resource-based approach instead of a person- or role-based approach can help minimize risk. That means, she said, making sure users only have access to necessary systems and checking permissions routinely.
“You don’t want to get into a situation where people are expecting the perimeter to provide too much security, like, we’re gonna put all of our sensitive things in here — but then once you’re in here to get one thing, now you have access to all the things,” McKee said.
Universities and other public institutions are facing a rise in cyberattacks, with President Joe Biden recently signing an executive order that requires federal agencies to focus on zero-trust strategies for cybersecurity.
The high-profile SolarWinds cyberattack, which affected some universities, did not hit Duke. McKee attributed that to its streamlined digital services. McKee’s fellow panelist, Esmond Kane, the chief information security officer for Steward Health Care, said implementing a zero-trust approach means expanding the scope of cybersecurity as organizations watch for supply-chain attacks.
“It’s a technique that they’ve been using for decades,” Kane said. “[The attackers have] been diverting supplies and they’ve been going after wire fraud with your business executives. Now they’re going after your your trusted advisers. And all I can say is, I hope that you’ve increased your due diligence around that supply chain beyond third parties into your fourth parties. I hope that you’re you’re going beyond just a checklist questionnaire, and you’re subjecting them to a robust assessment that includes some elements of scoring. Some of these best practices are being advocated for with the executive order.”
Educause, a nonprofit that serves about 1,600 higher education institutions, recently launched a partnership with Greycastle Security to help leaders assess vendors. In a voluntary survey, only about 150 Educause member institutions said they had on-staff security analysts to check security questionnaires submitted by vendors.
During a panel on Wednesday, Sol Bermann, the chief information security officer at the University of Michigan said that as institutions’ risks grow they also need more and better products.
McKee on Thursday said that while Duke University has seen some users also use their email passwords on third-party websites, two-factor authentication has often kept attackers out. Those kinds of observations are key to deciding where to invest resources and implement tools, she said. Duke often sees attacks on legitimate accounts, but rarely sees attackers try to create new identities to access the system, she said.
“When we look at where are we seeing these attacks, … it would be great to have better identity proofing on front end,” McKee said.