Tips for securing endpoint devices on college campuses


While textbooks once symbolized the center of college life, nowadays digital devices are what store, provide access to and share information across college campuses and between students, faculty and guests all over the world. This is good news for students and faculty who need open and extensive access to research, but a huge concern for college IT professionals tasked with securing the network and its various endpoints.

From smartphones to laptops to personal IoT devices (like the popular Fitbit), IT departments are tasked with keeping up with the continuous flow of endpoints accessing the network, as well as new innovations that may require key revisions to the institution’s security policies. The basic need to connect these devices inundates IT departments with access requests, guest permissions and compliance concerns that would probably make most corporate or organizational IT professionals dizzy.

That said, there are ways to grapple with the endpoint challenge on college campuses that will give IT departments peace of mind.

The first thing that’s important to note about college endpoints is that they are usually personal devices. While some in the corporate world might call it a “lenient” policy, most college campuses — in the spirit of learning and acceptance — allow students, faculty and guests to use devices of their personal choosing, without any control over the posture of those devices, or the applications installed. As a result, endpoint devices are a potential gateway for network breaches based on the sheer fact that they are connected to the college Wi-Fi network and have been granted access to email accounts, education resources and even private information.

In addition, higher education has rather lax firewall policies, creating space for hackers to gain access to sensitive information — potentially resulting in a compliance nightmare. Finally, as more colleges extend campuses overseas, there’s even greater risk that the endpoints joining the network could infect the entire system with foreign “bugs.”

In order to prevent these and other threats, college IT departments should focus the majority of their efforts on the first stage of interaction with endpoints, i.e. the onboarding process that marks the beginning of each school year. IT departments should create a solid onboarding strategy that ensures passwords are strong, endpoint attributes (such as owner, location, operating system, anti-virus software and even installed applications) are recorded, and IP addresses are tracked for the entirety of the digital relationship.

Being thorough about this process is important if IT departments want to gain visibility into their networks and control over potentially vulnerable endpoints during a breach.

The process can be carried out by deploying a dissolvable or persistent agent to each device, and there are also agentless options that offer more flexibility. If new students or faculty have a personal IoT device, make sure they understand the security risks involved and register the device with the IT department, because such devices have been used as a means of attack.

Once a thorough onboarding process is in place, IT departments can allow students and faculty to go back to the free exchange of information and passion for new technologies while knowing that they understand their network’s threat landscape.

Another source of concern for the global institution of higher education is the guests — whether lecturers, parents or library visitors — who frequent its campuses. What if a parent paying a significant sum of money for their child’s education was kicked off the campus network? They would certainly be an unhappy camper. That’s why, together with developing a thorough onboarding strategy, college IT departments should create a detailed strategy for secure guest access.

The best place to start is with two-factor authentication, which can be applied to students as well as faculty, with the second element being based on location or contextual information to assure that they are on campus and are familiar with the institution.

Aside from two-factor authentication for connection, institutions should categorize the policy based on the kind of guest. For satellite campuses, the best option could be showing them a disclaimer every time they connect. For parents and guest lecturers, sponsored access from an approved user makes sense. And for all other guests, consider requiring authentication with a registered email address or phone number. There are a number of options to choose from, and many of them suit higher education’s promise of flexibility and efficiency, while remaining completely secure.

Once solid onboarding and guest access policies are in place, IT departments will automatically see an improvement in their levels of network visibility and control.

If a ransomware attack is directed at the institution, the IT department can remotely and instantaneously cut off vulnerable devices registered with the system. If the IP addresses of those devices are registered, there are network access control solutions that can see into the posture of endpoints to determine whether lingering vulnerabilities exist. Once information on the owner and location of the device is recorded, it can be used to track down a rogue device and engage in effective communication with the owner to bring it into compliance.

Additionally, if it appears that rogue devices are prevalent in a certain location on the network, the IT department can direct its remediation efforts precisely to that location without causing a campus-wide hullabaloo.

Bring-your-own-device (BYOD) is now a well-entrenched trend that essentially began on the college campus (campuses were the first places to have internet access). But the pace of technology change and the desire to encourage the freedom of information have left college campuses falling behind on security. While college students and faculty have always been seen as being at the forefront of innovation, higher education institutions and their IT departments need to get on board with secure network access solutions that can keep up with that innovation.

Ofer Amitai is CEO and co-founder of Portnox. He has over 20 years of experience in network security.