Challenges Educational Institutions Face When Trying to Protect Access to Student Records

Traditionally, educational institutions have always found it difficult to find funding for large-scale security solutions. In addition, many organizations consider their student networks a part of the public internet and provide no protection capabilities from traditional threats (they may offer free AV but not proper segmentation and isolation capabilities). This leaves strategic initiatives within an environment to focus strictly on the backend systems as specified by FERPA. Protection of an individual’s records on their personal devices is not covered by the mandate. Therefore, best practices to protect privileged access to student records, and vulnerability management of operating systems and applications, fall within the IT and Security staff's realm for management.

The challenge is not keeping the databases locked down, or installing patches, but answering the question: Who should have access and for how long? Typically, these controls are very loose in educational institutions due to the variety of access required by all approved entities. This may include stale user accounts, non-rotating passwords, legacy applications with no support, or even custom applications written by students or faculty to access information. All of these create environmental concerns that lead to poor IT management controls and the risk of data being accessed inappropriately. In the end, FERPA requires protection of this information but fails to provide the necessary checks and balances – like PCI DSS in the payment card industry – to ensure organizations are making good security decisions to protect the information.

3 Steps to Stop Insider and External Attacks Against Information Technology Assets

There are several steps educational institutions can take to better protect access to student records. Here are my top 3 recommendations:
- Privileged Access Management – Implement a strategy (and if needed a technology solution) to remove administrator rights from all backend and supporting user systems. This implies segmented access via proxy or password safe technology, complemented by least privilege with full session monitoring, auditing, and reporting.
- Vulnerability Management – Ensure that, whatever the asset is, from operating system and application to router, switch, and HVAC, all security patches are applied and tested regularly for new threats.
- Education – Ensure team members are educated on the latest cyber security threats from ransomware to phishing. Once teams understand how modern (and legacy) attacks occur, they are better prepared to architect, configure, and defend against them within the institution. BeyondTrust has partnered with multiple education institutions like Embry-Riddle, providing free information technology security training videos to help staff and students understand the latest security threats and architectures to protect against them.
- Limit access and log all activity
- Encrypt the data at rest and in transit
- Split critical information like SSN numbers across multiple databases
- Perform regular vulnerability assessments and pen tests
- Limit administrator access
- Have network and application segmentation
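
The "who should have access and for how long?" question, together with the stale accounts and non-rotating passwords named above, can be checked mechanically against an account inventory. The following is an added example, not BeyondTrust code; the `Account` fields, the 90/180-day thresholds, and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds are assumptions for this example; FERPA does not prescribe them.
STALE_AFTER = timedelta(days=90)
ROTATE_AFTER = timedelta(days=180)

@dataclass
class Account:
    name: str
    last_login: Optional[date]      # None = never logged in
    password_set: date
    is_admin: bool
    access_expires: Optional[date]  # None = open-ended grant

def review(acct: Account, today: date) -> list[str]:
    """Return the findings for one account that can reach student records."""
    findings = []
    if acct.last_login is None or today - acct.last_login > STALE_AFTER:
        findings.append("stale")
    if today - acct.password_set > ROTATE_AFTER:
        findings.append("password-not-rotated")
    if acct.access_expires is None:
        # "For how long?" has no answer: flag it, and label admin grants separately.
        findings.append("admin-no-expiry" if acct.is_admin else "no-expiry")
    elif acct.access_expires < today:
        findings.append("access-expired")
    return findings

def audit(accounts, today):
    """Map account name -> findings, omitting accounts with none."""
    report = {a.name: review(a, today) for a in accounts}
    return {name: f for name, f in report.items() if f}

# Constructed sample inventory (not real data).
TODAY = date(2024, 9, 1)
SAMPLE = [
    Account("registrar1", date(2024, 8, 30), date(2024, 6, 1), False, date(2025, 6, 30)),
    Account("ta_spring", date(2024, 5, 10), date(2024, 1, 15), False, date(2024, 5, 31)),
    Account("legacy_app_svc", None, date(2019, 3, 2), True, None),
    Account("dba_jane", date(2024, 8, 31), date(2024, 7, 1), True, None),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE, TODAY).items():
        print(f"{name}: {', '.join(findings)}")
```

In practice the inventory would come from the directory service or the student information system's own account export rather than an inline list.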
Learn how the University of California San Diego Keeps Focus on Collaboration with PowerBroker in this case study.

Then, the risks to the personally identifiable information can be minimized and secured against hacks. For more information on how BeyondTrust can help your educational institution better control access to student records, contact us today, or check out one of the many case studies where customers used BeyondTrust to secure against hacks and data breach threats.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.