Challenges Facing The Education Sector

The Higher Education sector has some unique challenges: complex infrastructure, multiple locations, and large numbers of students, faculty members, suppliers. and partners that change daily. They all need access to shared infrastructure to do their work, and that's hard to manage safely.

JISC, provider of digital infrastructure and services for education and research organisations highlighted the specific threats for Higher Education in its Cyber Impact 2022 report.  As is common in security recommendations and standards such a Cyber Essentials or DSP in the NHS, there are specific recommendations re user accounts. For example, here are the relevant entries in the list of recommended questions for IT and senior leaders to assess their cybersecurity posture:

• 2. Do we have effective mechanisms for controlling access to resources, such as how we handle new starters, movers or when staff leave our organisation?
• 3. Do we review user accounts and systems for unnecessary privileges on a regular basis?
• 4. Do we enforce MFA for all systems and users? (this is interesting: not all systems support MFA, but PAM can be used to add MFA)
• 10. Are our networks separated so that if an attacker gets access to one device they will not have access to our entire estate? (similarly, if an administrator's account is compromised, can you sure that doesn't grant access to all IT systems?)

The report highlights that there were 15 FES and HE organisations impacted by ransomware in 2020, 18 in 2021, and 3 already in 2022 (as at April 2022). At least part of the rise is due to changes to remote working during the pandemic which exposed the risk of poorly configured Remote Desktop Protocol (RDP) systems (secure remote access to applications is a key capability of Osirium PAM).

Privileged Access Management (PAM) is the foundational cybersecurity measure that addresses those issues raised in the JISC report:

• Provides a central point of visibility and control for privileged admin accounts
• Separates humans from the admin credentials so they can't be compromised
• Monitor and record admin session to ensure credentials aren't misused or to help with incident investigation
• Automate common processes like create/update/remove accounts to enable self-service, ensure policies are enforced, and remove the possibility of users or admins using privileged credentials for anything other than valid tasks.

A particular challenge in the higher education sector is the dependency on a network of partners and suppliers that need access to their IT systems. With even less control over those users and systems being used to access establishment IT systems, threat levels are elevated. Read the University of Reading case study to see how they prioritised securing vendor access and address that challenge with Osirium PAM.

Increasingly, education organisations are also taking steps to protect their staff, partner and student laptops and desktops where most attacks originate. That's why they're looking at Privileged Endpoint Management (PEM) reduces the risk without increasing the workload for ITH Help Desks.

Automating everyday IT work with Osirium Automation means administrative tasks can be safely delegated to Help Desk staff or end-users which improves security and service.

When there's so much personal data, financial information, and intellectual property at stake, it's critical that IT infrastructure, data, services and applications have high levels of control and audit trails, should a breach occur.

That's why Privileged Access Security must be the key foundation to your cybersecurity strategy.