Signal Sciences recently hosted a panel of security experts from higher education institutions to discuss application security challenges and opportunities they’ve experienced in their respective institutions and beyond. George Finney, CISO of Southern Methodist University, Kyle Gustafson, Sr. Information Security Engineer at California Polytechnic State University, and Aaron Muñoz, CISO at Texas Christian University, joined our CSO and co-founder, Zane Lackey, to discuss the changing landscape in a highly specialized sector.
It’s clear that higher education institutions must protect the apps and APIs that not only enable business operations, but also deliver crucial academic services like distance learning. While many colleges and universities have long offered online classes, the current pandemic is forcing institutions to expand the use of virtual courseware and make use of robust video conferencing apps that need to be rapidly delivered and secured at scale. Additionally, security stakeholders must still protect the business-critical apps that manage day-to-day functions year-round under normal circumstances.
Phishing attacks increase during the pandemic
Phishing attacks are commonplace in our everyday lives, and it’s no different for staff and students of higher education. Universities welcome thousands of new students each academic year, many of whom lack the technical knowledge to discern phishing attempts from legitimate emails generated by apps they use or other third parties. In addition, the onset of the pandemic earlier this year triggered a six-fold increase in phishing attacks, according to Finney, which accelerated the adoption of identity and multi-factor authentication (MFA) at his institution.
Many institutions have proper security controls in place, but growing student bodies or outside influences may create scalability challenges. Gustafson shared how Cal Poly prioritized securing their primary external app—the website— a few years ago with the Signal Sciences WAF when they were seeing 20,000 to 30,000 blocked attempts each month. When Gustafson’s team saw those attempts climb to more than one million per month, he was relieved to have our protections in place that scaled quickly and efficiently.
Lackey confirmed the sentiments: Signal Sciences saw a spike in malicious requests across the customer base (no industry was spared) at the onset of the pandemic with the shift to remote work and the rise in distance learning in March.
Security in Higher Ed spans from infrastructure to people
All panelists agreed universities relying on SaaS apps should integrate with SSO and MFA solutions, and if budgetary constraints limit such solutions, they may be rolled out to apps quickly once the funds become available. Higher education institutions have many niche requirements unique to them, meaning Proof of concept is one of the most important ways to vet and subsequently implement solutions.
For a distributed university like Cal Poly, part of the largest university system in the United States, partnership and information sharing plays a key role in instilling a shared security-minded culture. Security teams from universities across the nation will bounce ideas and solutions off of each other while solving appsec problems. In certain cases, the directive is network-wide. They implemented an MFA security program that could separate their users by rules dependent on each segment those users fell into.
“Initially it was risk based,” Gustafson said, “but with Covid and phishing, we have MFA on basically everything. It’s implemented in conjunction with our SSO and anything within that is protected by MFA.”
Additionally, academic IT and security teams often run lean, so apps need to work well together, along with employees. From cloud-based, to on-prem, and hybrid, all apps and vendors need to be communicating constantly to provide proper visibility. Protecting apps isn’t just an infosec problem: it’s a team sport, where multiple departments like engineering and operations must do their part to enable and empower non-IT folks to help improve the overall security posture of the university.
Identity validation and network segmentation are key to Zero Trust
With so many daily users on university apps, the Zero Trust model is important to treat all users as suspect and require identity validation. Network segmentation to isolate users in different pockets prevents unnecessary touchpoints between disparate user groups. Some universities operate as an ISP for their students and staff, and in a strong Zero Trust framework, they cannot commingle as they move fluidly between environments. Without identity confirmation, a sound security strategy can prove problematic.
For example, if a system is compromised, lateral movement is restricted by various network rules and restricted firewalls. A Zero Trust model of only granting necessary access can prevent system-wide intrusions.
At Signal Sciences, we understand there are a wide range of apps and APIs that need protection, and many times that protection needs to integrate with existing solutions. We developed a solution that delivers protection on any app or infrastructure and seamlessly integrates into your DevOps toolchains, reducing friction and increasing collaboration across all teams.
To learn first-hand how Signal Sciences helps organizations secure their apps and APIs and track user actions once authenticated, request a demo.