Solving Aussie school and university cyber challenge

This article was produced in partnership with Thales’s Cloud Protection & Licensing division, a global leader in digital identities and data protection.
Thales Cloud Protection & Licensing is part of the Thales Group and has been securing the world’s most sensitive data for over 40 years. Today’s organisations depend on the cloud, data and software in order to make decisive decisions. That’s why the most respected brands and largest organisations in the world rely on Thales to help them protect and secure access to their most sensitive information and software wherever it is created, shared or stored.

The pandemic has dramatically increased the Australian education sector’s reliance on online systems. Technologies such as cloud have created a new norm for day-to-day operations and for how students will continue to learn moving forward.

This digital shift has helped build resilience, but it has also created new challenges including heightened exposure to rampant cybercrime.

Education remains a prime target for hackers and one of the least protected industries against malicious actors. Last July, the Australian education sector saw an increase of 17% in the number of cybersecurity breaches compared to the first half of 2020. Incidents included an attack on the NSW Department of Education, forcing a shutdown of many of its online learning platforms.

The question isn’t whether educational institutions invest enough in cybersecurity, but where the gaps are in their protection.

Digital identities: cyber frontier for the online education world

Whether it is learning, teaching, research, collaboration, administration or payroll, every facet of operations has been digitised to some degree.

Hybrid and online-only teaching have become the expectation, while cross-border collaboration, including for research, is stronger than ever before. From an operational perspective, all financial and procurement systems can now be accessed remotely, and payments made via online channels.

The roll-out of these systems, previously only accessed on-premise through secure locations and protocols, has pushed security perimeters beyond physical walls. Each time a user needs to access a system, their digital identity needs to be verified and approved as safe and legitimate through appropriate levels of authorisation.

Addressing the biggest challenge: securing humans

Education institutions now operate in a completely ‘perimeter-less’ environment. The risk with this is that it only takes one simple human mistake to compromise an entire institution.

This is worrying when human error remains one of the biggest sources of data breaches.

Furthermore, the education sector is confronted with the extra challenge of securing digital identities and providing different access permissions for a very disparate range of users.

Securing students’ digital identities and giving them access to just what they need to study (online and offline) is different to authorising access to resources and systems for admin staff, teachers, or third-party providers.

This often results in different Identity and Access Management (IAM) solutions being used, each aimed at catering to different needs.

But this ultimately ends up creating more complexity and costs, and unfortunately more security gaps than it bridges. 

Stronger Identity and Access Management, wrapped in a Zero Trust approach

Schools and universities must prioritise a digital and hybrid IAM strategy, and look to remove layers, not add complexity. This includes the roll-out of a technology stack that is cost-effective yet intuitive with easy-to-use tools.

Adopting a ‘trust no one, verify everywhere’ mentality and a Zero Trust approach means that only authorised and authenticated users can gain access to online systems, assets and data.

Here are four priority areas to consider:

  • Ubiquitous policy - a policy that just focuses on identity protection needs to be adopted, so all users can be covered and no application remains unassessed.
    • Smart Single Sign On policies have proven the most helpful. They provide frictionless authentication and passwordless identities, while allowing access to multiple applications.
    • Any unusual activity concerning a digital identity (a suspicious time of day, device, geography, network or other activity) is questioned, and the identity needs to be revalidated.
  • Ease of use - this will help address limitations imposed by user groups with very different levels of awareness and experience of cybersecurity. Having a single and very intuitive IAM platform, rather than combining solutions from various providers, will make things simpler, provide seamless access for everyone and reduce potential security gaps.
  • Breadth of identification strategy options - this is extremely important when considering the wide range of users requiring different levels of access. Consider policies based around FIDO passwordless and One Time Password (OTP) strategies, and solutions including Two-Factor Authentication (2FA), Multiple Factor Authentication (MFA) and Single Sign On (SSO).
  • Ability to deploy multiple authenticators - to validate various user profiles within the same organisation. For example, a user with more trade secrets or patent information will need a higher grade of security. Guides such as the NIST framework can be helpful to set up these security grade levels.

With the right IAM platform and the adoption of a Zero Trust mindset, educational institutions can confidently kick-start their 2022 post-pandemic recovery plans, empowering staff and students to continue taking advantage of today’s hybrid education model while keeping their identity, data and the entire education organisation secure.

For more information about how you can kick-start or improve your digital identities protection journey, please visit Thales Cloud Protection & Licensing (CPL)’s website or get in touch with one of Thales’ experts today.

About Rana Gupta

Rana Gupta is APAC Regional VP, Authentication & Encryption at Thales. He is a recognised APAC business leader, an Identity & Data Protection advocate, as well as an Information Security enthusiast sharing his technology expertise at various forums across the APAC region. Rana holds an Engineering Master’s in Electronics and Communications from IIT, Roorkee and a Bachelor of Electrical Engineering degree from Punjab Engineering College, Chandigarh.