How a University Used DNSFilter to Up Their Security Game

Every organization has a responsibility to protect valuable resources and keep employees safe, but colleges and universities have even more to protect: students. Yet it can be difficult to keep students safe while respecting their privacy.

Universities must protect student data, which means complying with various privacy and security regulations, such as Gramm-Leach-Bliley for financial aid data, PCI for credit card payments and even the General Data Protection Regulation for students coming from the European Union. Universities also aim to prevent students from visiting inappropriate sites or downloading malicious files.

For Indiana Wesleyan University, the flaws in its ad hoc approach to security became apparent about five years ago. That’s when the evangelical Christian university hired its first CISO.

When Michael Madl took the job, he assessed the security controls in place, what was working and what needed to be done. Madl immediately noticed the proliferation of shadow computing, largely due to a culture that allowed faculty and staff to use the tools that suited them best instead of university-sanctioned ones. If, for example, a faculty member insisted on storing data in Dropbox when the university had standardized on Microsoft, cybersecurity and compliance issues could arise. With this in mind, Madl compiled a comprehensive inventory of data assets, devices, networking systems and software.

Over the next few years, Madl increased the security and privacy of campus resources. He upgraded firewalls to Palo Alto Next-Generation Firewalls and added extensive detection and response, behavior analysis, and an external security operations center to oversee a centralized security information and event management system. He also upgraded the university’s Network Access Control (NAC), providing wireless NAC for students to limit where they could and could not connect.

You can’t protect what you can’t see

One problem Madl quickly noticed was a lack of visibility into traffic or data entering or leaving the network. Even the firewalls, which had basic URL filtering and DNS sinkhole technology, didn’t provide enough visibility into what was happening on endpoints. Yet the ability to see traffic was key to filtering content and quickly deploying controls.

When researching new technologies, Madl first considered the obvious choices of vendors such as Cisco and Cloudflare. They have effective filtering technology, but the products proved too expensive for a strictly tuition-funded university, he said. Further research led him to DNSFilter, a content filtering technology designed to block online threats and inappropriate content. It was a much more affordable option and would meet the needs of the university.

The DNSFilter tool could cater differently to the two groups of university users, employees and students. For employees, the university’s small IT team deployed an agent through its mobile device management system to all employee devices: phones, laptops and desktops. The agent modifies the DNS settings on the host so that every request the machine makes is routed through the DNSFilter cloud: web requests, but also requests from other installed programs that phone home, such as antivirus. This helps Madl's team beyond web traffic alone; it identifies traffic from any component of the device that “phones home” and establishes an internet connection.

Using this agent, DNSFilter can enforce compliance and security policies. Employees have access to the Internet except for malicious and inappropriate sites.

DNSFilter also helps ensure that employees use university-approved software and tools such as VPNs and file sharing.

Madl pointed to AppAware as a particularly useful DNSFilter feature. AppAware detects and blocks risky apps, helping to control apps used by employees.

Student protection is a little trickier, since the university does not want to infringe on personal rights and preferences. For this reason, the DNSFilter instance for students does not install agents on devices. Instead, the university uses DNSFilter controls at the firewall, edge, and directory/DNS levels to prevent users on its network from accessing malicious and adult sites. When students access the Internet, they pass through the university firewall and are assigned an IP address for the network, as well as DNS settings. If the site cannot connect to the Internet for some reason, it is passed to DNSFilter, which applies the appropriate policies.

Security program continues to evolve

The information generated by DNSFilter has been instrumental in the security of the university.

For example, the dashboard allows IT staff to drill down into specific users to determine if the endpoint is actually trying to communicate with a malicious server. When the dashboard flags something as infected or compromised, the team can use the tool to validate what they see and determine if it’s linked to a domain.

The team can also implement immediate blocks and then send this blocklist directly to DNSFilter. DNSFilter adds the blocklist to its AppAware feature for all customers.

Madl said Indiana Wesleyan University is now focused on its broader security strategy. The next step is to move to a zero-trust security model, add micro-segmentation to the network and further develop its NAC.

About the Author

Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a wide range of technology topics for publications including CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek, and Government Executive.

