In a recent blog post, Citrix Intern Jiun Hong gave us an inside look at security concerns in the Education Sector. She blended personal anecdotes with education industry statistics to show us the kind of risks students, parents and faculty face — often without even realizing it. We left off having spoken of personally identifiable information (PII), intellectual property, institution reputation and finances. Today’s installment covers everything from medical records to monitoring; we think you’ll learn a lot from this bright, young star.
Though institutions collect a wealth of sensitive information for good reasons, universities on the receiving end must not be cavalier about the dangers of security breaches. There is a wide array of at-risk information—our information—in educational institutions that deserves our close attention.
The only sector more prone to hacks than education is healthcare. On the black market, patient health information is sold for more value than credit card information because it’s non-recoverable and is the kind of asset that keeps on giving.
But universities are just as much at risk. They hold the same type of information that makes healthcare so popular with hackers, because students are required to submit health data and use on-campus student clinics that store even more patient data. Some schools retain millions of patient records in their own university medical centers, making them desirable targets for hackers looking for data gold mines.
The bad news: cyberattacks are real and are occurring at an ever-increasing rate. The good news: prevention is possible with 10 steps to cyber security.
In a recent blog post about cybersecurity, Citrix Chief Security Officer, Chris Mayers, explained how Citrix solutions support each of the ten steps and enable more secure networks regardless of industry. But how can Citrix’s products help education institutions with risks?
Information Risk Management Regime + Incident management
According to a study (focused mostly on U.S. institutions) conducted by the System Administration, Networking and Security Institute (SANS), less than half of educational institutions have a way of assessing risk for data protection, even with the overwhelming concern over compliance with Family Educational Rights and Privacy Act (FERPA) and Payment Card Industry Data Security Standard (PCI DSS).
Citrix products mainly support application and workspace virtualization, but are built with various security standards in mind, which allows for automatic compliance upon deployment. This means the concerns surrounding PII and medical records are alleviated. Just knowing when, where and how data breaches can occur in the university ICT system is vital to building preventative measures and recovery methods for institutions that support thousands of busy students. The Session Recording feature—just one of the many security capabilities built into XenApp and XenDesktop—allows evidence collection for a solid incident management base. This step and feature can alleviate the monetary and legal recovery pains in case of a cyberattack.
Secure configuration + Monitoring
Some attack vectors that universities were concerned with, from exploits against internal database systems to malware delivered to staff endpoints, could be prevented by applying patches. But among the themes discussed in the SANS study there is no mention of secure configuration, an important step to safeguarding a system. Secure configuration can be controlled with XenMobile, for mobile devices and applications, and XenApp / XenDesktop, for desktop devices. This step reduces vulnerability for systems integrity and confidentiality, taking care of the concern over loss of student data and intellectual property. NetScaler Security Insight can monitor configuration patterns, spot dangerous inconsistencies, and report issues based on NetScaler logs, all while complying with PCI standards.
Network security + Home & mobile working
Because of today’s BYOD culture, students and faculty connect various personal devices to the campus network while working with confidential data. Because the number of devices corresponds to the number of potential breach points, there is a need to regulate the network with layers, which can be deployed with XenApp and XenDesktop. This protects everything from health information to research data. With more personal devices on unsecure networks outside of university walls, there is also more sensitive data being unnecessarily stored on thousands of devices that are impossible to keep track of. Working on personal devices can be made secure with ShareFile, which encrypts all data no matter where it’s pulled up.
Managing user privileges + User education & awareness
Most universities manage the risk of data breaches by not storing PII or restricting access to it. However, the best method of prevention, in terms of controlling privileges, is only permitting certain types of access to those who absolutely need it. The Citrix Ready Security Partner Program can introduce privilege management for applications without built-in capabilities. This is a step that can limit the number of devices that even populate sensitive data, which limits the chances of financial and medical information becoming exposed. Another non-technical, human intelligence-dependent method of prevention is role-based training on specific ICT systems policies, which can sharpen awareness and reduce weak links. Citrix can help in this effort by working with various partners that support the specific deployment a university’s system may need.
Malware prevention + Removable media controls
Malware can creep in via a variety of avenues, from phishing emails sent to anyone who has access to a schoolwide listserv to viruses from student endpoints. The Citrix Ready Security Partner Program allows universities to work with malware prevention products that identify and wipe out routes for malware specific to their ICT systems. Removable media controls are not as popular, but removable media are still avenues for malware and data theft. ShareFile is a Citrix product that eradicates the need for removable media controls, with its anywhere, anytime data access and data encryption capabilities.
The personal statements that I so painstakingly crafted when first applying to school are likely being stored in the same data center as my sensitive information. Though I wouldn’t care if we all got a laugh out of reading who I thought I was at 17 years old, I would be devastated if information that could allow my identity and finances to be stolen was exposed.
This internship at Citrix has already been a great learning experience: it has taught me that cyberterrorism is an alarming reality and that I should be more vigilant about protecting my personal data. Even so, I haven’t wasted time in fear of cyberattacks because I know that Citrix is armed with essential security competencies. As a student, I hope that educational institutions everywhere will equip themselves with the security and student mobility capabilities that Citrix offers.
Please follow the Citrix presence in the Education Sector at @CitrixEducation.
Follow Jiun at @jiunhong4.