Identity security helps higher-ed IT pros mitigate risk

In today’s threat landscape, anyone can be the victim of a cyberattack. While attacks on large corporations and financial institutions tend to generate the most headlines, the truth is that modern cybercriminals will target organizations of any size—and in any industry.

A common refrain in the cybersecurity industry is that “data is the new oil,” highlighting the fact that attackers aren’t just interested in money anymore—they want information. But attackers also recognize that information is more valuable to the institution than it is to them. That fact has led to a rash of ransomware attacks targeting colleges and universities, roughly two-thirds of which have been targeted by ransomware.

Even a small college is home to hundreds of students, while major universities might enroll tens of thousands. Those students submit medical records and financial aid forms, credit card info and social security numbers—a potential treasure trove for attackers, whether they plan to sell that data on the dark web or simply hold it for ransom. Unfortunately, many institutions lack the tools and knowledge to effectively protect themselves. With both the frequency and severity of identity-based attacks on the rise, colleges and universities need to understand their potential vulnerabilities and take the necessary steps to address them.

Understanding Identities and the Rise of Identity-Based Attacks

The 2022 Verizon Data Breach Investigations Report (DBIR) found that stolen credentials were a factor in nearly 50 percent of all attacks, including phishing attacks, third-party breaches, and ransomware attacks. The report notes that there has been a 30 percent increase in stolen credentials in the past five years alone, which attackers have leveraged into an increasingly reliable way to compromise identities and gain network access. For colleges and universities managing thousands of students, hundreds of employees, and sprawling alumni networks, protecting those credentials and effectively managing user identities is increasingly critical.

It’s also important to remember that many educational institutions conduct high-value research. The military in particular funds a wide range of projects at research universities, and while that research is often compartmentalized across multiple institutions, a savvy attacker able to compromise two or three of the right identities could potentially gain valuable insights into ongoing projects. At a time when cyber espionage is becoming increasingly common, the government wants assurances that its investments are being protected. Institutions without adequate identity security risk losing access to a critical source of funding.

Limiting the Potential Damage

Applying a “least privilege” model to identities—especially user identities—is essential for colleges and universities. This means that each identity should have only the privileges and entitlements it needs to fulfill its essential functions. For instance, every student needs access to their university email, but not every student needs access to business school or science lab resources. It’s important for schools to model “birthright” entitlements, like email, homework portals, and grading systems, with additional permissions defined by the classes they enroll in, which school their major falls within, their financial aid status, whether they live on campus, and other factors.

The ability to create accounts only when they are needed and provision entitlements in real time can be a significant help, eliminating the problem of unused accounts sitting around waiting to be compromised. Solid integration with a single sign-on (SSO) provider is a part of that solution, and can help with the issue of correlation (making sure there are no duplicate identities in the system). Real-time account creation and provisioning is especially helpful for online learning institutions, as allowing users to get started right away can decrease abandon rates and keep students engaged as well as secure.

Leveraging High-Tech (and Low-Tech) Identity Solutions

Artificial intelligence (AI) and machine learning (ML) also play a critical role in today’s identity security systems. Manually keeping track of entitlements and permissions across tens—even hundreds—of thousands of identities simply isn’t possible, but automated tools can identify scenarios where identities have accumulated too many privileges. Maybe a student has changed from a biology major to an accounting major but retained their science lab credentials or stopped working on a research project but accidentally retained access to its data. Students and faculty can change roles any number of times. Adjusting their entitlements as their relationship with the institution changes is a critical way to limit the damage a compromised identity could cause.

AI/ML tools can search for structural outliers that don’t fit the expected pattern, compare data over time, and observe recent trends. If a certain entitlement is rarely used, the system might recommend eliminating it. On the other hand, if one type of user is regularly requesting permission to access certain information, it might recommend granting that entitlement on a more permanent basis. In these instances, granting greater access can sometimes improve security: if administrators have to approve too many access requests, it can cause approval fatigue and lead to rubber stamping.  

On the other end of the technology spectrum, basic cyber hygiene is important and should be encouraged at every level. For colleges and universities, that means strong password policies and frequent password changes. The use of a password manager can help—in fact, working with a password management provider to grant students free access to the service isn’t a bad idea. Young people tend to reuse passwords across multiple accounts, which can result in a college’s systems being compromised thanks to a password acquired in a completely unrelated breach. Multifactor authentication, while not unbreakable, is another good way to make life harder on attackers—and sometimes that’s all it takes.

Help Is Out There

Implementing strong identity security can be intimidating for colleges and universities. This is understandable. With thousands and thousands of identities to manage, it can be difficult to even know where to begin. But in today’s threat landscape, there are plenty of security partners who can walk college IT departments through the process of conducting a security assessment, explain the principles behind modern identity security, and help generate buy-in with university administrators. There’s no need to go it alone. The resources and expertise needed to implement strong identity security are out there—today’s schools just need to recognize the challenges they face and seek out the solutions.

About the Author:

Ben Cody is the Senior Vice President of Product Management at SailPoint.