Securing Remote Access In Higher Ed - Shared screen with speaker view
Curtis Josey
34:39
Curt Josey, Cornell University
Technical Help, Heather Cisneros- EDUCAUSE
34:40
Welcome, everyone to today’s Industry & Campus Solutions webinar - “Securing Remote Access in Higher Ed.”
Melinda Sampson
34:45
Melinda Sampson, Banff Centre for Arts and Creativity, Banff, Alberta
Jerilyn Prescott
34:48
Jerilyn from University of Idaho
Rob Smith (he/him/his)
34:55
Hello from Baltimore, MD, looks like 36 degrees and rainy this afternoon.
Donald Flowers
35:03
Donald Flowers from Campbell University in NC
Kevin Hulett - OSUIT
35:06
Kevin Hulett from Okmulgee OK, OSU Institute of Technology-icy
Said Fattouh
35:19
Said Fattouh with University of Houston-Downtown
Antony Awaida
35:26
Hi Said
Technical Help, Heather Cisneros- EDUCAUSE
35:28
Be sure to select “Everyone” from the dropdown so we can see your comments.
Technical Help, Heather Cisneros- EDUCAUSE
35:35
If you have any technical difficulties, please send a private chat to “Panelists.”
Technical Help, Heather Cisneros- EDUCAUSE
35:44
To open captioning in a separate, adjustable browser, please click on the arrow next to the “cc” button at the bottom of your window and select “View Full Transcript.”
Technical Help, Heather Cisneros- EDUCAUSE
35:52
Recordings and resources from this session will be available on the EDUCAUSE event archive page: https://events.educause.edu/webinar/2022/securing-remote-access-in-higher-ed
Bob Landon
35:53
Bob Landon from Huntington University in IN
michael
36:23
Michael from Southwestern Oregon Community College.
EDUCAUSE Moderator, Jamie Farrell (she, her, hers)
37:14
Thank you for joining us everyone! Please use the chat to share comments and ask questions throughout the discussion.
EDUCAUSE Moderator, Jamie Farrell (she, her, hers)
37:37
Be sure to select “Everyone” from the chat dropdown so we can see your comments!
EDUCAUSE Moderator, Jamie Farrell (she, her, hers)
40:04
Hello to everyone who’s just joining us! Please use the chat to introduce yourself, ask questions, and make comments. Be sure to select “Everyone” from the dropdown so we can see your comments.
Jenny Olson
40:53
Jenny Olson from Highline College
Heather Wasserlein, Apporto
42:40
Heather joining from CA where we’re hoping for some of the precipitation you guys on the east coast are seeing. Stay warm everyone btw!
Marlon Raghunanan
42:43
We’re seeing compromises of student accounts which are based on M365, so compromised accounts have e-mail access to the entire 20K student body.
Heather Wasserlein, Apporto
43:46
Glad to see folks from around the country (and world!). Excellent to see representation from as far as Belgium and Trinidad!
Ken
46:16
Ken Jandes, VP, College Support Services, from American College of Education
Heather Wasserlein, Apporto
46:22
@marlon Thanks for sharing. Sorry to hear about your compromised student accounts. The speakers will be discussing possible solutions. Please let me know if your concerns are not addressed.
Technical Help, Heather Cisneros- EDUCAUSE
47:48
Thank you to everyone who’s just joining us! Please use the chat to introduce yourself, ask questions, and make comments. Be sure to select “Everyone” from the dropdown so we can see your comments.
Candace M Winslow
48:26
the number has not been defined yet.
Glenn Forbes Fleming Larratt
48:31
Is the nature of the question “IT workforce” or “all fac/staff”?
Marie-Claude Arguin
48:44
Hello from Canada! Marie here, CIO Queen's University. Great pres so far. A lot to relate to.
Athena Hoeppner
49:07
Are we counting Faculty?
Heather Wasserlein, Apporto
49:16
@glenn This refers to all faculty / staff
Glenn Forbes Fleming Larratt
49:48
OK, missed my window. I’m probably in one of the bottom two buckets.
Heather Wasserlein, Apporto
50:03
Thanks Glenn
Bob Landon
50:40
Aren't we missing a large portion of the actual demographic for who the threat comes from on a university network? It should be staff, faculty, and students.
Donald Flowers
51:44
How do you combat securing personal "BYOD" devices without taking ownership of the device?
Antony Awaida
52:01
@donald this is the topic of this webinar
Antony Awaida
52:18
you don't have to secure the device if you deliver a secure virtual desktop
Marlon Raghunanan
52:28
@Bob. Agreed but we’re told the answer is education and training. So you would think that the people whose job it is to teach would be predisposed to learn :-)
Donald Flowers
52:31
I'm just getting ahead of myself
EDUCAUSE Moderator, Jamie Farrell (she, her, hers)
53:27
I’m excited too, Donald. 😁
Heather Wasserlein, Apporto
56:42
Bob is absolutely correct, IMHO. BYOD adds risk and extends the perimeter.
Glenn Forbes Fleming Larratt
57:36
You make the point that one of the criteria of a Zero Trust “allow/deny” calculus might include “what IP are they coming from”? What do you make of the train of arguments “perimeter security is dead/kill your VPN/don’t tie trust to source IP at all” that seem to be some folks’ entire concept of Zero Trust?
Heather Wasserlein, Apporto
57:49
This includes students for sure. I believe staff are often the higher priority, because of the types of sensitive data (eg. Financial, medical, etc.) that staff work with.
Heather Wasserlein, Apporto
59:33
The good news is there are many ways to secure BYOD devices. One of the easiest may be using virtual desktops (esp if accessed via a browser).
Heather Wasserlein, Apporto
01:00:00
@glenn Good question - we will answer your question live.
Sharon Austin
01:01:12
Only because it submitted before I could make it 100%
Kevin Warenda
01:02:57
With so many cloud and SaaS solutions in play now the perimeter is very blurred
Marlon Raghunanan
01:04:51
Q: Is that an argument for not going single sign on?
Jim Russell (he, him, his)
01:06:18
@Marlon Cost for some institutions can be a challenge. TCO so support in addition to direct costs. But yes, it should be on our roadmaps or here now.
John Venturella
01:08:23
it's about privacy and security. sorry.
Adam Scaramella
01:08:54
Yeah...both unless you aren't segmenting access based on login.
John Venturella
01:10:26
some VPNs have dynamic policy and are attribute based
Glenn Forbes Fleming Larratt
01:10:45
OK - but of the 5 tenets you evaluated, the “kill your VPN” mantra does nothing but throw away the one tenet where you’re succeeding.
ric
01:11:19
I really don't know about these VPN statements
Bob Landon
01:12:30
We try to solve this problem by insisting that any endpoint that connects must have our endpoint agent installed on it. Also that no foreign VPN usage is allowed inside the perimeter. Not perfect, but it certainly helps!
Jared Evans
01:12:49
We apply some policy to VPN sessions, e.g. contractors can VPN in but they are restricted to be able to connect to pre-authorized servers only.
Bob Landon
01:13:27
Same here. We can tie the VPN credentials to resource access.
ric
01:13:42
I think this is just to sell secure virtual desktops
Bob Landon
01:13:46
lol
John Venturella
01:13:51
lol
Heather Wasserlein, Apporto
01:13:52
Just to clarify, we still see value in VPNs
Bob Landon
01:14:05
Absolutely...
Heather Wasserlein, Apporto
01:14:22
I think Nick is just alluding to some of the VPN limitations
ric
01:15:15
lol...
Glenn Forbes Fleming Larratt
01:15:19
I take the point that Zero Trust is a goal and a journey, not a destination; but many notional adherents of Zero trust - some involved in network planning - seem to think it means reduce everything to the lowest common denominator. I get the idea that many have cherry-picked the notion of Zero Trust for making things more convenient, not more secure.
Heather Wasserlein, Apporto
01:15:31
We do believe browser based access to a virtual desktop helps reduce the perimeter and reduce risk significantly
Marlon Raghunanan
01:15:49
Remember the environment actually dictates the approach, not IT or Security teams. In many cases our Bursary plays a significant part.
ric
01:15:56
yeah...if you talk about the security of the endpoint then I get it
Bob Landon
01:16:04
Agreed
John Venturella
01:16:34
what's to stop the "Secure Virtual Desktop" endpoint from being compromised? Perhaps it relies on a daily reset of the machine?
Heather Wasserlein, Apporto
01:16:39
We definitely agree more work is required (eg. Defining access permissions to particular applications and data, for example) for a full Zero Trust environment
Heather Wasserlein, Apporto
01:17:00
@John Great question - I will ask the speakers to address this
Kevin Warenda
01:18:04
Defense in depth!
Glenn Forbes Fleming Larratt
01:18:13
Thank you, Anthony.
Matt Vita
01:18:17
the secure virtual desktop is within your network/datacenter. if it becomes compromised .. you've got bigger problems than who is using it.
Athena Hoeppner
01:18:35
This brings to mind my credit card company that somehow differentiates legitimate use from suspicious activity, even when I travel overseas.
John Venturella
01:18:41
@Matt didn't they say it's in the cloud?
Heather Wasserlein, Apporto
01:19:16
@matt John is correct. The Apporto solution is in the cloud.
Bob Landon
01:19:58
We actually monitor things like changes in IP address within an impossible amount of time. Also unusual activity for a user. Definitely a layered defense approach
Stephany Freeman
01:20:10
The biggest pushback we've seen from Secure Virtual Desktops is that they're often not useful for what folks need to do. To create a template that is useful takes more resources than we have available.
Heather Wasserlein, Apporto
01:20:19
The good news is if a cloud server is compromised, and your staff/students are accessing the virtual desktop via a browser, the compromise will not find its way back to the user’s device
Heather Wasserlein, Apporto
01:20:28
It becomes our problem vs. yours ;)
Heather Wasserlein, Apporto
01:21:06
And, browsers and cloud servers are backed by a lot of security (from Google, Amazon, MS, etc.)
Heather Wasserlein, Apporto
01:22:15
In addition to ongoing scanning, monitoring, and patching on our end
John Venturella
01:22:34
So the "Secure Virtual Desktop" needs to be configured to prevent any data transfer to the user's personal machine.
Technical Help, Heather Cisneros- EDUCAUSE
01:22:36
We appreciate your feedback! As we continue with our session, please take note of our brief session evaluation and fill it out before leaving the online room today: https://survey.alchemer.com/s3/6725758/IC2203
Matt Vita
01:22:41
if you define your environment (data center, servers, etc.) to include cloud or hybrid, vs on-prem, it's still your environment to control.
John Venturella
01:23:28
Thank you, Heather.
Heather Wasserlein, Apporto
01:23:33
@matt Correct, we need to protect our environment. The browser provides a “barrier” to protect your devices from our environment though.
Antony Awaida
01:23:44
@kevin we deliver the virtual desktop in the browser - not using a client or VPN
Matt Vita
01:23:48
virtual desktops are like watching an interactive TV. the screen is presented to the end user device, everything is processed in the data center or cloud infra
Heather Wasserlein, Apporto
01:24:00
@matt Also, you are absolutely correct the hybrid and on-prem are a different story.
Candace M Winslow
01:24:15
@Athena - your bank must have a much better security company than mine. Weekly gets it wrong -- from blocking my legitimate attempts to use debit card for smaller purchases, to letting strangers in another state have my money. Most frustrating is when they block my account completely -- always on a Friday. Our faculty would not put up with that type of inconvenience.
Heather Wasserlein, Apporto
01:26:37
@John Agreed, the "Secure Virtual Desktop" needs to be configured to prevent any data transfer to the user's personal machine.
Heather Wasserlein, Apporto
01:27:27
There may be multiple ways to address this. We provide tools to ensure data is not downloaded to the user’s device, for example.
Antony Awaida
01:28:06
@kevin, we are adding technology to be able to identify who leaked the data - a watermark - more details later
Bob Landon
01:28:10
You should probably amend that to "accidental data leakage". If someone has access to data, it can be leaked intentionally no matter what security you put in place.
Bob Landon
01:28:33
Watermarks are a good idea
Heather Wasserlein, Apporto
01:29:05
@matt You’re exactly right. Virtual Desktops are like watching TV. We are streaming pixels to the browser. Data itself always resides in the cloud.
Matt Vita
01:29:21
yep
Heather Wasserlein, Apporto
01:29:40
@bob We are currently working on watermarks 😊 Stay tuned for this coming very soon!
John Venturella
01:30:40
@heather, if it's just pixels streaming, why do we need to stick to browser-based vs agent-based. is agent-based more risky?
Heather Wasserlein, Apporto
01:31:20
@stephany Can you elaborate
Heather Wasserlein, Apporto
01:31:49
You mentioned the biggest pushback we've seen from Secure Virtual Desktops is that they're often not useful for what folks need to do. To create a template that is useful takes more resources than we have available.
Glenn Forbes Fleming Larratt
01:33:19
Appreciate the distinction, Nick. Thanks for clarifying.
Said Fattouh
01:33:40
Is there a standard/recommended length of time (30 days, 7 days, etc.) for two-factor authentication to various systems to "remember my device" without annoying users?
Matt Vita
01:33:42
agent based is more difficult to manage (software on the end device) but you get more functionality from it.
Heather Wasserlein, Apporto
01:34:10
@Stephany Something we have experience with is virtualizing a wide variety of applications - over 200 different applications. (Higher ed throws every type of software at us from the very common MS and Adobe apps all the way down to 3D chemistry visualization apps, music editing, architecture tools, etc.). Is there something specific you are thinking of?
Matt Vita
01:34:50
desktops can be configured for most use cases that you can plan for. It takes time, but you can manage them centrally, deploy changes universally, and everyone (in a use case) can get the same experience
Sharon Austin
01:34:57
This was an outstanding webinar, thank you so much!
Matt Vita
01:35:01
^virtual desktops
Glenn Forbes Fleming Larratt
01:35:15
Oops. Antony, please accept an apology for misspelling your name.
Technical Help, Heather Cisneros- EDUCAUSE
01:35:18
Thank you for your participation! Before leaving, please don’t forget to fill out our evaluation: https://survey.alchemer.com/s3/6725758/IC2203
John Venturella
01:35:30
@matt, is there more risk with agent-based?
Antony Awaida
01:35:38
No worries Glenn ;)
Antony Awaida
01:36:02
Yes we believe there is more risk with agent based
Antony Awaida
01:36:16
Some agents for VDI set up a VPN
Stephany Freeman
01:36:17
I would love to be able to deliver a customized template creation service! Our schools have gone the other way - standardized templates. All they do is convince people to stay away from our virtual desktops.
Matt Vita
01:36:36
@john, there can be if it's not managed well. you can control which versions of an agent are allowed to connect, so define a policy (N-1, N-2, etc.) and set the policy to deny anything else.
John Venturella
01:36:40
@antony, could you explain why it's riskier to do agent-based?
Heather Wasserlein, Apporto
01:37:17
@stephany Please feel free to reach out to me (heather@apporto.com) if you’d like a quick demo of how to set up templates (customized desktops). This is as easy as a list with checkboxes 🙂
Antony Awaida
01:37:31
@John I will answer live
Stephany Freeman
01:38:06
@heather - I'll see if I can convince our folks to talk to you.
Matt Vita
01:38:28
I don't see a reason why a VDI app would require a VPN. I wouldn't design a solution that way.
Rhonda Johnson
01:38:43
@matt, VDI doesn't require VPN
Heather Wasserlein, Apporto
01:39:08
@geby Thank you!
Matt Vita
01:39:18
@Rhonda that was someone else's comment. I was stating my disagreement.
John Venturella
01:39:53
@antony, thank you for the explanation. many admins use agent-based still.
EDUCAUSE Moderator, Jamie Farrell (she, her, hers)
01:39:57
If you have more questions after today’s discussion, you can email them to sales@apporto.com
Marlon Raghunanan
01:40:04
@Antony. We must not forget browser injection.
Antony Awaida
01:40:19
we do pen testing
Donald Flowers
01:40:20
Great conversation!!
Antony Awaida
01:40:24
Happy to discuss
michael
01:40:33
Thank you.
Heather Wasserlein, Apporto
01:40:35
Many thanks Donald!
edith
01:40:37
Thank you all!!
Jorge Villon, Jr.
01:40:38
Thank you. Very nice presentation.
Heather Wasserlein, Apporto
01:40:47
Thanks Kevin and Edith too 🙂
Dawnetta (Dawn) Taylor
01:40:52
Thank you all.
Heather Wasserlein, Apporto
01:40:54
And Jorge !
Jeff Kuntzman (he/him)
01:40:54
Thanks all
Stephany Freeman
01:40:57
Thank you. I loved hearing everyone's view points.
Isaac Hall
01:41:01
Thanks everyone
Mark Gonzales
01:41:02
Thank you!
Vicente Maysonet Jr
01:41:02
Thank You
Ken
01:41:13
Great discussion !!!
Technical Help, Heather Cisneros- EDUCAUSE
01:41:19
Please make sure to check out our next webinar on March 2nd at 1pm ET to hear about “Wheaton College Revolutionizes Student Learning.” https://events.educause.edu/webinar/2022/wheaton-college-revolutionizes-student-learning
Donald Flowers
01:41:23
Thanks, have a good one!