
34:39
Curt Josey, Cornell University

34:40
Welcome, everyone to today’s Industry & Campus Solutions webinar - “Securing Remote Access in Higher Ed.”

34:45
Melinda Sampson, Banff Centre for Arts and Creativity, Banff, Alberta

34:48
Jerilyn from University of Idaho

34:55
Hello from Baltimore, MD, looks like 36 degrees and rainy this afternoon.

35:03
Donald Flowers from Campbell University in NC

35:06
Kevin Hulett from Okmulgee OK, OSU Institute of Technology-icy

35:19
Said Fattouh with University of Houston-Downtown

35:26
Hi Said

35:28
Be sure to select “Everyone” from the dropdown so we can see your comments.

35:35
If you have any technical difficulties, please send a private chat to “Panelists.”

35:44
To open captioning in a separate, adjustable browser, please click on the arrow next to the “cc” button at the bottom of your window and select “View Full Transcript.”

35:52
Recordings and resources from this session will be available on the EDUCAUSE event archive page: https://events.educause.edu/webinar/2022/securing-remote-access-in-higher-ed

35:53
Bob Landon from Huntington University in IN

36:23
Michael from Southwestern Oregon Community College.

37:14
Thank you for joining us everyone! Please use the chat to share comments and ask questions throughout the discussion.

37:37
Be sure to select “Everyone” from the chat dropdown so we can see your comments!

40:04
Hello to everyone who’s just joining us! Please use the chat to introduce yourself, ask questions, and make comments. Be sure to select “Everyone” from the dropdown so we can see your comments.

40:53
Jenny Olson from Highline College

42:40
Heather joining from CA where we’re hoping for some of the precipitation you guys on the east coast are seeing. Stay warm everyone btw!

42:43
We’re seeing compromises of student accounts which are based on M365, so compromised accounts have e-mail access to the entire 20K student body.

43:46
Glad to see folks from around the country (and world!). Excellent to see representation from as far as Belgium and Trinidad!

46:16
Ken Jandes, VP, College Support Services, from American College of Education

46:22
@marlon Thanks for sharing. Sorry to hear about your compromised student accounts. The speakers will be discussing possible solutions. Please let me know if your concerns are not addressed.

47:48
Thank you to everyone who’s just joining us! Please use the chat to introduce yourself, ask questions, and make comments. Be sure to select “Everyone” from the dropdown so we can see your comments.

48:26
the number has not been defined yet.

48:31
Is the nature of the question “IT workforce” or “all fac/staff”?

48:44
Hello from Canada! Marie here, CIO Queen's University. Great pres so far. A lot to relate to.

49:07
Are we counting Faculty?

49:16
@glenn This refers to all faculty / staff

49:48
OK, missed my window. I’m probably in one of the bottom two buckets.

50:03
Thanks Glenn

50:40
Aren't we missing a large portion of the actual demographic for who the threat comes from on a university network? It should be staff, faculty, and students.

51:44
How do you combat securing personal "BYOD" devices without taking ownership of the device?

52:01
@donald this is the topic of this webinar

52:18
you don't have to secure the device if you deliver a secure virtual desktop

52:28
@Bob. Agreed but we’re told the answer is education and training. So you would think that the people whose job it is to teach would be predisposed to learn :-)

52:31
I'm just getting ahead of myself

53:27
I’m excited too, Donald. 😁

56:42
Bob is absolutely correct, IMHO. BYOD adds risk and extends the perimeter.

57:36
You make the point that one of the criteria of a Zero Trust “allow/deny” calculus might include “what IP are they coming from”? What do you make of the train of arguments “perimeter security is dead/kill your VPN/don’t tie trust to source IP at all” that seem to be some folks’ entire concept of Zero Trust?

57:49
This includes students for sure. I believe staff are often the higher priority, because of the types of sensitive data (eg. Financial, medical, etc.) that staff work with.

59:33
The good news is there are many ways to secure BYOD devices. One of the easiest may be using virtual desktops (esp if accessed via a browser).

01:00:00
@glenn Good question - we will answer your question live.

01:01:12
Only because it submitted before I could make it 100%

01:02:57
With so many cloud and SaaS solutions in play now the perimeter is very blurred

01:04:51
Q: Is that an argument for not going single sign on?

01:06:18
@Marlon Cost for some institutions can be a challenge. TCO so support in addition to direct costs. But yes, it should be on our roadmaps or here now.

01:08:23
it's about privacy and security. sorry.

01:08:54
Yeah...both unless you aren't segmenting access based on login.

01:10:26
some VPNs have dynamic policy and are attribute based

01:10:45
OK - but of the 5 tenets you evaluated, the “kill your VPN” mantra does nothing but throw away the one tenet where you’re succeeding.

01:11:19
I really don't know about these VPN statements

01:12:30
We try to solve this problem by insisting that any endpoint that connects must have our endpoint agent installed on it. Also that no foreign VPN usage is allowed inside the perimeter. Not perfect, but it certainly helps!

01:12:49
We apply some policy to VPN sessions, e.g. contractors can VPN in but they are restricted to be able to connect to pre-authorized servers only.

01:13:27
Same here. We can tie the VPN credentials to resource access.

01:13:42
I think this is just to sell secure virtual desktops

01:13:46
lol

01:13:51
lol

01:13:52
Just to clarify, we still see value in VPNs

01:14:05
Absolutely...

01:14:22
I think Nick is just alluding to some of the VPN limitations

01:15:15
lol...

01:15:19
I take the point that Zero Trust is a goal and a journey, not a destination; but many notional adherents of Zero trust - some involved in network planning - seem to think it means reduce everything to the lowest common denominator. I get the idea that many have cherry-picked the notion of Zero Trust for making things more convenient, not more secure.

01:15:31
We do believe browser based access to a virtual desktop helps reduce the perimeter and reduce risk significantly

01:15:49
Remember the environment actually dictates the approach, not IT or Security teams. In many cases our Bursary plays a significant part.

01:15:56
yeah...if you talk about the security of the endpoint then I get it

01:16:04
Agreed

01:16:34
what's to stop the "Secure Virtual Desktop" endpoint from being compromised? Perhaps it relies on a daily reset of the machine?

01:16:39
We definitely agree more work is required (eg. Defining access permissions to particular applications and data, for example) for a full Zero Trust environment

01:17:00
@John Great question - I will ask the speakers to address this

01:18:04
Defense in depth!

01:18:13
Thank you, Anthony.

01:18:17
the secure virtual desktop is within your network/datacenter. if it becomes compromised .. you've got bigger problems than who is using it.

01:18:35
This brings to mind my credit card company that somehow differentiates legitimate use from suspicious activity, even when I travel overseas.

01:18:41
@Matt didn't they say it's in the cloud?

01:19:16
@matt John is correct. The Apporto solution is in the cloud.

01:19:58
We actually monitor things like changes in IP address within an impossible amount of time. Also unusual activity for a user. Definitely a layered defense approach

01:20:10
The biggest pushback we've seen from Secure Virtual Desktops is that they're often not useful for what folks need to do. To create a template that is useful takes more resources than we have available.

01:20:19
The good news is if a cloud server is compromised, and your staff/students are accessing the virtual desktop via a browser, the compromise will not find its way back to the user’s device

01:20:28
It becomes our problem vs. yours ;)

01:21:06
And, browsers and cloud servers are backed by a lot of security (from Google, Amazon, MS, etc.)

01:22:15
In addition to ongoing scanning, monitoring, and patching on our end

01:22:34
So the "Secure Virtual Desktop" needs to be configured to prevent any data transfer to the user's personal machine.

01:22:36
We appreciate your feedback! As we continue with our session, please take note of our brief session evaluation and fill it out before leaving the online room today: https://survey.alchemer.com/s3/6725758/IC2203

01:22:41
if you define your environment (data center, servers, etc.) to include cloud or hybrid, vs on-prem, it's still your environment to control.

01:23:28
Thank you, Heather.

01:23:33
@matt Correct, we need to protect our environment. The browser provides a “barrier” to protect your devices from our environment though.

01:23:44
@kevin we deliver the virtual desktop in the browser - not using a client or VPN

01:23:48
virtual desktops are like watching an interactive TV. the screen is presented to the end user device, everything is processed in the data center or cloud infra

01:24:00
@matt Also, you are absolutely correct the hybrid and on-prem are a different story.

01:24:15
@Athena - your bank must have a much better security company than mine. Weekly gets it wrong -- from blocking my legitimate attempts to use debit card for smaller purchases, to letting strangers in another state have my money. Most frustrating is when they block my account completely -- always on a Friday. Our faculty would not put up with that type of inconvenience.

01:26:37
@John Agreed, the "Secure Virtual Desktop" needs to be configured to prevent any data transfer to the user's personal machine.

01:27:27
There may be multiple ways to address this. We provide tools to ensure data is not downloaded to the user’s device, for example.

01:28:06
@kevin, we are adding technology to be able to identify who leaked the data - a watermark - more details later

01:28:10
You should probably amend that to "accidental data leakage". If someone has access to data, it can be leaked intentionally no matter what security you put in place.

01:28:33
Watermarks are a good idea

01:29:05
@matt You’re exactly right. Virtual Desktops are like watching TV. We are streaming pixels to the browser. Data itself always resides in the cloud.

01:29:21
yep

01:29:40
@bob We are currently working on watermarks 😊 Stay tuned for this coming very soon!

01:30:40
@heather, if it's just pixels streaming, why do we need to stick to browser-based vs agent-based. is agent-based more risky?

01:31:20
@stephany Can you elaborate

01:31:49
You mentioned the biggest pushback we've seen from Secure Virtual Desktops is that they're often not useful for what folks need to do. To create a template that is useful takes more resources than we have available.

01:33:19
Appreciate the distinction, Nick. Thanks for clarifying.

01:33:40
Is there a standard/recommended length of time (30 days, 7 days, etc.) for two-factor authentication to various systems to "remember my device" without annoying users?

01:33:42
agent based is more difficult to manage (software on the end device) but you get more functionality from it.

01:34:10
@Stephany Something we have experience with is virtualizing a wide variety of applications - over 200 different applications. (Higher ed throws every type of software at us from the very common MS and Adobe apps all the way down to 3D chemistry visualization apps, music editing, architecture tools, etc.). Is there something specific you are thinking of?

01:34:50
desktops can be configured for most use cases that you can plan for. It takes time, but you can manage them centrally, deploy changes universally, and everyone (in a use case) can get the same experience

01:34:57
This was an outstanding webinar, thank you so much!

01:35:01
^virtual desktops

01:35:15
Oops. Antony, please accept an apology for misspelling your name.

01:35:18
Thank you for your participation! Before leaving, please don’t forget to fill out our evaluation: https://survey.alchemer.com/s3/6725758/IC2203

01:35:30
@matt, is there more risk with agent-based?

01:35:38
No worries Glenn ;)

01:36:02
Yes we believe there is more risk with agent based

01:36:16
Some agents for VDI set up a VPN

01:36:17
I would love to be able to deliver a customized template creation service! Our schools have gone the other way - standardized templates. All they do is convince people to stay away from our virtual desktops.

01:36:36
@john, there can be if it's not managed well. you can control which versions of an agent are allowed to connect, so define a policy (N-1, N-2, etc.) and set the policy to deny anything else.

01:36:40
@antony, could you explain why it's riskier to do agent-based?

01:37:17
@stephany Please feel free to reach out to me (heather@apporto.com) if you’d like a quick demo of how to set up templates (customized desktops). This is as easy as a list with checkboxes 🙂

01:37:31
@John I will answer live

01:38:06
@heather - I'll see if I can convince our folks to talk to you.

01:38:28
I don't see a reason why a VDI app would require a VPN. I wouldn't design a solution that way.

01:38:43
@matt, VDI doesn't require VPN

01:39:08
@geby Thank you!

01:39:18
@Rhonda that was someone else's comment. I was stating my disagreement.

01:39:53
@antony, thank you for the explanation. many admins use agent-based still.

01:39:57
If you have more questions after today’s discussion, you can email them to sales@apporto.com

01:40:04
@Antony. We must not forget browser injection.

01:40:19
we do pen testing

01:40:20
Great conversation!!

01:40:24
Happy to discuss

01:40:33
Thank you.

01:40:35
Many thanks Donald!

01:40:37
Thank you all!!

01:40:38
Thank you. Very nice presentation.

01:40:47
Thanks Kevin and Edith too 🙂

01:40:52
Thank you all.

01:40:54
And Jorge !

01:40:54
Thanks all

01:40:57
Thank you. I loved hearing everyone's view points.

01:41:01
Thanks everyone

01:41:02
Thank you!

01:41:02
Thank You

01:41:12
Recordings and resources from this session will be available on the EDUCAUSE event archive page: https://events.educause.edu/webinar/2022/securing-remote-access-in-higher-ed

01:41:13
Great discussion !!!

01:41:19
Please make sure to check out our next webinar on March 2nd at 1pm ET to hear about “Wheaton College Revolutionizes Student Learning.” https://events.educause.edu/webinar/2022/wheaton-college-revolutionizes-student-learning

01:41:23
Thanks, have a good one!