Palo Alto Networks | Security Reference Blueprint for Higher Education | White Paper
SECURITY REFERENCE BLUEPRINT FOR HIGHER EDUCATION
IT security and network teams in higher education institutions around the world must balance privacy, academic freedom, and data and network security for diverse groups of users: students, faculty, staff and third parties. They must also detect and block a rising volume of threats while ensuring high performance and availability and complying with applicable policies and regulations. The Security Reference Blueprint for Higher Education IT helps organizations protect student and staff data and intellectual property, improve uptime and availability, and prepare educational institutions to meet new and emerging technological challenges while reducing security threats.
Table of Contents
I. Security Concerns for Higher Education Institutions
II. Reference Blueprint Goals and Security Principles
III. Core Security Principles
Application and User Visibility
Virtual Segmentation
Extending Coordinated Protection to Cloud Environments and Endpoints
Private, Public and Hybrid Clouds
Advanced and Zero-Day Attack Prevention
Threat Correlation and Timely Reporting
IV. Security Reference Blueprint for Higher Education
Virtual Segmentation on Campus
Student Residences Zone
Campus Wi-Fi Zone
Endpoint Zone
PCI Zone
Special Department Zones
Data Center Zone
Securing the Data Center and Public and Private Clouds
Facilities Management Zone
Software as a Service (SaaS)
External Faculty and Staff Access
Threat Intelligence and Correlation
V. Migrating to Palo Alto Networks Next-Generation Security Platform
VI. Summary
I. SECURITY CONCERNS FOR HIGHER EDUCATION INSTITUTIONS
Campus networks have had to keep up with increasing demand for bandwidth. More connected devices, multimedia content, e-learning tools that complement traditional learning, and the collaborative nature of research all consume bandwidth, straining security services to their breaking point. The increasing use of cloud computing and SaaS applications, while increasing efficiency and productivity, has also introduced new threat vectors.
With reams of student and faculty data, payment systems, health-care records and valuable intellectual property, higher education is a top target for hackers seeking monetary gain. One study puts the value of higher education data at $300 U.S. per record.1 But malicious hackers also successfully target educational institutions2 to disrupt operations and extract a ransom.
Many educational institutions must balance academic freedom and the exchange of opinions with the need to protect their valuable research, the welfare and privacy of their students, network availability, and the institution's reputation. For IT staff, this means continually monitoring the networks and their resources for cyberthreats. Navigating and monitoring this changing minefield is a difficult and time-consuming task for security teams, some of whom are attempting to repel millions of attacks per day.
An effective security strategy that incorporates key security principles can address these types of exposure and damage, while improving the visibility and control of IT teams. This paper discusses how the Palo Alto Networks Next-Generation Security Platform enables colleges and universities to implement these principles to detect and prevent threats to networks, devices and information, on premises and in the cloud, while monitoring policy effectiveness and reducing complexity and unnecessary overhead. The end goal: Efficiently manage a high-performance learning environment while protecting students, faculty and their data, and ensure ongoing compliance with policies and regulations.
II. REFERENCE BLUEPRINT GOALS AND SECURITY PRINCIPLES
This Security Reference Blueprint for Higher Education describes a security framework using the preventative capabilities of the Palo Alto Networks Next-Generation Security Platform. Using this blueprint enables education security and IT professionals to protect PII and IP data and maintain a high-performance, high-availability and safe learning environment. To do so, this blueprint can help higher education institutions:
Prevent data breaches and the loss of sensitive information.
Prevent threats to vulnerable servers and end-user devices owned by faculty, students, staff or researchers.
Maintain high availability and performance while continuously scanning for and preventing new threats.
Highlight key network infrastructure assets that require extra scrutiny in order to preserve security and prevent data leakage.
Identify best practices for network security deployment and management.
Comply with relevant organizational policies and federal and state regulations relating to financial data, personal data, proprietary or restricted research, national security and more.
The Palo Alto Networks Next-Generation Security Platform natively integrates network, cloud and endpoint security into a common architecture, offering IT teams comprehensive visibility and control. This platform approach ensures your organization can detect and prevent attacks, streamlines day-to-day operations, boosts security efficacy, and prevents threats at each stage of the attack lifecycle. https://www.paloaltonetworks.com/products/platforms.html.
Optional security subscriptions seamlessly integrate on the platform to add: protection from known and unknown threats; classification and filtering of URLs; and the ability to build logical policies based on the security posture of a user's device. https://www.paloaltonetworks.com/products/platforms/subscriptions.html.
Palo Alto Networks cloud-based or on-premises malware analysis environment, WildFire, provides dynamic analysis of suspicious content in a virtual environment to discover unknown threats, then automatically creates and enforces content-based malware protections. It also detects malicious links in email, proactively blocking access to malicious websites.
Palo Alto Networks can provide a Security Lifecycle Review that consists of a one-week analysis of your environment with a complete report at the conclusion. For more information:
Like most industries, universities and colleges must protect faculty, staff, and their computers and servers from cyberthreats. But unlike most industries, the majority of higher education network users are clients, not employees, who connect their own laptops, tablets, and smartphones to campus networks. Many institutions are evaluating how network security can protect student-owned devices, and be protected from the risks of those devices, without impacting network performance or other student satisfaction criteria.
While the cornerstone of higher education is the free exchange of opinion and ideas, this open culture makes institutions an attractive target for hackers.3 Institutions also have a responsibility to protect any patents or intellectual property discovered when collaborating with government or industry, and the welfare of their students, faculty and staff. For IT teams, this means continuous network monitoring for new threats.
There are several types of cyberthreats that impact higher education networks: opportunistic malware with no specific targeted victim; exploits of vulnerable applications; and, increasingly, targeted attacks. Using some key security principles, higher education institutions can prevent these threats, minimize network interruption or downtime, and protect against unauthorized access and leakage of sensitive data. These core security principles include:
Virtual segmentation to prevent movement of malware through the network and strengthen security posture.
Coordinated protection across endpoints, in data centers, in remote locations, at major internet gateways and in cloud locations.
Advanced prevention of zero-day and known malware attacks.
Timely reporting to enable IT, cybersecurity and intelligence professionals to coordinate actions.
Immediate and automatic sharing and distribution of threat intelligence between systems.
Application visibility and monitoring to reduce the threat footprint and assist with appropriate levels of access and capacity planning.
Subsequent sections address each of these principles in detail.
III. CORE SECURITY PRINCIPLES
Application and User Visibility
Visibility into the applications being used on the network, how often they are being used, who is using them, and how much bandwidth they are consuming helps network and