Ivanti Connect Secure (ICS)
A seamless, cost-effective SSL VPN solution that connects remote and mobile users on any web-enabled device to corporate resources, anytime, anywhere.
As Director of Information Security, Eric Weakland is tasked with coordinating and maintaining operations for the Information Security Unit, including the virtual private network (VPN) services. The university has hundreds of applications, both on and off premises, as well as a large physical data center, all of which require continuous monitoring to protect student, staff and faculty data from potential breaches and compromise.
Over the course of 25 years working for the university, Eric and his team have had their share of challenges in staying ahead of the security curve. Through each shift in technology, from desktops to mobile, BYOD and IoT proliferation, adopting best practices for security has required staying up to date on solutions and making prudent decisions on what to invest in and how.
With the disruptions brought by COVID-19, AU shifted its spring and fall 2020 operations to support full remote access for faculty, staff and students; all classes are online, and only select essential workers habitually come to AU’s physical campus. Faced with a sudden need to scale operations and secure access under stay-at-home mandates, Eric was able to take advantage of and implement Ivanti’s In Case of Emergency (ICE) licensing option.
Ivanti’s ICE option gives customers simple licensing for emergency activation, providing instant on-demand capacity to address dramatic peaks in usage. During ICE activation, customers can gain up to eight weeks of maximum user count per appliance and can move licenses between physical, virtual and cloud appliances in different locations.
AU uses a pair of Ivanti appliances. The test unit is off-site and is used primarily for quality assurance on new configuration changes and as a backup and disaster recovery VPN service should the main cluster and data center lose connectivity.
With thousands of records containing PII (personally identifiable information), AU maintains stringent security protocols to protect the data it is entrusted with. With students online in the thousands, accessing University resources from more than 170 countries, Eric and his team must stay one step ahead of persistent attacks that try to gain access to its community via malicious emails (phishing attacks). To help manage and reduce the compromise of passwords and credentials, they added a layer of security by implementing Duo’s multifactor authentication (MFA) with Ivanti’s VPN.
Requiring MFA has reduced the number of breached accounts used to send spam from the AU network. Having the ability to deploy an MFA solution seamlessly on the Ivanti VPN has helped neutralize the risk of stolen passwords while hardening connections to the network, further protecting AU.
One of the Ivanti Connect Secure features that gets used on a regular basis is its host checker function. As a client-side agent, it performs endpoint checks on hosts that connect to PCS. It can check hosts for endpoint properties using a variety of rule types, including rules that check for and install advanced malware protection and predefined rules that check for antivirus software, firewalls, malware, spyware, specific operating systems, third-party DLLs, ports, processes, files, registry key settings and the NetBIOS name, MAC address or certificate of the client machine.
Host checker allows users to create and customize rule sets, including different profiles based on user types (for instance, students, faculty or internal IT staff that need access to critical data). It also automatically remediates non-compliant endpoints by updating software applications that do not comply with corporate security policies.
Implementing and deploying security solutions goes beyond simply installing hardware and software. In many cases, working democratically across departments (with varying degrees of accessibility to sensitive data) requires communication and transparency when discussing user expectations. No one wants disruptions to connectivity or to be denied access to data or systems.
As such, Eric and his team have taken a “default deny” policy approach, which means unless one specifically allows something, one denies it. This approach helps prevent malicious activities and accidental leakage of traffic by restricting the traffic to only known sources and only to those protocols, ports or services that are permitted and necessary to maintain operations. Applications and endpoints are identified and used to develop sets of rules and controls to restrict access.
To help communicate and clear up perceptions about more stringent security policies like “default deny,” Eric met with campus partners to answer questions and develop consensus on security protocols. Providing users with hard data and forensics around potential Indicators of Compromise (IoCs), malicious attack patterns and general abnormal network activity laid the groundwork for cross-functional adoption without pushback.
As a private university, AU is 95% tuition-dependent, meaning investments in technology tend to lean more conservative than bleeding edge. Targeting SaaS and cloud services will allow the Enterprise Security Unit the flexibility to pay as they go and turn cloud services on or off as needed. Adopting zero trust principles, such as the principle of least privilege, allows Eric and his team to make incremental changes to their existing security policies, taking proverbial “baby steps” in their security journey. Luckily, having a partner like Ivanti provides them with the solutions, personnel and expertise to help get them there.
“There’s no reason for everybody’s desktop in their office to be reachable from Russia. So that’s why we adopted a VPN model where, as we moved applications to be better protected from the Internet at large, we could still enable our customers in a very friendly way to get access to the resources they need.”
“What I’ve been most impressed with is that it was able to scale up sixfold and still maintain a usable user experience and throughput. Man, I’m impressed!”
“I think the thing that makes my job so interesting is that I, number one, love the fact that I’m supporting a mission at a nonprofit that I can believe in: the goal of educating students while staying secure and compliant.”
- Eric Weakland, Director of Information Security