In higher education, almost anything goes with respect to devices and student access. There are virtually no controls over who can connect what types of devices to the network. To add to that, many higher education institutions have distributed campuses and systems, a combination of new and legacy network infrastructure, and diverse access requirements stemming from an amalgamation of open networks and various levels of restricted access networks for research.
Using a legacy or mixed network infrastructure means an 802.1X enforcement strategy is problematic at best. Even the legacy components that support 802.1X are not entirely compatible with each other, and some components do not support 802.1X at all.
While the college-owned endpoints are able to use agents for enhanced data gathering, the larger student-owned, Bring Your Own Device (BYOD) environment will not tolerate an agent installation. Students require connections at any time from any place, making both mobile device access and device security valid concerns. Being blind to the devices connected to the college means a third-party attacker performing perimeter reconnaissance, or worse, one who has infiltrated security using a compromised device or identity, would have essentially unfettered access. Identifying device configurations and related security policy compliance prior to allowing the device access to the educational network and resources is paramount.
Given the level of attention most students pay to device hygiene, it is imperative for security to be proactive in protecting college data and systems from compromise. One device infected with a Trojan or ransomware could impact hundreds of students, put thousands of hours of research in jeopardy, and even cause the loss of thousands to millions of dollars of research and student funding.
With a small IT staff and an even smaller IT security staff, ease of installation, configuration, and management, along with scalability, are primary concerns. The college’s combination of new and legacy infrastructure made it impossible to rely on the 802.1X protocol, and the diversity of the student device ecosystem drove the need for a wide range of device compatibility. The college also had requirements around multi-domain authentication, both with and without Lightweight Directory Access Protocol (LDAP) support.
After installing Forescout CounterACT®, the college saw significant return on investment (ROI) for both their IT department and the student body. The ability to continuously monitor devices once connected to the environment helped the college ensure that employees, students and guests were allowed only appropriate access and activities.