Universities are microcosms of society with their own digital ecosystems, making the management of identities and access rights a formidable task. With the COVID-19 pandemic thrusting the world into an unprecedented era of remote working and learning, the security boundary has significantly changed along with people's behaviours and expectations. No longer confined to a physical location, the new security boundary is the individuals associated with the university.
As the digital landscape continues to evolve, so must the approach to cybersecurity. In higher education, this new reality has led to a transformative shift in policy and strategy, where modern institutions like Flinders University are redefining the very nature of cybersecurity.
Recognising that the security perimeter is no longer the system or the location, but the person—the student, the staff member, the contractor – it has become evident that universities should now be focusing on securing people, not just places or platforms.
According to Kim Valois, the former Chief Information Security Officer at Flinders University, the university environment is an intricately complex ecosystem that involves an interplay between digital identity, cybersecurity, and the need for openness. In a recent podcast, she referred to universities as 'small cities with a vast digital infrastructure supporting a range of academic and administrative activities.'
This unique setup presents distinct challenges, especially around managing and governing access for any given user, which could have multiple personas within the university context. For example, a student may also be a staff member. When extrapolating the combinations and permutations of access across different users and an extensive mix of applications and systems without optimal Identity Security, this manifests into an access sprawl nightmare for universities.
Identity verification in a dynamic digital environment.
As universities expand their digital borders, they unintentionally create new vulnerabilities. In this digital age, where the perimeter is constantly shifting, the uniqueness of every institution's cybersecurity landscape emphasises the importance of a robust, adaptable, and agile identity security strategy.
Flinders University adopted a cloud-first identity strategy, which is key to its agility to enable people to access resources from non-traditional locations while ensuring the right people have access to the necessary resources to prevent unauthorised access. Recognising identity as an opportunity rather than a cost, the university deployed an identity security solution to save on manual labour, reduce costs through automation, and improve efficiency.
The SaaS solution removes the need to provision and maintain infrastructure software and hardware that would otherwise underpin a legacy identity platform, which was previously used. Moreover, an improved user experience with a faster, enhanced, personalised service is achieved via the SaaS platform's always-on innovation approach. Flinders University can realise these areas of value while also being able to address regulatory compliance and audit requirements.
Redefining cybersecurity by focusing on individuals as the key defence line.
This fundamental shift in perspective, from securing systems and locations to securing individuals, marks a departure from traditional cybersecurity approaches. Now, the focus is on adopting a 'least privilege' approach, granting individuals only the access rights they need to perform their tasks. This strategy eliminates unnecessary access rights and reduces potential damage from compromised accounts.
SailPoint's State of Identity in ANZ 2023 study highlights the critical need for robust identity governance. In educational services, more than 70% of respondents noted identity management as critical or essential to their organisations. Yet, despite awareness of persistent digital threats, many institutions still struggle with accountability gaps, siloed security strategies, and underdeveloped cybersecurity cultures, and the shift to hybrid work arrangements has only exacerbated pre-existing identity management challenges.
The report also emphasises the sentiment that every person with access to organisational resources now represents a security perimeter and the necessity of identity security has become business critical. Thus, a people-centric approach to cybersecurity is crucial in navigating these complexities, adapting to evolving scenarios, and meeting the unique needs of the university community without compromising user experience.
Unfortunately, there is no one-size-fits-all solution with the diverse needs and activities within a university requiring flexible and context-specific security policies. Imposing a singular security policy or a set of security controls is not practical in a complex environment like a university.
Shifting the security perimeter from places and platforms to people marks a significant evolution in strategy. As universities continue to navigate the complexities of their unique digital ecosystems, they must place identity security at the forefront of their cybersecurity strategy and focus on securing individuals, not just systems. This human-centric approach, advocating for least privilege access, zero trust framework, and flexible security policies, sets a new precedent for cybersecurity in higher education. As we move forward, it is clear our people are indeed the new security perimeter in higher education.