IAM Pulse Ep4

IAM Pulse Episode 4: Neumann University

On this episode of IAM Pulse, we are joined by Kushan Fonseca from Neumann University to discuss cybersecurity in education from Neumann University's perspective. We talk about cybersecurity awareness for the staff and the students, and the challenges of cybersecurity in education.

Listen to the podcast:

Spotify | Anchor.FM | Apple Podcasts

Transcript:

William Papa:

You're listening to IAM Pulse, a podcast discussing all things identity access management, from defending against cyber attacks to enhancing our overall cyber security strategy. This podcast is brought to you by BIO-key International, an innovative provider of flexible, secure access management and biometric identity solutions. We're sitting down to talk about the impact identity access management makes on you and your business.

Kimberly Johnson:

On this episode, I'm pleased to be joined by Kushan [inaudible], director of network administration and user technology at Neumann University, based out of the Philadelphia, Pennsylvania area. Hi Kushan, and thanks for joining me today.

Kushan Fonseca:

Hi Kim. Thank you for joining me today.

Kimberly Johnson:

Yeah, thanks so much. And Kushan, one thing I like to do is before we dive into the content, just give our listeners a little bit of a brief introduction about yourself and some of your background and your IT experiences.

Kushan Fonseca:

Yeah. I'm, I'm actually originally from Sri Lanka and now I'm living in the US. I'm in, I'm in the IT industry almost 15 years, seven years in corporate and close to seven years in education. I CA my I from the beginning, I started with the hardware and then moved to networking and then went to system administration and then from there to cloud, and I'm also SharePoint administrator looking at the business processing dwells in that platform. At, at, at last, my currently role is director of network administration and user technology at Neumann University.

Kimberly Johnson:

That's great. That's great. And Kushan, I just found out a, a fun fact about you, which is you currently speak three languages, is that correct?

Kushan Fonseca:

Correct. I, I just I speak Sri Lankan, I speak English and I also speak some Tamils.

Kimberly Johnson:

That's fascinating. And I then confessed to you that I, I speak English. I think that's the best I could say that we we've mastered over here on this side of the conversation. So we'll keep it flush today, right.

Kushan Fonseca:

I mean, if you keep it English, that will be comfortable to me too.

Kimberly Johnson:

Okay. And so Kushan, great background seems like, you know, you've done the hardware, software, cloud, SharePoint. I know you've gotten invested into, you know, the Microsoft suite and products. Now looking at Neumann help our listeners understand a little bit about the IT team that you manage and a little bit more of the structure of IT at Neumann.

Kushan Fonseca:

Yeah. So a new pneumo as a Neumann doesn't have a big IT team. So Neumann co my overall team will be like 10 10 members. They're, they're break into a two section. We have three members in network security and administration side, and the rest of the folks will be leading on the help desk side and helping the end user perspective. Mainly their the day-to-day business will be helping the users and helping answering the questions in the IT field. And our, in my team, mainly I work with the network team to talk about day-to-day security what's happening, how is our backups and infrastructure is not a lot big. So but the more productive I can see this more, if it's a bigger team it's will be less productive, but with the small team, I'm very productive with my team.

Kimberly Johnson:

Lot done with a small power team. Right. Is, is what, yep. And then how about you know, one of the things I'm always curious about is who then you report to, or who runs your IT department, is it a CIO, or do you have a chief information security officer at Neumann?

Kushan Fonseca:

We do not have a chief security officer currently I have a coworker, John [inaudible], who's working with me head to head with the security perspective. Me and him run security very tight at Neumann. I am actually I'm reporting to a CIO about me and that's, that's our IT department, so that that's where we are. Right.

Kimberly Johnson:

Okay. Yeah. And I, I, you know, curious because a lot of education institutions out there don't have the dedicated CSO role. So always, always good to hear and, and everybody listening and if they have it or not. So interesting structure. And so

Kushan Fonseca:

I'm sorry, I don't want to interrupt, but the, the benefit that wa what I'm getting to is having, seeing all the perspective is very beneficial to me and my team to make proper decisions. So being being a, I'm wearing a security hat, the networking, the infrastructure, the help desk that helped actually to make the best decisions.

Kimberly Johnson:

That's a great, yeah, that's actually a great point where, you know, actually in the commercial space or other industry, especially with large IT teams, I have heard conflicting priorities between IT and IT security. Right. You'll hear that a lot where a CISO may want something, but CIO has other priorities that aren't security focused. Yeah. So that's a great point that you do, you have kind of the, the entire bird's eye view, I guess, as we would call it and Kushan. So, you know, you and I spoke a little while ago and, and since then we just did a white paper and some research on cyber attacks, specifically, you know, a lot of ransomware and phishing that are really going after the education sector. You know, you're, you're boots on the ground, you're in it all the time. How do you perceive that threat, you know, on the education sector and does that at all concern you enough and change your IT priorities at Neumann?

Kushan Fonseca:

It does concern. I mean, if you're talking about security, it concerned every second of every second. And actually we, as a, if it's an education industry, if we re carried a lot of common things like the school system and and also what application Word, Excel, PowerPoint platforms, and they own individual LMS systems. And there are many, many systems they're using here and there, it can be more complicated when it come to handling the security on those applications. So that's been focused. You need to take a look at the big picture recent attacks and account compromising phishing and the threats that all actually come can be like a headache, too many IT leaders. My, my focus is putting all into two, one thinking pattern to see where, where this all happening, we can, I mean, today's the phishing attack you need to, you need to struggle with educating your members, like, especially in education world, you can see like students, most of the educations, I'm, I'm pretty sure the students are way advanced and your faculty and staff.

Kushan Fonseca:

So you have to focus on where you weak weaknesses are, so we can continue educating the faculty staff will be very helpful to them as well as you need to protect your application for using some platforms using using the common, common common security protocols. That's, that's where we've more focusing on. We have, we have a currently one product at Neumann. We currently use one product PortalGuard, that, which is, that handles all our password headaches. Also it handles our application headaches. So most of the ransomware phishing attack or account compromise happening in the account level using a product that routine rely on all those areas will help to help to anybody, to, to protect your application and your environment.

Kimberly Johnson:

And I, yeah, that's, it's interesting. So have the technology side on protecting applications and the, the research that we had come out the cybersecurity awareness is interesting, right? Because it's pretty low in a lot of categories. And I would say, you know, this is probably one of the first times where, especially with COVID and now we're all sitting at home and that's where we do our work. I'm now seeing ads for cybersecurity, which, you know, we didn't, I don't think we saw on TV very often before. And I find it, I love the saying you're, you're pointing out too, that students now are probably more cyber aware than your faculty and staff, right. Is that, that's kind of what I'm hearing you say. Okay.

Kushan Fonseca:

Yeah. That, that absolutely. Because if you provide a new technology to students, Hey, we are using two factor authentication. They're going to say, Oh, no problem. We go to use it. But if you're talking to your faculty and staff member, we using two factor authentication, they will ask you what that is. Oh, don't make my password more complicated as it is right now.

Kimberly Johnson:

I know it's kind of like yeah, I can imagine the faculty and staff might be the ones that do the classic, you know, Oh, I, I have them stored in a safe file. It's like, well, what's the file name passwords dot doc, you know, you know, that may not be or writing them down or other things like that. So, yeah, that's, that's what we heard. And so you mentioned what would you say the top attacks are that, that you're most concerned with? I heard ransomware is that of a, a top concern?

Kushan Fonseca:

Ransomware. We, we pretty much, we have application control in place with the with Microsoft product. We use AppLocker. And also we monitor from our firewall, which, which who installing and what, who has our permission to install the application. Who's allowed to even launch the application. But that's the ransomware side. And also using phishing attack. The account compromise is the bigger headache that we we're dealing free recently dealing with the account compromise to prevent that we need to tackle all the system like a single sign on and using modify multifactor authentication, using some authentication method actually will help us to do that help us to eliminate those phishing attack and account compromising.

Kimberly Johnson:

Yeah. I have a kind of funny follow on question for you. So is the goal to prevent a phishing attack or is it to prevent the spread of a phishing attack?

Kushan Fonseca:

I've I think every leaders will try to prevent that first and mandating that. It's I think that's our main goal, but starting with eliminating, those will be the starting point, which my, what I thinking. Yeah. Yeah. I think that's, you know,

Kimberly Johnson:

That's what I've heard, you know, we always do these phishing drills and tests and, you know, try to try to trick our employees or users. And but ultimately the assumption that I've heard is that it will happen at some point. Right. So how do you stop the spread of that account compromise once it has been compromised in the first place? So

Kushan Fonseca:

Yeah, there are some, some, you know, if you're have, it depends on what type of attack it depends on what kind of threat, it depends kind of a ransomware. So I, I don't have a clear answer to that particular question, but if you look at your infrastructure, you can actually plan out to being on the cloud. I recommend the cloud very much because that's where your best buck is. And you will get more protection instead of a, you manually maintaining and maintaining and controlling in on-prem.

Kimberly Johnson:

Right, right. Yeah. There's, there's much more damage that can be done if you have everything on premise and going to the, actually the cloud that was one of my other, you know, sides of the question in terms of the dynamics that we're seeing in education you know, the rapid adoption of new technology and cloud services to really support that shift to the remote learning that we saw as a result of the pandemic and continue to see, right. It's not something that's. Did you also have that rapid expansion and need for new technology at Neumann and how did that change or impact any of your IT and IT security priorities?

Kushan Fonseca:

Absolutely. Yeah, that's, that's a bigger change to us. Even even before pandemic, we had the conversations, Hey, we would like to move to the cloud, but it wasn't that much like a financial offices, like they wanna, they don't want to technically mainly IT budget run by CapEx, not like operational budget OpEx. So they are more, more of a, like, you know, dragging their feet to go into the cloud, or that's going to be operations going to be X. So then the dependent that Medicaid actually changed their mind. Now we need to be there and they re they know the security risk, and we at Neumann our finite CFO actually decide to invest money on going to the cloud actually give us a big boost and that's a, that's a financial point, but in the IT point, we actually have to think about all our applications, what applications we use, what applications we we have with the each platform we currently using Microsoft Azure and nothing wrong with the AWS and Google cloud, if you're in that platforms.

Kushan Fonseca:

If you but mainly the challenge we had at Neumann, how are we moving this application to the cloud and how we maintaining our security when you moving to the cloud, do we have to use their authentication or protocols that we, if we move to the cloud? So you, you, you might re, you might facing a lot of security issues and you have to change the way you think about the security when you move into the cloud with that overall I, my, my vision at Neumann is I don't want to, I want her to increase the security if I move to the cloud. So some of the challenge we had with some application is you have to decrease the security, but it's in the cloud, but then you, what you're going to do with the, all the, how to protecting it.

Kushan Fonseca:

So having a team member that has that knowledge with it, without breaking that security to be on the cloud is very helpful. Like my, my, my coworker John Krasinski is he's actually a great on looking on those security holes when you're moving applications and you don't want to break you, you still need to maintain your student records, his student profiles, and as well as the their authentication model and with some we have currently we are using a PortalGuard. And with that product, we, we did not have to we didn't have to change any, any authentications. We maintain all the security, the, exactly where it is, is tight. And we add some extra layer of security top on it by using Azure proxy to provide, provide a better protection to the application.

Kimberly Johnson:

Interesting. Yeah. And I, I love that saying that you have to think about security differently in the cloud, right? It, it produces new challenges. It produces also some, you know, cost savings and productivity savings, but it is a different situation altogether that you have to think through. And the nuances of it, just out of curiosity, when the CFO, you know, said, okay, we really need to move to the cloud. And obviously in a, I would assume a rapid timeframe was security at the table in the conversations to do that. Or was it brought to you, you, you and your team after the decision was made?

Kushan Fonseca:

I think with my, especially with my CFO security, wasn't his main concern. The more concern about him is the flexibility that he, what he is trying to get because we have saving the, his moral whole mission is to how to save the cost. I get his point and also if, as it, it being IT field for 15 years, I understand how important the security is. With his vision, we were, after we moved to the cloud, we able to move all the on-prem servers off to the cloud. And we have our security server our firewalls also on the cloud as well. That helped to eliminate some over costs, like a air conditioning on the server room. We don't have to spend a lot of money on the devices. God reduced the power from them, the heat it's good for the eco ecosystem, as of right now at Neumann.

Kushan Fonseca:

And also the, the more for my team is a less maintaining. So we don't go touch the the servers to maintain itself updating. And all we have to do is just to keep up with the technology. It's not easy, but it's a, it's a great challenge and which my team is very adapting to that model right now. It's, it's as of as a, as a, for old person, like in being 50 years ago, or 10, five years ago, 10 years ago, we do not have, we did everything on-prem. But at that thing to this ongoing changes, you just need to keep focused on what you, what you need to do. And you know, what's coming with the security, what are the new features, how we can integrate that to our existing system, how we can adapt that to the user. So that's, that's my that's my main, main, the goal with, as of right now with my team, is to let them, Hey the Azure cloud is rapidly changing and adding more system and adding more things to their product. So let's keep up with this and and let that way, we will be head over the security. We will be able to integrate those new system with our products and so forth.

Kimberly Johnson:

Hmm. Yeah. So new, new challenges, new overhead on your team, but at least what I've heard argued is, is potentially more effective and more impactful, right. Versus patching vulnerabilities and maintaining server rooms and, you know, balancing the costs of that. You're now staying kind of on that leading edge of the security that's available and readily available, right? From the cloud perspective.

Kushan Fonseca:

Yes. Yes. Actually, especially if you have Exchange server recently, you probably heard everybody heard about this Exchange vulnerabilities you're on-prem. I highly recommend to move to the Microsoft cloud or any, any cloud, if you want to, based on the, what you have re we have Exchange. So we, we, we had like a hybrid module, so nothing wrong with the hybrid module too, but there are some, some challenges you will face with the hybrid module is some of the things you're trying to in hybrid, you cannot do it because it's only available in cloud. So those challenges you will face daily basis. So nothing new. And that means the, Oh, that's in, I have to use the cloud. I cannot use the hybrid, or then you completely down. So don't think like that, but you, you, if you look at the big picture in any cloud provider, they're always focused on mainly the hybrid module, and then you, it will provide you a step to be in the cloud module.

Kushan Fonseca:

That's that's what they doing. If you in the example world just to give you the full picture, what kind of a challenge we faced with the going to cloud is having a DNS server in the cloud mentioned we cannot, some of the product we have in a cloud. We cannot use our on-prem DNS. We need to have a cloud domain services. So when we'd really need a domain services, can we integrate our application with the, in this example, our printing application, universal printing, we try to implement that. So we, because of the hybrid module module, we faced so many issues that we cannot be in the cloud, but definitely we thought about, okay, of course it will cost more money to little bit money to be on Azure domain services. And we spend that, but we reduced the money by eliminating 10, 15 printers. So you have to really think about the big picture way you will use, you need to spend money to save money. That's my whole thing about high hybrid modules. So it's, it's all about how do you look at the picture and which direction,

Kimberly Johnson:

Right. Right. Was that the pitch to the CFO? We have to spend money too.

Kushan Fonseca:

I think more of a CFO. I don't know that that just came from me. I, it,

Kimberly Johnson:

Yeah. And I think that, you know, you make a great point too. That's why we don't say, you know, just jump to the cloud, it's called a cloud migration. Right. Because it, it definitely doesn't happen overnight. Yeah

Kushan Fonseca:

Know, so I, I'm sorry. I have to say that my CFO is very good with the financial too, as you know, when, when he's, he's he giving me food, food, flexibility, that's, that's the one benefit I am having. Like you, you can educate your, your CFO and, you know, financial officers to be like, Hey, I understand you were concerned about the money, but this is what we can do. Actually. You need to show them a picture. Like if you, if you didn't show them a picture because they don't have a technology background, show them and teach them. If you spending money over here. Now this is where you saving money. So you always have to look at the other side, you cannot just as a director, I cannot look at the, Oh, we need to be in the security. We need to, if you do something, show them here's the end result. Right. Right. And I

Kimberly Johnson:

Think, you know, last time we talked you know, I called it geek speak, which, you know, maybe somebody likes somebody doesn't. But that's a lot of times why IT has a hard time communicating to the business to say, no, no, this is the business value that it will bring us. Right. If you just tell them, Hey, we can't be on a cloud based DNS and we need to move to Azure. It's like, you're speaking one of the other languages. Right. It just doesn't compute for the business side. So I remember you putting that. That's a great tip for people that are listening in. And Kushan, so just, you know, we've talked about risks. We've talked about technology adoption and changes. How about anything more specific to IAM. So I I'm, you know, I always think of kind of three relative areas, you know, multi-factor authentication single sign on and, and self-service password reset, anything. High-Level there that are key projects as you move into this year, or even into the next few years that you think are critical for Neumann.

Kushan Fonseca:

Yeah, absolutely. That was the, one of the critical stage when I started at Neumann we had three student and faculties are using three for password and three to get into each system. So that was the, one of the biggest thing we need. We have biggest challenge. We had to, how we can condense and how we can provide one username and password. This is almost four or five years ago. And then, then at the same time, the time pass, we had a we had a security breach a couple of years ago about, you know, giving the student, giving the username and password to some students. So that's another issue with active field. We we, even though every semester, everyone, every semester start, we have like a whole line of students are rating and change to change the password.

Kushan Fonseca:

That's kind of an extra manpower right there that we have to deal with. This is all five, five years ago. When I, when I, when I look it up and when I start at Neumann, and that was one of my challenge, how can I get rid of her this whole big line of student waiting on each semester to get the password at the same time, I have to think about how can I bring in all the applications they access to the Neumann two into one place. And then from there, that's my first two goal. And then I have to think about how can I provide the two factor authentication, user validation and and so forth. So that, that was the, one of the identity access management that, that we have right now is PortalGuard help to do that because it, it, it's a single glass of single sign-on and a self service password reset.

Kushan Fonseca:

We are no longer have to students or faculty don't longer have to call to the help desk and change their password. And if they call by accidentally, they don't, they, you know they have the phone, they don't have that cell phone number anymore, but they can call the help desk and to change the password. And we have a user validation method using that platform. And that's not staying there, but beyond within that platform, we can go for a two factor authentication. We can do a validation that helped us to eliminate the account compromise that help us to having credential or identity going to the hacker's info into hackers hand. And that, that helped us big time. Neumann actually that's where we are right now. And also giving, finding a product like a PortalGuard will help to, to go away.

Kushan Fonseca:

You want it to go, does that help us, especially in human, doesn't matter, you moving to the cloud, you a hybrid that solution is fit right into that module. So that, that kind of took off my overhead overhead headache that, Oh, if we move to the cloud, how can we still maintain and manage our IAM? So that's kind of, that's kind of a, kind of a luck, high case I can, I can say, but it's it's finding your right tools to to accomplish what you want to do. And seeing the bigger picture to the future will help down the road. So students are very happy with the single sign on. They only have one password and hackers are probably sad because we are asking other teaching to they to a secondary email address and a phone number before they log in every three months.

Kushan Fonseca:

And being effective, able to implement multifactor authentication using that platform is the another, not the benefit to us. Actually, we are in the middle of doing that as of right now. You can do it on a couple of different ways, the multifactor authentication taking off the end-user the, the comfortable level like Oh, I have to log into every time I have to look at my phone or I have to get an authentication code. That's kind of a, kind of a breaking point for them. But what we did is as we are implementing as of right now, if you're on campus, we will not ask you to do the two factor authentication, but you off campus, if you're not on a campus network, you are required to do the two factor authentication. So the giving you, you have to look at the user side as well as the security that's was the, one of the biggest challenge in, in any industry with the education, having a single sign-on. And so Pat self password reset is you to concern that it as your number one priority. Yeah.

Kimberly Johnson:

Yeah. That's a great point. I think I'm so happy to hear you're doing kind of that contextual based, right? Like on campus, off campus. I think, you know, that's also kind of that future where it's not just the factors that are provided, but it's actually getting into the context or the behavioral data you know, around the, the access. You know, but yeah, that's, that's why I've always thought IAM kind of this three legged stool. Right. And as we always say, without one of them, it doesn't really work so well, so you kind of have to have all pieces.

Kushan Fonseca:

And also I have to mention that if you're like we have as of right now, most of the, or the campus they're using key at the dormitories. So we are actually looking into a way that, how we can replace that key from each student. So that way, using the cards, SWAT, and using the biometrical technology at Neumann as well. So we are stepping into it's, it's not easy especially in education. They always look like why, how is that going to be a convenience? Yes, of course, it's, it's going to be a convenience. And because students, more students are more like to have that comfort level. So if you using your fingerprint, getting into a dorm room, I think they will be low. They can be more appreciated. They can be more happy with that.

Kimberly Johnson:

And on the security side, they can't, they can't necessarily share their fingerprint, which is also great your team. And Kushan so just you know, one final question I wanted to kind of ask you is what advice, you know, maybe just, let's just, let's just hone it down to one what's one tip that you would give other IT leaders such as yourself that are listening in from the education sector.

Kushan Fonseca:

Yeah. One advice I can give you is don't forget about the security, put the security and always your top, top topic. And when you implement a security look for a cloud, look for all the applications that you use that can be more convenience to the end user, because if you make it a more difficulty, they will not use it. So you have to, you, you have to really concern about what you're trying to do and look for all the application, look for, look for, look for every possible scenario that that can take your system can be compromised from a security level and keep the cloud to the top.

Kimberly Johnson:

Right? Right. So cloud, I love the point. Think about security always first and kind of differently in the cloud and sounds like, make it convenient. Right. I think users appreciate when security is convenient. And so, yeah, and, and so Kushan that is all the time we have for now. Thank you again for joining me to give really that firsthand perspective about what it's like to navigate cyber risk, as well as these user expectations that are really changing our cybersecurity requirements for educational institutions. You know, you've, you've really shed some light on the firsthand perspective which I know our listeners appreciate. Anyways, that wraps up today's episode of IAM Pulse. Thank you for listening to our show. If you are interested in learning more, please check out our new white paper on cybersecurity and education by visiting our resource center on [inaudible] dot com. You can join us next time to learn more about IAM and how to secure identity, the way that you want. Talk to you soon.