Re: Personal VPN Policy Accessing University Applications

[Frank Barton <bartonf () HUSSON EDU>]

I think there's a difference between inbound and outbound VPNs

Inbound - "Aw heck no!" If I find one, I'm shutting it down!

Outbound, there are a number of reasons why someone might want or need to
use a VPN to reach out of the university. We have a number of faculty that
also work for one of the local hospitals, and they need to be able to VPN
into the hospital to access some of the things there (that they also need
for clinicals)

On the student side, it gets a little bit murkier. I can use the same logic
for enterprise VPNs, but the commercial VPNs I have a much harder time
justifying, as typically those are used for bypassing monitoring, and to
enable them to torrent copyrighted materials.

I don't know that there's a "good" answer

Frank

On Tue, Oct 6, 2020 at 10:26 AM Curt Kappenman <
ckappenman () andersonuniversity edu> wrote:

> I have been dealing with this same issue for a while now.  My problem has
> been coming up with a policy that doesn’t almost immediately start having
> exceptions.  I look forward to hearing what others have been able to come
> up with.
>
>
>
> *Curt Kappenman*
>
> *Security Compliance Officer / Systems Technician*
>
> 316 Boulevard, Anderson, SC 29621
>
> Phone: (864) 231-2850
>
> Help Desk: (864) 231-2457
>
> ckappenman () andersonuniversity edu
>
> www.andersonuniversity.edu
>
>
>
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Theodore J. August
> *Sent:* Tuesday, October 6, 2020 10:23 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Personal VPN Policy Accessing University
> Applications
>
>
>
> Hello all,
>
>
>
> I was just wondering how other higher-ed institutions handle users who
> access applications using personal VPN services such as Express VPN,
> Cyberghost, etc?  We’re seeing an overall increase in the use of these
> services, especially on mobile devices, from students.  While we appreciate
> the heightened awareness of privacy and security that members of our
> community are displaying by using these services, it’s also causing lots of
> false positives for intrusions in a number of our detection systems, for
> obvious reasons.  Right now we handle these on a case-by-case basis, but
> that’s starting to become overwhelming, and we would love to come up with a
> blanket policy we can socialize to our end-users. I’m hesitant to ban them
> outright, but the anonymous nature of these services makes it extremely
> hard to filter out legitimate use from malicious use.
>
>
>
> Thanks in advance for your feedback, and thank you to everyone who
> participates in this list – it’s enlightening and educational to read all
> the posts whenever I have the time to check-in and catch up!
>
>
>
> Sincerely,
>
>
>
> --
>
> Ted August
> Assistant Director of Cybersecurity and Compliance
> Office of Information Technology
> Salve Regina University
>
>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community


-- 
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community