Re: Personal VPN Policy Accessing University Applications

["Kimmitt, Jonathan" <jonathan-kimmitt () UTULSA EDU>]

We allow, and in some cases encourage, personal VPN’s especially since our current on campus vpn is setup as a split 
tunnel.

There are cases where MS ATP will see traffic as impossible travel, unusual login location, etc., but our conditional 
access is setup to force a MFA at that point…..  so its not a huge issue…..

When we enabled MFA for everyone a few months ago, we also removed most of our country restrictions, and relied on MFA 
to help restrict access.  We are seeing significantly less unauthorized usage since MFA, while decreasing help desk 
workload for troubleshooting students that were trying to access resources in restricted countries….

Is it perfect?  Absolutely not, but it has shown to help with many of the problem we were seeing.

As for our users that use personal vpn’s, we’ve gotten to where we recognize many of them as we are looking through the 
alerts, so if it comes from a normal range of ip’s, and mfa was successful, we clear the alert and continue looking…..

-Jonathan


~
Jonathan Kimmitt
CISSP, FIP, CDPSE, CIPP/E, CIPM,
CIPT, GPEN, GSNA, PCIP, CEH
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Theodore J. August
Sent: Tuesday, October 6, 2020 9:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Personal VPN Policy Accessing University Applications

Hello all,

I was just wondering how other higher-ed institutions handle users who access applications using personal VPN services 
such as Express VPN, Cyberghost, etc?  We’re seeing an overall increase in the use of these services, especially on 
mobile devices, from students.  While we appreciate the heightened awareness of privacy and security that members of 
our community are displaying by using these services, it’s also causing lots of false positives for intrusions in a 
number of our detection systems, for obvious reasons.  Right now we handle these on a case-by-case basis, but that’s 
starting to become overwhelming, and we would love to come up with a blanket policy we can socialize to our end-users. 
I’m hesitant to ban them outright, but the anonymous nature of these services makes it extremely hard to filter out 
legitimate use from malicious use.

Thanks in advance for your feedback, and thank you to everyone who participates in this list – it’s enlightening and 
educational to read all the posts whenever I have the time to check-in and catch up!

Sincerely,

--
Ted August
Assistant Director of Cybersecurity and Compliance
Office of Information Technology
Salve Regina University


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjonathan-kimmitt%40UTULSA.EDU%7C2fc860127c594f14499008d86a035442%7Cd4ff013c62b74167924f5bd93e8202d3%7C0%7C0%7C637375909810835869&sdata=bjTTALGyMZ8%2FReAKI7wcGpgEruPkjkO4mGcc1c8IenY%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community