Using remote access, and the U's new VPN, responsibly
This article is part of a series about the University of Utah’s information technology and IT security policies. Read last month’s article: IT security training, awareness efforts strengthen the U — and you
With the University of Utah and University of Utah Health virtual private network (VPN) consolidation project underway, as well as continued on- and off-site work and instruction, understanding and following the university’s Remote Access Rule may be more important now than ever.
Rule 4-004H: Remote Access outlines the requirements and responsibilities that U students, faculty, staff, and affiliates should follow to properly protect the university’s IT resources when connecting off-site to the U’s network for school or work purposes, said Ariel Baughman, data security analyst for the Information Security Office’s (ISO) Governance, Risk, & Compliance team.
Users can connect to the university network through the new Palo Alto GlobalProtect VPN, which is replacing the Cisco AnyConnect and old GlobalProtect clients. After connecting to the VPN, those who need to access other restricted IT resources or local machines may also use remote desktop protocol (RDP), secure shell (SSH), virtual desktop infrastructure (VDI), or virtual network computing (VNC).
U of U Health employees and others with specific roles may also use Citrix, which does not require a VPN connection. Although this article focuses primarily on those who should use the VPN to access the university network, the Remote Access Rule also applies to Citrix users.
Ryan Millward, senior data security analyst for ISO’s Enterprise Security group, said those who need to access restricted university resources should use the new Palo Alto GlobalProtect VPN client. The GlobalProtect VPN offers enhanced security features, including Duo Security two-factor authentication (2FA) and the ability to identify and authorize a user within a firewall policy based on Active Directory membership instead of internet protocol (IP) address. This gives greater flexibility to administrators as they no longer need to rely on an IP address for their “identity.”
“The catch, however, is that the resource must be behind a Palo Alto firewall run by UIT,” Millward said.
Additionally, GlobalProtect uses a secure, encrypted internet connection that includes university security controls like intrusion prevention devices that scan for malicious content. The VPN also provides faster speeds, more throughput, and better logging and tracking, which Millward expects will improve user experience, troubleshooting, and IT security incident management efforts.
If the VPN alone does not get you to a resource (e.g., it sits behind a departmental firewall), Millward said you should connect to the GlobalProtect client first to verify your identity, then use your preferred remote access management client (such as RDP or SSH) over that VPN connection.
“To comply with the U’s IT security policy, we encourage people to use the VPN to protect university data and resources. This also protects you,” Millward said. “After you sign in to the VPN, you can connect to the resources you need via the applicable remote access management tool.”
Whichever method you need, Baughman and Millward said you should use remote access only for business use. Additionally, you do not need the VPN or Citrix to access many of the university’s online resources (e.g., UMail, Canvas, Kronos, and Campus Information Services) that are accessible with an internet connection.
“If everything you do is in Box, Outlook (UMail), Teams, and those systems, then you don't need to connect to the VPN or Citrix,” Millward said. “If you cannot connect externally to the resources, you should use the VPN or Citrix, and we ask you to use them responsibly.”
The best and easiest way to comply with the rule, and to use remote access responsibly, is to use a university-owned or -managed device, Baughman and Millward said. University devices come with antivirus and anti-malware software to protect their systems.
“If you use personal devices, you need antivirus and anti-malware software, and you need to keep them and your system up to date so you don’t connect to the U’s network with a potentially compromised system,” Millward said.
Baughman agreed, noting that personal devices should comply with all university regulations — not just the Remote Access Rule — if used for university purposes.
Some irresponsible uses include sharing your remote access connection with others, modifying the connection method to bypass the U’s security, using the connection for illegal purposes, and accessing sites where you could get a computer virus that could spread to the university network.
“All of those things will increase the university’s IT security risks,” Millward said.
Baughman and Millward said you should use remote access as if you were physically at the university, connected directly to the U’s network, because, essentially, you are. Anything you do on the university network that is negligent, irresponsible, or malicious could compromise the university, its data, and you.