Coventry University puts security at the heart of its cloud-first strategy

Universities can make juicy targets for attackers of all stripes: state-tied advanced persistent threat (APT) groups that want intellectual property (IP), criminals that want money, even the students themselves who might be looking to cause trouble. They all pose a potential threat. 

Last year 76 universities located across the world were attacked by hackers reportedly linked to Iran. In 2016 the University of Calgary was forced to pay $20,000 after a ransomware attack. In 2017 a group of students used a network of campus vending machines and light sensors to overwhelm their institution’s network.

Despite the range of threat actors, many university networks remain vulnerable. A recent penetration testing study carried out by the Higher Education Policy Institute (HEPI) and Jisc found that its researchers were able to gain access to high-value data within two hours on every single higher education network they tested.

With students now digitally native, universities need double down on serving digital services in a way that that doesn’t impact security or learning availability. 

Security in a time of digital transformation

Located Southeast of Birmingham, Coventry University educates around 30,000 students per year. Originally founded as Coventry School of Design in 1843, today it also has campuses in London and Scarborough, and is thirteenth among UK universities in the Guardian University league tables of 2019.

Like other universities, Coventry has to contend with defending the personal and financial data of its staff and students along with its valuable research data, plus ensuring availability of key services. It must also ensure that thousands of users and devices are safely connecting to campus networks. Coventry is doing all this while at the same time undergoing a digital transformation to become a cloud-first university — in secure way.

“What we do is try to be very proactive,” says Steve Humber, chief digital information officer at Coventry University. “I want to understand the types of threats that are coming towards me, the attack vectors, and how they’re changing, and whether those attacks or very real to me and therefore creates a risk.”

“For example, APT groups taking our research data — the risk of that is medium because we are not a huge research organization yet, but we have to protect our research data,” says Humber. “Organized crime looking for financial gain, are we targets there? Absolutely, because we’ve got a diverse, sometimes immature user base — our students.”

Humber and chief technology officer Stephen Booth share security responsibility within the university, with Humber taking ultimate responsibility. Prior to joining the university, Humber had various IT strategy-related roles within engineering company Rolls-Royce Holdings including within the aerospace and nuclear divisions, meaning security has never been far from his mind.

“In any company like Rolls-Royce that take part in defense or is a large manufacturing organization, you’re always a target for attacks, so security for me has always been right at the heart of what you do, and I take cyber and data protection very seriously. I want to be sector-leading in our security.”

Coventry’s digital transformation

As part of its effort to provide a better and more efficient learning experience for students, the university is undergoing a digital transformation initiative across its services internally and externally.

“I joined Coventry not just to provide core IT services and security as needed,” says Humber, “I look at my role as driving productivity within the organization, optimizing performance for back-office systems and teaching and learning systems, and really trying to unleash the potential in our group and use technology to transform where Coventry needs to get to.”

This approach sees Coventry breaking down its transformation efforts into three layers:

1. A base layer of what Humber described as “flawless IT operations — secure, efficient, guaranteed computing wrapped around good principles of IT security.”
2. A layer around using technology to drive effective business performance and transform the organization through better use of systems such as customer relationship management (CRM) and student systems of records
3. An innovation layer that looks at improving the student experience using technologies such as chatbots and predictive analytics.

To facilitate these goals, Coventry is developing a cloud-first strategy, and Humber says the institution is “explicit” about wanting to use public cloud infrastructure for as many use cases as possible. “If you’re a brand-new tech startup, you can put all your applications to the cloud almost immediately.” But most organizations, and Coventry is no exception, have to deal with a set of legacy applications that “probably are not immediately public cloud ready,” says Humber.

As part of this cloud-first strategy, the Coventry team is assessing every service the university offers and deciding which cloud hosting model – public cloud, private, or hybrid – it is best suited to and then redesigning and reengineering all of those services for that model with a security and privacy by design approach.

“Security threads through everything,” says Booth, “but it’s one of those foundational elements. If we’re going to achieve this digital transformation, security is the platform you have to have in place to build on top to do everything else.”

Keeping cloud-based learning systems available

Despite this focus on being cloud-first, that is mainly for hosting and Coventry doesn’t rely on importing pre-made services for staff or students. “We don’t outsource design,” says Humber. “If you do then you’re passing responsibilities on and you’re not accountable. We will make sure that whatever cloud provider we use, we oversee the design of services that we want to run for our students and our staff to make sure we’re happy with them. I wouldn’t outsource that, because it’s my team and I am responsible for the security, performance, and availability of the service.”

One such service is Moodle, an open-source learning management system (LMS). Moodle is Coventry’s primary teaching and learning platform and used to host and distribute learning materials and receive submissions from students. “Because it is the primary system students are interacting with, they’re using it all the time,” says Booth. “If you have a drop off in that system, that very quickly impacts the teaching and learning that you can do in the business.”

Today, Coventry’s Moodle deployment is hosted and secured by AWS, having moved to the cloud provider after a DDoS incident. “Our Moodle was externally hosted, and we had a DDoS attack that was successful. We were down for about four hours,” explains Booth. “On the back of that, we realized the hosting wasn’t sufficient.”

As part of its hosting arrangement with AWS, Coventry deployed the cloud provider’s EventShield DDoS protection product, which provides detection and automatic mitigations aimed to minimize downtime and latency caused by denial of service attacks. Since moving to AWS, the university has seen scalability-related outages eliminated and prevented any DDoS-related incidents from disrupting services.

Looking forward, Humber hopes to expand the university’s cloud-based security operations, including automatic and proactive monitoring for anomalies and then locking and blocking of accounts. “What I’d like to do is get to a position where the SOC is almost in the cloud so I can reduce the SOC down and we become the intelligence of what we need.”