Should educational institutions require the use of password managers?


"A cyber-attack cripples Harvard University's daily activity: passwords to the university-wide course management software, Canvas, were obtained and changed in order to derail the university's day-to-day life."

"An Elevation of Privilege (EoP) attack renders Harvard University impotent as they struggle to secure campus facilities, including state-of-the-art labs, museums and resources. The attacker, known to have a political & destructive agenda, provided unlimited access to university facilities to all students. Affected facilities include the Meselson Lab of Chemical & Biological Weapons, and the Office of the President, Lawrence Bacow."

"Disgruntled high school senior, denied admission to Harvard's computer science program, steals & sells thousands of Harvard student & faculty records to pay for his MIT undergraduate education."

Understanding our threats

Educational institutions, especially those of higher education, are prime targets for cyber threats. Such institutions gain access to & create proprietary information that is extremely personal, valuable and often related to state & national security. Personally Identifiable Information (PII) of their students, research & proprietary knowledge developed by their programs, and access to & control of financial assets (endowments, grants, funding) are all typical of the types of information that an institution of higher education holds. As such, we have the responsibility to protect the institution and everyone involved with it against potential threats.

All logical measures to protect these institutions should be employed when economically feasible. The key is to both reduce unknown variables and strengthen the weakest link in a system whenever possible, so that threats are easier to spot & defend against. Password managers, such as LastPass, and authentication techniques can help reduce unknown variables in a system with multiple users by reducing the potential for weak passwords and user error. Such tools can be a great asset when protecting a system with many users, assets, and entry points.

Harvard's Kennedy School of Government (HKS) sits within the University and is related to all other Harvard Schools & Colleges, so we can analyze the security of HKS in the same way as the security of the university. Additionally, since a password manager's direct users are students and faculty, we can build our threat model around the main applications and tools these students use (the entry points for bad actors) that password managers could work with.

A quick analysis of this threat model shows us that there are many tools that students and/or faculty may use that aren't secured directly by any Harvard-controlled or Harvard-initiated system. For example: Google Docs are constantly used for group research, and access is often shared rather casually from person to person. The skill needed for a bad actor to obtain a link to a shared Google Doc containing proprietary research and student information is rather low. This type of workflow represents the weakest link, and it is created by students and faculty using everyday tools!

Suggestion
As stated, each application that is not yet secured by a Harvard-managed security protocol represents an unknown variable in our threat model and poses a potential entry point to assets. I suggest that requiring a password manager for any tool used for a school-related function will make these variables known and managed through a single source of security. Additionally, requiring two-factor authentication (a feature offered by most password managers) will further decrease the likelihood of a bad actor succeeding in accessing our data.

Governance
In order for this suggestion to be effective as intended, faculty and students must all first install LastPass (or another password manager), and then activate the application to sync with the tools they'll use for school work. Implementing such a requirement can be difficult, as there is no exhaustive list of tools that a given faculty member or student may use during their time at HKS. It's also important to note that most students will only be on campus for 1-3 years, whereas faculty may work on campus for 10 years or more.

I'd suggest first ensuring that all faculty install and use LastPass as part of their daily routines, to set a precedent for their students. Required set-up and training sessions with faculty before the start of a school year can help drive such adoption. Logging and dashboard moderation can also help administration identify faculty who don't install the product. Similar trainings and set-up sessions should then be incorporated into student orientation & pre-program workshops to ensure students have the appropriate technologies set up before school starts.

Beyond required trainings and set-up sessions, consistent reminders and nudges from various school functions (Campus Security, Faculty, Facilities) can encourage users to use password managers in conjunction with all of their productivity tools.

Reflections & Implications
From a security standpoint, requiring students and faculty to use password managers & two-factor authentication is a pivotal step in making our campus safer. From a liability perspective, we should think about the implications of making such a requirement. What if LastPass, 1Password, etc. are hacked? Are we liable for student data during such an incident? For all such events, we should be comfortable knowing that our employed tactic lowers the probability of the event happening in the first place. We should also recognize that we are responsible for any breach of data or other proprietary information & assets, regardless of the means used to protect them, and should prepare to react & compensate those affected accordingly.

In summary, the security of a university is extremely complex and multi-faceted. When we think directly about the application and effectiveness of a password manager used by students and staff, it's clear that it will simplify and structure a range of potential entry points for bad actors, thus making our institution easier to protect.