BUSINESS: Founded in 1838, the University of Westminster is a public research university based in London, United Kingdom.
SIZE: 2500 employees
BUSINESS CHALLENGE: As a recipient of UK government funding, the University of Westminster must gain Cyber Essentials certification: a government-backed scheme that sets out baseline cybersecurity controls to protect against common threats. How could the organization gain an accurate view of vulnerabilities and end-of-life systems across more than 6,500 assets?
SOLUTION: The Enterprise TruRisk Platform and its seamlessly integrated applications: Qualys VMDR®, Qualys Patch Management and Qualys CyberSecurity Asset Management
Each year, the University of Westminster supports more than 19,000 students on its undergraduate, postgraduate and professional courses from its four campuses across London, England.
The University aims to offer its students the best learning experience by augmenting its programs with digital capabilities. In the wake of the COVID-19 pandemic, data-driven remote learning services have become increasingly important.
Thierry Delaitre, Head of IT Development at the University of Westminster, says: "All our colleges, schools, students and professional services teams rely more than ever on our digital systems. Our landscape comprises around 6,500 assets in total, including Windows, Linux and MacOS desktops and laptops, university-owned mobile devices for staff, and on-premises servers and public cloud environments. Mobile devices make up a significant portion of our estate: they account for 45% of all our endpoints.”
As departments across the University embrace a hybrid approach to learning, rising numbers of schools and students are connecting to its systems from home. The organization’s IT team aims to ensure high levels of security, even as devices and users move outside the University firewall.
"Education is one of the industries most targeted by cyber attackers, so reducing our risk is crucial,"explains Delaitre. "Because we want to bid for and receive funding from the UK government, we are now required to gain Cyber Essentials certification: a government-backed scheme that sets out baseline cybersecurity controls to protect against the most common threats."
He continues: "One of the key criteria for Cyber Essentials is that all our assets must be supported by the vendor. Even a single end-of-life asset would cause us to fail the audit, so it’s crucial for us to have a complete and accurate overview of our environment."
Why they chose Qualys:
For several years, the University of Westminster has used the Enterprise TruRisk Platform to perform small-scale ad hoc vulnerability scans of its IT systems. To help gain the necessary insights for Cyber Essentials certification and prepare for upcoming audits, the organization decided to move to Qualys VMDR® with integrated apps for asset identification and management, vulnerability management, threat detection and prioritization, and response.
"If we can’t see all the IT assets we have, we can’t effectively manage risk—so improving visibility was one of the key factors for moving to Qualys VMDR," Delaitre recalls. "We targeted real-time insight into the security status of all our on-premises and cloud assets. By deploying lightweight Qualys Cloud Agents on our systems, we get an instant overview of the operating system and software deployed across our estate, which allows us to identify and decommission end-of-life assets, even if they’re outside our firewall."
The University now includes Qualys Cloud Agents in its standard system images, which means it gets continuous vulnerability management and software versioning insights as soon as new systems are deployed.
To augment the vulnerability management process, the organization uses Qualys Patch Management—an add-on for Qualys VMDR—to facilitate the patching of more than 5,000 assets.
"To fast-track remediation efforts for Cyber Essentials certification, we’ve temporarily shifted responsibility for software patching to a dedicated team of technical security officers—empowering our IT systems team to focus on updating our operating systems," explains Delaitre. "We have a mixture of MacOS, Linux and Windows systems; managing patching for all these systems via a single pane of glass is a significant advantage."
"We’re also allowing non-security teams to use the Qualys solution to manage their systems. This is useful for our School of Computer Science and Engineering, who run their own servers for teaching and research purposes. When one of our system owners applies a patch, they can go to the Qualys dashboards to confirm that the remediation was successful."
As part of its move towards Cyber Essentials certification, the University is also using Qualys CyberSecurity Asset Management to deliver a single view of the compliance status of all its assets.
Delaitre comments: "CyberSecurity Asset Management helps us in a number of ways. Our enterprise systems team uses the dashboards to identify trending threats and determine the top priorities for the coming week or month. Crucially, the IT team can get a complete overview of all our assets—including the operating systems and software versions—in just a couple of clicks. This is a prerequisite for our compliance activities and something that we couldn’t do before."
Delaitre adds: "The support we receive from Qualys is extremely valuable. The team is always willing to jump on calls with us to answer questions and share best practices."
Since moving to VMDR, the University of Westminster is tracking improvements across a range of security metrics. By shifting from a reactive to a protective approach, the organization has reduced its average time to remediate vulnerabilities from weeks to days, a reduction of 85%.
"Qualys shows us exactly which assets and vulnerabilities are present across our environment and helps us to efficiently prioritize our remediation work," says Delaitre. "For example, using data from Patch Management has enabled us to reduce the average number of vulnerabilities per device on our Windows 10 estate by 93%—shrinking the attack surface for threats such as ransomware."
By continually scanning its on-premises and cloud platforms with VMDR, the organization gains timely, accurate insights that allow it to respond faster to zero-days.
"When we found out about the Log4Shell exploit, we immediately went to CyberSecurity Asset Management to see which of our assets had Java deployed," says Delaitre. "We quickly determined which Log4j systems were impacted by the vulnerability and took action to shut down the threat. Thanks to Qualys, it’s now much easier to answer questions such as: ‘Which assets are exposed to cyber risks?’, ‘What’s the root cause of those vulnerabilities?’, and “How can we remediate vulnerabilities quickly?’"
In extending Qualys VMDR to protect its environment from end to end, the University of Westminster has sparked a fundamental transformation in the way IT and non-IT teams think about security.
Delaitre elaborates: "To hit our Cyber Essentials goal, it’s vital that we get as many teams as possible thinking about—or actively engaged in—security activities. We’re now embedding a secure-by-design approach into core processes such as procurement, which helps ensure we have a mature device lifecycle management process in place to mitigate the risk of end-of-life assets. In the last 12 months, we’ve transformed our security culture, and the visibility we’ve gained from VMDR has played a big part in that success."
Looking ahead, the University of Westminster is confident that it has the tools to unlock Cyber Essentials certification and drive ongoing improvements to its security posture.
"We estimate that we are only months away from gaining our Cyber Essentials certification—and without a solution like Qualys VMDR, there’s no way that would have been possible," concludes Delaitre. "Security is about more than audits: it’s an ongoing process that demands constant vigilance. Through our partnership with Qualys, we’re gaining the fine-grained, real-time insights we need to protect students, colleges, schools and employees across the University of Westminster."
“Security is about more than audits: it’s an ongoing process that demands constant vigilance. Through our partnership with Qualys, we’re gaining the fine-grained, real-time insights we need to protect students, colleges, schools and employees across the University of Westminster.”
Head of IT Development, University of Westminster