Remote Access is the process of accessing the university’s
administrative systems and data from networks that are not
controlled by the University at Buffalo. This policy defines the
appropriate security measures that are required for authorized
users to remotely connect to UB administrative systems.
Access to the university’s administrative systems and data
from networks that are not controlled by the university is
restricted to a prescribed multilayer security strategy to defend
against malicious attacks, unauthorized access to administrative
systems and data, and potential compromise of the remote access
device. No other means of remote access to administrative
systems will be provided.
Multi-layer Security Strategy
Remote access to UB’s administrative systems must
comply with the following requirements:
- An institutionally owned device must be securely configured,
including installation and support of the appropriate VPN software,
and token key generator software or hardware token (fob).
- A personally owned device must be securely configured,
including installation of the appropriate VPN software, and must
utilize a hardware token (fob).
- Device configuration, regardless of ownership, must comply with
the university’s recommended procedures for anti-virus,
anti-spyware, firewall and vendor security updates.
- Authorized individuals using two-factor authentication must use
the appropriate VPN software exclusively to authenticate sessions
to university administrative systems and data.
Access to university administrative systems through
non-university networks poses substantial risks to confidential
and restricted university data, and to personal information
accessible via those administrative systems. The Internet is
by design an open and insecure suite of protocols that provides
ample opportunity for surreptitious and malicious activities by
interlopers. Applying appropriate workstation
configuration procedures and standards, and implementing
multi-layer security controls will better protect university
administrative systems from hackers. Accordingly, two-factor
authentication for authorized users is necessary to ensure data
stream encryption for sessions through the Internet.
This policy is immediately applicable to the following
administrative system and data:
Institutionally or privately owned
computing device (e.g., laptop, desktop, tablet, smartphone)
capable of supporting the appropriate VPN software, token key
generation software, or utilizing a hardware token (fob) to establish
a work session to university administrative applications through
A physical device assigned to an
authorized individual used to prove the individual’s identity
Adhering to the guidelines and
practices within the UB policy for Securing
Network Connected Devices.
Virtual Private Network (VPN)
An encrypted communications channel
between the device and the university network. VPN access is
specific to the role of the individual (AdminVPN for HUB
administrative users; CITVPN for system support staff).
The Information Technology Policy Officer is responsible for the
maintenance of this policy, and for responding to questions
regarding this policy. The Chief Information Officer is the
Implementing this policy provides you with required,
multi-layered protection from malicious programs and unauthorized
access. Failure to implement these security controls may result in
the workstation being compromised and in university data and
personal protected information being placed at risk. If your machine
is compromised and it is remotely connected to the
university’s network, the university will immediately
prohibit your connection until corrective actions are taken.
Office of the CIO
517 Capen Hall
Buffalo, NY 14260