The Art of Protection
College students are, by nature, a curious bunch. They tend to be constantly (or almost constantly) connected in their personal lives, but to complete their studies, they also need campuswide access to a staggering array of hardware, software and websites.
Curiosity certainly is something colleges and universities want to encourage. And yet, such inquisitiveness presents unique, ongoing challenges for IT departments, which must walk a fine line between allowing students to explore the Internet's seemingly infinite information resources and keeping institutional data and networks safe.
The Art Center Design College relies primarily on hardware to secure PCs and thin clients at both its Tucson, Ariz., and Albuquerque, N.M., campuses. Detjen Jones, head of information technology, attributes the choice to this simple reality: With software, he and his staff can somewhat control the security of classroom and student PCs, but they have much less control over the personal devices students use to tap into the college's network.
After several years of cobbling together a client security approach using network switches, Jones' team last year decided to install two SonicWALL NSA 4500 unified threat management firewalls, which connect the two campuses via a virtual private network tunnel. Plus, says Jones, the appliances give IT staff access to advanced security features, such as tracking, monitoring, scheduling, packet filtering and automatic shutdown.
“We needed a more formal, fully featured approach” to client security, Jones says. “With the SonicWALL appliances, we can easily monitor client connections and outgoing and incoming information, blocking intrusions, viruses and threats long before they have a chance to enter our internal network.”
By creating security layers, the IT team can increase the protection it affords students accessing the college's data infrastructure, while also insulating data from tampering, Jones adds.
Protecting clients via both software and network-based tools is smart, says Eric Ogren, founder and principal analyst of the Ogren Group. “Higher education is about the only vertical where network access control has some traction, to make sure student computers have active client security before [they are allowed to connect] to the network.”
The University of Arizona could be viewed as the Art Center Design College's polar opposite in terms of student enrollment (nearly 40,000 versus 600, respectively), but the two share many of the same client security issues. UA's IT department maintains a segregated network for students' personal devices, but staff also must manage university-owned PCs and systems used by administrators, researchers, staff and students.
A recent campuswide IT risk assessment found that although most computers were running the university-mandated suite of Sophos client security tools – which includes antivirus, spyware and firewall protection – some lacked disk encryption capabilities.
“We have a lot of data that has to remain secure, and we need to find additional ways to protect it,” says Cathy Bates, the university's information security officer. “We think the best way to do that is through encryption.”
Bates' team is planning to upgrade to Sophos' latest Endpoint Security and Data Protection suite, which offers device control, network access control, encryption and real-time access to the SophosLabs database of compromised sites to avoid, as well as antivirus and malware protection. The university hasn't yet decided which elements of the suite it will use, however.
The IT staff also are researching standalone full and partial disk encryption tools.
Regardless of the path UA chooses, Bates believes products are just one component of the overall client security equation. Old-fashioned education is equally important, she says.
“We have more than 250 independent security liaisons who work with academic and administrative units to get the word out about security,” Bates says. “That includes monthly security newsletters and coordinated risk assessments, as well as other methods of campuswide security education.”
Together – Forever
A comprehensive approach to client security uses both software on the client side and tools on the network side. Here's what to look for:
- A software-based endpoint security suite that comprises data and threat protection (antimalware and antispyware, for example), unified threat management and administration, and content and policy-based assessment and controls (manufacturers include Symantec, McAfee, Sophos and Trend Micro)
- Software-based hard disk encryption (GuardianEdge Technologies and PGP)
- Network access control (available from every network vendor)
- Network security appliances (Fortinet, SonicWALL and WatchGuard Technologies)
- Firewall (a multitude of software and hardware options available)