Beyond Policy: How to Protect Devices You Don't Own
As mobile devices proliferate on campus, IT staff build lines of defense to secure hardware and information.
Protecting Portables
Students at the University of North Carolina Wilmington have a choice when they buy their notebook computers. They can opt to spend a few extra dollars on a license for a tracking service – or not.
Zachery Mitcham, UNCW's senior information security officer, is pretty clear about how easy the choice is: “It's a no-brainer. These tools prove themselves so many times over that we always encourage students to buy the licenses.”
The tracking tools may be proven, but if used alone they're not enough protection. Mitcham says UNCW takes a layered approach, deployed in depth, to all kinds of security issues, including those regarding portable hardware and the critical information it often carries.
“We don't count on any single security tool or strategy. So if you exploit one, others will stop you – the culprit can't target any one approach and succeed,” he explains.
With seemingly every member of the faculty, staff and student body packing at least one mobile computing device, IT managers at colleges and universities increasingly wrestle with the kind of security issues UNCW faces.
Simply reminding staff and students to use safety locks and strong passwords can be an effective first line of defense. But no matter how successful an institution is at instilling good security practices, such behavior must typically be augmented with technology, says Rodney Petersen, director of the cybersecurity initiative at EDUCAUSE.
Petersen says that while good security starts with policy, most IT staffs can't rely on policy alone. He suggests using encryption and other forms of general device security, such as auto-lock and stronger password protection.
38 years: The amount of time it would take to crack a 56-bit encryption algorithm using the computing power of an average home user
12 seconds: The time it would take a U.S. intelligence agency to crack a 56-bit encryption algorithm using the computational power at its disposal
Source: MyCrypto.net
“Colleges have an extra challenge in that they're often trying to protect mobile devices owned by individual students or faculty,” Petersen says. “They don't have a lot of control at the point of purchase.”
UNCW's security strategy starts with Absolute Software's Computrace LoJack for Laptops, included with the mobile computers that the university offers through its discount program. The university urges students to purchase the LoJack for Laptops license or to use another tracking tool.
LoJack for Laptops, like other tracing services, embeds a software agent on the device that communicates with a monitoring center if the hardware is missing. The agent offers information about the physical location of the computer and network traffic in and out of the machine. Depending on the version installed, tracking software also makes it possible to remotely lock down the missing device and delete sensitive information from it.
Recovering stolen hardware often comes with collateral benefits, Mitcham points out.
“You often find that the thief has more than the notebook you traced,” Mitcham says. “When you recover the hardware, you're likely to recover your television and maybe some items that belong to other people.”
Smart Security
As for smartphones, encryption and password-protected access controls are musts, says Mitcham, who also recommends that users take advantage of tracing programs offered by phone manufacturers.
At College of the Holy Cross in Worcester, Mass., BlackBerry smartphones issued to staff are secured through Research in Motion's BlackBerry Enterprise Server middleware, says Becky Chickering, senior technology support specialist. The BES server delivers Secure Sockets Layer encryption and enables remote security precautions for missing phones.
“If someone calls and tells me that a device is lost, I can issue from the server either a lock or a wipe, and within seconds that phone is locked with a password, or it's erasing the contents of the device,” says Chickering. She adds that it's also important to wipe a phone clean of information before turning it in to a provider for a new model.
Encryption is also important for notebook hard drives, as is using some form of tracking software to help retrieve errant hardware, says Chickering.
Holy Cross's Senior Technical Services Engineer David Shettler says his greatest mobile security worries focus on the information on the portable devices.
“The information is the real gold – people's identities, Social Security numbers, financial information, even medical records in some departments,” says Shettler, who is also the vice president and lead developer of the Open Security Foundation.
Photo: Krissy Lukens of St. Norbert College wanted an added layer of security for the school's Flip cameras, which is why the St. Norbert logo is laser-etched on each device. (Photo credit: Shane Van Boxtel)
Holy Cross installs McAfee Endpoint Encryption software on mobile hardware owned by the college, which protects against unauthorized access to information in standard applications, including calendars, contacts and e-mail, Shettler says.
Encryption is part of Holy Cross's overall security strategy, which relies on classifying data, knowing where it's located and protecting it on the move and at rest, says Shettler. Encryption is too costly to be a standard application in the college's student notebook program, but the school encourages policies to protect mobile devices from loss.
“The cost of the notebook or smartphone is pretty significant to a student or their parents, so we get good cooperation. But no policy is going to prevent theft entirely or mean that no one will ever leave a device on a bus or the backseat of a cab,” he says.
Tracking Apps
St. Norbert College in De Pere, Wis., also uses Computrace LoJack for Laptops on many of the notebook computers purchased by students or assigned to staff. So far, the college has not had to trace a missing machine, but uses the software agent to track which applications are installed on college-owned notebooks, says Microcomputer Support Specialist Chris Brown.
The college is also implementing encryption on a limited number of devices, weighing the security benefits against some loss of performance, Brown says.
Unlike LoJack, which has no learning curve for users, encryption also requires an extra password, making the technology a little less convenient to use, Brown says.
“I'm sure people will use it once they understand what's at stake when they lose a device, but it's a harder sell,” says Brown.
Raising awareness of security is a big part of the job, says Brown. Even at St. Norbert, a small college with 2,200 students situated in a peaceful lakeside community, vigilance matters.
“We try to foster a safe environment in all ways, and we want people to feel relaxed,” Brown says. “But they have to understand that a portable device is portable for somebody else, too, and there's the danger – it can walk away. You have to take some steps to protect them, whether it means cabling them to a table or just changing your password every month.”
Security almost always requires a price paid in convenience, which is particularly true with mobile devices, says Petersen of EDUCAUSE.
“We love these devices precisely because we can carry them around and use them anywhere, so it's the ultimate trade-off to give up some of that convenience,” he says.
Gartner analyst John Pescatore sees a future in which mobile device users almost exclusively consume services and information from the Internet cloud, reducing the risk of data breaches when a device is lost or stolen. For now, he recommends some basic steps to secure mobile devices.
“Enforce password policies, support and enforce the timeout function on the device, encrypt the contents, and for smartphones particularly, enable a kill switch so the device is disabled as soon as it shows up on the wireless network,” he says. “With those minimal requirements, you know the data is safe. You still have to take all the usual precautions to protect the hardware.”
Security specialists like Mitcham at UNCW will take the usual precautions and more, continuing to bolster their defense of mobile devices along with the institutionwide security they provide on their networks.
“Bad people sometimes look at universities as easy targets,” Mitcham says. “That's not the case here, and we want to keep it that way.”
Back-to-Basics Security
St. Norbert College's teacher education program takes a decidedly back-to-basics approach to securing some of its mobile devices: The college has its logo prominently laser-etched onto the Flip Video cameras it lends to apprentice teachers so they can document their work in the classroom.
Krissy Lukens, instructional technology specialist in St. Norbert's education department, says the laser etching offers a conspicuous and indelible reminder that the cameras need to be returned.
“I thought we needed a way to visually distinguish the Flip cameras owned by the college from ones students own, and make it harder for the cameras to walk,” Lukens says. “I had experience with laser etching when I worked at a public school where we etched notebooks, calculators and all sorts of things. The etching has definitely helped us keep tabs on the cameras.”
The etched logos are both more eye-catching and more permanent than asset tags, which can be peeled or scraped off a portable device, says Lukens. As the number of its portable devices increases, the education department plans to do more laser etching, but also is looking into adding a barcode scanning system, she says.
“The number of devices we use has multiplied – students check out equipment like GPS devices, scientific meters and tools, and even some robotics,” Lukens says. “The laser etching has been great for us. We'll continue with the etching, and we'll add a more electronic system as well.”