Higher education IT departments adopt multilayered security strategies to defend core infrastructure and applications.
Multilayered Security Strategies
Today, with the massive influx of smartphones, tablet PCs and netbooks on campus, security officers such as Cuyahoga Community College's John Dolinar have to strike a delicate balance between keeping the network open and insulating core applications and infrastructure from security threats.
“We have little control over what devices our 40,000 students bring to school, so instead we have to focus on protecting what we own,” says Dolinar, manager of the college's Office of Safe and Secure Computing in Cleveland. Dolinar's top priorities are securing data center infrastructure, the network, and campus applications and computers for the college's 5,000 faculty and staff.
How does he get such a complex job done? By using a multilayered security strategy.
This tiered approach encompasses traditional client-based antivirus and personal firewalls, as well as layers of network-based tools. Some of the management tools he uses include content filtering with Websense's security gateway; spam and virus filtering with Symantec's Mail Security for Microsoft Exchange; and multiple devices that do log correlation and ensure visibility across the enterprise.
“Our target is less on blocking or locking down the devices, workstations and computers and more on protecting what users are accessing, such as servers, databases and storage,” Dolinar says. “For instance, all of our Internet traffic goes through the Websense web security gateway.”
He credits Websense, which was introduced last year, with a reduction in help desk support tickets. Websense filters out malicious content and lets him automatically enforce policies that dictate what devices can and cannot do on the network.
Scott Crawford, managing research director at consultancy Enterprise Management Associates, says adopting a multilayered security strategy that addresses all vulnerable network access points is an important aspect of IT security in higher education. Such a strategy must also recognize how the nature of the endpoint has changed in recent years.
“A few years back, a device-centric approach that concentrated on keeping patches up to date might have been sufficient,” he says. “But now, endpoints are becoming so diverse and distributed that securing them based on such limited legacy approaches is becoming increasingly untenable.”
Add to this the fact that students often have multiple consumer devices, such as a smartphone, a notebook or a netbook.
In light of this unpredictability, Crawford urges IT to pay attention to two important areas: access control and monitoring. He says the security technology that academic institutions invest in should help them ensure authorized use of the network and have complete visibility into the network to deal with threats as they appear.
He says e-mail filtering tools such as those from Cisco, Symantec, Trend Micro and others can go a long way toward guarding users from phishing. Web content filtering can similarly protect campus networks, while technologies such as desktop virtualization can secure IT resources in higher education by keeping them in the data center. On campus-owned systems, tools such as application whitelisting let IT managers limit systems to allowed or recognized software, which works to keep malware under control.
At Quinnipiac University in Hamden, Conn., the IT team is considering using multiple antivirus tools to handle potential zero-day attacks. “There is often a situation where one antivirus vendor is slightly ahead of another with their updates,” says Brian Kelly, the university's information security officer.
Like Dolinar, Kelly has been told to keep the network as open as possible – especially for the 6,000 students living on campus. “Being able to provide access for them is a differentiator between us and a competitor,” he says. “We want them to have access to the things they would have on their home broadband network.”
That desire has forced Kelly to segment the network into virtual LANs so that consumer activities such as Pandora and Netflix streams don't jeopardize mission-critical applications. “We definitely do a lot of network access control to make sure that we're isolating traffic,” he says.
Kelly has also placed HP TippingPoint intrusion prevention systems at ingress and egress points to monitor inbound and outbound network traffic. “They've been very helpful with identifying zero-day attacks,” he says. He uses Aruba Networks' wireless controllers to deal with role-based authentication and access to wireless networks.
The threat of zero-day attacks is also a major challenge for Link Alander, associate vice chancellor of technology services at Lone Star College System in The Woodlands, Texas.
Alander says he's put up a traditional firewall (Cisco's PIX) and cordoned off DMZs to protect the college's five main campuses, 19 satellite campuses and 90,000 students. Alander also has monitoring, traffic trending and antivirus software deployed. But he still faces an uphill battle. “What I see is that viruses are exponential, and phishing has become extremely professional and relentless,” he says.
Alander is careful to watch that his multilayered security architecture doesn't get out of hand. He says it's easy to get so many tools in place that it's hard to respond, so he consolidates tools wherever possible. For instance, he has traded numerous endpoint management tools for Symantec Endpoint Protection, and he has switched an IPS system that didn't interoperate with other devices in the enterprise for one that did.
“We have to make sure that the security alerts coming from these tools can be automatically correlated, otherwise we'd have to have our staff do that,” Alander says. He stresses that consolidating and automating event correlation keeps his multilayered security strategy under control.
Educate Your Users
Link Alander, associate vice chancellor of technology services at Lone Star College System, says user education is the main ingredient of a successful multilayered security strategy. He believes that all the security tools in the world won't help if users don't understand the dangers facing them.
“Students, faculty and staff all have to be aware of the risks of Internet consumption. It's up to senior leadership to communicate to them the threat landscape,” Alander says. For instance, he recommends teaching users about phishing scams, viruses and their potential impact on the user.
Scott Crawford, managing research director at consultancy Enterprise Management Associates, agrees. “User education is critical because most students have no idea how their online actions affect the institution and their own future,” he says.
Both believe that network security should be a part of orientation and reinforced on a regular basis.