May 08 2012

University of Louisville Takes Realistic Approach to Security

Security chief recognizes that it's up to her team to ensure files are encrypted.

Brenda Gombosky is realistic about her role as a security professional.

As director of IT enterprise security at the University of Louisville, she fully understands that for many users, security is an afterthought. She also realizes that the security landscape has changed in the past three to five years.

"Not long ago, all the data resided in the data center behind a firewall," says Gombosky, who manages security for about 9,000 faculty, staff and student workers. "Today, the data is everywhere on and off campus, and the threats are more pronounced. Recognizing that we could only do so much with security awareness, we realized we needed to encrypt the data."

Gombosky and her team decided that encrypting at the file level was not enough protection. That's why a little more than three years ago she opted for full-disk encryption from GuardianEdge, which later became Symantec Endpoint Protection following an acquisition by the large software maker in 2010.

"You can't depend on end users to encrypt files; their main concern is getting their job done, not security," Gombosky says. "That's why encryption has to be built into the desktop."

Now, most of the 33 percent of staff who work with sensitive data use the Symantec endpoint product. The software is installed on university-issued desktops, notebooks and mobile devices. By encrypting the full hard drive, the endpoint product helps the university comply with various government regulations and industry standards: the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA) and the Payment Card Industry Data Security Standard.

"The great thing is that all of this happens without slowing down the user's machine," Gombosky says. "They don't even know it's there." Gombosky adds that when it comes to security, it really pays to go with a leading provider such as Symantec. She says the software maker offers discounts for educational institutions, plus they stay current with all of the most recent malware and virus attacks.

"You do the initial investment, pay the maintenance and get the updates," she says. "Also, if a user forgets his encryption password, we can recover a password and get it unlocked. There's just peace of mind knowing you are dealing with a reputable company as opposed to freeware."



The percentage of IT professionals who say their organization's endpoints are more vulnerable to attack now than they were the year before

SOURCE: 2012 State of the Endpoint (Ponemon Institute, January 2012)


The spam rate of the education sector, considered the most spammed industry vertical

SOURCE: Intelligence Report (Symantec, March 2012)


The percentage of organizations that experienced best-in-class performance by establishing consistent policies for encrypting data at rest in the back end, in motion on the network, and in use at the endpoints

SOURCE: "Encryption without Tears" (Aberdeen Group, March 2012)


The percentage of organizations surveyed that reported losses of more than $100,000 in the past 12 months from an endpoint attack

SOURCE: "The State of Endpoint Protection" (Forrester Research, October 2011)


The percentage of organizations that installed security software following a breach caused by an employee-owned mobile endpoint device

SOURCE: "Mobile Consumerization Trends & Perceptions" (Trend Micro, February 2012)