Everyone agrees: Achieving a secure, efficiently managed network is tough, especially in higher education.
“I came from healthcare, and the interesting thing about healthcare and the corporate world is that it’s easier to essentially say, ‘This is my asset. I’m going to protect my asset. Everybody else I don’t trust,’” says Larry Brandolph, associate vice president and CISO at Temple University.
On a college campus, it’s much harder to restrict network access in the same way a corporate CISO might, he says. With students across the globe, Brandolph can’t simply cut off all traffic from a given geographical area. And because BYOD has become so prevalent, he can’t assume that users’ devices meet a certain security rigor.
“My attack landscape becomes off-premises, on-premises, every device,” he says. “If I keep narrowing down, what can I protect? And to me, it’s about the data and the database.”
Several trends have converged to complicate network management, says David Escalante, board chairman for the Research and Education Networking Information Sharing and Analysis Center, also known as REN-ISAC, and the director of computer security and policy at Boston College.
“On one hand, end-user devices are getting more mobile, and more server applications are going to reside off campus in the cloud,” says Escalante. “But on the other hand, you will have more devices on campus related to the Internet of Things — relatively dumb computing devices that can’t be easily managed or updated — and that will require the network to protect them to a great degree. What you can assume is ever-increasing bandwidth demand and an ever-increasing number of network events to monitor.”
IT teams are overcoming these challenges with a new generation of solutions designed to secure and simplify network management. In a fast-paced, multithreat environment, leaders are making stability and proactivity cornerstones of their security strategies.
Campus Network Demands Can Make Security Complicated
Temple’s networking is complex, to say the least, covering a main campus with more than 85 buildings, a separate health sciences campus, 40-plus additional spaces across Pennsylvania and 40,000 students.
Brandolph describes a spiderweb that’s a mix of building-to-building fiber connections laid by Temple directly and third-party fiber connections that link Temple’s Center City Campus, School of Podiatric Medicine and Ambler Campus. Within that web, each building floor connects to an intermediary complex for the building and that, in turn, ultimately connects to the central data center.
Internet sources include both commodity internet and Internet2, the nonprofit consortium that serves educational and research institutions.
Brandolph relies on numerous vendors to provide technology to build and maintain Temple’s network. Recently, his team upgraded to a new firewall, as the previous solution was nearing the end of its life and required exorbitant maintenance. In the shift, Brandolph saw an opportunity to help his team get more proactive.
Using the National Institute of Standards and Technology’s Cybersecurity Framework as a basis for assessing their network, Brandolph’s team picked six key items that would improve Temple’s security posture over three years. Using that as a guide, Brandolph chose a Palo Alto Networks solution that takes a next-generation approach to security.
“It’s a much more robust platform and more stable within our environment,” he says. “We are not seeing the downtime we saw before.”
The upgrade also prompted the university to take better advantage of its existing distributed denial of service defenses. “We’ve learned new features and capabilities on the denial of service attack side to complement the firewalls,” says Brandolph.
Campus Cybersecurity Is a Moving Target
Pittsburg State University’s IT team has also pivoted in response to the increased emphasis on network security, says Network Engineer Eric Springer. The Kansas institution, which serves about 6,625 students, has over time moved from a flat architecture to one that’s increasingly segmented. About three years ago, the team upgraded to Fortinet firewalls.
Overall, the security strategy at Pitt State is a matter of adapting, says Scott Parish, a senior network engineer. “The threats changed, and we were seeing more malicious URLs coming in via email and other avenues,” he says. “We needed a next-gen firewall that would monitor the URLs and block them.”
More recently, CIO Angela Neria and her team determined that the university’s open wireless network was a liability.
“We had Cisco infrastructure for our wireless. We added Cisco’s Identity Services Engine so we can authenticate users to our Active Directory,” Parish says. ISE is highly flexible and adaptable, so Pitt State hired a consultant to assist with the initial configuration.
Staff can use ISE to establish granular access controls — to define, for example, that a user in a particular Active Directory group connecting to a specific access point has a certain type of access.
“Once you get your policies set up, it’s very easy to maintain,” Parish says.
Tight Security Means Strategic Hardware Upgrades
The network upgrades at Temple and Pitt State shared an important goal: a proactive security footing. That’s a priority for every institution, Escalante says, but getting there takes a good degree of forethought. The sheer number of events and data can be overwhelming. At Boston College, Escalante says he may see in excess of 13,000 events per second.
Intelligent next-gen devices are a start to solving the problem. But even with that equipment in place, IT staff must make the decisions that guide the specific strategy, says Escalante: “Figure out what’s important to you in your particular institution and environment.” Broad agreement does not yet exist on the best indicators of network security, so each CISO has to make those judgments individually.
At Johnson County Community College, Vice President and CIO Tom Pagano envisioned a network that would be stable, redundant and recoverable. He has spent the first three years of his tenure at JCCC, which serves nearly 40,000 students in Overland Park, Kan., methodically working toward that goal.
An effective defense requires the ability to adapt and pivot as threats evolve, say Pittsburg State University’s Angela Neria and Scott Parish. Photography by Dan Videtich.
In part, that has meant moving about half of his systems to the cloud. It also meant engaging in a series of comprehensive technology audits.
“I kicked off a series of projects three years ago called Operationalizing Security,” says Pagano. “We did a lot of foundational things around change control, process improvement, making sure we had the right meetings with the right people.” After 18 months of audits, the team turned to the work of uplifting JCCC’s Microsoft environment.
“Now we can take on a lot more advanced threats and do a lot more efficient and advanced threat protection with regard to use of artificial intelligence, automated phishing analytics, automated geography analytics and, most recently, improved password reset and multifactor authentication,” Pagano says. “We’re knocking down a lot of stuff before it ever hits our door.”
Photography by Colin M. Lenton.
Peer-to-Peer Support Helps Universities Stay Secure
A robust support network is a valuable complement to any security strategy. For example, when Temple’s IT staff upgrades a network, they don’t just consider the capabilities of the technology; they also take into account the vendor relationship.
“You have to have a good partnership with your vendors,” says Brandolph. “They need to feel accountable, just like your employees do.”
Colleagues at other colleges can also be a resource. “We’re a small school,” says Pitt State’s Parish, “but there are people looking at your network all the time.” As Neria points out, smaller institutions face the same threats as their larger counterparts.
With everyone experiencing similar challenges, information sharing becomes a powerful low-tech tool. Organizations like REN-ISAC can help institutions stay abreast of new threats and learn from their peers. “You can talk to people who are looking at the same problems, looking at the same vendors, and compare notes,” says Escalante.