IT Bounty Hunters
George Washington University and Virginia Tech are tracking down servers that aren’t managed by IT in an effort to improve legal compliance and ensure data security.
Colleges and universities – like many businesses and government agencies – are using more servers than ever before. Oftentimes these systems spring up without the knowledge and oversight of IT departments, and that can present security risks.
A growing number of institutions are launching audit programs in an effort to round up rogue servers and bolster security. Colleges and universities that are taking steps to track down and protect non IT managed systems are reaping the benefits – increased network and data security and more effective regulatory compliance.
Several years ago, George Washington University in Washington, D.C., launched a program to bolster security, including gaining more centralized control of its servers. The institution had discovered a proliferation of servers outside the domain of central IT. That presented a risk, especially when the rogue servers contained highly sensitive data, such as financial information.
The university's IT department began an audit of servers on campus, asking all departments to provide information about each server and the data it contained. The audit showed that there were more than 230 servers outside central IT, and many contained high-risk data.
The exercise wasn't just an attempt to find non IT controlled servers, but to learn whether data was sufficiently protected, says Krizi Trivisani, director of systems security operations and chief security officer (CSO) at the university.
“We were looking for whether there was confidential data on those servers, and whether there were any security vulnerabilities,” Trivisani says.
As part of its security review, GW developed a classification scheme for departmental servers and desktop devices that assigned a value to each system based on the confidentiality of data it housed. “By classifying data, you can assess risk and impose the appropriate level of security based on that category,” Trivisani says. “This provides us with a framework to comply with regulations and internal security policies.”
Following the audit, most of the rogue servers with confidential data were brought into the central IT data center. The few that remain outside “have been brought to a level of security that we require for systems in our data center,” adds Trivisani.
In fact, all servers at GW – inside and outside IT – have to meet stringent security standards. IT provides a checklist of all physical and information security requirements. The standards are such that many departments opt to turn their servers over to IT, Trivisani says.
A Challenging Balancing Act
Conducting the server audit and security review involved several key challenges. One was balancing the need for academic freedom and privacy with the need for enhanced security. It was important that IT communicate with other departments about the importance of security.
“We didn't want administrators to view the project as the IT group's attempt at taking over their computers,” says Gary Golomb, GW's senior forensics engineer. “We wanted to ensure they were secure and offer a way to move them into the data center if the administrators felt that would be an easier way of meeting GW's requirements for security.”
IT initially met with resistance from some departments, says Trivisani. When they realized IT was trying to improve server security, though, many were open to either turning servers over to IT or improving security on their own.
Another challenge was technical: the need to automate the analysis of servers.
“There are far too many of them to even think twice about doing this as a manual process,” says Golomb. “Yet, at the time, there were little to no tools to enable us to do that. Additionally, much is generated by auditing hundreds of systems, so we needed some way of managing that data and creating reports.”
Don't Be a Privacy Outlaw
One of the biggest drivers of server audits is regulatory compliance, says Bob Hillery, co-founder and senior security analyst at Intelguardians LLC , a Washington, D.C., security consulting and services firm.
“There's the whole privacy issue; colleges and universities are saying, ‘We could get sued [or fined] if we lose the students' private information,' ” Hillery says.
The Family Educational Rights and Privacy Act (FER PA) requires institutions to protect such data. Hillery says other regulations that could apply to colleges and universities include the Health Insurance Portability and Accountability Act (HIPAA ), aimed at securing electronic patient information, and the Gramm-Leach-Bliley Act, which protects consumer financial data.
“Everybody I've ever talked to at colleges and universities has already known [security] was a problem,” Hillery says. “They know major portions of their networks are not secure. I think the liability [issues are] starting to get the board of trustees' attention.”
To automate the auditing and security review process, Golomb developed a software application called Safety Analyzer. The software, which GW offers free to other colleges and universities, looks for security vulnerabilities and personally identifiable information, such as Social Security numbers. More recently, GW began using a commercial software product to find and secure sensitive data – on servers and on desktop and notebook computers.
Virginia Tech is right in step
Virginia Polytechnic Institute and State University – better known as Virginia Tech – in Blacksburg, Va., also is conducting security reviews of all of its departments, beginning with those that handle credit card transactions.
The primary goal of the initial review is to ensure compliance with the Payment Card Industry (PCI) Data Security Standard – to which institutions must adhere – by improving the security of systems containing private financial information. But the university will benefit as well by getting a better handle on its growing number of servers and securing all of them, says Randy Marchany, director of the IT Security Laboratory at Virginia Tech.
“We have a central IT data center that houses the critical administrative functions. But there's no restriction in our environment as to whether an individual university department wants to put up and maintain its own servers,” Marchany says. The university is especially concerned about the security of those departmental servers, he adds.
In conducting the review, the IT security office is working closely with an internal audit group. Marchany says all desktop computers and servers on campus must meet minimum security standards, including having a host-based firewall, some sort of automated patching facility and up-to-date antivirus software.
The security review will ensure that devices abide by the security policy and are overseen by an IT person. “What we're really doing with this review service is making sure a department has a computer support person [overseeing servers and PCs],” says Marchany, “and if they don't, we strongly recommend that they move over to the centralized hosting server provided by central IT.”
Those departmental servers that don't comply with security requirements will be shut off if they create a risk to the department or to the university. “These machines could be exposing data, and they need to be updated,” says Marchany.
The security review, which will expand to all departments, is expected to reveal between 300 and 600 servers that are not under the domain of central IT, Marchany says. As part of the review, each department must provide IT security with a list of its machines, functions and potential security risks.
“We have a copy of every department's risk analysis, [which is] a technology asset list,” Marchany says. “In that list they specify which are servers. We use that as the first cut.” Once they've located departmental servers, the IT team conducts regular vulnerability scans of the campus network – using vulnerability scanning software – to find out which machines have vulnerabilities.
The university launched the review program in May 2006 and plans to conduct security reviews about once every 18 months. While many of the departments take security seriously, “the discouraging part was [learning] there are still departments that don't seem to consider departmental IT support as a necessary function of life,” Marchany says. “They might have one system administrator responsible for 500 machines in one department.”
In fact, one of the key challenges is trying to convince departments with limited budgets that they need adequate departmental IT support if they're going to operate their own IT infrastructure, says Marchany. His suggestion to managers considering a security review is to get backing from senior management at the institution. It's also important to educate departments about security policy and provide training in server and PC security.
Says Marchany: “The IT security review is a service that helps the department secure its computers to hopefully reduce the chances of a security breach.”
How to Make a Server Audit Successful
- Get backing for the auditing project from senior management. An auditing project is like any other; it is likely to be more successful if it has the support of the president, board of regents and others in key positions.
- Ensure the effort is properly funded. Work with the vice president of finance or someone else in budgeting the initiative.
- Use software tools whenever possible to help automate the process of conducting an audit to save time and resources.
- Educate all departments about the need for a server audit. Make sure they understand it's important to improve security and operations of the institution. Collaborate continuously with departments about the audit program.
- Provide training so that department heads and staffers understand the importance of security for all servers and computers on campus.
