BYOD security challenges are old mortarboard for universities

Businesses coping with security issuesÃ'Â stemming from employee use of personal devices for company work are only experiencing what universities have grappled with for years.

"Many of us in higher ed find it very funny when we see how BYOD has dominated so much of the security press lately," Mike Corn, chief privacy and security officer at the University of Illinois (UI) at Urbana-Champaign, said in an interview. "We view that with amusement because Bring Your Own Device has defined our environment almost since the beginning of personal computing."

The magnitude of BYOD at a university the size of UI would likely give a corporate security administrator fits. Not only is there a large annual turnover rate -- some 10,000 new students arrive on campus each year -- but each has an average of 3.5 personal devices in tow.

"We work in an environment where we're used to having a huge number of personally owned devices on the network," Corn said.

While most universities have had their students use their own hardware for years, a big bump in corporate BYOD occurred in 2010 when tablets began to proliferate. "When the iPad came on the market, everyone brought it to work and expected to do work on it," Gord Boyce, CEO of ForeScout Technologies, said in an interview. "Universities have always had students bring their own devices, but they have less control over those endpoints.'

One reason universities have less control over those endpoints is because a higher education network needs to be more open than a corporate network. "Because of our nature, the idea of throttling information is anathema to us," Corn said.

That can pose security problems, not only for the university but for vendors trying to address those problems. "When we bring some of these appliance vendors in and begin pumping some of our network traffic through a device, they ask us, 'Why are you pumping white noise through my device?'" Corn said.

Because of the nature of universities, the amount and variety of traffic on our network has a completely different flavor to it than a corporate network, Corn explained. "Universities are not good models to compare with corporations," he said. "We're more like municipalities."

The proliferation of devices and network traffic is challenging university security shops. "What's become necessary for them to do is to track all the digital footprints of any user of any device who authenticates on their network," said Rob Reed, worldwide education evangelist for Splunk.

The problem with that kind of tracking is that the analysis of its results isn't often performed in real time. That means security incidents won't be discovered until after they occur -- the equivalent of closing the barn door after the horses have bolted.

However, Reed noted, "If you've got 10 horses in the barn and one or two get out before you lock the gate, then it's better to keep eight by looking backwards than none by not looking back at all."

While universities may be veterans in dealing with the security demands of BYOD, a more recent challenge to their defenses has been an increase in attacks from overseas. "That's absolutely been the case over the last 18 months," Dave Jevans, chairman and CTO of Marble Security, said in an interview.

"A lot of it is coming from overseas actors who are interested in gaining access to projects that universities are working on," he observed. "There's also some speculation that some of it is to track students from foreign countries."

That activity has prodded some schools to reassess their defensive efforts. "We've been taking a closer look at our intellectual property portfolio in relation to our risk posture," UI's Corn said. "We're trying to be much more threat-agent focused. Rather that focusing on 'Are we patching appropriately?' we're looking at who is going to attack us and what are the ways they'll do that.

"My fear is that we have not paid enough attention to the professional state actors," he said. "And I'm sure we are being targeted by some of those."

Read more about data protection in CSOonline's Data Protection section.

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationsForeScout TechnologiessoftwareuniversitiesIT managementUniversity of Illinoisdata protectionconsumerization of ITBYOD

More about ForeScout TechnologiesSplunk

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John P. Mello Jr.

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts