Universities that get security right
- 11 May, 2011 06:15
Professor Corey Schou was working in his school's library when he realized his computer was picking up a particularly strong Wi-Fi signal.
Normally that would be welcome news. But Schou knew that spot was usually a dead zone, which meant something was probably amiss. So Schou, a professor of informatics at Idaho State University, set out with some of the school's IT workers to solve the mystery.
Turns out a young man in a nearby coffee shop was causing trouble. "He was running an access point and broadcasting without credentials on the same address as the university's access point, and people were logging in," Schou says.
Fortunately, the offender didn't access any protected information. That's because Idaho State, like a number of increasingly tech-savvy institutions of higher learning, had gone beyond deploying routine security systems, such as email filters and firewalls, and had adopted better, smarter and quicker ways to detect and repel would-be hackers.
Universities have no choice but to be on the forefront of IT security, Schou says. They simply have too many user constituencies to serve, too many different types of sensitive data to protect, too many computing and handheld platforms to support, and too many people trying, either for sport or for ill intent, to break down the their digital defenses.
Higher ed, hackers' dream
Typical educational institutions house a treasure trove of material -- from HR records and student files to research data, much of which is proprietary and some of which may even be classified if it's related to work done on behalf of the U.S. government. They also have financial data, such as credit card numbers from students, alumni, parents and visitors. And if they have health clinics, as most colleges and universities do, they have medical records, too.
Moreover, would-be hackers aren't just attracted to all of that valuable data. Some have their eyes on the vast and powerful computer systems that universities maintain -- infrastructure that they can use (and have used) for their own purposes if they're smart and stealthy enough.
"At any given time, I'll have 30 or 40 folks doing things [on our network] that might be moving toward antisocial. They're looking at what I've got, seeing what's open," says Schou, who serves as Idaho State's security adviser and as the associate dean of the college of business.
This all happens in an IT environment that's typically supporting tens of thousands of devices of all makes and models, with a mandate to be as open as possible to facilitate communication, cooperation and collaboration.
It's not surprising, therefore, that breaches happen with some regularity on university campuses. According to data analyzed by Application Security, a database security company, there have been 435 reported breaches that affected 8.5 million records at U.S. institutions of higher education since 2005, the year that the Privacy Rights Clearinghouse and other organizations started tracking such events.
Alex Rothacker, director of security research at the New York-based Application Security, says a bump in reported breaches so far in 2011 could indicate a new level of sophistication in attacks. "The bad guys are looking for this information because it's very valuable. They've figured out how to monetize it," he says.
Why university security matters
Colleges and universities face a number of IT security challenges that have, until now, been unique to their own sector, says Frank Kenney, vice president of global strategy at Ipswitch, a Lexington, Mass.-based security vendor that works with a number of high-ed institutions. Specifically, those challenges include the following:
• Colleges and universities have hundreds, even thousands, of new users coming onto their networks every year, with an equal number of users departing.
• They support nearly every kind of device available in the consumer market, and they contend with a young population that's much more likely to engage in risky behavior online.
• They often have decentralized IT organizations, which makes it difficult to deploy standard technologies or to adopt and enforce standard policies.
Many IT executives in other sectors have been able to avoid such challenges, Kenney says, but that's changing. "It's happening in healthcare, government and the financial sector, and traditional businesses are right behind them," Kenney says.
The growing use of consultants, coupled with shorter job tenures, means some companies are seeing turnover that mirrors that of colleges with their constant ebb and flow of students and visiting faculty members.
Beyond that, thanks to the consumerization of IT and advances in mobile technology, corporate IT shops now support computing environments featuring multiple software platforms and a variety of untethered hardware devices -- environments similar to the ones their counterparts in education have dealt with for years.
And, of course, corporate IT shops now must accommodate their newest users, the millennials, and their demands for online activities (and their greater acceptance of online risks) -- something colleges have considerable experience with.
Given the breadth and depth of the new similarity between corporations and higher education, Kenney says, it's no wonder corporate IT leaders are increasingly looking at universities for best practices when it comes to managing security in a complex environment.
IT leaders in higher education are developing security best practices that involve multilayered approaches that combine technology-based defenses, data management policies and user education to protect internal information and resources from those who seek to do harm.
"At first, it was all about what the technology can do, so we had things like firewalls. But now it comes down to high-level governance and risk management," says Rodney J. Petersen, senior government relations officer at EDUCAUSE, a nonprofit that promotes the use of IT to advance higher education.
Like their counterparts in corporate America, leading IT security officials in higher education are thinking beyond their department walls in a search for solutions. They're elevating security to the executive level of risk management, where they can assess risk, assign differing levels of security access, and develop user policies that work with the technology-based safeguards they deploy.
Jinx P. Walton, director of computing services and systems development at the University of Pittsburgh, sums up her approach by saying, "It's always going to be a combination of various tools, processes and education. It's layered security models."
At Pitt, Walton deploys a number of technologies and sets policies that are standard in IT security. For example, she uses intrusion-detection and antivirus tools. But she has also implemented more advanced strategies to keep university data and infrastructure safe.
One she calls "zones of trust." Starting in 2007, Walton and her staff started looking department by department, unit by unit, at what work was done by whom. IT first determines what kind of information is required for the work conducted in each zone and then sets up networks and firewalls that ensure that workers can access only the information they need.
Depending on the job, access requirements and the sensitivity of the material, some of a worker's data may be stored on servers while other information is kept on a workstation.
The zones also protect employees' own work, Walton says. "These firewalls work in a two-way fashion: protecting the user from accessing information that he doesn't need to have access to, and supplying the required level of security for the work that the individual does," she explains.
A history professor, for example, wouldn't need -- and therefore wouldn't access to -- servers that store confidential student data, such as financial aid records. "His firewall zone might not open to the secure sites that we have open to the university's own network," Walton explains, adding, "Nothing's wide open anymore."
Penn State: Adopt authentication and encryption
Other institutions of higher learning are creating similar high-tech partitions.
Pennsylvania State University, for example, has set up an ePay virtual work environment to handle payments made to the college by credit cards. Employees who handle credit card data must do that work in a virtual space partitioned off from other applications, explains Kathleen R. Kimball, senior director of security operations and services at Penn State.
Employees access the virtual ePay environment from their regular computers by simply hitting an onscreen icon. "It switches you into the environment where you can work [securely] with credit cards. The credit card information is segregated from other [data]," Kimball explains.
Penn State IT workers built the virtual network to support the ePay workstations two to three years ago to comply with Payment Card Industry Security Standards Council guidelines, but Kimball says she has seen more uses of this type of setup. "This might be something for regular computing for sensitive university data," she says.
But it doesn't end with virtualization. Like other institutions, Penn State is using multiple strategies to fend off threats. As part of that effort, the university is trying to expand its use of two-factor authentication as well as its use of encryption programs, Kimball says.
The school is also using data loss prevention technology, which enables IT to look for packets that contain sensitive data, such as Social Security numbers, as it flies by so workers can deal with any traffic that isn't legit. Penn State is also using scanning technology to search for sensitive data in places it shouldn't be.
Some users are resisting these measures, and that resistance sometimes crops up in surprising places. Kimball says. For example, some computer science researchers don't want encryption programs on their machines because they think such systems can hurt performance. Kimball maintains that the performance hit is minimal.
That kind of resistance isn't unusual at universities, says Ipswitch's Kenney, explaining that, when it comes to IT policies, faculty members may have sway that even senior executives in commercial corporations don't often have.
Georgia State: Focus on people, process and technology
Tammy Clark, chief information security officer at Georgia State University in Atlanta, says she has adopted a three-pronged approach: people, process and technology.
"You can't leave one of them out," she says, noting that Georgia State was one of the first higher-education institutions to adopt the ISO 27000 series of standards for information security.
Clark says the school uses the usual technologies, such as encryption software and anti-malware tools. But she adds that Georgia State started beefing up its protections two years ago, because the latest malware -- which may be carried in email phishing links, website URLs or instant messages -- can evade traditional defenses.
Specifically, GSU is focusing on improving its architecture and training its data center employees (who are on a 24/7 schedule) to monitor reports coming from the school's suite of security software and to handle first-level incidence response regardless of when hackers launch their attacks.
As part of this effort, the college last year deployed a vulnerability assessment system, QualysGuard from Qualys Inc., to get an overall view of the school's IT security status. In addition, the school invested in a penetration testing platform, Core Impact Pro from Core Security Technologies, to probe for vulnerabilities.
And late last year, Georgia State installed a bot detection program that analyzes traffic and can, for example, display command-and-control activity originating in regions of the world that spawn a high level of malware, such as Russia.
Beyond that, Clark is in the process of deploying security information and event management (SIEM) software from ArcSight that will analyze all logs and produce reports, offering visibility into what's happening with Georgia State's hundreds of servers, thousands of workstations and 40,000 network nodes.
"We want robust and scalable and security, and this is what we need to do," Clark says, of GSU's multiple, ongoing efforts.
Baylor and others: Shift focus from device to data
At Baylor University in Waco, Texas, Jon Allen is shifting his attention from device to data.
To be sure, the school's information security officer still uses firewalls and anti-malware tools to try and keep all desktops, laptops and handheld devices safe. But he's most interested in concentrating on data itself. "We're looking at wrapping security around data," he says -- classifying data and assigning it escalating levels of security that stay with it as it travels.
"It's not [just] looking at how to secure a new device on the network," Allen explains. "I have to look at how information flows, because the most fundamental piece we need to control is the data."
Allen acknowledges that Baylor's philosophy is still evolving into an actual practice and has yet to reach its full potential. The practice, which has its roots in risk management, allows the university to identify which data carries a low occurrence/low impact risk and which should be assigned to a higher category of concern. "If it's a low occurrence but has a big impact if something happens, then it's categorized as high risk," he explains.
Baylor isn't the only higher-ed institution that uses data classification to manage risk and security. Tom Davis, the chief security officer at Indiana University, has assigned members of his team to work with high-ranking individuals from each area of the institution who have responsibility for broad swathes of data. Their goal is to determine what standards and restrictions are required for different types of data, Davis says.
Likewise, Georgia State's Clark started focusing on data back in 2008. She says her team took a year working with so-called "data stewards" in each area to study which professionals needed access to what data and how much protection should be assigned to safeguard that data.
"We need to start thinking differently about what other things we can do to protect our data," Allen says. "For a long time, we were putting out fires, but what would be better is to find the combustible before it even starts to smolder."
That's a philosophy that applies not just to data classification but to universities' security efforts in general -- to stay out in front of the ever-changing landscape of threats.
"The people leading the way understand that it's not a single product" that will make their myriad systems secure, says Michael Maloof, CTO at TriGeo Network Security, a Post Falls, Idaho-based security software firm that counts institutions of higher education among its clients. "There's no one thing, no silver bullet. It's a layer of things, and it's an ongoing process."
Pratt is a Computerworld contributing writer in Waltham, Mass. You can contact her at firstname.lastname@example.org.