Institutions of higher learning encourage openness on their networks, but find they must impose controls, says Deb Radcliff.
Late on a November 2006 night at a Charleston Southern University computer lab, burglars removed the window and bars, severed the desktop lockdown cables, and made off with more than $50,000 in computers that were never recovered. While no sensitive data resided on those computers, the incident made Rusty Bruns, CIO for Charleston Southern (left), start seeking ways to secure confidential data on more vulnerable university endpoints, particularly mobile devices.
Endpoints and mobility are but two issues that IT shops in higher education are dealing with these days, says Julie Smith, director of higher education for CDW-G, an IT products and services firm for government and education. They've also got their hands full with social networks and new media, repeatable user education, and protecting their funding from federally enforced anti-piracy demands by the RIAA (Radio Industry Association of America) and MPAA (Motion Picture Association of America).
“Universities are more open by design because we want to encourage free exchange of information, so there's less restriction and protection afforded by the network,” says Dennis Devlin, CISO, Brandeis University (right), in Waltham, Mass. “Now, protecting the endpoint, particularly user education, becomes very important.”
The challenge lies in doing more with less, while at the same time raising the level of support from the top down. For the first time, lack of resources was the number one issue holding back improvements in campus IT security, according to 151 respondents to CDW-G's third annual Higher Education IT Security Report Card released in October.
When Privacy Rights Clearinghouse started posting breach incidents in 2005, most of them occuring at universities and colleges, it became clear that outside-in security wasn't working, says Jon Allen, information security officer at Baylor University in Waco, Texas.
To better utilize its limited IT resources, Baylor University, with involvement from the business units, mapped its critical data and applied the strictest security practices to just those data sets of the highest risk. Echoing a model advocated by Jericho Forum at the RSA Security Conference in April, Allen says too many resources are eaten up inspecting all traffic and restricting access to all the data, most of which is of no financial value or threat to privacy.
“When it comes down to hardening and audit, there's only a small amount of data across the campus that needs the highest level of security,” he says. “Educational institutions are looking at directory information, non-directory information, confidential information, and government data, such as restricted research. We set a policy grid for these types of data and mapped them to their risk areas.”
Laptops, logically, became the organization's first priority, given that personal and research data gets transacted on these machines, and that Privacy Rights data shows lost or stolen laptops are the most common way leakage occurs. Additionally, in 2005, Texas enacted legislation in which organizations do not have to publicly report if the data was properly encrypted and keys properly stored.
Expect endpoint encryption to become the ubiquitous means of endpoint data protection, say industry experts. Performance impacts are negligible and inexpensive enough for education's limited resources, says Allen. Baylor University uses PGP full disk encryption on 550 of its 800 school-owned laptops, with the remainder to be encrypted by summer, he says.
A new approach to endpoint management through PCMCIA security cards [developed by the Personal Computer Memory Card International Association] was recently tested by Charleston Southern, a wireless campus since 2001. The product, called Laptop Guardian by Alcatel-Lucent, has a five-day battery-powered memory that provides an always-on VPN connection and a GPS locator signal. It can be used for administrative tasks, like holding patch and security updates in onboard memory for loading when the computer turns on.
Bruns says that if he had a tool like this in 2006, things would have turned out differently when getting the call to meet the police on campus at 1:30 in the morning.
“I was there until 3 a.m. trying to figure out what was gone, look up serial numbers and gather information for the police,” he says. “Using the same scenario, with these Guardian cards, I'd get the call, go to my computer and call up exactly where the computers are because they have their own GPS that sends a signal and encrypts the disk.”
What about WiFi?
WiFi network security is the other half of the mobility equation. With 130 wireless access points across its campus, Charleston Southern runs three separate networks for protection and prioritization. These include an open, wireless student network; a wired network for personnel and other authorized users over which sensitive data is transmitted; and a third wireless network for streaming voice and video.
Using Packeteer, a bandwidth shaper, Bruns recalls how he quickly learned to block and drop Napster, Kazaa, Morpheus and other bandwith-hogging, peer-to-peer traffic back around 2001.
“Our wireless network is open, which we want. We can do that with segmentation. But we also need to keep it safe and accessible, which is a fine line,” says Bruns.
“We weren't too popular when we locked out the music-sharing traffic,” he adds. “But when students started getting sued over illegal music downloads, I became very popular with students and administration.”
RIAA lawsuits continue to be filed against educational institutions across the country, ordering them to give up suspect IP addresses for the systems on the university network. And in February, the House passed the Campus-Based Digital Theft Prevention Requirements, section 494 of H.R. 4137, the College Opportunity and Affordability Act of 2007.
This section requires universities to certify to the Secretary of Education that it has developed plans to combat piracy, including through the use of a variety of technology-based deterrents. And, it also calls on them to offer alternatives – to the extent practicable – that make sense to that particular institution.
“Compare and contrast a university network to an ISP. Comcast isn't held responsible for behavior of Comcast subscribers,” says Brandeis' Devlin. “RIAA and MPAA label university networks as ISPs, so it's an unusual higher standard that universities are being held to – and frankly not one based on reality of numbers.”
Devlin is referring to reports that surfaced in January about the MPAA campaign inflating its numbers. Turns out it's more like 15 percent of illegal streaming being conducted by college students – instead of the 44 percent MPAA claimed while pushing the legislation. Given that 20 percent of those students live on campus, the Electronic Frontier Foundation calculates that college campus networks account for only three percent of illegal downloads.
A spokeswoman for the MPAA admits that the organization was in error in regards to their originally stated number of illegal streaming, but asserts that as soon as the MPAA "learned about the error in the report we issued a press statement and clarified the correct numbers with members of Congress and their staff."
But the point, she says, is that even with the revision, "there is no question that college students are disproportionately responsible for digital theft of copyrighted materials. And, Congress recognized that this generational predilection for piracy represents a significant threat to our nation's economic future. Just as public universities report on binge-drinking and campus safety, it is appropriate for Congress to ask for information on their efforts to curb piracy and encourage legal behavior on their taxpayer-funded networks."
Unlike K-12 districts that enforce strict filtering policies to protect networks and children from inappropriate content, upper education's use of filtering is minimal, if at all, in keeping with the institutional philosophy of openness, says Paul Zindell, CDW-G network security specialist.
So, on college networks, gaming and social networks are embraced, even used as a training and outreach medium to educate students on safe user behavior, he adds.
“Our students have become very good users of technology and now they're getting the message about locking down their profiles and the privacy implications of where to go online, and safe computing issues,” adds Baylor's Allen. “We use everything at our disposal to drive home relevant topics to our students – eye-catching posters, web references and ‘YouTube-ish' promotional videos.”
Raising awareness and gathering support across user groups, management and leadership boards are key to balancing the many facets of risk and openness in order to become enablers for their organizations, say experts.
In that way, IT organizations will find support for critical projects that are needed. Take, for example, the development of the Brandeis Emergency Notification System – BENS.
“IT didn't drive the BENS project,” says Devlin. “Public safety and senior leadership drove it. IT proved the information infrastructure and support that made BENS possible.”
Notification: Response systems
Virginia Tech's failure to notify students and faculty of a dormitory shooting in April 2007 led to 32 deaths, follow-up lawsuits, and a tentative settlement of nearly $11 million for 60 of the families involved. When that tragedy struck, it crystallized the need for integrated, on- and off-campus notification systems – from sirens to phone trees to text messaging, say IT professionals.
In developing its emergency notification system, called BENS (Brandeis Emergency Notification System), Brandeis University applied as many redundancies as possible. As Dennis Devlin, CISO at Brandeis says, “You can never be completely sure which method is going to be the most effective way to reach people in an actual emergency.”
In a crisis, BENS would utilize all of the following methods:
1. Campus sirens and loudspeakers
2. The university website
3. Email to university email addresses
4. Voice and text broadcast to campus VoIP phones, which are ubiquitous, including in dorms
5. SMS text messages, cell phones, and email to personal accounts – done through an outside service
6. On campus plasma display screens
For a cost of about $10,000 Charleston Southern University's rapid emergency notification system uses TechRadium, which maintains contact information in an offsite database. Upon command, it sends notifications to up to three numbers per person via SMS and email. If an authorized person can't gain internet access, they can call TechRadium, which will send the notification on the university's behalf at no extra charge.
Both organizations have done test runs of the systems, and had effective results. In the case of Charleston, it was a tornado warning, from which the campus was spared when it touched down 10 miles away instead. – Deb Radcliff
Spam control: Block that access
At Moravian College in Pennsylvania, a private liberal arts institution with about 1,500 students, being proactive means actively involving students in data protection.
“The greatest threat to web security is the student,” says James Beers, the college's networking manager and network engineer. “Students are coming in not knowing the dangers. What we try to do is connect with them and give them resources to educate them. They know how to go do the fun stuff on the internet, but they don't realize that their surfing habits really affect the infections their machines get.”
Beers' solution has been to install an anti-spyware appliance from Mi5 Networks. The solution, called Webgate, automatically runs a program called SpyWash that informs users when their machines are infected. Users can scan and clean their computers without interrupting their work, and without IT involvement. Implemented in 2007, the system replaces a proxy-based solution that frequently got bogged down by traffic. The new application has shown results quickly: Spam is down by 60 to 70 percent. More important, student users have come to realize that security protection is in their best interest, says Beers. “Now, the students know it. They're aware that we're protecting them. Mi5 will either block access to a site altogether, or it lets them download a solution and run it. If there's a bad adware application, the site itself may come up, but the ad is blocked out.”
Like other IT administrators, Beers is constantly wrestling with privacy issues. “Public machines are under our control, but we have no control over student machines, and you can't enforce [control] the way you can in a corporate environment,” he says. “You can enforce it by blocking internet access -- that gets students' attention. When I get an email alert from Mi5, I can block access to a machine, the student can see why, and then they can go clean their machine.” Still, this kind of intervention has to be handled skillfully, he explains. “A computer is an extension of a student's life. I have to respect students' privacy and help them along.”