A Utah university found a solution to enable secure access to the campus network – while cutting down on help desk calls, reports Greg Masters.
Institutions of higher learning present a daunting challenge for the IT security pros charged with running network operations. Not only students and faculty, but visitors as well need to access a university's wireless network using their personal devices.
The challenge for a college in Utah was how to give 30,000 students, 5,000 faculty and various guests easy access to network resources for which they are authorized – without jeopardizing security or overwhelming the IT staff.
Utah Valley University (UVU), located in Orem, Utah, is the second largest institution of higher learning in the state. The campus is home to seven colleges and many other programs and institutions. With the explosive growth of personal devices, the Home of the Wolverines sought a flexible, fully automated solution that would address bring-your-own-device (BYOD) issues.
For several years the IT staff relied on a legacy network access control (NAC) solution that was not designed for a BYOD environment, says Duke Heaton, network engineer II, network infrastructure team at UVU. This legacy system required an agent to check devices for security compliance, he says, and students disliked it because it was slow and intrusive. As a result, many stopped bringing their laptops to class.
Additionally, as more and more students attempted to access the network with their mobile devices there was a significant increase in the number of calls to the help desk because of associated network access and security problems. In fact, more than 50 percent of all calls to the IT help desk were related to problems logging onto the wireless network on campus, and the majority of those calls were about the NAC agent.
BYOD has become an integral part of the higher education experience, says Heaton. “Students and faculty members expect to be able to use their personal devices on campus to access their university's wireless network, not just for convenience, but increasingly to take advantage of new learning opportunities made possible with mobile technology.”
Colleges and universities need to make it easy for them to do it, he says, even when thousands of students and other users are demanding access. Additionally, different kinds of visitors – from contractors to high school students – also need access to university resources using their personal devices, he says.
Heaton, along with Ray Walker, associate vice president and CIO at UVU, began a search for a solution. They examined nine or 10 NAC vendors. Their key priorities included being able to quickly and safely allow student-owned devices onto the campus network while providing 100 percent visibility into all mobile devices connecting to the network. It was also necessary to enable a fast, automated, self-service registration process for thousands of student-owned devices, automatically provisioning the appropriate level of network access for faculty, students and guests, and confirming devices were fully protected before gaining access to the network. It was also imperative that the choice be available at a price the school could afford – and could justify to university management, Heaton says.
After detailed evaluations, they selected Network Sentry from Bradford Networks. “It has the capabilities we were looking for to address UVU's key BYOD challenges,” says Heaton.
The solution, Heaton says, combines visibility into every device and user accessing the network with the ability to set flexible, granular policies for access control according to device status and user role. Students registering for the first time enter their login credentials. Then Network Sentry scans their machine, checking for the latest operating system patches, service packs and anti-virus software.
If everything is up to date, the solution logs them onto the network. If any software is out of date, a message appears, informing the user that they need to update their device and to click on a link to launch the update. “This is a simple process that users can do themselves without calling the help desk,” Heaton says.
Scanning continues unobtrusively in the background, making future logins almost instantaneous, he adds. The next time a user opens their laptop to access the network, the connection is automatic: Network Sentry identifies the machine, the user and whether the device still complies with the access requirements. If everything is in order, the user gets instant access to the network resources they are authorized for, according to their role.
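The registration and re-connection flow described above, modelled as a small policy engine. This is an added illustration written for this article, not Network Sentry's code; the patch dates, signature-age limit, role-to-VLAN mapping and remediation VLAN are constructed values standing in for whatever a campus would actually configure.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed policy values (not Network Sentry's configuration): oldest
# acceptable OS patch date, maximum anti-virus signature age, and the VLAN
# each user role is placed on once its device passes the posture check.
MIN_PATCH_DATE = date(2013, 3, 1)
MAX_AV_SIGNATURE_AGE_DAYS = 7
ROLE_VLAN = {"faculty": 100, "student": 200, "guest": 900}
REMEDIATION_VLAN = 999            # isolated segment that only reaches update links
REGISTRY: dict[str, str] = {}     # device MAC -> role of the user who registered it

@dataclass
class Device:
    mac: str
    patch_date: date
    av_installed: bool
    av_signature_date: date | None = None

@dataclass
class Decision:
    vlan: int
    reasons: list[str]          # empty when access is granted

def posture_failures(dev: Device, today: date) -> list[str]:
    """List the compliance checks the device fails; an empty list means compliant."""
    failures = []
    if dev.patch_date < MIN_PATCH_DATE:
        failures.append("operating system patches out of date")
    if not dev.av_installed:
        failures.append("anti-virus not installed")
    elif (dev.av_signature_date is None
          or (today - dev.av_signature_date).days > MAX_AV_SIGNATURE_AGE_DAYS):
        failures.append("anti-virus signatures out of date")
    return failures

def connect(dev: Device, today: date, role: str | None = None) -> Decision:
    """First connection: the user logs in (role supplied) and the device is registered.
    Later connections: the device is recognised by MAC and only posture is re-checked.
    Non-compliant devices land on the remediation VLAN with the reasons to fix."""
    if dev.mac not in REGISTRY:
        if role is None:
            return Decision(REMEDIATION_VLAN, ["unregistered device: login required"])
        REGISTRY[dev.mac] = role
    failures = posture_failures(dev, today)
    if failures:
        return Decision(REMEDIATION_VLAN, failures)
    return Decision(ROLE_VLAN.get(REGISTRY[dev.mac], ROLE_VLAN["guest"]), [])
```

The same role-to-VLAN lookup is what the wired rollout Heaton mentions later would automate for staff PCs and infrastructure devices, replacing manual VLAN assignment.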
The platform automatically identifies and profiles all devices and all users on a network, providing complete visibility and control, says Frank Andrus, CTO, Bradford Networks.
Network Sentry is a software-based platform that can be deployed in one of three ways: pre-installed on hardware appliances; as a “virtual appliance” deployed in a customer's virtual server environment; or as a cloud-based solution (security as a service, or SaaS).
The Network Sentry deployment went smoothly, Heaton says. “In the first 10 days of operation, we had more than 5,500 user registrations and 6,600 unique personal devices using the automated BYOD solution to access the UVU network.” And, he adds, within two months the campus had more than 20,000 users and 30,000 unique devices registered.
A new student life building and a new classroom building will have BYOD built in as Heaton's team continues to integrate mobility into the university experience. They also plan to expand the use of BYOD in the classroom by allowing students to take tests online using their personal devices.
“We also hope to expand Network Sentry to our wired networks in the near future, allowing automated access control for PCs used by university staff as well as nearly a thousand infrastructure devices campus-wide,” Heaton says. “Currently, those devices have to be manually configured and assigned to the right VLAN. With Network Sentry, we will just have to plug them in.”
What new threats does UVU face? Heaton says while there are always new viruses, spyware and other malware emerging, the biggest threat is from the sheer scale. BYOD is not a one-to-one user-to-device ratio, but increases the number of potential threats exponentially, he says. “Students often have multiple devices (a smart phone, tablet device, a laptop PC, etc.) that they want to bring on the network, with a corresponding increase in potential threats.”
This flood of personal devices makes it virtually impossible for Heaton's IT staff to take action manually when a device is a threat to the network. “We're going to need automated solutions that can manage the software on each device, detect security breaches and use network access control to instantly identify the offending device and isolate it from the network.”
By providing fully automated network access for UVU students, faculty and guests, Heaton says his team now provides a network experience worthy of a major university. “Students are much happier with their network service – and with the university for providing it.”
A comment on UVU's Facebook page sums it up, he says: “Finally – a good wireless network on campus!” The bottom line, he says, is that automated, secure BYOD really works. “That's good for our students, for our IT department and for the university as a whole.”