Data Security

Peace (of Mind) in Our Time

• By Joseph C. Panettieri
• 10/01/07

Take notes! These five key security trends will reshape how universities defend their databases in 2008 and beyond.

In the ever-changing world of computer security, Jon Allen never sits still. As information security officer at Baylor University (TX), Allen recently embraced encryption software to strengthen the university’s overall security framework.

“You can’t be in reaction mode when it comes to security,” says Allen. “You always have to be watching the market for new advances—from both the vendor community as well as the hacker community.”

That’s for sure. Allen is quick to note that there’s no silver bullet to information security; universities must continue to keep their antivirus, anti-spyware, firewall, and patch management systems in good working order. But that’s not all, he explains: These days, the largest target for hackers appears to be university databases (see “The Big Target”). Now, universities are searching for new solutions to safeguard those systems. In fact, at least five key security trends are emerging across the higher ed landscape:

1. Encryption. Many universities are following Baylor’s lead by leveraging encryption technology—not only on desktops, but also on database servers.
2. Information Leakage. There’s also a concerted push under way to stop so-called information leakage via e-mail.
3. Wireless. Colleges are revamping their WiFi networks to disable rogue access points and other weak links that may provide an open doorway to databases.
4. Appliances. A range of security appliances can inspect network traffic and stop database information from falling into the wrong hands.
5. Open Source. The open source development model is moving into network security devices and applications, providing group collaboration against hackers.

Together, these five leading trends provide a comprehensive data security framework for today’s universities. However, universities also must leverage best practices and common sense for effective IT security (see “People Are Still Your Best Defense”).

The Encryption Challenge

During a typical year, 81 percent of US businesses lose one or more laptops containing sensitive information, according to the Ponemon Institute and Vontu, a San Francisco-based provider of data loss-prevention products.

“It’s a safe bet that figure is similar in higher ed,” says Ed Golod, president of Revenue Accelerators, a technology consulting firm in New York. “Universities are the most unwired organizations in the world. So it’s hardly surprising when laptops, notebook computers, and other mobile devices are used outside of the office—and wind up disappearing.”

Still, losing a notebook often isn’t the real problem. Of greater concern is recovering— or at least protecting—databases, Excel spreadsheets, and other types of confidential information residing on the systems. That’s where encryption software enters the picture. In a typical scenario, encryption software scrambles data so that they can’t be read by probing eyes. The encrypted data could reside in a server database, or on a desktop or notebook, and can only be decrypted by the appropriate software “key.”

Yet, in the 1990s, most encryption software placed too much “overhead” on hardware and software, slowing down systems and impeding productivity on servers, desktops, and mobile computers. “The very people who expected to benefit from encryption wound up complaining that it either was too complicated, too slow, or too expensive to deploy campuswide,” recalls Golod. But the times they are a-changin’. Faster hardware coupled with improved encryption software has set the stage for broad adoption of encryption technologies. Baylor, for one, has embraced PGP’s Whole Disk Encryption technology (www.pgp.com) to protect data stored on its desktop and laptop computers, along with the PGP Universal Server for centralized management of its encryption applications.

“One of our key requirements was a solution that supported both Windows and Mac OS X,” says Baylor’s Allen. “PGP passed that test with no problem at all. We’re impressed with it so far, and we’re finding that our users are happy with it as well. PGP provides security without causing any headaches for our users.”

“Encryption certainly has gained popularity, especially for safeguarding faculty laptops,” offers Paul Zindell, a network security specialist at CDW-G, the government- and education-focused division of CDW. “But there are some challenges. For small mobile devices that don’t have much processing power, encryption remains wishful thinking. But for PCs and servers, it’s becoming more and more of a mainstream option.”

Find the Leak

Another big IT security trend focuses on information leakage—which involves the deliberate (or accidental) movement of data off of university systems. For instance, a university administrator may accidentally send confidential financial information to a consultant whose e-mail address closely resembles that of a peer employee.

“At one time or another in our careers, we’ve all made the honest mistake of forwarding a message to a person who shouldn’t see it,” notes Andy Honl, a senior product marketing manager at data security giant Symantec.

But as privacy and compliance concerns grow, universities must take steps to stop such information leakage. Not by coincidence, most traditional security software companies—from McAfee and Symantec, to Websense—now offer solutions that block confidential data from leaving designated servers or desktops. Ideally, software that blocks information leakage must look beyond e-mail systems, and also must stop users from moving data from a PC to a USB (universal serial bus) thumb drive, CDROM, DVD, or other type of mobile or portable device.

Wireless Worries

Contrary to some speculation, WiFi networks have proven to be just as secure as traditional wired networks. The trouble with WiFi, however, frequently involves misconfigured devices and/or rogue wireless access points that provide an open door into a university’s network.

“It wasn’t long ago that every university wanted to boast it had a wireless campus,” recalls CDW-G’s Zindell. “Many schools spent a lot of money unwiring their campuses—but they forgot to lock down those wireless networks.”

One common wireless attack on college campuses involves the so-called “man-in-the-middle” hack. In this scenario, a hacker typically sits in a university courtyard or campus quad area. He then sets his laptop to broadcast a free WiFi signal. Unsuspecting students, faculty, and staff members using notebooks may mistake the hacker’s wireless signal for a legitimate campus WiFi network. Those who latch on to the hacker’s signal may wind up sharing passwords, financial information, and other confidential data without ever realizing it, notes Paul Henry, VP of strategic accounts at Secure Computing, an enterprise gateway security provider.

“These days, the big focus for universities is to detect rogue wireless access points,” says Zindell. “We’re seeing more and more universities use centralized management tools to tie down their wireless networks.”

Charleston Southern University (SC), for instance, deployed next-gen WiFi solutions from Xirrus in order to provide secure video and audio streams of its athletic teams in action. At one point, the university considered deploying fiber-based networks across its athletic fields. But the Xirrus solution provided secure, centrally administered WiFi coverage to the fields for roughly $15,000 less than the fiber alternative, recalls Rusty Bruns, chief information officer at the university.

WiFi isn’t the only wireless security challenge facing today’s universities, however. Increasingly, university technologists and administrators are discovering they also must understand how to safeguard smart phones that rely on the GSM (global system for mobile communications) standard, notes J. Keith Fowlkes, vice chancellor for information technology and CIO for The University of Virginia College at Wise. “We’re looking at mobile phones and other types of devices to reach out to faculty, staff, and students in a time of emergency,” says Fowlkes. “But we need to know those communications will be secure.” As this story went to press, UVA-Wise was issuing a request for proposals for a voice over IP (VoIP) network. That system, Fowlkes notes, will need the potential to support and manage GSM devices over a secure connection.

Not by coincidence, many vendors are enhancing their technologies to safeguard wireless VoIP environments. In August, Enterasys Networks, for one, unveiled its new Secure Open Convergence platform, which protects IP telephony networks (both wired and wireless) from security threats.

Appliances Come of Age

Meanwhile, UVA-Wise is using a mix of security solutions from Aruba Networks and Fortinet to safeguard its existing network. While Aruba provides a secure wireless infrastructure, Fortinet delivers a unified threat management (UTM) appliance that includes firewall, antivirus, intrusion prevention, VPN (virtual private network), spyware prevention, and anti-spam capabilities. “Fortinet is the key to our security architecture,” says Fowlkes. “It’s an affordable option with a great feature set.”

Fortinet isn’t the only security appliance catching on with universities. Hofstra University (NY), for instance, uses Campus Manager—a network access control (NAC) appliance from Bradford Networks—to manage, secure, and control all devices that attempt to access Hofstra’s network.

“The solution profiles all the devices on the network, manages that information in a database, and then assigns the appropriate security policies to each device,” says Jerry Skurla, VP of marketing at Bradford Networks. Using NAC appliances, many universities are helping students to register and configure their PCs for campus networks even before they arrive for fall or spring semesters, Skurla notes.

Open Source Grows Up

Most university technologists are fluent in Linux, Apache, and other mainstream open source options. But looking ahead, open source security devices and networking gear likely will gain momentum within academic settings. One prime example: StillSecure has launched an open source platform that supports a secure firewall, intrusion prevention, WiFi, and VPN services. Known as the Cobia Unified Network Platform, the system is free to universities, businesses, and home users, according to StillSecure CTO Mitchell Ashley. Universities and other customers can pay a commercial fee to purchase the vendor’s software bundled with hardware and related support services. Early adopters include the University of Arkansas, the University of British Columbia, and the New England School of Law (MA).

Open source software provides several potential benefits in the world of security. For starters, any programmer is free to probe the open source code for potential bugs or security holes. The programmer can submit a fix to the problem, which is then incorporated into the product’s code base. Another potential upside: Open source solutions parallel the open, collaborative nature of academia. People across the world can share ideas and new concepts on security.

But open source security solutions remain in their infancy. “You’ll see more traditional, commercial products dominating the security market for the next few years,” predicts Golod at Revenue Accelerators. “But like any good university, you’ve got to keep your eye on the horizon for the next big thing. It’s safe to say more security innovations will come from the open source arena, because so many programmers are now switching to the open source model.”

::WEBEXTRAS ::
Head online for these on-demand webinars:

• Extending the Vision: Large- Scale WiFi: Securely Connecting the Entire Campus Community
• Campus Data Security: Making the Assessment, Finding the Holes
• Unexpected Quick Wins in 802.1x: Simplify User Experience, Reduce Helpdesk Workload, and Automate Secure Guest Access
• Data Protection in the Real World: Guarding the Institution While Maintaining Academic Integrity