Data Security

Peace (of Mind) in Our Time

Peace (of Mind) in Our TimeTake notes! These five key security trends will reshape how universities defend their databases in 2008 and beyond.

In the ever-changing world of computer security, Jon Allen never sits still. As information security officer at Baylor University (TX), Allen recently embraced encryption software to strengthen the university’s overall security framework.

“You can’t be in reaction mode when it comes to security,” says Allen. “You always have to be watching the market for new advances—from both the vendor community as well as the hacker community.”

That’s for sure. Allen is quick to note that there’s no silver bullet to information security; universities must continue to keep their antivirus, anti-spyware, firewall, and patch management systems in good working order. But that’s not all, he explains: These days, the largest target for hackers appears to be university databases (see “The Big Target”). Now, universities are searching for new solutions to safeguard those systems. In fact, at least five key security trends are emerging across the higher ed landscape:

  1. Encryption. Many universities are following Baylor’s lead by leveraging encryption technology—not only on desktops, but also on database servers.
  2. Information Leakage. There’s also a concerted push under way to stop so-called information leakage via e-mail.
  3. Wireless. Colleges are revamping their WiFi networks to disable rogue access points and other weak links that may provide an open doorway to databases.
  4. Appliances. A range of security appliances can inspect network traffic and stop database information from falling into the wrong hands.
  5. Open Source. The open source development model is moving into network security devices and applications, providing group collaboration against hackers.

Together, these five leading trends provide a comprehensive data security framework for today’s universities. However, universities also must leverage best practices and common sense for effective IT security (see “People Are Still Your Best Defense”).

The Encryption Challenge

During a typical year, 81 percent of US businesses lose one or more laptops containing sensitive information, according to the Ponemon Institute and Vontu, a San Francisco-based provider of data loss-prevention products.

“It’s a safe bet that figure is similar in higher ed,” says Ed Golod, president of Revenue Accelerators, a technology consulting firm in New York. “Universities are the most unwired organizations in the world. So it’s hardly surprising when laptops, notebook computers, and other mobile devices are used outside of the office—and wind up disappearing.”

PEOPLE ARE STILL YOUR BEST DEFENSE

WHAT’S THE WEAKEST LINK in your university’s security architecture? The answer often has little to do with technology, and a whole lot to do with people. Certainly, a hacker can probe your network for weak links. But in many cases, hackers use “social engineering” techniques to trick people into sharing passwords and other confidential information.

Take the case of Kevin Mitnick, a convicted hacker who spent much of the 1990s breaking into highly secure networks from Sun Microsystems, Motorola, and other technology companies. While Mitnick was a skilled technician, he also spent a considerable amount of time working the phones pretending to be company employees who had lost their passwords. On several occasions, Mitnick even tricked network administrators into sending or revealing password information. How can schools keep their campus communities from falling prey to such determined hackers and their techniques?

In order to combat social engineering, universities should remind students, staff, and faculty to:

  • Never share or write down password information.
  • Never communicate confidential information over the phone, or via e-mail or any other communication system.
  • Always confirm the identity of callers who are seeking confidential information that you handle.

Still, losing a notebook often isn’t the real problem. Of greater concern is recovering— or at least protecting—databases, Excel spreadsheets, and other types of confidential information residing on the systems. That’s where encryption software enters the picture. In a typical scenario, encryption software scrambles data so that they can’t be read by probing eyes. The encrypted data could reside in a server database, or on a desktop or notebook, and can only be decrypted by the appropriate software “key.”

Yet, in the 1990s, most encryption software placed too much “overhead” on hardware and software, slowing down systems and impeding productivity on servers, desktops, and mobile computers. “The very people who expected to benefit from encryption wound up complaining that it either was too complicated, too slow, or too expensive to deploy campuswide,” recalls Golod. But the times they are a-changin’. Faster hardware coupled with improved encryption software has set the stage for broad adoption of encryption technologies. Baylor, for one, has embraced PGP’s Whole Disk Encryption technology (www.pgp.com) to protect data stored on its desktop and laptop computers, along with the PGP Universal Server for centralized management of its encryption applications.

“One of our key requirements was a solution that supported both Windows and Mac OS X,” says Baylor’s Allen. “PGP passed that test with no problem at all. We’re impressed with it so far, and we’re finding that our users are happy with it as well. PGP provides security without causing any headaches for our users.”

“Encryption certainly has gained popularity, especially for safeguarding faculty laptops,” offers Paul Zindell, a network security specialist at CDW-G, the government- and education-focused division of CDW. “But there are some challenges. For small mobile devices that don’t have much processing power, encryption remains wishful thinking. But for PCs and servers, it’s becoming more and more of a mainstream option.”

Find the Leak

Another big IT security trend focuses on information leakage—which involves the deliberate (or accidental) movement of data off of university systems. For instance, a university administrator may accidentally send confidential financial information to a consultant whose e-mail address closely resembles that of a peer employee.

“At one time or another in our careers, we’ve all made the honest mistake of forwarding a message to a person who shouldn’t see it,” notes Andy Honl, a senior product marketing manager at data security giant Symantec.

But as privacy and compliance concerns grow, universities must take steps to stop such information leakage. Not by coincidence, most traditional security software companies—from McAfee and Symantec, to Websense—now offer solutions that block confidential data from leaving designated servers or desktops. Ideally, software that blocks information leakage must look beyond e-mail systems, and also must stop users from moving data from a PC to a USB (universal serial bus) thumb drive, CDROM, DVD, or other type of mobile or portable device.

Wireless Worries

Contrary to some speculation, WiFi networks have proven to be just as secure as traditional wired networks. The trouble with WiFi, however, frequently involves misconfigured devices and/or rogue wireless access points that provide an open door into a university’s network.

“It wasn’t long ago that every university wanted to boast it had a wireless campus,” recalls CDW-G’s Zindell. “Many schools spent a lot of money unwiring their campuses—but they forgot to lock down those wireless networks.”

One common wireless attack on college campuses involves the so-called “man-in-the-middle” hack. In this scenario, a hacker typically sits in a university courtyard or campus quad area. He then sets his laptop to broadcast a free WiFi signal. Unsuspecting students, faculty, and staff members using notebooks may mistake the hacker’s wireless signal for a legitimate campus WiFi network. Those who latch on to the hacker’s signal may wind up sharing passwords, financial information, and other confidential data without ever realizing it, notes Paul Henry, VP of strategic accounts at Secure Computing, an enterprise gateway security provider.

“These days, the big focus for universities is to detect rogue wireless access points,” says Zindell. “We’re seeing more and more universities use centralized management tools to tie down their wireless networks.”

At a Glance: TRENDS IN IT SECURITY

Encryption. It got off to a slow start in the 1990s. Encryption systems were too complex, and they dragged down the performance of servers and desktops. But these days, encryption technology is going mainstream and is even built into Windows Vista.

Information Leakage. The big fear of many university administrators and technologists: information leaving campus via e-mail systems, USB thumb drives, and other mobile storage devices. Most security vendors now offer software that halts such information leakage.

Wireless. There’s no doubt that, increasingly, confidential information flows across wireless networks. Looking ahead, the big challenge involves safeguarding smart phones and other mobile devices that don’t run traditional PC security software.

Appliances. The security market is now flooded with appliances that promise enhanced security. But choose wisely. As recently noted by Jay Chaudhry, vice chairman and chief strategy officer for enterprise gateway security provider Secure Computing, more than 80 percent of security appliance vendors will either go out of business or be acquired within the next three years.

Open Source. It’s pushing beyond Linux, Apache, and e-mail. Next up, open source code will increasingly land in security servers and appliances. That could lead to better collaboration among security experts around the globe.

Charleston Southern University (SC), for instance, deployed next-gen WiFi solutions from Xirrus in order to provide secure video and audio streams of its athletic teams in action. At one point, the university considered deploying fiber-based networks across its athletic fields. But the Xirrus solution provided secure, centrally administered WiFi coverage to the fields for roughly $15,000 less than the fiber alternative, recalls Rusty Bruns, chief information officer at the university.

WiFi isn’t the only wireless security challenge facing today’s universities, however. Increasingly, university technologists and administrators are discovering they also must understand how to safeguard smart phones that rely on the GSM (global system for mobile communications) standard, notes J. Keith Fowlkes, vice chancellor for information technology and CIO for The University of Virginia College at Wise. “We’re looking at mobile phones and other types of devices to reach out to faculty, staff, and students in a time of emergency,” says Fowlkes. “But we need to know those communications will be secure.” As this story went to press, UVA-Wise was issuing a request for proposals for a voice over IP (VoIP) network. That system, Fowlkes notes, will need the potential to support and manage GSM devices over a secure connection.

Not by coincidence, many vendors are enhancing their technologies to safeguard wireless VoIP environments. In August, Enterasys Networks, for one, unveiled its new Secure Open Convergence platform, which protects IP telephony networks (both wired and wireless) from security threats.

DIGITAL SIGNAGE IDEA: NEWS AT 11

At Creighton University, four 40-inch LCD screens are installed in two of the college's busiest areas. Two are mounted to the ceiling of a high-traffic hallway. The others sit side-by-side in the main entryway as one large presentation, tickers flowing from one screen to the next. The screens provide news, weather, and market updates to students as they move between classes.

Appliances Come of Age

Meanwhile, UVA-Wise is using a mix of security solutions from Aruba Networks and Fortinet to safeguard its existing network. While Aruba provides a secure wireless infrastructure, Fortinet delivers a unified threat management (UTM) appliance that includes firewall, antivirus, intrusion prevention, VPN (virtual private network), spyware prevention, and anti-spam capabilities. “Fortinet is the key to our security architecture,” says Fowlkes. “It’s an affordable option with a great feature set.”

Fortinet isn’t the only security appliance catching on with universities. Hofstra University (NY), for instance, uses Campus Manager—a network access control (NAC) appliance from Bradford Networks—to manage, secure, and control all devices that attempt to access Hofstra’s network.

The BIG TARGET

THE DAYS OF INTERNET joyriding are over. University databases—which contain Social Security numbers and other confidential information— are now prime targets for hackers. Think it can’t happen on your campus? Here’s a sampling of recent break-ins:

March 2005: Harvard (MA), MIT, and Stanford (CA) business schools’ admissions are hacked.

March 2005: California State University-Chico is hacked; information on students is stolen.

June 2005: The University of Southern California online application system is hacked.

October 2005: Hacker accesses University of California-Berkeley research being performed for Department of Social Services; data on 600,000 people is exposed.

October 2005: The University of Georgia is hacked; information on 1,600 employees, including Social Security numbers, is accessed.

May 2006: Ohio University officials discover that the university’s database had been compromised for over a year; hackers gained access to the personal data of more than 300,000 alumni and other individuals.

December 2006: UCLA alerts 800,000 current and former students, faculty, and staff that a database containing their personal information has been accessed by a hacker for more than a year.

May 2007: It’s revealed that more than 22,000 student records may have been compromised when a hacker infiltrated a University of Missouri database.

May 2007: The University of Colorado-Boulder acknowledges that nearly 45,000 student names and Social Security numbers were exposed to potential identity fraud when a worm attacked a computer server at the university.

June 2007: The University of Virginia discovers a security breach in one of its computer applications that resulted in the exposure of sensitive information belonging to nearly 6,000 current and former UVA faculty members.

Sources: Bill Wall, HackWire, SecurityProNews, SearchSecurity.com, TGdaily.com, UVA Today.

“The solution profiles all the devices on the network, manages that information in a database, and then assigns the appropriate security policies to each device,” says Jerry Skurla, VP of marketing at Bradford Networks. Using NAC appliances, many universities are helping students to register and configure their PCs for campus networks even before they arrive for fall or spring semesters, Skurla notes.

Open Source Grows Up

Most university technologists are fluent in Linux, Apache, and other mainstream open source options. But looking ahead, open source security devices and networking gear likely will gain momentum within academic settings. One prime example: StillSecure has launched an open source platform that supports a secure firewall, intrusion prevention, WiFi, and VPN services. Known as the Cobia Unified Network Platform, the system is free to universities, businesses, and home users, according to StillSecure CTO Mitchell Ashley. Universities and other customers can pay a commercial fee to purchase the vendor’s software bundled with hardware and related support services. Early adopters include the University of Arkansas, the University of British Columbia, and the New England School of Law (MA).

Open source software provides several potential benefits in the world of security. For starters, any programmer is free to probe the open source code for potential bugs or security holes. The programmer can submit a fix to the problem, which is then incorporated into the product’s code base. Another potential upside: Open source solutions parallel the open, collaborative nature of academia. People across the world can share ideas and new concepts on security.

But open source security solutions remain in their infancy. “You’ll see more traditional, commercial products dominating the security market for the next few years,” predicts Golod at Revenue Accelerators. “But like any good university, you’ve got to keep your eye on the horizon for the next big thing. It’s safe to say more security innovations will come from the open source arena, because so many programmers are now switching to the open source model.”

::WEBEXTRAS ::
Head online for these on-demand webinars:

  • Extending the Vision: Large- Scale WiFi: Securely Connecting the Entire Campus Community
  • Campus Data Security: Making the Assessment, Finding the Holes
  • Unexpected Quick Wins in 802.1x: Simplify User Experience, Reduce Helpdesk Workload, and Automate Secure Guest Access
  • Data Protection in the Real World: Guarding the Institution While Maintaining Academic Integrity

comments powered by Disqus