Mobile Computing | Feature
The New Varsity Letters: BYOD = NAC + MDM
To protect sensitive data in the BYOD era, schools must take a more closed, corporate approach, blending network access control and mobile device management.
By its very nature, education is "open." In contrast to the corporate world, schools provide access to a wide range of information--to a wide range of people. But, for better or worse, times are changing. For many network administrators in higher ed, open access has become a hornet's nest, and the era of limited lockdown has begun. And, increasingly, schools are looking to the business world for models on how to protect themselves and their constituents.
A case in point is New York Law School. Until the smartphone craze picked up, the school supported about 3,000 devices for its 1,500 students and 200-plus faculty. That figure jumped rapidly to 7,000 devices--mostly wireless--forcing Peter Trimarchi, NYLS's technical director, to take a hard look at the vulnerability of his network and its attendant devices.
"Over the last six months to a year, NYLS has been looking at this as a security issue," explained Trimarchi. "From a holistic security approach, we're monitoring computers. So we had to ask ourselves why we were not also doing this for mobile devices? Why weren't we securing our network completely?" Other issues loomed, too, such as how to deal with lost or stolen devices, how to make sure sensitive content doesn't fall into the wrong hands, and what to do about devices that become infected.
As a first step, Trimarchi and his team initiated a mobile device management (MDM) pilot that will continue through the summer, after which it will be "married" with a budget. The new system should be in place by next fall.
Under consideration are MDM products from a number of vendors, including ForeScout, the school's current network access control (NAC) provider. "The NAC appliance handles--but is not limited to--our web authentication, and our internal device wired and wireless security policies," explained Trimarchi. "MDM, on the other hand, is focused around mobile devices."
ForeScout MDM is a cloud-based solution that complements NAC capabilities. Like many other institutions, NYLS plans to use NAC as the foundation of its security strategy, combined with MDM to secure data on BYOD devices. With the two paired, a school should be able to manage everything on its network with unified visibility and control.
Among the features that NYLS requires of any MDM solution is the ability to authenticate devices, to track where they are on the network, to "wipe" them if they're lost or stolen, and to distinguish between what belongs to the university and what is personal. "If it's a user's own device, we want to wipe only what's corporate, while leaving personal data intact," noted Trimarchi. This is especially important for devices belonging to faculty, who often have access to shared drives and specific application needs. "We want faculty to be able to access things--to map network drives to devices--but we also want to protect them."
On the faculty side of device management, other important requirements include password policies, the ability to remotely locate devices, and the ability to detect jailbroken or rooted devices (devices whose platform restrictions have been removed, so they can install and run unapproved third-party applications and their built-in security controls can no longer be relied on). In addition, Trimarchi wants the ability to block personally identifiable information, track data usage for expense management, and get inventory reports. To reduce pressure on IT support staff, he also wants a self-service portal where users can reset their own passwords.
For students, the requirements are slightly different. Students will be able to authenticate via Active Directory, enabling them to connect to the e-mail system. A physical help desk will also be available to assist students with issues.
Given how lax students can be when it comes to software updates, peer-to-peer file sharing, and antivirus software, the ability to quarantine mobile devices that don't adhere to school standards is a critical component of any MDM solution. "By next fall, we're hoping that students will be able to authenticate each of their devices and be subject to the policies we put in place," continued Trimarchi. "If a phone is hacked or has a virus, for instance, we can block it or quarantine it, and we can assist the student in cleaning up the device."
The change from the educational ideal of open information to a more closed, corporate approach is a "huge thing," according to Trimarchi. "With a virtual private network, you get whatever the machine throws out. But, with products like ForeScout, you have to meet certain requirements. If you don't adhere to the policy, you don't get on the network."
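To make the admission logic described above concrete, here is an added example of a posture-based access decision of the kind a NAC and MDM pairing enforces: a device is blocked unless its user has authenticated and the device is enrolled, quarantined for remediation if it is jailbroken or rooted, infected, or out of date, and otherwise allowed; a separate routine picks the wipe scope for a lost or stolen device depending on whether it is school-owned or personal. This is illustrative code written for this article, not code from NYLS, ForeScout, or any MDM product; the device records, field names, and the 30-day patch threshold are constructed assumptions.

```python
"""Added example: minimal NAC/MDM-style posture evaluation and wipe scoping.

Not code from the article, NYLS, or ForeScout. Device records, field
names and thresholds below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"              # full network access
    QUARANTINE = "quarantine"    # remediation VLAN only, help desk can assist
    BLOCK = "block"              # no access until identity/enrollment is fixed


@dataclass
class Device:
    device_id: str
    owner: str
    authenticated: bool          # user passed directory (e.g. Active Directory) auth
    enrolled_in_mdm: bool        # device is registered and under policy
    corporate_owned: bool        # school-issued vs personal (BYOD)
    jailbroken_or_rooted: bool
    os_patch_age_days: int
    antivirus_current: bool
    malware_detected: bool


@dataclass
class Verdict:
    decision: Decision
    reasons: list = field(default_factory=list)


MAX_PATCH_AGE_DAYS = 30   # constructed threshold, not a vendor default


def evaluate_posture(dev: Device) -> Verdict:
    """Decide admission for one device from its reported posture."""
    # Step 1: identity and enrollment gate. Unknown devices never get on.
    if not dev.authenticated:
        return Verdict(Decision.BLOCK, ["user not authenticated against the directory"])
    if not dev.enrolled_in_mdm:
        return Verdict(Decision.BLOCK, ["device not enrolled in MDM"])

    # Step 2: integrity and hygiene checks. Any failure sends the device to
    # quarantine, where it can reach remediation resources but nothing else.
    reasons = []
    if dev.jailbroken_or_rooted:
        reasons.append("jailbroken/rooted: platform controls cannot be trusted")
    if dev.malware_detected:
        reasons.append("malware detected by the MDM agent")
    if not dev.antivirus_current:
        reasons.append("antivirus signatures out of date")
    if dev.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"OS patches older than {MAX_PATCH_AGE_DAYS} days")
    if reasons:
        return Verdict(Decision.QUARANTINE, reasons)
    return Verdict(Decision.ALLOW, [])


def wipe_scope(dev: Device) -> list:
    """Data categories to remove when a device is reported lost or stolen.

    School-owned devices get a full wipe; personal (BYOD) devices lose only
    the managed, school-provisioned data so personal content stays intact.
    """
    managed = ["corporate_email", "mapped_network_drives", "managed_apps", "vpn_profile"]
    if dev.corporate_owned:
        return managed + ["personal_data"]
    return managed


def triage_fleet(devices: list) -> dict:
    """Map device_id -> decision name for a batch of posture reports."""
    return {d.device_id: evaluate_posture(d).decision.value for d in devices}


# Constructed sample fleet for a stand-alone run.
SAMPLE_FLEET = [
    Device("laptop-01", "faculty-a", True, True, True, False, 5, True, False),
    Device("phone-02", "student-b", True, True, False, True, 5, True, False),
    Device("tablet-03", "student-c", False, False, False, False, 0, True, False),
    Device("phone-04", "student-d", True, True, False, False, 90, False, False),
]

if __name__ == "__main__":
    for dev in SAMPLE_FLEET:
        v = evaluate_posture(dev)
        print(f"{dev.device_id:10} {v.decision.value:10} {'; '.join(v.reasons)}")
        if v.decision is not Decision.BLOCK:
            print(f"{'':10} wipe scope if lost: {wipe_scope(dev)}")
```

The ordering matters: identity and enrollment are checked before hygiene, so an unenrolled device is blocked outright rather than placed in a quarantine network it was never entitled to, and every quarantine verdict carries the list of failed checks so the help desk can tell the student what to fix.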
For schools considering a similar, holistic approach to security, Trimarchi's advice is to "look at what's out there and try it out. Kick the tires on all vendors." As part of the due diligence process, he recommends that IT shops check blogs and ask questions about vendors in technical forums. And when it comes to a contract, make sure that the company is committed to everything it says it can do.
Regardless of which vendor a school chooses, though, it shouldn't expect a fire-and-forget solution. Once the new policies are in place at NYLS, for example, Trimarchi estimates a six-month adjustment period. "People will come to me with ideas," he predicted. "We'll make adjustments. We'll be tweaking it."
He noted that, even now, Samsung is making a watch that will be able to get on the network. "We can't get ahead," said Trimarchi ruefully. "We're always behind."