2008 Campus Technology Innovators: Network Security
TECHNOLOGY AREA: NETWORK SECURITY
Innovator: Ohio Dominican University
After a security breach, and before a network revamp, smart university administrators and technologists forget what they've built to date-- on purpose.
A security breach certainly can make technologists reevaluate the way they organize a network, and that's exactly what happened last year at Ohio Dominican University. On the heels of one such breach, Data Network Manager and project lead Bob Zimmerman and technology gurus at ODU undertook a from-the-ground-up comprehensive review of the university's information security posture and openly discarded all preconceived or biased views of the institution's existing strategy. With each vendor partner, the technologists painstakingly analyzed failures and inefficiencies. They left no stone unturned. The result: a brand-new approach to information security.
According to CIO Mike Young, the goal of the exercise was simple: to achieve a holistic, "preeminent" information security program that would lock down school data in a multi-layered approach that empowered the true requirements to drive the selection of tools.
"We were able to turn a very negative situation into a positive, collaborative experience," says Young, who notes that the transformation took roughly 11 months. "We seized the opportunity to formulate a brand-new approach to security that would not limit our options based on previous investments and expenditures."
Ohio Domincan seized the opportunity to formulate a brand-new approach to security-- without limiting the options based on previous investments and expenditures.
The process of revolutionizing security at ODU hinged on the variety of vendor partners that came in to evaluate different aspects of the network. With representatives from consultancy P3 Strategic, ODU technologists spent the first few months of the process reflecting on the event that had occurred, and analyzing the forensics of the security breach. During this process, Zimmerman and his colleagues were conscious to not focus on blame; instead, they sought to understand present and future threats.
Next, the IT staffers worked with Jacadis consultants to develop short- and long-term security strategies including remediation, security awareness training, network monitoring tools, and quarterly penetration tests. ODU also worked with Acunetix, which detects and patches web vulnerabilities. Finally, ODU contracted consultants from TriGeo for on-demand event management, and turned to Qualys and Bradford Networks, to automate vulnerability management and cleanse user PCs as they are logged on to the campus network. Software from Anixis provided password policy enforcement.
At no point during the IT security infrastructure transformation, says Young, did he or his colleagues anticipate that the new system would work so well, so quickly. The results, he says, have been stunning, revealing that the institution has tallied 108 specific improvements spanning just about every aspect of security on campus. As by-products of these improvements, he adds, the automation of vulnerability management has saved the campus help desk countless hours of PC cleansing, and password resets have dropped from 50 percent of all help desk calls to 20 percent. Young maintains that security remediation efforts resulting from the reports coming from the high-end tools have allowed ODU to proactively correct deficiencies "expeditiously and comprehensively."
In addition to these direct benefits, the project has saved ODU staffers countless hours of administration time. More importantly, the holistic approach has positioned the school to pass just about any audit for compliance, and has catapulted the school into a formal risk-management program. Many ODU staffers now have the opportunity to take information security awareness training, incorporating a series of lectures and workshops designed to raise awareness about security breaches and help users prevent identity theft.
"Nobody takes anything for granted anymore," Young states emphatically.
The most unexpected benefit of the initiative was the way it inspired ODU technologists to launch a formal IT governance effort to establish policies that would reinforce all of the school's new security measures and improvements. Building on this success, the school has set its sights on the next milestone: ISO 17799 certification, involving the Code of Practice for Information Security Management. Stay tuned.