Security | Feature

Blurring the Lines of Network Security

The proliferation of laptops, tablets, and smartphones on campus challenges higher ed IT departments to balance network protection with a culture of openness.

• By Vanessa Hua
• 10/20/11

In today's consumerized IT environment, the line between personal and IT-controlled devices has blurred. The typical user has four devices that function interchangeably for business and personal tasks, noted Brian Contos, director of global security strategies at Internet security provider McAfee. "The upside for the organization is its users are always connected," he said. "The drawback is that the same device you're using for personal shopping or printing out banners for school is probably the same platform you're leveraging for sensitive or confidential information."

How are organizations approaching the security challenge? Eighty-four percent of enterprise and government entities allow employees to use iPads, iPhones, Facebook, Twitter, and IM to conduct business, according to a recent survey of corporate and government employees from Proofpoint, a cloud-based e-mail security firm, that was conducted by Osterman Research. Seventy-three percent of the survey respondents stated that they are using a combination of policy and trust as their security strategy; 51 percent have implemented strategies that leverage policy, technology, and trust; and 11 percent are relying on "employee good judgment" alone.

Users' good judgment is not enough for most colleges and universities, where IT administrators are turning to security solutions that include segmenting network access controls, encouraging users to install security software on their devices, using tools that allow administrators to erase data or lock down devices, and running virtual machine environments for remote access. Still, the culture of openness in higher ed requires that IT balance network protection with convenience for campus constituents.

"The nature of academia is basically to be wide-open--getting access to what you need and whatever you want," said Mike Khalfayan, associate director of information security at the University of Rhode Island, whose department oversees three campuses in Providence, Kingston, and Narragansett. "We try to support the majority of devices, but it's almost impossible to handle," he added, though the university aims to support "at least 98 percent."

To better manage the multitude of devices accessing the campus network, URI began rolling out a WPA2 secure wireless network for students, staff, and faculty in January. IT administrators published a notice on the URI portal announcing the deployment and set up a feedback account to help troubleshoot problems.

With the help of a network access control solution from ImpulsePoint, users are now automatically directed to Cloudpath Networks' XpressConnect solution, which configures each device to the secure network. If a device doesn't support WPA2 (for instance, a gaming console), administrators can dynamically assign a role to regulate access based on the identity of users and when they are connecting.

Users accessing the network remotely (say, from home) go through an extra layer of security precautions. "Instead of allowing direct access, we make sure they go through security steps to access the network, and can only access certain areas of the network," Khalfayan said.

The university also maintains an unencrypted network open to guests, with limited bandwidth and access to ports. Guests--who range from government employees to cheerleading camps that bunk down on campus during the summer--can access Webmail from their mobile devices.

However, the ease with which guests can hop on--no name or password required--has attracted campus users who should be accessing the secure network. To encourage migration to the secure network, guest access expires at 10 p.m., and IT security staffers have "hit the pavement" to educate recalcitrant users.

As for mobile devices such as smart phones, which are increasingly targeted by malware attacks, URI is still formulating its security strategy. Through monthly newsletters and internal wikis on security awareness, the university has recommended users install mobile security applications from vendors like Lookout, Norton, and others. For centrally managed devices issued by the university to faculty and staff, URI is piloting a solution that can wipe devices remotely if an employee has left or, "for whatever reason, isn't playing nicely," Khalfayan said.