Archives > September 2017 > Addressing Top Five IT Security Challenges of Higher Education

Addressing Top Five IT Security Challenges of Higher Education

Universities and colleges face the same IT security challenges as commercial enterprises, but with a force multiplier of difficulty due to a number of challenges unique to higher education. To start, they must lock down information within institutions that are culturally hard-wired to share information for the sake of their mission.

At the same time, IT teams are asked to protect one of the most challenging environments on the Internet: the student dorm network. Meanwhile, within other parts of the university network, employees are dealing with extremely sensitive details about students, professors, staff members and even patients, at those schools with hospitals attached. As a result, organizations are tasked with meeting compliance regulations over that vast and varied trove of information entrusted to the institution. But security and compliance goals are often limited by the resources at hand, as security teams tend to be perennially understaffed and underfunded.

A Culture of Sharing

Universities are built to share knowledge and information, and that often runs counter to IT security principles. In spite of that, security leaders are tasked by trustees and school executives to protect sensitive data not just in administrative systems, but also in those that support classroom learning and cutting-edge research. Students and professors may not like it, but the fact is that the information they hope to share is usually legally owned by the university. What's more, in some cases of sensitive research conducted in concert with government cooperation, national security issues may even present themselves around the corresponding data. As a result, there will always be boundaries in how research data can be used and disseminated.

Nevertheless, the culture issue always seems to rear its head, putting security folks squarely in the middle between university administrators and the professors and researchers who deal with data day in and day out. No vendor could ever presume to claim that technology can solve such a tough issue in organizational politics. But the kind of tools that security staff members use and how they use them can make a difference between engendering ill will from users or flying under the radar until a security problem presents itself. Ultimately, security's directive is to help researchers protect their research; no researcher wants his work to be compromised. But the work to do so requires balancing integrity, privacy and security with information-sharing activities necessary at a world-class research facility.

Take vulnerability scanning, for instance. In a higher-education environment, active scanning is essential for many parts of the organization, but for some it may be problematic. For example, often in the research environment there exists a large amount of cutting-edge, first-generation and home-grown code cobbled together. An active scan could serve to knock down these systems, and potentially ruin experiments in the process if the system is connected to any kind of instrumentation. But IT security teams could use passive scanning technology without as many repercussions to users. A passive scanner could watch for systems that should never interact with the Internet. That way, if there's a centrifuge whose manufacturer shipped with Windows 98 and Internet Explorer 6 without ever providing updates, that system could run, but passive scanning could help IT ensure it never connects online.

Passive scanning could also be used to look for anomalies in traffic, such as unusual spikes in transmitted data. For example: If a well-respected university has a relationship with a government facility that has a department sending 200 MB of data out per week to that facility and it suddenly sends 2 TB of data to a different region, that could raise a red flag. It's a level of due diligence that doesn't require a heavy hand but which could give security staff a jump start in potential incident response or forensics.

Additionally, passive scanning could help identify so-called "shadow" IT infrastructure running on a sensitive network. The technology helps to instantly identify hosts connecting to the network without waiting for scheduled scans, making it useful for detecting end-user devices, virtual infrastructure and cloud applications.
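The passive checks described above (a system that should never reach the Internet, outbound volume far above the usual weekly total, and a host missing from the asset list) can be sketched over flow summaries. This is an added example, not code from the article or from any vendor product; the record layout, address ranges, asset lists and 10x threshold are assumptions, and "a different region" is approximated as a destination not seen in earlier weeks.

```python
import ipaddress
from collections import defaultdict

MB, TB = 10**6, 10**12
# Constructed flow summaries: (week, source, destination, bytes sent).
# Addresses come from private and documentation ranges.
FLOWS = [
    (1, "10.20.0.15", "198.51.100.7", 200 * MB),
    (2, "10.20.0.15", "198.51.100.7", 210 * MB),
    (3, "10.20.0.15", "198.51.100.7", 190 * MB),
    (4, "10.20.0.15", "203.0.113.50", 2 * TB),  # unfamiliar destination, huge volume
    (4, "10.30.0.9", "192.0.2.80", 4_000),      # lab instrument reaching outside
    (4, "10.20.0.77", "10.20.0.1", 1_200),      # host missing from the asset list
]
CAMPUS = ipaddress.ip_network("10.0.0.0/8")     # assumed campus address space
KNOWN_ASSETS = {"10.20.0.15", "10.30.0.9"}      # assumed asset inventory
NO_INTERNET = {"10.30.0.9"}                     # systems that must stay offline


def analyze(flows, current_week, spike_factor=10):
    """Return sorted (rule, source, detail) findings for current_week."""
    past = defaultdict(lambda: defaultdict(int))  # source -> week -> external bytes
    seen = defaultdict(set)                       # source -> earlier external peers
    now = defaultdict(int)                        # source -> external bytes this week
    findings = set()
    for week, src, dst, nbytes in sorted(flows):  # oldest first builds the baseline
        external = ipaddress.ip_address(dst) not in CAMPUS
        if week < current_week:
            if external:
                past[src][week] += nbytes
                seen[src].add(dst)
            continue
        if week > current_week:
            continue
        if src not in KNOWN_ASSETS:
            findings.add(("unknown-host", src, dst))
        if not external:
            continue
        now[src] += nbytes
        if src in NO_INTERNET:
            findings.add(("isolated-host-online", src, dst))
        if seen[src] and dst not in seen[src]:
            findings.add(("new-destination", src, dst))
    for src, total in now.items():
        weeks = past.get(src, {})
        baseline = sum(weeks.values()) / len(weeks) if weeks else 0
        if baseline and total > spike_factor * baseline:
            findings.add(("volume-spike", src, f"{total / baseline:.0f}x baseline"))
    return sorted(findings)
```

Because the analysis only reads flow records, it never touches the fragile research systems that an active scan could knock over.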

Hostile Dorm Environment

In addition to all the intellectual property issues surrounding research and classroom networks, universities with on-campus dorms also contend with one of the most challenging networking environments on the planet: the student housing network. No matter the institution, the immutable fact is that young students will always operate within the most dangerous parts of the Internet. They're often engaging in illegal downloads from P2P, they frequently visit malware-infected sites, and they tend to download questionable applications.

All of this is done on personally owned systems with little to no oversight from the IT department. And yet, these systems are accessing the sketchiest part of the Internet while connected to the institution's network, which frequently also runs university-owned systems that are put at risk by lapses in student judgment. It's a tricky proposition for security personnel to protect the school's network under the circumstances, but protect it they must. They may also need to have enough visibility to block illegal activity on the network and deal with problems that crop up, such as Digital Millennium Copyright Act takedown notices.

Again, this is a situation where passive scanning can help tremendously. A passive scanner can help an infosec department keep tabs on the network to enforce policies, identify potential problems and provide enough information for security experts to blacklist malicious machines on the network.

Broad Compliance Demands

Due to the wide range of activities necessary to keep an active campus humming, higher-education institutions tend to fall under one of the broadest sets of compliance requirements of any industry. Payment card systems processing thousands of transactions per day put these institutions under the purview of Payment Card Industry Data Security Standard. Every school entrusted with medical records must contend with HIPAA requirements, even those without medical facilities but which offer self-funded or managed health plans. And those with hospitals, clinics or medical testing facilities face even more scrutiny under the regulation.

Meanwhile, partnerships with government agencies may require compliance with security frameworks such as the Federal Information Security and Management Act, as well as those developed by the National Institute of Standards and Technology and additional government regulations. Finally, affiliation with private-sector entities could also place additional third-party security demands on systems housing shared information.

One major security capability that's cut universally across the vast majority of these regulations is visibility. Auditors checking for compliance want to see that organizations are monitoring activity and cross-checking that against regulations. A combination of active and passive scanning, integrated within a unified monitoring dashboard, can ensure that a higher-education organization can easily scan against set policies based on a myriad of regulatory requirements. And these policies don't just have to be set against regulations; they can also be tuned to security frameworks or internal policies set to reduce organizational risk.

Maintaining Visibility Across Segmentation

Segmentation is critical for any enterprise that handles a wide range of traffic and information, but it is doubly true for those in education. The previous three challenges we've laid out conspire to make it absolutely essential for any higher-education infosec department to segment networks to set up different zones of defense and limit the scope of compliance requirements. Hostile dorm networks should be run entirely separately from networks that house Banner, PeopleSoft or other grading or administrative systems. And hospital networks and payment system networks must be partitioned off into their own zones so that institutions don't break the bank trying to get a too-large section of the network in compliance with PCI or HIPAA.

At the same time, though, such rampant segmentation can pose visibility problems. After all, segmenting the network is essentially imposing silos on the network for the sake of security, and silos always cause management headaches. Unless done right, it can be difficult to scan and condense security reports across all of the different segments of the network. Educational organizations must seek out some sort of unifying platform to help in the process, lest security efforts grow overly burdensome and disjointed.

Lack of Resources

Perhaps the challenge that seems the most insurmountable for higher-education security staff is the issue of limited resources. Universities consistently must operate underfunded and understaffed while facing one of the most difficult security environments anywhere. As such, IT staff must constantly hunt for ways to improve security efficiency wherever they can.

While it may take work to set up on the front end, automation of scanning, reporting and alerting is critical to getting the most out of security investments. Institutions can do more with less through routine discovery scans that look for machines never before seen on the network and dump relevant data about them into an assets list. This can make it easier to spot problem systems earlier and to identify noncompliant configuration issues. In particular, organizations should work with tools that allow for a greater degree of customization to find the information that an administrator needs.

Higher-education institutions operate under a unique combination of security and compliance requirements. The independence of their user communities and breadth of their endeavors often make security implementation a tall order. But implement they must. Even beyond complying with PCI, HIPAA and other requirements, educational institutions must act proactively to secure their environments, because being compliant does not mean that you are secure. The moment something goes wrong is too late for putting security in place, and waiting until then can cause irreparable damage and significant unexpected costs.

Provided by Tenable. To learn more, visit www.tenable.com/secure-campus.

 

 

 

PUPN Magazine is a trademark of Flaherty Media, LLC, copyright 2017. PUPN Magazine and all contents are properties of Flaherty Media, LLC.