At the same time, IT teams are asked to protect one of the most challenging environments on the Internet: the student dorm network. Meanwhile, within other parts of the university network, employees are dealing with extremely sensitive details about students, professors, staff members and even patients, at those schools with hospitals attached. As a result, organizations are tasked with meeting compliance regulations over that vast and varied trove of information entrusted to the institution. But security and compliance goals are often limited by the resources at hand, as security teams tend to be perennially understaffed and underfunded.
A Culture of Sharing
Universities are built to share knowledge and information, and that often runs counter to IT security principles. In spite of that, security leaders are tasked by trustees and school executives to protect sensitive data not just in administrative systems, but also in those that support classroom learning and cutting-edge research. Students and professors may not like it, but the fact is that the information they hope to share is usually legally owned by the university. What’s more, in some cases of sensitive research conducted in concert with government cooperation, national security issues may even present themselves around the corresponding data. As a result, there will always be boundaries in how research data can be used and disseminated.
Nevertheless, the culture issue always seems to rear its head, putting security folks squarely in the middle between university administrators and the professors and researchers who deal with data day in and day out. No vendor could ever presume to claim that technology can solve such a tough issue in organizational politics. But the kind of tools that security staff members use and how they use them can make a difference between engendering ill will from users or flying under the radar until a security problem presents itself. Ultimately, security’s directive is to help researchers protect their research; no researcher wants his work to be compromised. But the work to do so requires balancing integrity, privacy and security with information-sharing activities necessary at a world-class research facility.
Take vulnerability scanning, for instance. In a higher-education environment, active scanning is essential for many parts of the organization, but for some it may be problematic. For example, often in the research environment there exists a large amount of cutting-edge, first-generation and home-grown code cobbled together. An active scan could serve to knock down these systems, and potentially ruin experiments in the process if the system is connected to any kind of instrumentation. But IT security teams could use passive scanning technology without as many repercussions to users. A passive scanner could watch for systems that should never interact with the Internet. That way, if there’s a centrifuge whose manufacturer shipped with Windows 98 and Internet Explorer 6 without ever providing updates, that system could run, but passive scanning could help IT ensure it never connects online.
Passive scanning could also be used to look for anomalies in traffic, such as unusual spikes in transmitted data. For example: If a well-respected university has a relationship with a government facility that has a department sending 200 MB of data out per week to that facility and it suddenly sends 2 TB of data to a different region, that could raise a red flag. It’s a level of due diligence that doesn’t require a heavy hand but which could give security staff a jump start in potential incident response or forensics.
Additionally, passive scanning could help identify so-called “shadow” IT infrastructure running on a sensitive network. The technology helps to instantly identify hosts connecting to the network without waiting for scheduled scans, making it useful for detecting end-user devices, virtual infrastructure and cloud applications.
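The three passive checks described above (an isolated system reaching the Internet, an unusual spike in transmitted data, and a host that is not in the asset list) can be sketched as detection logic over flow records. This is an added example, not Tenable's code or product logic; every address, threshold and flow record in it is constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# All addresses, thresholds and flow records below are constructed for illustration.
CAMPUS = ipaddress.ip_network("10.0.0.0/8")
KNOWN_ASSETS = {"10.20.0.5", "10.20.0.9", "10.30.1.17"}  # current asset list
NO_INTERNET = {"10.30.1.17"}          # e.g. an unpatched instrument controller
BASELINE = {("10.20.0.5", "198.51.100.0/24"): 200 * 10**6}  # usual bytes per week
SPIKE_FACTOR = 10                     # alert above 10x the usual weekly volume
NEW_DEST_LIMIT = 10**9                # alert above 1 GB/week to an unbaselined destination

FLOWS = [  # one week of passively observed flows: (src, dst, bytes_out)
    ("10.20.0.5", "198.51.100.20", 180 * 10**6),  # usual partner transfer
    ("10.20.0.5", "203.0.113.77", 2 * 10**12),    # 2 TB to an unfamiliar destination
    ("10.30.1.17", "192.0.2.44", 4_000),          # isolated host reaching outside
    ("10.30.1.17", "10.20.0.9", 90_000),          # isolated host, internal only
    ("10.20.0.200", "10.20.0.9", 12_000),         # host missing from the asset list
]

def internal(addr):
    return ipaddress.ip_address(addr) in CAMPUS

def weekly_limit(src, dst):
    """Byte limit for src->dst: SPIKE_FACTOR x baseline, or the new-destination cap."""
    for (b_src, b_net), usual in BASELINE.items():
        if b_src == src and ipaddress.ip_address(dst) in ipaddress.ip_network(b_net):
            return SPIKE_FACTOR * usual
    return NEW_DEST_LIMIT

def analyze(flows):
    alerts, totals = set(), defaultdict(int)
    for src, dst, nbytes in flows:
        if internal(src) and src not in KNOWN_ASSETS:
            alerts.add(("unknown_host", src, dst))
        if src in NO_INTERNET and not internal(dst):
            alerts.add(("isolated_host_egress", src, dst))
        if internal(src) and not internal(dst):
            totals[(src, dst)] += nbytes   # sum outbound volume per pair
    for (src, dst), total in totals.items():
        if total > weekly_limit(src, dst):
            alerts.add(("volume_anomaly", src, dst))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in analyze(FLOWS):
        print(*alert)
```

The usual 180 MB partner transfer and the isolated host's internal-only traffic produce no alert; only the three policy violations are reported.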
Hostile Dorm Environment
In addition to all the intellectual property issues surrounding research and classroom networks, universities with on-campus dorms also contend with one of the most challenging networking environments on the planet: the student housing network. No matter the institution, the immutable fact is that young students will always operate within the most dangerous parts of the Internet. They’re often engaging in illegal downloads from P2P, they frequently visit malware-infected sites, and they tend to download questionable applications.
All of this is done on personally owned systems with little to no oversight from the IT department. And yet, these systems are accessing the sketchiest part of the Internet while connected to the institution’s network, which frequently also runs university-owned systems that are put at risk by lapses in student judgment. It’s a tricky proposition for security personnel to protect the school’s network under the circumstances, but protect it they must. They may also need to have enough visibility to block illegal activity on the network and deal with problems that crop up, such as Digital Millennium Copyright Act takedown notices.
Again, this is a situation where passive scanning can help tremendously. A passive scanner can help an infosec department keep tabs on the network to enforce policies, identify potential problems and provide enough information for security experts to blacklist malicious machines on the network.
Broad Compliance Demands
Due to the wide range of activities necessary to keep an active campus humming, higher-education institutions tend to fall under one of the broadest sets of compliance requirements of any industry. Payment card systems processing thousands of transactions per day put these institutions under the purview of the Payment Card Industry Data Security Standard. Every school entrusted with medical records must contend with HIPAA requirements, even those without medical facilities but which offer self-funded or managed health plans. And those with hospitals, clinics or medical testing facilities face even more scrutiny under the regulation.
Meanwhile, partnerships with government agencies may require compliance with security frameworks such as the Federal Information Security and Management Act, as well as those developed by the National Institute of Standards and Technology and additional government regulations. Finally, affiliation with private-sector entities could also place additional third-party security demands on systems housing shared information.
One major security capability that’s cut universally across the vast majority of these regulations is visibility. Auditors checking for compliance want to see that organizations are monitoring activity and cross-checking that against regulations. A combination of active and passive scanning, integrated within a unified monitoring dashboard, can ensure that a higher-education organization can easily scan against set policies based on a myriad of regulatory requirements. And these policies don’t just have to be set against regulations; they can also be tuned to security frameworks or internal policies set to reduce organizational risk.
Maintaining Visibility Across Segmentation
Segmentation is critical for any enterprise that handles a wide range of traffic and information, but it is doubly true for those in education. The previous three challenges we’ve laid out conspire to make it absolutely essential for any higher-education infosec departments to segment networks to set up different zones of defense and limit the scope of compliance requirements. Hostile dorm networks should be run entirely separately from networks that house Banner, PeopleSoft or other grading or administrative systems. And hospital networks and payment system networks must be partitioned off into their own zones so that institutions don’t break the bank trying to get a too-large section of the network in compliance with PCI or HIPAA.
At the same time, though, such rampant segmentation can pose visibility problems. After all, segmenting the network is essentially imposing silos on the network for the sake of security, and silos always cause management headaches. Unless done right, it can be difficult to scan and condense security reports across all of the different segments of the network. Educational organizations must seek out some sort of unifying platform to help in the process, lest security efforts grow overly burdensome and disjointed.
Lack of Resources
Perhaps the challenge that seems the most insurmountable for higher-education security staff is the issue of limited resources. Universities consistently must operate underfunded and understaffed while facing one of the most difficult security environments anywhere. As such, IT staff must constantly hunt for ways to improve security efficiency wherever they can.
While it may take work to set up on the front end, automation of scanning, reporting and alerting is critical to getting the most out of security investments. Institutions can do more with less through routine discovery scans that look for machines never before seen on the network and dump relevant data about them into an assets list. This can make it easier to spot problem systems earlier and to identify noncompliant configuration issues. In particular, organizations should work with tools that allow for a greater degree of customization to find the information that an administrator needs.
Higher-education institutions operate under a unique combination of security and compliance requirements. The independence of their user communities and breadth of their endeavors often make security implementation a tall order. But implement they must. Even beyond complying with PCI, HIPAA and other requirements, educational institutions must act proactively to secure their environments, because being compliant does not mean that you are secure. The moment something goes wrong is too late for putting security in place, and waiting until then can cause irreparable damage and significant unexpected costs.
Provided by Tenable. To learn more, visit www.tenable.com/secure-campus.