For CIOs and security administrators in academia today, that's a fact of life. Competition for college applicants is fierce, and high-end technology, including bountiful wireless access, is a key selling point.
It doesn't take an advanced degree to realize the many security challenges posed by wireless technology. Hundreds, even thousands, of machines seek access to college networks each day. End users' roles and privileges vary widely, and unlike businesses, colleges are generally expected to provide at least some network access for all.
An Insider View: From Near Chaos to a Culture of Security at Dartmouth
True story: When I arrived at Dartmouth College a little more than 2 1/2 years ago, the college had just one protected subnet for critical business systems that was secured with a firewall. As at most colleges and universities, almost every other system was directly connected to the Internet and thus unprotected, unless its respective owners had the security savvy to protect it somehow.
Though there hadn't been any confirmed data thefts, the warning bell had sounded a couple of times. When the Welchia/Nachia worm hit, it managed to compromise at least 2,000 systems on our network, generated significant traffic, caused major network and application availability issues and took several months to clean up.
In another incident, we discovered some nefarious activity while doing routine network traffic analysis. Some outside attackers had co-opted two development servers and turned them into file-sharing nodes. At the peak, these servers were using 20-30 Mbps of our Internet link. We had recently purchased bigger pipes, which these systems quickly tried to consume.
Even worse, one of the co-opted file-sharing nodes had a trust relationship with several other systems containing sensitive data. While the intent of the attackers was clearly illicit file sharing, the possibility of data theft was a warning shot across the bow.
Dartmouth had tried to address campus-wide IT security several times over the years. Committees had been formed, and they produced many excellent recommendations. Unfortunately, these recommendations were applied on an ad hoc, department-by-department basis. It became clear that an organized, sustainable, campus-wide initiative was needed.
APPLYING CORPORATE TECHNIQUES
My experience prior to Dartmouth had been in the corporate world, so I decided to apply an approach that worked well in that environment. We escalated our concerns, along with a comprehensive security proposal, to the executive level. For us that was the IT board of directors, the CIO/CTO, the provost and, eventually, the president of the college. We were careful to get buy-in and support at every level before going to the next-highest one.
The Welchia/Nachia worm and the potential data breach had been blessings in disguise. They got everyone's attention and provided the incentive to take action. Still, it took us almost three months to agree that we should automatically and dynamically block misbehaving systems. That was our first major step forward.
Since then we've worked hard to implement our security proposal. We're pushing security out to the edge, directly in front of the host as much as possible. We've hardened clients and servers; moved scattered servers into a centrally controlled, physically secured area; installed host-based security agents; implemented several layers of firewalling, intrusion detection and prevention; and added encryption, VPNs, protected networks and private network addressing where appropriate.
We recommend that everyone run antivirus and antispyware tools on a regular basis. And in the future, we'll use security agents to limit access to critical networks and systems, rejecting access to systems that haven't run antivirus and antispyware tools regularly.
We have also enabled wireless access and security in all 200-plus buildings on campus. As of mid-summer, we had more than 800 of 1,500-plus access points installed, and we plan to have the rest completed soon. In the end, we will have full-rate A/B/G coverage in every building on campus with at least three tiers of authenticated and secured network access.
Our IT structure is decentralized. We have more than 80 people in IT, and almost everyone has some level of security awareness, with many people performing some security functions. We just got funding for three dedicated security positions. They will be part of the new security office we recommended as part of our comprehensive security proposal. They will focus on policy and compliance and work with the functional IT people to do security well and consistently across all groups. Our budget will be more than $1 million a year for the first few years.
We've come a long way. We have figured out much of the technology side, and now our new security office will build security into the culture. I'm really proud of what we have accomplished, though there is still plenty to do.
-- Jason Jeffords is director of security services at Dartmouth College in Hanover, N.H. Write to him at InsiderView@ciodecisions.com.
Moreover, the egalitarian tradition of universities and colleges demands that institutions accept a variety of hardware platforms and software. "A lot of the machines [used to access college networks] aren't owned by the university," says Jack Suess, CIO at the University of Maryland, Baltimore County, and co-chair of the Security Task Force of Educause, a Boulder, Colo., nonprofit advocacy group for the strategic use of IT in higher education. "Essentially, we're not allowed to standardize."
In addition, the academic community has a strong tradition of wide-open information sharing, which is good for the educational process but hell on CIOs. "Students, researchers and faculty want to do whatever they want to do," says Nathan Hall, IT security administrator at the State University of New York (SUNY) College at Oneonta. "We need to be open but secure, and every week there's a new question" about how those demands can be reconciled.
Clearly, security is a hot topic on campus, and with good reason. In Educause's "2005 Current Issues Survey," university technology executives declared "security and identity management" their second most important long-term strategic issue (behind funding, the perennial winner). It was also at the very top of the list of issues with the "potential to become more significant." However, in a disconnect that may help explain why security is such a pressing problem, respondents ranked security only sixth on the list of issues they spend time on.
CIOs at midsized colleges are devoting the lion's share of their security attention to authentication. According to Educause, 73% of institutions have adopted multiple-use passwords, which are entered each time a user logs on. Many have also implemented a "quarantine" strategy that offers limited Internet access to virtually any user in the geographic area. This allows colleges and universities to meet public-service and openness expectations while protecting their networks.
One such institution is Seminole Community College in Sanford, Fla., which has several campuses as much as 22 miles apart. Any one of Seminole's 32,000 students and 175 faculty members can get basic Internet access, but they must establish an account using Novell NDS if they want to enjoy all network services.
Those simply seeking bare-bones Internet access are "connected to a separate VLAN [virtual local area network] that will only connect you to the Internet and meter your bandwidth," says Seminole CIO and Vice President Dick Hamann. If a hacker eschews registration and tries to attack the campus network, "I can't ID them," Hamann says, "but at least they're outside our firewall."
Both SUNY Oneonta and Ohio Wesleyan University in Delaware, Ohio, use an appliance from Burlington, Mass.-based Bluesocket Inc. for authentication. The device sits between the data source and the campus' wired network and manages security via a single university-wide ID and password. Jason LaMar, IT director at Ohio Wesleyan, says this single login and the ability to easily add and drop users were the product's primary appeals.
This was first published in August 2005