This content is part of the Essential Guide: An IT security strategy guide for CIOs

University IT departments struggle to stay always open, always secure

It's double duty for university IT departments today: Maintain a culture of accessibility while protecting against an ever-growing number of threats.

Hofstra University's Robert Juckiewicz considers everyone in his IT department a consultant. And he means everyone, even the machine room operator.

The data processing admin, "who you might think is not much of a consultant," can in fact help store your data, back up your systems and restore them in case of an emergency, said Juckiewicz, vice president of IT at the Hempstead, N.Y., school.

"Our challenge is how we get a culture not only within our department but within the university that says, 'You got an idea about technology? Go talk to IT.'"

In theory, the campus could serve as an adjunct IT department. Today's college students -- born as the Internet went mainstream -- are the most technically sophisticated generation in history, and tech-savvy professors and staff can download low-cost or free cloud-based applications or even write their own apps. That requires IT teams at higher-education institutions to not only be watchful in an environment that encourages the free flow of information but also to educate students and faculty on the extraordinary threats to data security.

Robert JuckiewiczRobert Juckiewicz

Information security is the No. 1 issue for college and university IT departments, according to a report by professional association Educause. But it hinges on how well IT delivers service to its customers, who have high expectations for technology. If IT "cannot be agile enough in its review and implementation of cloud services, the path of least resistance for users may be to go it alone, without institutional IT involvement," Juckiewicz said. In the process, users can unwittingly put institutional or individual data at risk.

Often called "shadow IT," the tendency to look beyond the central IT department for software and other technology became more widespread in organizations once people started bringing smartphones and tablets to work and using them to accomplish work tasks. Cloud applications available over the Internet, software as a service, made it even easier for departments -- outside of university IT departments -- to get whatever they wanted. It has happened in every industry, and higher education is no exception.

University IT departments use Hofstra as a guide

Hofstra is structured to make application sprawl more difficult. IT at the university -- with approximately 11,000 students and 3,400 faculty members and staffers -- is centralized; there are some IT staffers at the medical and law schools, and they shop around for applications, but IT has to approve anything they want to buy.

Non-IT staff and faculty members are another story.

"There's nothing that would prevent a department user from going out and getting a Web service from Amazon," Juckiewicz said, referring to the top public cloud provider, Amazon Web Services. "They're cheap enough and their services are being supported better [so] you don't have to have significant technical staff."

So Juckiewicz and his team use their collective expertise to help people in the university community make good decisions about technology. For faculty members who are curious about an attractive application and download it, there's software that prompts the user to justify why it's being downloaded. For students, IT gets more playful. In October, which President Barack Obama designated National Cyber Security Awareness Month, the team held a student fair studded with Internet safety talks and swag like T-shirts and mugs. To get people to go, it did a phishing expedition: a phony email that informed students the IT department needed to verify their Wi-Fi connections.

"That took you to a webpage that said, 'Hey, you've been phished. Here's what you should be careful about,'" he said. "That brought in some students who said, 'Well, OK. I saw you did that, and I clicked on it. You told me it was not a good thing to do, so help me learn more things.'"

Give 'em what they want

Eric Hawley, CIO at Utah State University, handles shadow IT at the school of nearly 30,000 students and roughly 2,800 faculty and staff by not calling it that -- it's a loaded term, he said, implying turf tension between his central IT department and other parts of the university -- and then by giving his users what they need.

Eric HawleyEric Hawley

"If they bring something to the university, and it's a service that meets a need that the systems we use don't meet, I can't argue with it," Hawley said.

An example is file hosting service Dropbox, which lets students store and share files such as papers and research projects. The free consumer version was so popular with students his team started evaluating similar services with the aim of adapting them to the university's storage, security and compliance needs. He went with Google Drive and, for more sensitive information,, because of its support for the healthcare privacy law known as HIPAA. The accounts are big -- storage on Google Drive for students is unlimited, and Box is 50 gigabytes per account -- and students get to keep them when they leave.

"I try to find those areas where we can partner with another platform -- whether it's [Microsoft] Office 365, whether it's Google, whether it's Box -- and see if together we can provide a service that's better than the consumer service alone is," Hawley said. "If it is, then we'll try to adopt that and market it, and students come over because they recognize the benefit."

File it, share it, keep it secure

The Texas A&M University System is trying to wean its nearly 200,000 users -- approximately 134,000 students plus faculty, staff and partners -- off downloadable services like Dropbox and Box. Danny Miller, CISO for the 11 universities, seven state agencies and health science center that make up the system, said when he arrived from the private sector two years ago, he was warned about the "uncontrolled chaos" of a university environment.

Danny MillerDanny Miller

"When you consider how many solutions are out there, where you can just get free accounts if you want to, it's really difficult," he said. "Everybody has to be able to collaborate freely, and so how do you approach that from a security standpoint, when you really want to get a handle on data security?"

The answer was a file synchronization and sharing platform called Syncplicity, which does what the free services do but more securely, Miller said. Its storage is hybrid -- that is, part cloud, part on-premises. Users are prompted to put information into different security classes, with the most sensitive data cordoned off on the university's physical servers, and storage administrators have fine-grained control over what information is put where.

Everyone at Texas A&M is encouraged to use the system, which for them is free and, Miller said, has a "very slick" and easy-to-use interface. About a year after the go-live, adoption is gradual but healthy, he said, with approximately 20% of the university system using the application.

Miller hasn't stopped students from using the free consumer file services, and it won't. But if the vendors, known for their aggressive marketing, get huge numbers of people to sign up for the services, he could make it harder by "de-prioritizing" certain kinds of Internet traffic.

"If I see Dropbox traffic sitting on my network and I heavily want to encourage Syncplicity traffic, I can actually throw that Dropbox traffic into a priority band where [users are] only going to get 56k bandwidth using Dropbox," Miller said, referring to the speed commonly associated with dial-up Internet access of the 1990s. "Now, I'm not saying we're going do that, but I know that capability is there."

No to scare tactics

In trying to protect the university from cyberthreats that are sometimes a click or two away on a flashy website, one tactic that won't work, at least with students, Hofstra's Juckiewicz said, is scaring them with worst-case scenarios.

"They're not fearful at that age. I mean, back when I was 19, 20, nothing was going to stop me," he said. "We don't try to instill fear. We try to make them aware."

That could mean another cybersecurity fair, but for faculty and staff, Juckiewicz said, it's typically more serious chats about Internet safety and security. He hasn't held whimsical events for them -- at least not yet. If he does, he'll have to think of a clever way to get them there.

"Food works for everybody. I go to a meeting or I'll go to an affair if they have good food, so will everybody else, whether you're a student, faculty or staff member."

Next Steps

Familiar with technology, students pose challenge for college IT teams

Utah State's Eric Hawley on consolidating applications

University IT departments study up on bandwidth

Dig Deeper on IT governance