Laying a Secure Foundation for Student Privacy and Access
IT teams are under intense pressure to not only protect their networks from viruses and other malicious code, but also to ensure that students don’t access illegal content or have their privacy jeopardized. This is a pretty tall order for groups often tight on money and staffing.
“IT teams have even more challenges on campuses this year with the explosion in distance learning, wireless devices, and multimedia applications on the network,” says Phil Hochmuth, senior analyst at the Boston-based Yankee Group consultancy. “They have to figure out how to straddle the line between open access and data protection.”
So to achieve this complex goal, universities and colleges alike have to guarantee end-to-end visibility of all the parts of their networks and have access controls in place to ensure the safety and integrity of student academic, medical and financial records, Hochmuth says.
It’s a reality that is not lost on Brian Kelly, information security officer at Quinnipiac University (Conn.). Kelly and his team have been working around the clock to shore up the college’s network so it meets or exceeds U.S. federal, state, and industry security standards by the start of the fall semester. In addition to protecting the privacy of student and employee sensitive information, Kelly and his team also have to address issues involving social networking and illegal downloads. It’s a lot for a small staff to undertake yet Kelly says not doing so would put the university at risk.
For instance, Quinnipiac plans to discontinue outsourcing the back-end transaction system infrastructure for its ATM-like Q-Card, which is used for on-campus transactions. But that means Kelly and his team have to first incorporate the recently updated Payment Card Industry (PCI) Data Security Standard guidelines into their security strategy, such as determining what sensitive information can and cannot be stored and how to carry out audits on all transaction procedures.
It is just one part of the incredibly dynamic security puzzle that higher education IT executives have to piece together. What follows is advice from Kelly and other experts to help you lay the groundwork for a safe and secure higher education enterprise.
No matter where your university operates in the world today, chances are you fall under one or multiple government or industry privacy mandates. They can range from loose guidelines to strict rules that have financial penalties. For instance, Quinnipiac not only has to account for PCI regulations, which have serious repercussions if not met, but also the newly enacted Family Educational Rights and Privacy Act, or FERPA, and the recently reauthorized Higher Education Act (HEA). FERPA provides a framework for how to protect student privacy while HEA includes restrictions regarding copyrighted material.
You must understand how data is to be protected under all relevant orders and account for that in your own security strategy. For example, some mandates require all data at rest to be encrypted. Others demand that you be able to audit details about who has had access to certain information.
“We take the strictest regulation that applies to us and make it our benchmark,” Kelly says. He also looks to his peers such as the IT team at Yale University and the non-profit association Educause for direction.
You should also understand your risk tolerance levels. What would happen if you were to have a data breach? According to some international, national and state rulings, you would have to notify your user base and even suffer financial fallout. Kelly says that because some of his students are from other states such as Massachusetts, he has to follow a myriad of data disclosure laws. Knowing the ramifications of data loss and privacy infractions will dictate how many layers you put into your defense-in-depth security strategy. Obviously, the more sensitive your data, the more checkpoints you’ll want for protection.
One of the trickiest parts of having an open, yet secure, higher education network is policing access. You have to make sure that if a student is using the school library’s wireless network, they can’t tap into administrative files or that if a faculty member is updating grades, he can’t search a student’s medical record.
“You want users to be able to check their test scores from their iPhone, but not get into other areas,” Hochmuth says.
The best way to address this is to use centralized tools that automatically manage user access based on roles. “You can set policies that map to specific users across your network topology. That way, if a breach occurs, you’re not guessing based on MAC and IP addresses ? you can tie it back to an actual user and remedy the situation,” Hochmuth says.
Kelly says this is especially critical when you’re talking about stopping illegal downloads ? being able to limit who, internally and externally, can access applications such as peer-to-peer file sharing, goes a long way to thwarting piracy. Then, violations do occur, it’s just as important that you have tools in place to identify the offenders so you can educate them about copyright infringement dangers.
A daunting task in higher education is not just tracking the large number of users, but also the plethora of devices, on the network. IT teams must account for the security of everything, including smartphones, laptops, voice over IP phones, and online gaming machines.
To do so, IT teams must use endpoint management tools to automatically locate these devices across the network, check their configuration, virus and patch status, and quarantine them if they pose a threat. Centralized policies should determine their level of access to network resources.
“With centralized endpoint management, if you need to make a policy change, you can do so quickly without having to go out and re-configure dozens of nodes or hundreds of endpoints,” Hochmuth says.
As more country, state, and local governments tune into the need for student and employee privacy as well as copyright protection, harsher mandates, and oversight are sure to follow.
Therefore, higher education IT teams should ensure that they can monitor, track, audit and generate reports on all activity surrounding student records and digital content. “You need visibility into what types of traffic you are supporting, what is connected to what, which devices can see which other devices, and who can do what,” Hochmuth says. “The more this is woven into the network infrastructure, the easier and more cost-effective it will be secure the enterprise and meet compliance and regulatory demands.”
As he preps for the inherent audits involved with PCI and state data privacy laws, Kelly says being able to quickly draw reports and see where there are potential vulnerabilities, such as malware and viruses, is mission-critical. “We’re not auditing just for the auditors, we’re auditing to make sure our students and content are protected.”
No one questions that as faculty members tap into multimedia applications and students continue to push the boundaries, there will be more work for IT teams overall. But higher education can temper this by using tools that automate routine tasks and aggregate and analyze information in a single console.
Rather than going door-to-door to examine syslogs from each security device, IT teams can use unified threat management software to gather data from firewalls, proxy servers and switches into a single database. Using preset thresholds, the IT team is then proactively alerted if events warrant their attention.
For instance, Quinnipiac’s threat management system alerted Kelly to problems stemming from YouTube usage. He was able to quickly track it back to a faculty member who proved the necessity of the application. He then adjusted the application’s priority level and user roles so that students would have appropriate access and performance levels.
Hochmuth says unified threat management tools are key to the success of advanced educational application rollouts. “When it comes to securing higher education environments, you can’t have an approach that’s too narrow,” he explains. “You have to be able to reconcile from a single console what your firewall is seeing with what your intrusion prevention system is seeing and what’s happening on your VPN.”
Monique Lucey is senior manager, Solutions Marketing, for 3Com.