Business Technology

John Arpino, Assistant Director of Engineering Research and Development, at George Washington University

It’s no secret to university CIOs: digital is here to stay. But with decades of investment in legacy AV equipment, keeping up with the latest digital technology infrastructure can be a real challenge. Converting and updating an entire campus’ AV system is a sizable, but increasingly necessary, investment requiring both time and resources.

Darren Hayes, Computer Information Systems program chair at Pace University

Hackers are often portrayed in the media as pale-skinned, basement-dwelling lone wolves, creating nuisance viruses that disrupt networks. But Darren Hayes, Computer Information Systems program chair at Pace University, says times are changing. “These people are rapidly being replaced by sophisticated government-backed infiltrators and criminal cyber-spy rings that can inflict far more damage than a Distributed Denial of Service that takes a network offline.”

Like many other agencies, city police departments are contending with shortages of time, money, and personnel, while the lives of their citizens (and of their officers) depend upon the ability to get the job done right. This balancing act is a challenge university and college police departments can relate to. ECM is helping some city police departments optimize their resources so they focus on what they do best—saving lives.


Just three years ago a group of higher education's IT people and financial managers teamed up to take on a new project. Their mission: To develop open source financial management software that could keep a general ledger, run payroll, or perform any other basic financial function.

There's a new type of workspace these days. It's a "virtual office" in cyberspace that allows files to be accessed and worked on from anywhere. The concept has morphed into education, allowing students in disparate locations to work together. The innovation fits well with new trends in learning.

Remember the bulky day planner? The mini-black notebook was de rigueur for the business executive of the 1980s. The portable planners were stuffed with addresses, agendas, day planners, and to-do lists. Today these applications, and many more, are now online, thanks to calendaring software.

Having the right web address means everything when running a website. A URL, that string of characters following the http://, should be easy to remember, or at least easy to guess at. In the world of higher ed, prospects, students, alumni, and other online visitors simply want to type in a school name, follow it with a .edu, and splash onto a desired homepage.

The internet and e-mail are a blessing and curse. Both improve communication and access to information; they are the de facto communication and entertainment tools of modern life.

But when personal communication and entertainment cross into professional hours, the employer can suffer. Online shopping, gaming, and chatting are fairly innocuous ways to waste time.

Other network-based activities can be more problematic for colleges and universities. For example, if faculty or staff use the university network to gamble, download music, or view child pornography, it can harm the university's reputation or possibly result in a lawsuit. Any of these scenarios costs time and money. At the same time, higher ed operates with a sense of freedom unmatched in the corporate and K-12 arenas.

The business world has tapped into software solutions to help curb online behavior and catch those who fail to abide by policy. The Center for Business Ethics at Bentley College (Mass.) says 90 percent of employers observe electronic behavior. Virtual oversight can go several steps further. More than three-quarters of employers watch web surfing. "About one-third of large commercial enterprises monitor [or sift through] staff e-mail," says Craig Carpenter, senior director of corporate marketing with Mirapoint, an IT security company.

Higher ed has been slow to embrace high-tech surveillance tools. Monte Robertson, president and CEO of Software Security Solutions, surveyed the company's higher education customers and found that none scanned e-mail for content. Carpenter hypothesizes that higher ed is reluctant to deploy surveillance software because it smacks of censorship. Academic freedom is a right in the university environment, explains James Hammond, vice president of Information Technology at Winthrop University (S.C.).

Content that is objectionable in the corporate or K-12 environment can be considered academic research. For example, a faculty member may view child pornography websites to conduct research for a psychology or sociology course.

"Higher ed cannot draw too many lines in the sand because it encroaches on academic freedom," continues Hammond. Academic freedom can become a rallying cry for monitoring foes. The University of Southern Mississippi endured a firestorm when its president directed a lawyer to monitor some faculty e-mails during an internal investigation.

The ideal solution balances academic freedom and protection. Most colleges and universities do require faculty and staff to agree to policies about e-mail use. The typical policy specifies that the employee does not own e-mails and permits the employer to read e-mails.

At this point, however, few universities enforce these policies with monitoring software, says Carpenter. Is higher ed flirting with danger by not using surveillance solutions? "Absolutely," opines Carpenter. But the tide could turn as universities wrangle with compliance issues.

One reason behind the near-universal business use of surveillance technology is the need for regulatory compliance. Similarly, universities could begin to adopt technology to boost compliance. FERPA (Family Education Rights Protection Act) will influence universities, predicts Carpenter. "Universities have not gotten their arms around FERPA and need to develop an understanding of its requirements," he says.

Initially passed in 1974, FERPA protects the privacy of student information such as health records and grades. Surveillance technology could be used to identify FERPA breaches. Winthrop currently complies with FERPA through policies that describe how to handle and release sensitive information. In addition, software "flags" alert users to sensitive information and tell any employee how to view the information.

Similarly, the post-9/11 SEVIS (Student and Exchange Visitor Information System) requires all colleges and universities receiving government funding to monitor foreign students' e-mail communications and transmit student information to the Department of Homeland Security. Surveillance programs could help colleges comply with SEVIS by tracking and organizing online communication and activities, says Chronicle Solutions Chief Operating Officer Sophie Pibouin.

But sweeping changes and a draconian monitoring system may not fly at most colleges and universities. Instead, higher ed may be best served by adapting surveillance solutions and developing policies to meet their unique needs rather than simply mirroring corporate practices.

Colleges and universities do have a number of options for monitoring e-mail and internet use. In fact, some may already own options. A number of higher ed customers, for example, rely on Mirapoint's Email Server and Edge Security Appliance for protection against spam, viruses, worms, and hacker attacks. Those features comprise 95 percent of the product's functionality. The other 5 percent? E-mail surveillance. But few higher ed users opt to turn on the surveillance functionality.

One plus of the surveillance system is that it can be used on an as-needed basis. Winthrop University relies on Mirapoint's Email Server and Email Security Gateway for multiple purposes, including monitoring ingoing and outgoing mail for spam and viruses. University policy defines e-mail as private except in the case of an ongoing legal or internal policy investigation.

At Winthrop, if campus police present a valid request or an employee is suspected of violating policy, the university maintains the right to wiretap a mailbox. For example, if a full-time faculty member begins teaching at another university without securing appropriate approval, the university could launch an investigation and tap the employee's inbox. The university might turn on surveillance functionality if a faculty or staff member is engaged in activities that conflict with the university's mission.

In addition to e-mail monitoring, the system can create rules to scan for specific objectionable words or block attachments or certain addresses. "We don't monitor e-mail as a preventative measure, nor do we regulate objectionable words or contents. We monitor for investigative purposes only," says Hammond. The combination of policy and technology is a good fit for the university's needs.

Another software option is Chronicle Solutions' netReplay system. The company recently launched the network content recorder. The system plugs into the network behind the firewall and can record all user digital communication, including e-mail, web pages, and chat messages. The netReplay system can also categorize communication to streamline network monitoring. For example, the system administrator can define policies and set the device to send an alert if a user accesses a child pornography site.

Some systems, such as Mirapoint's Email Server and Edge Security Appliance, wrap monitoring functionality into a larger package. Security, mail hardware, software, and support cost approximately $1.25 monthly for each user at a site with 10,000 users. Others, like netReplay, represent a new system. Its costs include the price of the appliance, a fee per user monitored, and an annual maintenance fee. Chronicle Solutions, a provider of network monitoring solutions, says it extends a significant higher education discount.

Employee surveillance can be a touchy subject. Poorly defined and communicated policies could have a negative impact on employee relations or lead to a media fiasco. One need only recall the recent Hewlett-Packard corporate scandal to imagine the media and public relations nightmare that can occur in the wake of a poorly conceived surveillance program.

And like any technology, surveillance systems are not perfect. It is possible to increase the odds of a successful deployment. Insiders offer the following advice about optimizing a monitoring system:

Make sure surveillance tools are available. "Understand the local monitoring policy, or in the absence of a policy, make one," says Hammond.

Don't take faculty and staff by surprise, says Pibouin. The university needs to clearly define and communicate monitoring policies. It helps to market the system as a means of protecting employees and the university's reputation.

Be sure to research the system's accuracy and reliability, says Robertson. Calculate all costs, and investigate legal ramifications and requirements.

An online monitoring or surveillance policy that outlines the rights of the university is a 21st-century essential. Colleges and universities can tap into fairly new software solutions to support the policy and simplify the process of sifting through online communication if a need arises. The combination of a well-articulated policy and carefully deployed software need not impinge on academic freedom and can protect the university, staff, and students, without breaking the bank.

Laptops are a modern marvel. They are portable, able to process amazing amounts of data, but, oh, so easy to steal. At least 600,000 laptops are stolen every year, according to a technology firm that helps protect data and locate missing machines. According to the Federal Bureau of Investigation, 97 percent of those stolen laptops are never recovered.

That means a lot of data ends up in the wrong hands.

Several software companies specialize in recovery and security, making products that either lock thieves out of certain files or destroy stolen data. Some recovery services even trace stolen laptops and help recover them.

Given the proliferation of laptop programs in higher education, it makes sense that IT managers are looking to these services to protect assets.

The recent headline-grabbing case of the laptop filched from the Department of Veterans Affairs was notable, in part, because the machine contained 26.5 million personnel records. In a rare turn of events, the laptop was recovered.

In the world of higher education, there have been dozens of IT security incidents, including one at California Polytechnic State University, located in the town of San Luis Obispo. A laptop, stolen in July from a physics professor's home, contained the names and Social Security numbers of 3,020 students. University officials had to send out warning letters to all students who had been enrolled in particular physics and astronomy lectures between 1994 and 2004.

While all such breaches are serious, it is especially problematic when Social Security numbers are involved because thieves can use them to obtain credit cards and make unauthorized purchases.

Last year, University of California, Berkeley, issued a notification about the theft of a laptop that contained data on 98,000 graduate students and applicants. The laptop, which had been left alone for only a few minutes, was taken from a restricted area, according to reports. The university paid a reported $2.4 million in notification costs to those whose data may have been exposed.

The topic of data theft was "interesting, but not really compelling, until privacy rules from California required disclosure," notes International Data Corp. analyst Chris Christianson.

In 2003, the state of California adopted legislation that requires all companies and organizations doing business there to protect data and to notify those whose information has been compromised by a security breach. Since 2003, 32 states have adopted similar legislation, and U.S. Sen. Dianne Feinstein (D-Calif.) continues to work on passing a federal law.

One campus of William Penn University (Iowa) began using LoJack for Laptops last year. The program is one of several IT security products produced by Absolute Software. The company also offers Computrace, which helps secure data and track lost or stolen portable machines. This particular WPU campus, located in West Des Moines, is geared to non-traditional students, such as adults coming back to school and working executives. Laptops are an integral part of every academic program, notes Curt Gomes, IT supervisor.

To date, this campus has outfitted 500 laptops with IT security programs. "We figure we will take any steps to help prevent a theft," Gomes says. The policy is key, considering that students are financially responsible for the laptops issued to them. Gomes estimates that the cost to replace a university laptop and related software is $2,000.

No sooner did WPU become an Absolute customer in October 2005 than the software was put to the test. A woman had her laptop stolen midmonth. Through the company's installed tracking protocol, the police were able to locate the laptop and return it within a week.

The Computrace program works as a "digital security cable," explains John Livingston, Absolute's CEO. If the stolen laptop is connected to the internet, it will call back an Absolute office every 15 minutes to reveal its location. The internet communication, undetected by the thief, also allows Absolute to send back commands that can erase files, if instructed by the laptop's owner.

This particular software, and similar programs, depends on password protection. Any user has to be correctly identified through a multiple series of passwords and other identification codes in order to enter any protected files. It is the combination of fumbled passwords and the report that a machine is stolen that sets the tracing software into action.

The software also prevents thieves from doing more mischief, like erasing the hard drive and all the software on it. Basically, Absolute's LoJack program works with computers at the BIOS stage (the basic input/output system), which kicks in before the OS, or operating system, goes to work. This means the OS is protected at all times.

"Someone may think they are deleting everything on the hard drive or all the software, but they can't," says Gomes. Absolute's security goes as far as helping to issue search warrants or subpoenas for stolen machines.

Another company, CyberAngel Security Software, offers data protection to the University of Toledo (Ohio) and Brown University. Toledo became a client after two laptops were lost last year, compromising thousands of faculty and alumni files.

The company offers five software programs, including the CyberAngel Security program and Laptop Locks.

"Our main focus is data protection," explains Bradley Lide, president and CEO. Laptop users have to not only enter a password to gain access, but must also correctly fill in the codes for secondary and even tertiary prompts. Those who fail to log in correctly at all the various stages are denied access to files that have been pre-designated by the users as off limits.

"We don't disable the computer, because we don't want to notify the thief," explains Lide.

The IT team at the University of Miami (Fla.) is taking a different approach by creating a homegrown proprietary encryption system that will seal sensitive data on employees' laptops and PDAs.

The university is rolling out the program later this year to protect the information stored on the laptops of admissions counselors, attorneys, and other administrators, says Tim Ramsay, associate vice president of computer operations and telecommunications. Users will have to fill out several "scripts" of passwords and site key information to gain access to information about applicants, their SAT scores, and other data.

Two UM engineers have worked throughout the year developing the tools, which will also be used to protect the data used by the personnel at the university's medical school. Ramsay estimates that 1,000 employees carry sensitive data on laptops and portable devices.

Absolute's pricing is based on a subscription model. William Penn pays $55 annually per laptop for the recovery services, says Gomes. Education pricing is $125 for three years of coverage.

CyberAngel charges education customers $47.95 annually to protect a single laptop and $95.90 for a three-year contract. This represents a 20 percent discount off regular pricing, says Lide.

Gomes notes another benefit of the security program: Students are far less likely to "forget" to return their laptops when they graduate or leave the school, given that they will be reported as missing almost immediately.