
Schooled in security

Universities are looking for ways to protect networks while maintaining a free flow of data and ideas--an idea businesses could learn from.

Dawn Kawamoto Former Staff writer, CNET News
Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.
For universities, network security is a tricky balancing act.

Academic institutions want to maintain the free exchange of ideas and information between faculty, students and researchers, both on campus and from university to university. That presents a challenge for keeping networks secure. Unlike businesses, schools can't rely on using the typical firewall to keep threats out.

"Universities try to foster a more open environment, so individuals have freedom to do things like collaborate on research or do things with other universities," said Michael Gavin, a senior analyst at Forrester Research. "Universities, as a result, are reluctant to put in security that would prevent people from collaborating."

News.context

What's new:
Universities are suffering attacks as they try to balance sharing of information on networks with the need to secure data.

Bottom line:
New approaches to security could mitigate the problem--and be a lesson for corporations looking for ways to protect information without having to shut out an increasingly mobile work force.

It adds up to a dilemma that could be putting college systems at risk. Earlier this month, the University of North Texas was hit by hackers who accessed the housing and financial aid records of nearly 39,000 students and alumni. California State Polytechnic University in Pomona and the University of Colorado also reported breaches in August--the latest in a spate of incidents at academic institutions.

As they face these attacks, IT professionals at college campuses are developing specialized means to keep information and data secure. They're coming up with ways to let a variety of users with different machines and different levels of authorization connect easily to their networks. That's striking a chord for companies coming to terms with an increasingly mobile work force, and corporate America is finding it can learn a thing or two from universities about managing security matters.

Academic institutions have a long history of operating open networks, which has fueled the belief that compared with companies, they receive a higher dose of spam, along with viruses and other security attacks, experts said.

"Universities do seem to be big targets for would-be intruders," said RuthAnne Bevier, a computer security specialist in ITS network systems security at the California Institute of Technology. "I think this is probably for several reasons. One is that universities often intentionally have open networks with no perimeter firewall."

So if computers on a university network are running vulnerable software, the odds are good that outside attackers can reach the machines and exploit any flaws, she said. The high-speed connections typically used on campus systems also contribute to making attacks easier, security experts said.

Bevier added that though companies may also have some of the same issues as universities, the key difference is that computers used in an academic setting aren't necessarily configured with security in mind. Partly that's due to an institution's mixed community of staff, students and visiting researchers, all of whom often use their own computers on the network, with varying degrees of security software loaded on them.

"While many universities may have a central organization for managing computers, that organization generally does not have control over all, or even most, of the computers on the network," Bevier said. "Or its role may be in more of an advisory capacity, with little ability to enforce security measures or policies."

Opposite approaches
To meet their particular needs, universities and colleges take security measures that are based on letting everything enter the network unless there's a need to keep it out. That's in contrast to the typical corporate stance of keeping everything out unless there's a need to let it in. William Boni, a vice president of information security and protection at Motorola who has been looking into campus security methods, likens the academic approach to a cellular membrane.

"Firewalls are a wall and keep things out," Boni said. "But a cellular membrane allows things to pass while keeping the bad things out."

Academic break-ins

Some recent security incidents at universities and colleges in the United States.

University of Colorado at Boulder (August): Hackers accessed a server containing names and Social Security numbers used for ID cards of students, professors and researchers.
Sonoma State University (August): Intruders broke into seven campus workstations containing the personal information of approximately 62,000 students, alumni, applicants and employees, then used the breach to gain unauthorized access to workstations outside the campus.
California State Polytechnic University at Pomona (August): School notified 31,077 students, faculty, employees and alumni of a security breach in two servers that contained names and Social Security numbers.
University of Southern California (June): Online application database hacked, exposing the Social Security numbers and other sensitive information of approximately 270,000 candidates.
Stanford University (May): Network hacked by an outsider, putting personal information of about 10,000 people at risk.
George Mason University (January): More than 30,000 of its students, faculty and staff were put at risk of ID theft after hackers broke into one of its servers.

Rather than block the whole network off with a firewall, some universities create "zones of trust." A university's network would have different levels of security and required authorization, depending on the sensitivity of the campus information. That approach could let someone see course information, but stop them from looking at student records.

"There are situations where people segregate into different zones...and there is dynamic control of the access between the zones," said David Ladd, senior program manager at Microsoft's External Research Programs for Trustworthy Computing. "This is more an advancement in policy than a technological advance."

Trust zones call for good authentication, and the security of passwords and identifiers is being looked at closely by some institutions.

Caltech has stopped using Social Security numbers as unique identifiers, Bevier said. In addition, a number of universities are testing out federation, in which authenticated users at one school can use their ID or password to access libraries, computer labs or other systems at another school belonging to the group, said Rodney Petersen, the security task force product coordinator at Educause, a nonprofit organization that focuses on IT in higher education. In Maryland, for example, a student can have access to online resource information from any of the 13 state university libraries through the use of a bar code, he noted.

Institutions are also taking steps to separate their residential and campus networks. The measure was originally introduced to free up bandwidth on campus networks, but it's since been found to also improve security, Petersen said.

Another approach is to quarantine all PCs until they've been checked out. The Massachusetts Institute of Technology has 50,000 computers on the network that have no firewalls. Like many universities, it places all computers in isolation when they first try to log on to its system, said Jeff Schiller, MIT's network manager. The machines are automatically scanned for the appropriate security updates and, once cleared, are allowed onto the network.
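The quarantine-then-admit flow Schiller describes, combined with the zones of trust discussed earlier, as an added example that is not part of the article or of any university's own system: a small Python model in which every host starts isolated, is scanned against a constructed list of required updates, and is then placed in a zone whose policy decides whether it may see the course catalog or student records. The zone names, resource names, roles and update identifiers are assumptions made for the example.

```python
"""Toy model of the campus approach described on this page: a host starts in
a quarantine zone, is scanned for required updates, and only then lands in a
trust zone whose policy decides which campus resources it may read."""
from dataclasses import dataclass

# Constructed sample data: the update identifiers below are hypothetical.
REQUIRED_UPDATES = {"OS-2005-08", "AV-SIG-1042"}

# Each zone lists the resources it may read; quarantine sees only the
# remediation portal, and student records are limited to the registrar zone.
ZONE_ACCESS = {
    "quarantine": {"remediation-portal"},
    "public": {"remediation-portal", "course-catalog"},
    "student": {"remediation-portal", "course-catalog", "library"},
    "registrar": {"remediation-portal", "course-catalog", "library",
                  "student-records"},
}

# Zone granted per authenticated role; unknown roles fall back to "public".
ROLE_ZONE = {"student": "student", "registrar": "registrar"}

@dataclass
class Host:
    name: str
    installed_updates: set
    role: str = "guest"       # role comes from authentication, not the host
    zone: str = "quarantine"  # every host begins isolated

def missing_updates(host: Host) -> set:
    """Scan result: the required updates the host does not have."""
    return REQUIRED_UPDATES - host.installed_updates

def admit(host: Host) -> str:
    """Release a host from quarantine only when its scan is clean, then
    place it in the zone its authenticated role allows. Returns the zone."""
    if missing_updates(host):
        host.zone = "quarantine"
    else:
        host.zone = ROLE_ZONE.get(host.role, "public")
    return host.zone

def can_access(host: Host, resource: str) -> bool:
    """Zone policy check: access is decided by the zone, never by the host."""
    return resource in ZONE_ACCESS[host.zone]

if __name__ == "__main__":
    laptop = Host("dorm-laptop", {"OS-2005-08"}, role="student")
    print(admit(laptop), can_access(laptop, "course-catalog"))
    laptop.installed_updates.add("AV-SIG-1042")
    print(admit(laptop), can_access(laptop, "student-records"))
```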

A number of institutions used to report spending $100,000 to $200,000 to troubleshoot IT security issues at the start of the school year, but the cost has fallen by more than half since the quarantine technique has been put into play, Educause's Petersen said.

Without firewalls in place, MIT has to focus on taking care of security at the application and host level, Schiller said. Passwords and administrative information on its network are always encrypted, and the openness of the system is taken into account during the university's in-house software development.

"When we develop applications, we assume the network cannot be trusted. With a corporation, they assume it can," Schiller said.

Security 101
With an increasing number of businesses facing a mobile work force and a desire to share information with customers and partners, the university concept has not been lost on some Fortune 500 companies.

"We're hearing more from corporate America, and they're leaning more toward the methods used by academia," Petersen said. "Corporations are looking for ways to layer security and have more flexibility in what they've traditionally done--which is to secure everything down as much as possible."

Motorola, for one, has compared notes with security officials at the university level.

"When we were looking ahead at our portfolio and how the devices needed to connect and share information...it seemed so logical to look at universities," Motorola executive Boni said.

Boni's information security and protection team analyzed where the company wanted to be in a couple of years and determined that the best way to manage security with individual users was to concentrate on protection in laptops, handhelds and other end-point devices.

"The perimeter would have to go from being very broad to very focused, and when determining this, we felt universities do this," Boni said. "They allow students to bring their own devices onto the campus, find ways to patch them so there's no harm to others and do it without managing applications or IP addresses."

In its drive to create a seamless mobile environment for users, Motorola is also looking at zones of trust for its security architecture. Universities take the approach of "prove to me why you shouldn't have this information," while companies tend to question "why you should have the information," Boni explained, adding that though it's not done so yet, Motorola plans to examine ways to embrace the concept.

Microsoft's trustworthy computing executive Ladd noted that companies in certain sectors, such as finance or health care, may find it more difficult to adopt zones of trust on their networks. That's because they work in a more stringent regulatory climate than other large companies serving large groups of diverse customers.

Though parallels can be drawn between the security efforts under way at corporations and at universities, Ladd said the contribution colleges can make to corporations falls somewhere in the middle--not the first place he would seek to learn new security techniques, nor the last.

But Motorola's Boni believes it's a two-way street.

"Universities are getting better at protecting the sensitive information that they need to protect, while corporate America is aware that we need to do a better job at collaborative information sharing," Boni said. "There are things to be learned by both sides."