Schooled in security

Universities are looking for ways to protect networks while maintaining a free flow of data and ideas--an idea businesses could learn from.

For universities, network security is a tricky balancing act.

Academic institutions want to maintain the free exchange of ideas and information between faculty, students and researchers, both on campus and from university to university. That presents a challenge for keeping networks secure. Unlike businesses, schools can't rely on using the typical firewall to keep threats out.

"Universities try to foster a more open environment, so individuals have freedom to do things like collaborate on research or do things with other universities," said Michael Gavin, a senior analyst at Forrester Research. "Universities, as a result, are reluctant to put in security that would prevent people from collaborating."


What's new:
Universities are suffering attacks as they try to balance sharing of information on networks with the need to secure data.

Bottom line:
New approaches to security could mitigate the problem--and be a lesson for corporations looking for ways to protect information without having to shut out an increasingly mobile work force.

It adds up to a dilemma that could be putting college systems at risk. Earlier this month, the University of North Texas was hit by hackers who accessed the housing and financial aid records of nearly 39,000 students and alumni. California State Polytechnic University in Pomona and the University of Colorado also reported breaches in August--the latest in a spate of incidents at academic institutions.

As they face these attacks, IT professionals at college campuses are developing specialized means to keep information and data secure. They're coming up with ways to let a variety of users with different machines and different levels of authorization connect easily to their networks. That's striking a chord for companies coming to terms with an increasingly mobile work force, and corporate America is finding it can learn a thing or two from universities about managing security matters.

Academic institutions have a long history of operating open networks, which has fueled the belief that compared with companies, they receive a higher dose of spam, along with viruses and other security attacks, experts said.

"Universities do seem to be big targets for would-be intruders," said RuthAnne Bevier, a computer security specialist in ITS network systems security at the California Institute of Technology. "I think this is probably for several reasons. One is that universities often intentionally have open networks with no perimeter firewall."

So if computers on a university network are running vulnerable software, the odds are good that outside attackers can reach the machines and exploit any flaws, she said. The high-speed connections typically used on campus systems also contribute to making attacks easier, security experts said.

Bevier added that though companies may also have some of the same issues as universities, the key difference is that computers used in an academic setting aren't necessarily configured with security in mind. Partly that's due to an institution's mixed community of staff, students and visiting researchers, all of whom often use their own computers on the network, with varying degrees of security software loaded on them.

"While many universities may have a central organization for managing computers, that organization generally does not have control over all, or even most, of the computers on the network," Bevier said. "Or its role may be in more of an advisory capacity, with little ability to enforce security measures or policies."

Opposite approaches
To meet their particular needs, universities and colleges take security measures that are based on letting everything enter the network unless there's a need to keep it out. That's in contrast to the typical corporate

Featured Video