College Campus: The Future of Enterprise IT Security
Kim Cary, Pepperdine Universityâs CISO, is on the front lines of the increasingly heterogenous enterprise technology ecosystem. Get ready: What heâs seeing on campus today will make its way into your corporation tomorrow.
cio insight: Do you feel that what you're seeing as a university-based IT security official offers a harbinger of sorts for enterprises in private industry?
Cary: Absolutely. Before too long, businesses will be greatly surprised by how much of their infrastructure and IT services will leave their corporate networks and move into the cloud. This migration is something we've been managing for three or four years now. It's our mission in IT to provide access to a comprehensive suite of tools for faculty and students to pursue learning any time and anywhere.
Today, many of the best tools for this are available in the cloud, and we incorporate these. We also host our own learning technologies when this makes for the best student experience. Some organizations may be holding back on incorporating mobile devices and Internet cloud services. But in the end, like us, many will conclude that it's best to incorporate cloud infrastructure and services from those that excel in those fields, and focus IT instead on their core business processes. For us, that focus is on education.
cio insight: But how do you allow this while still remaining in your comfort zone on network security?
Cary: Several years ago, we began to shift our security model from creating a LAN-based plantation monoculture toward security systems that can manage the Internet ecosystem and a variety of devices. In addition, we favor systems that use automation and are transparent to the end user. Most people want to use their computers, not fiddle with them.
We're not where we want to be yet. But we've made tremendous strides in security by automating patching and also by detecting, blocking and unblocking automation at the network edge.
We also emphasize security education and training, stressing the need to be smart on the Internet. Our users are coming to understand that safe use of their computers is important to help maintain trust in the university.
cio insight: What kinds of ROI metrics and/or qualitative results have automation and these new systems produced?
Cary: First, we have a "hard data" picture of the network now. Spreadsheets that list network equipment have their use, but they get out-of-date quickly. We now have a live census of every network device and how it is configured. Second, the system reveals the mix of end-user operating systems and devices by their various locations and roles. We make this information available across IT for our colleagues to use in operating their services and planning for the future.
Finally, because we know exactly which computer is connecting to the network, we can retrieve devices that [may be] lost or stolen. When someone attempts to use a lost or stolen computer to access the network, we know exactly where it is, and our public safety officers get an automated alert. They do a great job in safely retrieving the lost or stolen device. That's happened about five times now in the last six months.