Rewriting the IT Rules
By Dennis McCafferty | Posted 03-14-2011
who: Kim Cary, CISO, Pepperdine University
what: Cary oversees information security for the school's 8,500 students and 2,000 faculty and staff.
where: Malibu, Calif.
why: Cary's experiences as a university-based IT security officer, dealing with the challenges of a heterogeneous, highly mobile user base, serve as a harbinger of things to come for the broader business computing environment.
This would be an ideal setting for a corporate office park in California: Several dozen buildings--all with sublime views of the Pacific Ocean--spread across nearly 140 acres in Malibu. Each structure's architecture is harmonious with the local community, built in Spanish Colonial designs with stately stucco walls and red-tiled roofs.
In this case, however, the campus doesn't serve the needs of industry. It's the home of Pepperdine University. Like many venues for higher education, Pepperdine strives to present far more than aesthetic appeal. In addition to a strong focus on business, education, law and other academic disciplines, the school remains committed to providing the very best in IT network services for its 8,500 students and 2,000 faculty and staff.
Given that this is California, the level of tech sophistication among end users is high, creating a great deal of demand on the network infrastructure. This, plus the heterogeneous nature of the device environment on campus, creates challenges with respect to securing it all. And that's where Kim Cary steps in.
"We attract students and faculty members who are interested in all forms of technology," says Cary, who, as Pepperdine's chief information security officer (CISO), oversees an enterprise that accommodates often-mobile users on 12,000 endpoints. "We will have people here who will connect with every kind of device imaginable. So we need to keep up with what these devices are and what they're capable of doing."
Like government agencies and high-profile corporations, a college-based network can be very appealing to hackers. The Pepperdine system ensures that all devices tapping into the network are both recognized and approved. Cary and his team secure a network spanning more than 400 switches and 650 wireless access points from multiple vendors. The dorm network is composed of Xirrus APs, while an Aruba network is being deployed for the academic and administrative facilities. In fact, Cary says he will soon replace 300 Cisco Aironet APs with Aruba APs, which will upgrade the 802.11b WiFi network to deliver 802.11a/b/g/n service to priority academic areas.
Faculty and staff have Secure Sockets Layer (SSL) access to the PeopleSoft Enterprise portal, as well as a variety of apps, including Kronos electronic timecards, Lynda online training and professional development software, and Turnitin, an online plagiarism-detection program.
A Network Sentry security system from Bradford Networks was deployed in 2008 to help Cary and his team ensure that the network is accessed only by its intended users.
Cary spoke recently with CIO Insight's Dennis McCafferty to share his strategy for dealing with challenges such as student/faculty mobile demand on the enterprise, information security, and how trends such as cloud computing are rewriting the IT rules for colleges and private companies alike. Here's what Cary had to say:
cio insight: How do you accommodate the breadth of students seeking to access the university's network?
Kim Cary: We essentially have two kinds of students--about 2,500 who live on campus, and the rest who come in during the day or evening for classes. Our commuter students may attend any of five campuses in Southern California, all linked together on the same network. Either way, they're going to create a high level of demand on our wireless network. If they commute, for example, they're going to be coming in just in time for class. They need to look up that last reference or add a thought to the paper and then quickly print it before class.
The network security system has to make this easy for them, while still being secure. We want them to have the kind of campus experience they need. The high-speed WANs tie the campuses into one giant network that runs from Ventura County through Malibu to Orange County. We have to secure student access throughout the entire network, using automation to handle problems quickly and communicate to the users in real time any issue their computer has and how to fix it.
cio insight: Do you need to restrict the kinds of devices permitted to connect to the network, or the ways they can be used?
Cary: No. The students use their computers, WiFi smartphones and iPads as part of their learning, life and recreation. We make sure all of these devices can get on our network securely, without a hassle. It's a challenge to accommodate such a wide variety of products, but we won't dictate what they can and can't carry. The only [activity] that we don't allow on our network is peer-to-peer file sharing of copyrighted works, and, of course, anything else that's illegal. Otherwise, we don't throttle their access to educational resources, communications or entertainment.
We feel providing first-rate wireless services is of vital importance for the university. This will become even more important in the future. One of the dynamics of being here in Malibu is that we are responsible for reducing our traffic footprint on the local roads. Future plans call for us to increase the percentage of residential students. The quality of their wireless network and Internet experience will be an important factor in their education and campus life.
cio insight: How do you ensure that the user on a student computer really is a student?
Cary: Our system allows us to connect our switches and access points to our identity infrastructure. When a user registers a computer using his or her ID and password, we know whether the person is a student or faculty/staff and should be allowed production network access, or whether the person is a guest and should have limited access.
cio insight: What do you do with that information?
Cary: Our network systems may detect a spambot or virus of some kind or just a misconfiguration that is interfering with other users' access. Previously, all we could do was block that computer's access on one part of our network. This was bad in two ways. First, the users didn't know they were blocked, and after hours of frustration trying to fix their connection, they would call our help desk to complain about the network. Second, when a compromised computer was moved to another part of our network--say, from the dorm to the library--it would get around the block and unleash the evil behavior for a while until it was detected and blocked in the new location.
With the current system, when a computer is blocked, it is blocked everywhere. And more importantly to the end user, any Web access redirects the user to a page that shows the computer is blocked and what to do about it.
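The two answers above describe a network access control model: a device is registered against the identity store, gets production or limited access by role, and a quarantine decision follows the device to every network segment, with web requests from a blocked device redirected to an explanation page. The following is an added illustration of that model, not Pepperdine's or Bradford Networks' code; the user names, device identifiers and remediation URL are constructed placeholders.

```python
"""Added example: a minimal model of identity-based registration plus
device-keyed quarantine, as described in the interview. Not vendor code."""
from dataclasses import dataclass, field

# Constructed identity data and the role-to-access mapping from the interview:
# students and faculty/staff get production access, guests get limited access.
IDENTITY_STORE = {"jsmith": "student", "dr_lee": "faculty", "visitor42": "guest"}
ACCESS_BY_ROLE = {"student": "production", "faculty": "production",
                  "staff": "production", "guest": "limited"}

REMEDIATION_URL = "https://nac.example.edu/blocked"  # hypothetical URL


@dataclass
class NAC:
    registrations: dict = field(default_factory=dict)  # device_id -> (user, role)
    quarantined: dict = field(default_factory=dict)    # device_id -> reason

    def register(self, device_id, user, credential_ok):
        """Bind a device to an identity; returns the access level or None."""
        if not credential_ok or user not in IDENTITY_STORE:
            return None
        role = IDENTITY_STORE[user]
        self.registrations[device_id] = (user, role)
        return ACCESS_BY_ROLE[role]

    def quarantine(self, device_id, reason):
        """Block a device (e.g. spambot, virus, misconfiguration) network-wide."""
        self.quarantined[device_id] = reason

    def release(self, device_id):
        """Unblock once the user has remediated the problem."""
        self.quarantined.pop(device_id, None)

    def decide(self, device_id, segment):
        """Admission decision for a device seen on any segment (dorm, library...).
        The segment is deliberately ignored for blocks: a quarantined device
        gets the same answer everywhere, unlike the old per-segment block."""
        if device_id not in self.registrations:
            return "redirect-to-registration"
        if device_id in self.quarantined:
            return "blocked"
        _, role = self.registrations[device_id]
        return ACCESS_BY_ROLE[role]

    def handle_http(self, device_id, segment, url):
        """Web traffic from a blocked device is redirected to a page that says
        the computer is blocked and why; everything else passes through."""
        if self.decide(device_id, segment) == "blocked":
            return 302, f"{REMEDIATION_URL}?reason={self.quarantined[device_id]}"
        return 200, url
```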
College Campus: The Future of Enterprise IT Security
cio insight: Do you feel that what you're seeing as a university-based IT security official offers a harbinger of sorts for enterprises in private industry?
Cary: Absolutely. Before too long, businesses will be greatly surprised by how much of their infrastructure and IT services will leave their corporate networks and move into the cloud. This migration is something we've been managing for three or four years now. It's our mission in IT to provide access to a comprehensive suite of tools for faculty and students to pursue learning any time and anywhere.
Today, many of the best tools for this are available in the cloud, and we incorporate these. We also host our own learning technologies when this makes for the best student experience. Some organizations may be holding back on incorporating mobile devices and Internet cloud services. But in the end, like us, many will conclude that it's best to incorporate cloud infrastructure and services from those that excel in those fields, and focus IT instead on their core business processes. For us, that focus is on education.
cio insight: But how do you allow this while still remaining in your comfort zone on network security?
Cary: Several years ago, we began to shift our security model from creating a LAN-based plantation monoculture toward security systems that can manage the Internet ecosystem and a variety of devices. In addition, we favor systems that use automation and are transparent to the end user. Most people want to use their computers, not fiddle with them.
We're not where we want to be yet. But we've made tremendous strides in security by automating patching and also by detecting, blocking and unblocking automation at the network edge.
We also emphasize security education and training, stressing the need to be smart on the Internet. Our users are coming to understand that safe use of their computers is important to help maintain trust in the university.
cio insight: What kinds of ROI metrics and/or qualitative results have automation and these new systems produced?
Cary: First, we have a "hard data" picture of the network now. Spreadsheets that list network equipment have their use, but they get out-of-date quickly. We now have a live census of every network device and how it is configured. Second, the system reveals the mix of end-user operating systems and devices by their various locations and roles. We make this information available across IT for our colleagues to use in operating their services and planning for the future.
Finally, because we know exactly which computer is connecting to the network, we can retrieve devices that [may be] lost or stolen. When someone attempts to use a lost or stolen computer to access the network, we know exactly where it is, and our public safety officers get an automated alert. They do a great job in safely retrieving the lost or stolen device. That's happened about five times now in the last six months.
Enterprise Mobility on Campus
cio insight: How significant is the faculty and administration impact on the network, with respect to mobile devices?
Cary: I can tell you that they're sometimes more avant-garde with the devices than the students are. The first place where an iPhone showed up on our network was in the executive offices. Same with the iPad. The very first day these products were available on the market, they were on our administrative networks.
For faculty, we also provision their access from our identity infrastructure. Professors can be as "on the move" as their students. Their morning might take them to different locations very rapidly. From lab to having lunch with a student or a colleague to teaching in the classroom, often using their laptop or mobile [device] in each location. Moving from place to place, they don't want to waste time logging in to access the network repeatedly. Once a faculty member's device is registered, they can get back on the network without signing in again. We use the iOS profiles within Exchange 2007 Webmail to permit remote wipe of registered devices.
cio insight: Given that students and teachers -- just like professionals in private companies these days -- are so busy and need information so quickly, is it difficult to educate them about the need to keep security in mind? How do you counter the mindset of, "I just want the best apps I can get online as quickly as possible. Security is no big deal"?
Cary: To change that perception, you need to speak to them about these issues in a clear, jargon-free way. And you need peer-case studies to show the impact [that] poor security can have on their lives. In one of our training [sessions], for example, we show how a campus computer was taken over by a Trojan, due to simple neglect, and we let them see some of the information it sent to criminals in another country. We mask sensitive details, but we tell a true story. Then we talk about simple steps or behaviors they can use to help ensure that this doesn't happen to them.
I agree with CIO leaders who say that to get buy-in on security, it's important to break open the wall of secrecy that surrounds information security breaches. In an appropriate way, you need to share examples of security failures for computers on the network. Then users can understand their role and the impact those failures have had on productivity and trust in the organization.