Rewriting the IT Rules
Kim Cary, Pepperdine University's CISO, is on the front lines of the increasingly heterogenous enterprise technology ecosystem. Get ready: What he's seeing on campus today will make its way into your corporation tomorrow.
who: Kim Cary, CISO, Pepperdine University
what: Cary oversees information security for the school's 8,500 students and 2,000 faculty and staff.
where: Malibu, Calif.
why: Cary's experiences as a university-based IT security officer, dealing with the challenges of a heterogeneous, highly mobile user base, serve as harbinger of things to come for the broad business computing environment.
This would be an ideal setting for a corporate office park in California: Several dozen buildings--all with sublime views of the Pacific Ocean--spread across nearly 140 acres in Malibu. Each structure's architecture is harmonious with the local community, built in Spanish Colonial designs with stately stucco walls and red-tiled roofs.
In this case, however, the campus doesn't serve the needs of industry. It's the home of Pepperdine University. Like many venues for higher education, Pepperdine strives to present far more than aesthetic appeal. In addition to a strong focus on business, education, law and other academic disciplines, the school remains committed to providing the very best in IT network services for its 8,500 students and 2,000 faculty and staff.
Given that this is California, the level of tech sophistication among end users is high, creating a great deal of demand on the network infrastructure. This, plus the heterogeneous nature of the device environment on campus, creates challenges with respect to securing it all. And that's where Kim Cary steps in.
"We attract students and faculty members who are interested in all forms of technology," says Cary, who, as Pepperdine's chief information security officer (CISO), oversees an enterprise that accommodates often-mobile users on 12,000 endpoints. "We will have people here who will connect with every kind of device imaginable. So we need to keep up with what these devices are and what they're capable of doing."
Like government agencies and high-profile corporations, a college-based network can be very appealing to hackers. The Pepperdine system ensures that all devices tapping into the network are both recognized and approved. Cary and his team secure a network spanning more than 400 switches and 650 wireless access points from multiple vendors. The dorm network is composed of Xirrus APs, while an Aruba network is being deployed for the academic and administrative facilities. In fact, Cary says he will soon replace 300 Cisco Aironet APs with Aruba APs, which will upgrade the 802.11b WiFi network to deliver 802.11a/b/g/n service to priority academic areas.
Faculty and staff have Secure Sockets Layer (SSL) access to the PeopleSoft Enterprise portal, as well as a variety of apps, including Kronos electronic timecards, Lynda online training and professional development software, and Turnitin, an online plagiarism-detection program.
A Network Sentry security system from Bradford Networks was deployed in 2008 to help Cary and his team ensure that the network is accessed only by its intended users.
Cary spoke recently with CIO Insight's Dennis McCafferty to share his strategy for dealing with challenges such as student/faculty mobile demand on the enterprise, information security, and how trends such as cloud computing are rewriting the IT rules for colleges and private companies alike. Here's what Cary had to say:
CIO Insight: How do you accommodate the breadth of students seeking to access the university's network?
Kim Cary: We essentially have two kinds of students--about 2,500 who live on campus, and the rest who come in during the day or evening for classes. Our commuter students may attend any of five campuses in Southern California, all linked together on the same network. Either way, they're going to create a high level of demand on our wireless network. If they commute, for example, they're going to be coming in just in time for class. They need to look up that last reference or add a thought to the paper and then quickly print it before class.
The network security system has to make this easy for them, while still being secure. We want them to have the kind of campus experience they need. The high-speed WANs tie the campuses into one giant network that runs from Ventura County through Malibu to Orange County. We have to secure student access throughout the entire network, using automation to handle problems quickly and communicate to the users in real time any issue their computer has and how to fix it.
CIO Insight: Do you need to restrict the kinds of devices permitted to connect to the network, or the ways they can be used?
Cary: No. The students use their computers, WiFi smartphones and iPads as part of their learning, life and recreation. We make sure all of these devices can get on our network securely, without a hassle. It's a challenge to accommodate such a wide variety of products, but we won't dictate what they can and can't carry. The only [activity] that we don't allow on our network is peer-to-peer file sharing of copyrighted works, and, of course, anything else that's illegal. Otherwise, we don't throttle their access to educational resources, communications or entertainment.
We feel providing first-rate wireless services is of vital importance for the university. This will become even more important in the future. One of the dynamics of being here in Malibu is that we are responsible for reducing our traffic footprint on the local roads. Future plans call for us to increase the percentage of residential students. The quality of their wireless network and Internet experience will be an important factor in their education and campus life.
CIO Insight: How do you ensure that the user on a student computer really is a student?
Cary: Our system allows us to connect our switches and access points to our identity infrastructure. When a user registers a computer using his or her ID and password, we know whether the person is a student or faculty/staff and should be allowed production network access, or whether the person is a guest and should have limited access.
CIO Insight: What do you do with that information?
Cary: Our network systems may detect a spambot or virus of some kind or just a misconfiguration that is interfering with other users' access. Previously, all we could do was block that computer's access on one part of our network. This was bad in two ways. First, the users didn't know they were blocked, and after hours of frustration trying to fix their connection, they would call our help desk to complain about the network. Second, when a compromised computer was moved to another part of our network--say, from the dorm to the library--it would get around the block and unleash the evil behavior for a while until it was detected and blocked in the new location.
With the current system, when a computer is blocked, it is blocked everywhere. And more importantly to the end user, any Web access redirects the user to a page that shows the computer is blocked and what to do about it.
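Added illustration, not code from Pepperdine or Bradford Networks: a toy network-access-control policy engine in Python modelling what the last two answers describe, namely device registration bound to the registering identity, a block keyed on the device so it holds at every switch and access point, and a Web redirect to a remediation page. Role names, the remediation URL and the user and MAC values are assumed.

```python
"""Toy NAC policy engine (added example; assumed names and values throughout)."""
from dataclasses import dataclass, field
from urllib.parse import quote

# Assumed mapping from directory role to network access level.
ROLE_ACCESS = {"student": "production", "faculty": "production", "guest": "limited"}
REMEDIATION_URL = "https://nac.example.edu/blocked"  # placeholder URL


@dataclass
class Nac:
    directory: dict                                 # user -> role, from the identity infrastructure
    devices: dict = field(default_factory=dict)     # device MAC -> registering user
    blocked: dict = field(default_factory=dict)     # device MAC -> reason for the block
    seen_at: list = field(default_factory=list)     # (mac, location) audit trail

    def register(self, mac: str, user: str) -> None:
        """Bind a device to the identity that registered it; unknown users are refused."""
        if user not in self.directory:
            raise PermissionError(f"unknown user {user!r}")
        self.devices[mac] = user

    def access_level(self, mac: str) -> str:
        """Derive access from the registered owner's role; unregistered devices get none."""
        user = self.devices.get(mac)
        if user is None:
            return "none"
        return ROLE_ACCESS.get(self.directory[user], "limited")

    def block(self, mac: str, reason: str) -> None:
        """Quarantine a device (e.g. after a spambot or misconfiguration is detected)."""
        self.blocked[mac] = reason

    def unblock(self, mac: str) -> None:
        """Lift the quarantine once the user has fixed the problem."""
        self.blocked.pop(mac, None)

    def admit(self, mac: str, location: str) -> str:
        """Enforcement at any switch or AP: the block is keyed on the device, not the location,
        so moving from the dorm to the library does not get around it."""
        self.seen_at.append((mac, location))
        if mac in self.blocked:
            return "blocked"
        return self.access_level(mac)

    def handle_web_request(self, mac: str, url: str) -> tuple:
        """Captive-portal behaviour: a blocked device's Web access is redirected to a page
        that says it is blocked and why, instead of silently failing."""
        if mac in self.blocked:
            return 302, f"{REMEDIATION_URL}?reason={quote(self.blocked[mac])}"
        return 200, url
```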