2. Evolving BYOD policies
As smart watches and other wearable technologies start making their entrance into the market in 2015, colleges and universities will need to review their bring your own device (BYOD) policies to ensure that they balance the need for security with the need for access, says Renee Patton, U.S. public sector director of education at Cisco, San Jose, Calif. “The policies define what access should be available. As more devices come on campus, you have to make sure those devices are trustworthy.”
Some devices, like wearable health monitoring devices, have no reason to access the college or university network, so shouldn’t have access to network resources, Patton adds. “Administrators have to understand the trends and transitions. They need to continue to adapt. They need to make sure that security software is installed on those devices and that is configured properly by enforcing limited access for unsecured devices.”
The device management will get only more complex in the future as the Internet of Things (IoT) evolves. Cisco estimates that the number of connected devices will mushroom from about 15 billion today to more than 50 billion by 2020. [Read: “How to prepare for everything.”]
Ron Woerner, director of cyber security studies at Bellevue (Neb.) University, adds limiting access to those resources necessary for faculty or students. A professor may need access to grades of the students in his class, but not to their grades in other classes. Similarly, a student may need access to his or her grades, but not the grades of classmates.
3. Increasingly layered security
Antivirus and antimalware protection are commonplace, but still offer only a base level of protection, security experts agree.
Network monitoring is increasingly important to catch threats that can slip past antivirus and antimalware programs.
Santa Clara (Calif.) University, for example, employs algorithms to analyze network traffic and to send alerts to security staff about suspicious activity, says Robert Henry, the university’s chief information security officer. Network traffic analysis helps identify spikes in network use and other activity outside of the norm.
The variety and number of attacks are increasing, says Neal Moss, system network analyst for BYU-Hawaii. Rather than random attacks, hackers are targeting specific parts, specific servers, etc. Higher education financial and human resources departments are top targets because of the depth of the personal information that they contain. So colleges and universities are using multiple firewalls in order to separate serves from one another and limiting the applications that users can access.
“They key for us is using zero trust,” Moss says. “We treat everyone as bad guys trying to get at my stuff. We only allow specific applications to communicate with users.” The applications automatically reject any modifications a user attempts to make.
Woerner also recommends enhanced penetration testing to examine if all physical and technology controls are in place and to ensure that commonly available information (i.e., university calendar) is separate from sensitive information (i.e., employee payroll).
(Next page: The cloud; physical security)