In the 1930s, when Louis A. Simon designed the famous U.S. Bullion Depository at Fort Knox, he could only have hoped that the building would be so secure, so impenetrable, that generations of Americans would come to regard “Fort Knox” as the highest compliment that could be given to a structure whose purpose is to defend whatever is inside.
In the case of Fort Knox, what’s inside are the U.S. gold reserve vaults. In the case of Broward College in Florida, what’s “inside” is the personal information of more than 68,000 students, 2,000 staff and faculty, and thousands more alumni and other former community members. And it really is a modern-day Fort Knox when it comes to its approach to network security.
Playing the role of Louis A. Simon for Broward is Matt Santill. On paper, he’s Broward’s chief information security officer. Informally, he’s the school’s “Mr. No.” Santill is the reason that students, staff and faculty are no longer able to connect their personal devices to the school’s network without registering them first, he’s the reason peer-to-peer connections aren’t allowed, and he’s the reason that staff cannot use personal cloud-based file-sharing services.
Santill acknowledges to Network World that this approach, seen more in enterprises, is a rarity on college campuses. Yet, that doesn’t mean it’s unfair or overly broad. Santill’s approach to network security has kept Broward’s name off the front page and protected its students and staff, which seems to be a rarity these days.
Broward College: An Exception to the Recent Rule
It was a spring to forget for three prominent institutions of higher education, all of which were victimized by cyber-attacks:
- In February, the University of Maryland announced it had uncovered a broad cyber-attack dating back 16 years and affecting more than 300,000 members of its community.
- That’s about the same number of victims of a North Dakota University hack weeks earlier, affecting students, alumni and applicants, as well as staff.
- A breach of Indiana University “only” affected 146,000 students, although that information was exposed for nearly an entire year.
Why have so many colleges and universities been targeted? According to Paul Stephens, a consumer privacy rights advocate, there are structural vulnerabilities unique to institutions of higher learning.
“Universities tend to have a more open information technology architecture,” Stephens told the Capital News Service last spring. “You have various parties operating within the system — you’ve got students, you have teachers, you have faculty, you have administration staff, and so on.”
And if the scope of these attacks isn’t convincing enough, consider the costs colleges and universities face as a result of a breach – internal investigation expenses, victim restitution (i.e. free identity protection and credit services), notification and call center expenses to respond to inquiries, and maybe even fees for violating PCI and HIPAA requirements. The list goes on.
Building a Campus-Based Fort Knox
Remember the June network breach that affected some 200,000 members of the Butler University community? At the time, we explained how a “think like an enterprise” approach to network security might have prevented the breach. Does that sound similar to the network security strategy Santill has put on Broward’s syllabus?
Santill certainly has the right approach, but has he considered students and staff who live and work off campus? Anyone who accesses the college’s network remotely could represent a vulnerability. That’s why beyond thinking about internal access, educational institutions should think like enterprises and implement solutions that secure their remote access. The first step to shoring up remote access is for institutions to consider VPNs with central management functionality, allowing administrators to automatically ensure that all devices connecting to a network are in compliance at all times, centrally roll out updates to VPN clients and certificates, and revoke network access or even deprovision a user as soon as an attack is detected.
As strong as the real Fort Knox’s immediate defenses are, you can be sure that the roadways leading up to the facility are just as heavily fortified. For any organization today, those “roadways” are the tunnels users connect through to access the network remotely. And it’s critical they remain secure.