Can a college campus filled with exuberant students and free-thinking professors armed to the hilt with smartphones and tablets find a way to establish business-like network security and appropriate-use expectations without crimping everyone’s style?
Broward College, a state college near Miami, has that in mind in the “Bring Your Own Device” (BYOD) strategy forged with help from the college’s chief information security officer, Matt Santill. Since he’s been there the past few years, he’s pushed to register the tens of thousands of devices that touch the campus network to determine the student and staff users, who must agree to and sign the college’s acceptable-use policy. There are requirements for anti-virus software, and a general taboo on many peer-to-peer (P2P) connections in order to prevent students from downloading video and other content across the campus network that would violate the Digital Millennium Copyright Act and possibly get both the student and the college into trouble with content owners. Monitoring is done through security gear, such as unified threat management gateways and network-access control, to enforce policy.
ForeScout’s network-access control appliance is used on the Broward campus network to block some policy violations right as they occur.
“If a student downloads materials inappropriately, we kill the process,” says Santill, adding that stopping illegal P2P connections means blocking dozens of P2P protocols. Useful advice on this can be found in the Educause guidelines. Broward’s policies get reviewed by management there.
Faculty are also allowed BYOD devices, though there’s a network domain separate from the students for them. There are controls on which devices, whether BYOD or issued by the college itself, can be used to access specific parts of the internal network, which is set up to conform to the Payment Card Industry (PCI) rules. Applications containing sensitive data is cordoned off and scanned regularly for vulnerabilities. The college-owned laptops are also equipped with self-encrypting hard drives.
“All colleges have massive amounts of sensitive data they have to protect,” says Santill. It’s not just PCI rules that apply. Healthcare data, for example, is subject to HIPAA rules, he points out. Colleges may present a different environment from traditional business, but they can benefit from—and often require--the type of security controls that enterprise use, Santill says.
In another restriction redolent of security policies seen in the enterprise, college staff are discouraged from using a personal cloud-based file-sharing services to share data. Instead, the college, which has an internal SharePoint system, makes available options that the college IT department controls for file-sharing. “We have an approved application list,” says Santill. The college also deploys data-loss prevention filters via gateway controls to block possible transmission of data such as Social Security numbers or credit cards.
Santill thinks applying corporate-style security controls on college campus networks probably still remains more the exception than the rule. But it can be done without too much inconvenience to the user, he says, though college staff may grumble more about restrictions than younger students.