IT Roadmap: After years ignoring network security, Harvard Business School makes it a priority

When John Arsneault arrived at Harvard Business School about five years ago, the school’s network was a hacker’s dream.

“There was absolutely no security in place from a perimeter standpoint, an application standpoint, nobody really knew what was going on. The reason for that was security was viewed as a philosophical issue vs. a technology and process issue,” Arsneault, the school’s director of network operations, said Tuesday at Network World’s IT Roadmap conference in Boston. “Prior to [my arriving] there was literally no virus software anywhere in the school, which I know sounds absurd, but it was true.”

Help desks were receiving 10 to 15 calls a day because of virus-infected computers, and denial-of-service attacks were frequent. Now it is rare for either one of those problems to occur, Arsneault said, because Harvard Business School has implemented security measures including a firewall, intrusion detection, and virus controls at multiple layers such as e-mail programs and desktops.

Before it became clear security was vitally needed, faculty members worried security measures would prevent the fostering of collaboration, an open environment and research, Arsneault said.

“What actually drove them the other way was the number of denial-of-service attacks and outages we had. Eventually that philosophical approach to security went away,” he said.

Arsneault spoke during a session titled “Application & Content Security,” in which analyst Andreas Antonopoulos warned that enterprises are barely focusing on security of applications despite the crucial data and processes stored on application servers.

As threats move higher up the seven-layer network protocol stack toward applications, security measures must also move up the stack, said Antonopoulos, senior vice president and founding partner of Nemertes Research.

“We have the crown jewels on the most vulnerable servers,” Antonopoulos said. “Threats have been moving closer and closer to the application stack. … I’m very concerned about the applications being deployed in enterprises with no consideration being given to security.”

A lax approach to security can open the door to self-replicating worms that create bogus purchase orders, or a host of other problems, the analyst said. Nemertes Research conducts in-depth interviews with enterprises to determine which security issues are receiving the most focus. Application security appeared on the list for the first time in the past year, at No. 6, while antivirus/antispam programs and spyware was the No. 1 security concern, Antonopoulos said.

Spyware has become a huge problem because many companies rely on software-as-a-service, applications that are hosted on Web sites.

“When 90% of your enterprise applications are delivered over the Web, your browser is your most important enterprise application,” Antonopoulos said.

Inside a company’s network, servers hosting applications are patched less frequently than any other type of server, he said. Also, many companies fall into the trap of buying fancy security applications instead of investing in management, training and risk assessments, he said.