Network World

User-centric security begs for process overhaul

Such is the wisdom gained in one college's deployment
By Joanne Cummings, Network World, 10/09/2008

At Ferrum College, a school in Virginia, a Juniper Networks-based network-access-control deployment makes sure that access to sensitive data is based on who the users are, not where they are or which devices they're using. This user-centric focus on security, however, required an overhaul of people and processes as well, says Ferrum's CIO Christine Stinson.


This story is part of a special Security Trend Watch issue, in PDF format.


Before the Juniper network, Ferrum used what Stinson calls family-style computing. "We were a small campus, and everyone knew everyone. So, if you needed access to something, you would go over to the computer-services desk and say, 'Hey Tim, I need access to this,' and Tim knew you and would give you access," she says.

That changed as the campus grew, and Stinson began the move to user-focused security. She assigned ownership to all the data stores on campus, removing access from IT's purview. "I tell everyone that your data is like a horse," she says. "We're the stable. We keep your data, we feed it, we clean up the mess after it. But you determine who rides it."

Now, when requests come in for access to particular databases or files, the data's owner has to sign off on giving that access, as does the CIO. "I review everything, sign off on it, and only then does administrative computing grant the access," Stinson says. Perhaps more importantly, the college also instituted a formal process for reviewing access. "Every six months, we review all of the access that's been given," Stinson says. "If there's not a need for the person to have access, we make sure we close it out. All of these processes needed to be in place first. Otherwise, the network segmentation wouldn't have made any difference in our security posture."

Stinson made sure she had buy-in from each data owner and user by making them all play a part in building the processes. "One thing I've learned is that if I simply announce a change, there will be a lot of resistance to it," she says. "So instead, I identified all the people who created databases and met with them as a group. I explained what the new privacy and security requirements were that were imposed on us legally. Then we developed consensus on what an ideal process for managing data access would be."
