Schools rethink network security

Computer worms and viruses continue to besiege colleges and universities, which are responding with a range of network security improvements.

Most schools are focusing on technology fixes: Products designed to correct specific weaknesses. But those won’t be enough if the schools’ CIOs overlook “softer” but equally vital issues, such as involvement by school presidents and provosts, and security procedures that help the school’s culture and mission.

Those softer issues are getting more attention now after the worm onslaughts that hit campus networks hard last summer and fall.

These issues were laid out recently at the New England regional meeting of Educause, a consortium of higher education IT professionals. One presentation covered results of an Educause IT security survey conducted about a year ago and published in December.

But some results surely would have changed since the widely publicized attacks of worms such as Blaster last summer, says study co-author John Voloudakis, now principal at Polaris Consulting. The survey found that while two-thirds of the 435 surveyed schools require all institutional computers to have anti-virus software, only one-third required student computers to be so equipped. “This has jumped since the summer attacks,” he says, based on his talks with network executives and managers.

The attacks and public embarrassments like identify theft that victimize students and faculty are leading to a re-appraisal of how schools approach security, he says.

“People are now thinking about centralization and standardization of security,” he says. Some schools that were opposed to external firewalls are rethinking that position, for example.

“The viruses and worms have forced us to be much more rigorous in our software patching process,” says Douglas Burns, director of IS at Ohloni College, a state community college in Fremont, Calif.

Last semester, the University of Massachusetts at Amherst shut down 5,000 host computers on campus to combat various attacks. “It remains to be seen [what] the long-term impact will be” on campus awareness and priorities, says Christopher Misra, network analyst with the school’s IT office. “The awareness [of security] is coming, or [already] there, at staff and administrator levels, but it’s is still lacking at end-user levels.”

Enlisting support

Savvy CIOs are using these security problems as a way of enlisting the active support of senior management, students and notoriously independent faculty members, instead of trying to steamroll technology fixes over them.

“We let them stick their finger in the light socket and fry their hair,” says Joanne Kossuth, CIO for Franklin W. Olin College of Engineering, a Needham, Mass., school that opened in the fall of 2002. She says her staff of 12 then finds it easier to enlist support for more formalized, and rigorous, security measures.

One early decision was to forge an honor system with students. “We had one student who put up a rogue [wireless] access point, and another student reported him,” Kossuth says.

Many Ohloni College faculty members were victimized by viruses and worms as they worked with their laptops at home. College IT staff helped them recover and protect themselves, and the experience has paved the way for increased cooperation going forward, according to Burns.

These kinds of approaches build relationships of trust, which are vital to making schools more secure, and to making people feel more secure, Polaris’ Voloudakis says. “Look for incentives that help people make responsible decisions.”

One such incentive is deploying site licenses for anti-virus software, and designing simple Web sites where users can easily update anti-virus files and install patches.

What many see as traditional barriers to better IT security, such as concerns that security measures shackle academic freedom, are manageable issues when approached with the right attitude, Voloudakis says. “You help people understand that security improves personal privacy for students and faculty.”

One school has a policy to monitor all business units to uncover any personal information they might be collecting. If such information is found, the department has to give a business justification for having the information. Otherwise it’s deleted.