Catch a clue from an EDU: Universities that get security right

In these days of consumer gadgets and mobile access, corporations can learn a lot from how universities deploy multiple layers of security.

Page 4 of 5

But it doesn't end with virtualization. Like other institutions, Penn State is using multiple strategies to fend off threats. As part of that effort, the university is trying to expand its use of two-factor authentication as well as its use of encryption programs, Kimball says.

The school is also using data loss prevention technology, which enables IT to look for packets that contain sensitive data, such as Social Security numbers, as they fly by so workers can deal with any traffic that isn't legit. Penn State is also using scanning technology to search for sensitive data in places it shouldn't be.

Some users are resisting these measures, and that resistance sometimes crops up in surprising places, Kimball says. For example, some computer science researchers don't want encryption programs on their machines because they think such systems can hurt performance. Kimball maintains that the performance hit is minimal.

That kind of resistance isn't unusual at universities, says Ipswitch's Kenney, explaining that, when it comes to IT policies, faculty members may have sway that even senior executives in commercial corporations don't often have.

Georgia State: Focus on people, process and technology

Tammy Clark, chief information security officer at Georgia State University in Atlanta, says she has adopted a three-pronged approach: people, process and technology.

"You can't leave one of them out," she says, noting that Georgia State was one of the first higher-education institutions to adopt the ISO 27000 series of standards for information security.

Clark says the school uses the usual technologies, such as encryption software and anti-malware tools. But she adds that Georgia State started beefing up its protections two years ago, because the latest malware -- which may be carried in email phishing links, website URLs or instant messages -- can evade traditional defenses.

Specifically, GSU is focusing on improving its architecture and training its data center employees (who are on a 24/7 schedule) to monitor reports coming from the school's suite of security software and to handle first-level incident response regardless of when hackers launch their attacks.

As part of this effort, the college last year deployed a vulnerability assessment system, QualysGuard from Qualys Inc., to get an overall view of the school's IT security status. In addition, the school invested in a penetration testing platform, Core Impact Pro from Core Security Technologies, to probe for vulnerabilities.

And late last year, Georgia State installed a bot detection program that analyzes traffic and can, for example, display command-and-control activity originating in regions of the world that spawn a high level of malware, such as Russia.
