Catch a clue from an EDU: Universities that get security right

In these days of consumer gadgets and mobile access, corporations can learn a lot from how universities deploy multiple layers of security.

1 2 3 4 5 Page 5
Page 5 of 5

Beyond that, Clark is in the process of deploying security information and event management (SIEM) software from ArcSight that will analyze all logs and produce reports, offering visibility into what's happening with Georgia State's hundreds of servers, thousands of workstations and 40,000 network nodes.

"We want robust and scalable and security, and this is what we need to do," Clark says, of GSU's multiple, ongoing efforts.

Baylor and others: Shift focus from device to data

At Baylor University in Waco, Texas, Jon Allen is shifting his attention from device to data.

To be sure, the school's information security officer still uses firewalls and anti-malware tools to try and keep all desktops, laptops and handheld devices safe. But he's most interested in concentrating on data itself. "We're looking at wrapping security around data," he says -- classifying data and assigning it escalating levels of security that stay with it as it travels.

"It's not [just] looking at how to secure a new device on the network," Allen explains. "I have to look at how information flows, because the most fundamental piece we need to control is the data."

Allen acknowledges that Baylor's philosophy is still evolving into an actual practice and has yet to reach its full potential. The practice, which has its roots in risk management, allows the university to identify which data carries a low occurrence/low impact risk and which should be assigned to a higher category of concern. "If it's a low occurrence but has a big impact if something happens, then it's categorized as high risk," he explains.

Baylor isn't the only higher-ed institution that uses data classification to manage risk and security. Tom Davis, the chief security officer at Indiana University, has assigned members of his team to work with high-ranking individuals from each area of the institution who have responsibility for broad swathes of data. Their goal is to determine what standards and restrictions are required for different types of data, Davis says.

Likewise, Georgia State's Clark started focusing on data back in 2008. She says her team took a year working with so-called "data stewards" in each area to study which professionals needed access to what data and how much protection should be assigned to safeguard that data.

"We need to start thinking differently about what other things we can do to protect our data," Allen says. "For a long time, we were putting out fires, but what would be better is to find the combustible before it even starts to smolder."

That's a philosophy that applies not just to data classification but to universities' security efforts in general -- to stay out in front of the ever-changing landscape of threats.

"The people leading the way understand that it's not a single product" that will make their myriad systems secure, says Michael Maloof, CTO at TriGeo Network Security, a Post Falls, Idaho-based security software firm that counts institutions of higher education among its clients. "There's no one thing, no silver bullet. It's a layer of things, and it's an ongoing process."

Pratt is a Computerworld contributing writer in Waltham, Mass. You can contact her at

Copyright © 2011 IDG Communications, Inc.

1 2 3 4 5 Page 5
Page 5 of 5
Shop Tech Products at Amazon