To meet their particular needs, universities and colleges take security measures that are based on letting everything enter the network unless there's a need to keep it out. That's in contrast to the typical corporate stance of keeping everything out unless there's a need to let it in. William Boni, a vice president of information security and protection at Motorola who has been looking into campus security methods, likens the academic approach to a cellular membrane.
"Firewalls are a wall and keep things out," Boni said. "But a cellular membrane allows things to pass while keeping the bad things out."
Rather than block the whole network off with a firewall, some universities create "zones of trust." A university's network would have different levels of security and required authorisation, depending on the sensitivity of the campus information. That approach could let someone see course information, but stop them from looking at student records.
"There are situations where people segregate into different zones...and there is dynamic control of the access between the zones," said David Ladd, senior program manager at Microsoft's External Research Programs for Trustworthy Computing. "This is more an advancement in policy than a technological advance."
Trust zones call for good authentication, and the security of passwords and identifiers is being looked at closely by some bodies.
Caltech has stopped using social security numbers as unique identifiers, Bevier said. In addition, a number of universities are testing out federation, in which authenticated users at one school can use their ID or password to access libraries, computer labs or other systems at another school belonging to the group, said Rodney Petersen, the security task force product coordinator at Educause, a nonprofit organisation that focuses on IT in higher education. In Maryland, for example, a student can have access to online resource information from any of the 13 state university libraries through the use of a bar code, he noted.
Institutions are also taking steps to separate their residential and campus networks. The measure was originally introduced to free up bandwidth on campus networks, but it's since been found to also improve security, Petersen said.
Another approach is to quarantine all PCs until they've been checked out. The Massachusetts Institute of Technology has 50,000 computers on the network that have no firewalls. Like many universities, it places all computers in isolation when they first try to log on to its system, said Jeff Schiller, MIT's network manager. The machines are automatically scanned for the appropriate security updates on the machines, and once cleared, are able to get on to the network.
A number of institutions used to report spending US$100,000 to US$200,000 to troubleshoot IT security issues at the start of the school year, but the cost has fallen by more than half since the quarantine technique has been put into play, Educause's Petersen said.
Without firewalls in place, MIT has to focus on taking care of security at the application and host level, Schiller said. Passwords and administrative information on its network are always encrypted, and the openness of the system is taken into account during the university's in-house software development.
"When we develop applications, we assume the network cannot be trusted. With a corporation, they assume it can," Schiller said.
4%
1%
