Laying the groundwork for a campuswide IT security service

Monday, November 15, 2010

Rhonda Thompson and Phil Barak

Colleges and departments at UW-Madison are courting disaster. While everyone - users, administrators, and information technology (IT) staff - recognizes the importance of computer security, the priority usually is shifted elsewhere, due to budget and staffing concerns. That leaves gaping security vulnerabilities that mischief makers and professional hackers are eager to exploit.

To close those gaps, the College of Agricultural and Life Sciences (CALS) and the School of Veterinary Medicine (SVM) are partnering with the Office of Campus Information Security (OCIS) in a pilot test of a campuswide security service. The two-year pilot, funded by OCIS, will deploy firewalls, the latest versions of antivirus defenses, and other measures in the two colleges to ensure the security of their networks and data. The pilot, which began in June, will test the procedures for implementing security measures on a broad scale and assess their costs and benefits. It will lay the groundwork for a coordinated, flexible security service that will benefit the campus.

How colleges and departments can stay secure

UW colleges and departments can play a key role in safeguarding campus computing:

  • Encourage safe computing among staff.
  • Implement safeguards such as departmental firewalls.
  • Find it. Delete it. Protect it. Remind staff to run the free Identity Finder software to locate data on their computers that might be restricted or sensitive and then delete or encrypt it.
  • Deploy a centralized update server to automatically propagate critical software updates to departmental computers.
  • Be aware of campus resources for ensuring security. Know the campus's security principles, standards, practices and policies.

"A few places on campus are pretty secure, but any college or department with decentralized IT is probably not secure," says Phil Barak, a professor in Soil Science and Interim Director of Information Technology at CALS. "For example, OCIS told us that firewalls on anywhere from a third to two-thirds of the computers on campus are not implemented."

Until recently, CALS was no exception. When Barak assumed his IT post in March, he found that at least five academic departments and four administrative units in the college had not deployed network firewalls to protect the computers and servers of their building networks. That security gap existed even though fees paid by CALS and other colleges for use of the campus's 21st Century Network included firewall protection.

"One thing we learned from the security breach in the Chemistry Department last year was that education alone is not sufficient," says Barak. "We need technical solutions and help to implement them. OCIS is active now in accomplishing that."

"The pilot is a collaboration with OCIS and DoIT," says Rhonda Thompson, Director of Computer Services in SVM. "The benefits go both ways - DoIT develops a campus service that we and others benefit from, and we provide feedback that DoIT can use to improve and enhance it. The pilot will help us automate and improve security management here."

"At Veterinary Medicine, we were in pretty good shape, but we want to move to an even better level of security," says Thompson, who assumed her role at SVM this spring. "Our IT staff has our environment locked down fairly well; we have already deployed network firewalls and antivirus protection, for example, and are running Windows Software Update Service. We're now upgrading to the latest version of Symantec Endpoint Protection (hosted by DoIT) in both the school and hospital. In the near future, we will deploy Secunia CSI for patch management and implement firewalls on the desktop. We also expect to offer Identity Finder [which locates sensitive data stored on computers and either deletes or encrypts it] to our users on a voluntary basis. Putting these things in place will help us plug any remaining security holes and help us manage our limited IT resources more efficiently. These are all benefits for us."

"Our overworked IT staff are looking at this as a good thing," Thompson adds. "It is a lot of work up front, but the payoff will be there."

At CALS, it was a question of priorities. After becoming interim IT director, Barak worked with college administration to make security a major focus. "We made space for our IT staff to do their work," Barak says. "We created a team from across the college to walk people through the process of implementing network firewalls. We chose the right personalities for the job."

In mid-October, CALS deployed the last of its nine missing firewalls. In addition, a quick sweep with Identity Finder on a subset of CALS computers revealed hundreds of Social Security numbers, most dating from five to ten years ago, stored on dozens of machines. The data was immediately purged. "We have had very quick success here," says Barak.

"The technical piece involves two basic questions," Barak explains. "One, what do people think they need? And, two, what do they need? OCIS actually asked us what they could do for us. I can't tell you how refreshing that is. They are helping us with the actual implementation of technical solutions."

In addition to deploying firewalls, CALS is moving to Symantec Endpoint Protection v.11 with console management as its antivirus/anti-malware solution. This newer version, which enables local IT staff to track antivirus installations, is being rolled out to the first 300 computers in the college. It runs on a special server that might be too costly for many departments for this sole purpose, but the pilot is paying for the server now. Results of the test will help determine funding strategies later.

"We'll be able to determine the cost of security," says Barak. "Maybe the campus will pay for it, like other shared services. Or maybe the college will fund it. We'll know more after the pilot, but the rollout for the third or the fifth or the tenth deployment to schools and colleges across campus will be cheaper. There are economies of scale we must use."

"The message from OCIS is that departments must meet UW standards of protection, and OCIS will help them," Barak says. "I think we can bring down the barriers to have security in place."

"The pilot should give us valuable experience with deploying a range of security tools on a broad scale," says Jim Lowe, who heads OCIS. "We'll gather the metrics we need to determine the cost of a campuswide service. From there, the campus can decide how to proceed."