Over the last few weeks, students across the country have descended upon universities and college campuses for the start of a new school year. The quiet days of summer are over as the halls fill with teachers, pupils, administrators, and the largest audience of all: technological devices.
IT is omnipresent in every higher education institution. It drives research projects, powers administrative systems, and it’s on every desk and in every pocket. The result is a complex, almost chaotic environment. Thousands of machines are connecting to an institution’s networks every day, using academic resources - accessing webmail, playing games, and even running experiments. If there’s something you can imagine a computer doing, it’s being done on an academic network somewhere.
However, managing these networks is a more complex challenge in an industry that is often squeezed of financial resources. In many cases campus networks are being run with equipment that’s decades old, and without significant IT management support. Updating this infrastructure to cope with the demands of a modern, hyper-connected student body is essential, and those demands will only increase. Already students and staff are carrying an average of three or four devices, and the number is only expected to grow.
There’s no way for higher education to mandate hardware and software. Students will always bring their own computers and their own software, and so will many staff members. Recent attacks on academic networks illustrate that cash-strapped universities can be a problem – not only for the networks, but also for their users. Higher education institutions are easy targets due to the vast amount of personal data they store, their open campuses, their diverse, global populations, and their desirable brand names. A new 2017 survey reports that 81% of organizations in the education sector suffered two or more cyberattacks in the last 12 months. Some reported upwards of 10 attacks. It took almost half (45%) of the organizations almost a full business day (6hrs) or more to mitigate the problem. More recently, cyber terrorists targeted several universities across the country with a series of bomb threats sent to campus printers and fax machines, causing mass evacuations. The attackers took advantage of an archaic technological environment.
So why are academic networks at risk?
- They’re expensive to run. Network infrastructure is never cheap, and upgrades can also require significant building work. Monetary pressures make it easier to focus on operating costs rather than necessary capital expenditure. The result is that modern security tools and services aren’t installed, and organizations rely on integrated solutions that may not have enhanced security like more specialized hardware and software.
- Networks designed a decade or more ago don’t have the capacity required when working with the multitude of devices at scale. High connection and disconnection rates from devices roaming between wireless access points across a campus results in a heavy load on network services, allowing intrusions to be hidden in the high volume associated with “normal” operations and traffic.
- The variable demand on academic networks, between term and research time, makes it hard to plan for normal operations. Designing for one operating scenario risks degrading the other, especially as the overall demand is hard to predict from year to year.
Blocking networks and services may seem to be a quick-fix solution, limiting access in order to control bandwidth and protect network resources. But like many obvious solutions, there’s a significant downside: blanket blocks carry a real risk of false positives. After all, there’s no black hat hacker more determined than a student who can’t get to his or her Gmail account.
So what’s the answer?
The obvious solution is segregating academic and casual traffic, offering separate virtual network segments for administration, for research, for teaching, and for personal use, using access control to switch users from one network type to another, and applying appropriate security controls for each network.
Much of this can be done at a low level, using the internet’s familiar IP address system to identify and segregate devices, and using those addresses as part of a set of network access control policies. Because an address is automatically delivered to every device that connects to a network, it can serve as a key that opens access to the appropriate resources, keeping trusted and untrusted devices separate. Modern IP address management tools can automate much of the process, keeping track of devices and ensuring they’re treated appropriately as soon as they connect to a network. Tying these tools to other security features can help solve other problems, for example quarantining devices that don’t meet security standards in a network segment that only lets them download and install security patches.
Recent advances in networking technology have made managing complex networks a lot easier. Instead of expensive proprietary network hardware, open standards-based x86 systems as used by cloud providers are quick and easy to deploy, using software-defined networking techniques to deliver a network that can be reconfigured on the fly, responding to user demand, and controlling access to protected resources. Technologies developed for the public cloud are now ready for our networks and campuses, bringing the lessons of the Facebooks of this world to academia.
The same developments have improved support for many of the common protocols that underpin our networks. Improved security tooling can do much more than a firewall, protecting resources from denial of service attacks while pinpointing complex intrusions and data thefts. With new data protection regulations on the horizon, applying these protections to networks stops being optional and becomes essential.
It’s also now possible to use automation to manage those network services and protocols more effectively, taking lessons from large-scale corporate ‘bring your own device’ deployments. Businesses such as Microsoft use a simple web form with an email authentication loop to grant access to visitors and to personal devices, while others use device identification techniques to automatically segregate unapproved hardware onto partially managed network segments, sharing the same network hardware but unable to reach corporate resources. It’s a model that could work well in academia, controlling access to resources via approved devices and giving the rest of a user’s fleet of hardware access to the wider Internet.
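To make the segmentation model concrete, the following is an added example, not code from the article or from any vendor it mentions. It simulates the policy engine behind the approach described above: each connecting device is placed on one of the virtual segments (administration, research, teaching, personal, quarantine) according to who the user is, whether the hardware is registered, and whether it meets the patch baseline; the address it is handed then acts as the key that decides which resources it may reach. Unregistered hardware lands on an Internet-only segment, as in the BYOD model just described, and an unpatched machine is quarantined where it can only reach the patch server. The address plans, role names, resource names and MAC addresses are all constructed placeholders.

```python
"""Constructed example: a toy network-access-control policy engine that places
each connecting device on a virtual segment and enforces per-segment access."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Dict, Optional, Set

# Segment address plans (constructed sample values, not any real campus plan).
SEGMENTS: Dict[str, IPv4Network] = {
    "admin": ip_network("10.10.0.0/24"),
    "research": ip_network("10.20.0.0/22"),
    "teaching": ip_network("10.30.0.0/22"),
    "personal": ip_network("10.40.0.0/16"),
    "quarantine": ip_network("10.99.0.0/24"),
}

# Named resources reachable from each segment; quarantine sees only the patch server.
RESOURCE_ACL: Dict[str, Set[str]] = {
    "admin": {"student-records", "finance", "internet", "patch"},
    "research": {"hpc-cluster", "internet", "patch"},
    "teaching": {"lms", "internet", "patch"},
    "personal": {"internet", "patch"},
    "quarantine": {"patch"},
}

# Segments an authenticated role is entitled to request (hypothetical policy).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "staff": {"admin", "research", "teaching"},
    "student": {"teaching"},
}


@dataclass
class Device:
    mac: str
    user_role: Optional[str]      # "staff", "student", or None if unauthenticated
    registered: bool              # enrolled in the device registry
    patched: bool                 # meets the minimum patch level
    requested: str = "personal"   # segment the user asked for


def assign_segment(dev: Device) -> str:
    """Decide the segment for a device. Posture is checked first so that an
    out-of-date machine is quarantined regardless of who owns it."""
    if not dev.patched:
        return "quarantine"
    if not dev.registered or dev.user_role is None:
        return "personal"          # unapproved hardware: Internet only
    if dev.requested in ROLE_ENTITLEMENTS.get(dev.user_role, set()):
        return dev.requested
    return "personal"              # authenticated but not entitled to that segment


class AddressManager:
    """Minimal IPAM: hands out the next free address in the chosen segment and
    remembers which segment each lease belongs to."""

    def __init__(self) -> None:
        self._pools = {name: net.hosts() for name, net in SEGMENTS.items()}
        self._leases: Dict[IPv4Address, str] = {}

    def connect(self, dev: Device) -> IPv4Address:
        seg = assign_segment(dev)
        try:
            addr = next(self._pools[seg])
        except StopIteration:
            raise RuntimeError(f"segment {seg} has no free addresses") from None
        self._leases[addr] = seg
        return addr

    def segment_of(self, addr: IPv4Address) -> Optional[str]:
        seg = self._leases.get(addr)
        if seg is not None:
            return seg
        # Fall back to the address plan for addresses we did not lease ourselves.
        for name, net in SEGMENTS.items():
            if addr in net:
                return name
        return None

    def authorize(self, addr: IPv4Address, resource: str) -> bool:
        """Enforce the per-segment ACL: the source address is the key."""
        seg = self.segment_of(addr)
        return seg is not None and resource in RESOURCE_ACL[seg]


def demo() -> Dict[str, tuple]:
    """Three constructed devices: a patched staff laptop asking for the research
    segment, an unpatched staff machine asking for admin, and an unregistered
    student phone asking for teaching."""
    ipam = AddressManager()
    lab = ipam.connect(Device("aa:bb:cc:00:00:01", "staff", True, True, "research"))
    stale = ipam.connect(Device("aa:bb:cc:00:00:02", "staff", True, False, "admin"))
    phone = ipam.connect(Device("aa:bb:cc:00:00:03", "student", False, True, "teaching"))
    return {
        "lab": (str(lab), ipam.authorize(lab, "hpc-cluster")),
        "stale": (str(stale), ipam.authorize(stale, "finance"), ipam.authorize(stale, "patch")),
        "phone": (str(phone), ipam.authorize(phone, "lms"), ipam.authorize(phone, "internet")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The order of checks in `assign_segment` is the design point: patch posture is evaluated before identity, so a privileged user cannot talk an unpatched machine onto the administration segment, and the quarantine ACL admits only the patch server so that the device can remediate itself and reconnect. In a real deployment the segment decision would be enforced by VLAN or SDN assignment at the access layer and the ACLs by the firewall between segments; the address-to-segment mapping here stands in for that enforcement.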
With a wide area campus network, where students and staff share resources, there’s a need to manage costs and reduce risk. It makes sense to consider how a campus network can be both designed and managed to keep resources safe, and to give as many devices access as possible without increasing costs and risks. Universities need to join the modern era by taking advantage of modern network hardware and software to deliver a dynamic, responsive, and, above all, secure network – and at a price that doesn’t break the budget.