BYOD security challenges are old mortarboard for universities
Businesses are only now discovering problems education has coped with for years
By John P. Mello Jr.
"Many of us in higher ed find it very funny when we see how BYOD has dominated so much of the security press lately," Mike Corn, chief privacy and security officer at the University of Illinois (UI) at Urbana-Champaign, said in an interview. "We view that with amusement because Bring Your Own Device has defined our environment almost since the beginning of personal computing."
The magnitude of BYOD at a university the size of UI would likely give a corporate security administrator fits. Not only is there a large annual turnover rate -- some 10,000 new students arrive on campus each year -- but each has an average of 3.5 personal devices in tow.
"We work in an environment where we're used to having a huge number of personally owned devices on the network," Corn said.
While most universities have had their students use their own hardware for years, a big bump in corporate BYOD occurred in 2010 when tablets began to proliferate. "When the iPad came on the market, everyone brought it to work and expected to do work on it," Gord Boyce, CEO of ForeScout Technologies, said in an interview. "Universities have always had students bring their own devices, but they have less control over those endpoints.'
One reason universities have less control over those endpoints is because a higher education network needs to be more open than a corporate network. "Because of our nature, the idea of throttling information is anathema to us," Corn said.
That can pose security problems, not only for the university but for vendors trying to address those problems. "When we bring some of these appliance vendors in and begin pumping some of our network traffic through a device, they ask us, 'Why are you pumping white noise through my device?'" Corn said.
Because of the nature of universities, the amount and variety of traffic on our network has a completely different flavor to it than a corporate network, Corn explained. "Universities are not good models to compare with corporations," he said. "We're more like municipalities."
The proliferation of devices and network traffic is challenging university security shops. "What's become necessary for them to do is to track all the digital footprints of any user of any device who authenticates on their network," said Rob Reed, worldwide education evangelist for Splunk.
The problem with that kind of tracking is that the analysis of its results isn't often performed in real time. That means security incidents won't be discovered until after they occur -- the equivalent of closing the barn door after the horses have bolted.
However, Reed noted, "If you've got 10 horses in the barn and one or two get out before you lock the gate, then it's better to keep eight by looking backwards than none by not looking back at all."
While universities may be veterans in dealing with the security demands of BYOD, a more recent challenge to their defenses has been an increase in attacks from overseas. "That's absolutely been the case over the last 18 months," Dave Jevans, chairman and CTO of Marble Security, said in an interview.
"A lot of it is coming from overseas actors who are interested in gaining access to projects that universities are working on," he observed. "There's also some speculation that some of it is to track students from foreign countries."
That activity has prodded some schools to reassess their defensive efforts. "We've been taking a closer look at our intellectual property portfolio in relation to our risk posture," UI's Corn said. "We're trying to be much more threat-agent focused. Rather that focusing on 'Are we patching appropriately?' we're looking at who is going to attack us and what are the ways they'll do that.
"My fear is that we have not paid enough attention to the professional state actors," he said. "And I'm sure we are being targeted by some of those."
Read more about data protection in CSOonline's Data Protection section.