No network is impenetrable, a reality that business executives and security professionals alike must accept. The traditional perimeter-focused approach to cybersecurity has often failed to prevent intrusions, especially in an application-focused paradigm.
While prevention is crucial, timely detection of the anomalous behaviors that indicate data exfiltration is key. Continuous monitoring assumes the attackers are already inside the network. The right tools, data, and strategies are needed to interrupt the communication channels that attackers need to mount a successful breach.
Bring Your Own Device (BYOD) has become prevalent, and a sound continuous monitoring strategy that can work in this new Internet Service Provider-style network will be an essential protection strategy.
Most CISOs in the EDU world have to create an IT security model that works across 3 distinct business environments in a university: Administrative, Academic/Instructional, and Research.
The Administrative environment contains the business processes that run the actual University. These include HR, Payroll, Purchasing, PR, among others. These are the same processes that you would find in any business. They require the same cyber defense architecture. We have the same cyber and physical controls as our non-Edu counterparts.
The Academic/Instructional environment provides the Learning Management Systems (LMS), which usually contain functions such as course delivery, grading, content management, and assignment submission. This is where BYOD lives in our world. All students are required to own a computer, and they use their computer to access their course materials.
Every August, 5000-6000 new computers (an average freshman class) enter our network. Here the security model is similar to that of an ISP. We can’t control what software is installed on a privately owned machine. We can require that certain conditions be met before a machine connects to our network. My counterparts in the non-Edu world will be moving to this model in the next few years. Why? C-level executives want that convenience. Younger employees will want this convenience. It’s only a matter of time.
The Research environment is a hybrid of the Administrative and Academic/Instructional environments. Intellectual property (IP) is closely guarded and protected. Researchers need the flexibility to create devices to aid their research. The manufacturing sector is probably closest to this model. There are regulatory requirements that need to be addressed in this environment.
Our challenge is to develop a security model that encompasses the requirements of the Administrative, Academic/Instructional and Research environments. It’s a challenge but one that needs to be met.