As students and administrators seek anytime, anywhere access to the cloud, higher ed IT teams must face their fears and get to work.
The influx of tablets, smartphones and other devices on campus is a potential breeding ground for security breaches. IT staff building a BYOD environment should take the following steps to ensure security.
Take the time to develop a written policy, both to get buy-in from all departments and colleges, and to have something specific on hand before the IT department finds it necessary to cut off access to devices that are insecure or not supported. The policy should spell out which devices are supported and which are not; whether waivers are necessary for unsupported devices; which software is required, such as antivirus or encryption products; what standards of behavior are expected, such as encrypting proprietary data; and what level of support, if any, unsupported devices will receive.
Most wireless access points will let IT managers set up two types of accounts: user accounts that can access internal networks and separate guest accounts that can access only the Internet. This lets only authenticated users reach the internal network, while everyone else stays connected to the outside world. Some access points will synchronize with Microsoft Active Directory or other user databases, while others may require separate access control lists. Many access points will also let IT managers prioritize traffic, ensuring that guests streaming video won’t disrupt Voice over Internet Protocol (VoIP) or other internal traffic that is sensitive to network congestion.
Network Access Control (NAC) tools verify that devices attempting to connect to the network meet prescribed criteria. They can check for the latest version of an operating system or antivirus signature and whether the proper applications are installed. If a device is not correctly configured, the NAC tool can block access completely, or allow access only to a segregated guest network. NAC tools can also apply restrictions based on the type of device being used, letting approved smartphones or tablets connect while blocking others.
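The two preceding steps (authenticated versus guest access on the access point, and NAC posture checks) come together in a single decision: which network segment a device is placed on. The following is an added example, not code from the article or any NAC product; the device records, the minimum OS versions, the required-software list and the VLAN names are all constructed for illustration.

```python
"""Toy NAC posture check with network placement.

Added example (not from the article or any NAC vendor). Every policy value and
device record below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Where a device can land. Names are assumptions.
INTERNAL_VLAN = "vlan-internal"      # authenticated and compliant
GUEST_VLAN = "vlan-guest"            # Internet-only, as for guest accounts
QUARANTINE_VLAN = "vlan-quarantine"  # authenticated but needs remediation
BLOCKED = "blocked"                  # unsupported device type or OS

# Constructed policy values: minimum OS versions, required software, and the
# device types the written policy approves.
MIN_OS = {"ios": (16, 0), "android": (13, 0), "windows": (10, 0), "macos": (13, 0)}
REQUIRED_APPS = {"endpoint-av", "disk-encryption"}
MAX_SIGNATURE_AGE_DAYS = 7
APPROVED_TYPES = {"laptop", "smartphone", "tablet"}
TODAY = date(2024, 3, 1)  # fixed "now" so the example is deterministic


@dataclass
class Device:
    os_name: str
    os_version: tuple
    device_type: str
    installed_apps: set
    av_signature_date: date
    authenticated: bool  # passed the directory / 802.1X login on the access point


def posture_failures(dev, today=TODAY):
    """Return the reasons a device fails posture; an empty list means compliant."""
    failures = []
    if dev.device_type not in APPROVED_TYPES:
        failures.append(f"device type {dev.device_type!r} not approved")
    min_ver = MIN_OS.get(dev.os_name)
    if min_ver is None:
        failures.append(f"unsupported OS {dev.os_name!r}")
    elif dev.os_version < min_ver:
        failures.append(f"{dev.os_name} {dev.os_version} older than required {min_ver}")
    missing = REQUIRED_APPS - dev.installed_apps
    if missing:
        failures.append("missing required software: " + ", ".join(sorted(missing)))
    if (today - dev.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("antivirus signatures out of date")
    return failures


def assign_vlan(dev, today=TODAY):
    """Decide placement: (vlan, reasons). Unauthenticated users get guest access,
    remediable problems go to quarantine, unsupported hardware or OS is blocked."""
    if not dev.authenticated:
        return GUEST_VLAN, ["unauthenticated: Internet-only guest access"]
    failures = posture_failures(dev, today)
    if not failures:
        return INTERNAL_VLAN, []
    if any("not approved" in f or "unsupported OS" in f for f in failures):
        return BLOCKED, failures
    return QUARANTINE_VLAN, failures


# Constructed sample inventory, keyed by a label rather than a real identifier.
SAMPLE_DEVICES = {
    "compliant-phone": Device("ios", (17, 2), "smartphone",
                              {"endpoint-av", "disk-encryption"}, date(2024, 2, 28), True),
    "stale-laptop": Device("windows", (11, 0), "laptop",
                           {"endpoint-av"}, date(2024, 1, 1), True),
    "visitor-phone": Device("android", (14, 0), "smartphone",
                            set(), date(2024, 2, 28), False),
    "unknown-box": Device("linux", (5, 0), "smart-tv",
                          set(), date(2024, 2, 28), True),
}


def evaluate_all(today=TODAY):
    """Run placement over the sample inventory; returns {label: (vlan, reasons)}."""
    return {label: assign_vlan(dev, today) for label, dev in SAMPLE_DEVICES.items()}


if __name__ == "__main__":
    for label, (vlan, reasons) in evaluate_all().items():
        print(f"{label:16} -> {vlan}" + (f"  ({'; '.join(reasons)})" if reasons else ""))
```

The reasons list is what the quarantine portal would show the user (update Windows, install the encryption agent), while the block decision for the unknown device type is the point at which the written policy from the first step earns its keep: the NAC tool can only block what the policy has already declared unsupported.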
In addition to login passwords, consider internal firewalls to make sure that departments or data that need protection reside behind additional security. With the right equipment, even unauthorized devices that connect to the main network can’t scan for devices or servers to attack on a protected network. For example, the accounting department can run on a separate network from which staff can reach the Internet and other parts of the regular network, but users outside it won’t be able to see the clients or servers in the critical department.
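The segmentation described above is easiest to reason about as an ordered rule set between zones. The block below is an added example, not code from the article or any firewall vendor; the address ranges, zone names and rules are constructed. It models the initiating direction of a connection (a stateful firewall passes the replies), so accounting can reach the campus network while campus hosts cannot reach accounting.

```python
"""Internal-firewall segmentation policy, evaluated per connection attempt.

Added example (not from the article). Zones, addresses and rules are constructed.
"""
import ipaddress

# Constructed zones: guest Wi-Fi, the general campus network, and the protected
# accounting segment that sits behind its own internal firewall.
ZONES = {
    "guest": ipaddress.ip_network("10.200.0.0/16"),
    "campus": ipaddress.ip_network("10.10.0.0/16"),
    "accounting": ipaddress.ip_network("10.50.0.0/24"),
}
INTERNET = "internet"   # pseudo-zone for any globally routable destination

# Ordered, first-match rules: (src_zone, dst_zone, dst_port or None for any, action).
# Anything that matches no rule falls through to DEFAULT_ACTION.
RULES = [
    ("accounting", "accounting", None, "allow"),
    ("accounting", "campus", None, "allow"),   # accounting staff use the regular network
    ("accounting", INTERNET, None, "allow"),
    ("campus", "accounting", None, "deny"),    # nothing on campus may initiate to accounting
    ("campus", "campus", None, "allow"),
    ("campus", INTERNET, None, "allow"),
    ("guest", INTERNET, None, "allow"),        # guests are Internet-only
]
DEFAULT_ACTION = "deny"


def zone_of(ip):
    """Map an address to its zone; public addresses are 'internet', anything else is unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return INTERNET if addr.is_global else "unknown"


def decide(src_ip, dst_ip, dst_port):
    """Return 'allow' or 'deny' for a connection from src_ip to dst_ip:dst_port."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, rule_port, action in RULES:
        if rule_src != src:
            continue
        if rule_dst is not None and rule_dst != dst:
            continue
        if rule_port is not None and rule_port != dst_port:
            continue
        return action
    return DEFAULT_ACTION


def exposure_report(src_ip, targets, port):
    """Defender's view: which of the given hosts a device at src_ip could reach on port.

    Used to confirm that a device on the main network cannot see the accounting
    servers at all, exactly the property the internal firewall is meant to give."""
    return sorted(t for t in targets if decide(src_ip, t, port) == "allow")


if __name__ == "__main__":
    # Constructed host list: two accounting servers, one campus file server.
    servers = ["10.50.0.10", "10.50.0.11", "10.10.1.20"]
    print("campus device sees:", exposure_report("10.10.5.7", servers, 445))
    print("accounting device sees:", exposure_report("10.50.0.5", servers, 445))
    print("guest device sees:", exposure_report("10.200.3.3", servers, 445))
```

Keeping the deny rule for campus-to-accounting above the general campus allow is what makes the segment invisible; reordering those two lines would silently open it, which is a good argument for a unit test like the one an engineer would attach to this table.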
There are multiple levels of encryption, from per-file encryption to built-in database encryption that encrypts entire databases or only the fields that need additional protection, such as Social Security numbers. Whole-disk encryption keeps entire systems safe, even if devices are stolen. This is useful for people who log in from portable devices, or who travel with data on USB drives. On the server side, database encryption ensures that even if data is accessed from a compromised device, any data copied remains encrypted. Encryption systems are easy to use: rather than requiring a long password that must be entered before accessing the data, the password can be stored on a separate device, or associated with a fingerprint or other biometric data.