Addressing the seemingly oxymoron that university campuses are meant to be open and not feel guarded so that students can build their own culture as they grow educationally while being safe and secure, a recent panel discussion at the SANS Security Leadership Summit in Boston, “Lessons Learned from Higher Education,” was conducted and panelists actually agreed that this is possible.

Panelists included:

• Larry Wilson, CISO, UMass, moderator;
• David Escalante, director of computer policy and security, Boston College; and
• David Sherry, CISO, Brown University.

Panelists recognized that it is impossible to assume that everything on a university campus will be completely protected, but that shouldn’t stop universities from using security technologies to help ensure safety, especially security tools that are automated. The goal is not to be looked at as dictators over employees or students.

Challenge #1: A university campus is like a small city with:

• Housing – residence halls;
• Entertainment – sporting events; drama productions; socials; etc.
• Food – dining hall and restaurants;
• Healthcare – on-campus clinics;
• Money – student loans; and
• Diverse population – faculty, staff, students, donors, boosters, athletic support groups, applicants, parents, alumni, etc.

To protect these many elements on a university campus, priorities must be established and focus directed at a limited number of vulnerabilities.

Tips from the Panelists

1. Firewall off the data center from the campus network to help prevent hackers from accessing personal data.
2. Enable students by giving them what they need, but convince them to do it securely.
3. Personalize all security messages. If something bad happened to another student because he didn’t lock the door to his dorm room, for example, use this to educate other dorm residents.

Challenge #2: Cutting through vendor fog pitches.

Wilson’s strategy is to be very picky and opt for security technologies that work specifically in academic settings.

Wilson uses “ISO for process and management and SANS for technology” at UMass to focus on protecting assets more than addressing individual threats.

What are some other tips to keep the concept of an open campus while providing adequate security measures?