College Gives BYOD Users Secure Network Access

By Matt Santill

Prior to joining South Florida’s Broward College as chief information security officer (CISO) in 2011, my work experience was primarily in corporate America. Our goals were always focused on bringing shareholder value by reducing risk. However, in higher education, it’s all about ensuring the success of our students, and that requires a more open IT environment.

Another difference between enterprise and education IT security is the large number of unmanaged devices connecting to an educational network. It is pretty common in other industries to limit network access to corporate-owned devices only—or to have policies in place to limit bring-your-own-device (BYOD) risks—but that’s not the case in education. Your obligation to secure information becomes much more difficult when you have little control over the endpoints connecting to the network.

Here at Broward, the smartphone revolution is upon us, making mobility and BYOD the day-to-day norm. Nearly all of our 68,000 students and our 3,000 faculty and staff access our network through their portable devices, making it difficult to determine what type of user is on the other end. Out of 20,000 devices on the network at any given time, approximately 12,000 are personally owned.

This, in itself, was a sizeable challenge. Add the fact that staff members in a college environment may have access to sensitive data—such as health records, social security numbers, credit card information and more—and the difficulty increases sharply. We restrict data access to the minimum necessary, but it gets complex for those who do have access to privileged information. We are currently meeting this challenge through technologies such as network access control (NAC).

Finding the Right NAC Solution

To maintain a secure network environment, you must be able to determine what type of users are connected to the network and what type of devices they are using—whether it is a personally owned or college-issued device, for example. This is particularly important for Broward because we don’t have control over what types of software students and staff are running on their personal machines.

Having this knowledge and visibility gives us insight into the activity on the network and the true level of security. This is the main benefit we sought when we decided to search for and implement a NAC solution. We wanted complete network visibility and control over all devices—including personally owned ones.

To determine which NAC solution we would ultimately implement, we engaged with Gartner. They recommended several vendors, and we considered and reviewed the various NAC products, including those from our wired and wireless network providers. Both, however, lacked the essential discovery and inspection functions we needed, as well as support for both our wired and wireless networks.

When we did a proof of concept with ForeScout CounterACT, we realized there was a lot to gain with this solution. First and foremost, we liked its agentless option because we didn’t want to manage agents on the thousands of devices accessing our network. We were also drawn to the immediate visibility that was provided without having to run reports.

With this appliance, we can immediately see which user is logged in on each device, giving us the instant visibility we wanted. With this information, we can establish the difference between a student connected on a personally owned device and a faculty member or regular staffer using a corporate-issued device.
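The two decisions described above, working out who the user is and whether the device is college-issued or personally owned, and then treating the combination differently, are the core of any NAC policy. The following is an added example, not code from Broward College or from ForeScout CounterACT, that shows that logic in miniature. It assumes a constructed inventory of managed device MAC addresses, a constructed user directory and a handful of constructed connection events; the policy names (`employee-full`, `student-byod` and so on) are hypothetical.

```python
"""
Added illustration of NAC-style endpoint classification (not the college's
or the vendor's code). Inputs are constructed sample data: an inventory of
college-issued devices keyed by MAC address, a directory mapping usernames
to roles, and connection events carrying a MAC plus the authenticated user.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample inventory: MACs of college-issued (managed) devices.
MANAGED_DEVICES: Dict[str, str] = {
    "00:1a:2b:3c:4d:01": "LAPTOP-FAC-0142",
    "00:1a:2b:3c:4d:02": "DESKTOP-REG-0077",
}

# Constructed sample directory: username -> role.
DIRECTORY: Dict[str, str] = {
    "jdoe": "student",
    "asmith": "faculty",
    "bjones": "staff",
}


@dataclass(frozen=True)
class Endpoint:
    mac: str
    user: Optional[str]  # None when nobody has authenticated on it yet


@dataclass(frozen=True)
class Classification:
    role: str        # student / faculty / staff / unknown
    ownership: str   # college-issued / personal
    policy: str      # hypothetical network policy name


def normalize_mac(mac: str) -> str:
    """Accept the common MAC spellings (upper case, dashes) and canonicalise."""
    return mac.strip().lower().replace("-", ":")


def decide_policy(role: str, ownership: str) -> str:
    """Map (role, ownership) to a policy. The interesting case is an employee
    on a personal device: the user may be entitled to privileged data, but
    the endpoint is unmanaged, so access is narrowed rather than granted
    in full."""
    if role == "unknown":
        return "guest-portal"          # unauthenticated: registration only
    if role == "student":
        return "student-managed" if ownership == "college-issued" else "student-byod"
    # faculty and staff
    return "employee-full" if ownership == "college-issued" else "employee-byod-restricted"


def classify(endpoint: Endpoint,
             managed: Dict[str, str] = MANAGED_DEVICES,
             directory: Dict[str, str] = DIRECTORY) -> Classification:
    """Classify one connection event by device ownership and user role."""
    mac = normalize_mac(endpoint.mac)
    ownership = "college-issued" if mac in managed else "personal"
    role = directory.get(endpoint.user or "", "unknown")
    return Classification(role, ownership, decide_policy(role, ownership))


def summarize(endpoints: Iterable[Endpoint]) -> Dict[str, int]:
    """Count connected devices by ownership, the kind of figure the article
    quotes (personally owned versus college-issued)."""
    counts = {"college-issued": 0, "personal": 0}
    for ep in endpoints:
        counts[classify(ep).ownership] += 1
    return counts


# Constructed sample connection events.
SAMPLE_EVENTS: List[Endpoint] = [
    Endpoint("00-1A-2B-3C-4D-01", "asmith"),   # faculty on a managed laptop
    Endpoint("00:1a:2b:3c:4d:02", "jdoe"),     # student on a lab desktop
    Endpoint("aa:bb:cc:dd:ee:01", "jdoe"),     # student on a personal phone
    Endpoint("aa:bb:cc:dd:ee:02", "bjones"),   # staff member on a personal tablet
    Endpoint("aa:bb:cc:dd:ee:03", None),       # not yet authenticated
]

if __name__ == "__main__":
    for ep in SAMPLE_EVENTS:
        print(ep.mac, ep.user, classify(ep))
    print(summarize(SAMPLE_EVENTS))
```

A real NAC would source the inventory from an asset system and the role from the identity provider instead of two dictionaries, but the shape of the decision is the same: identity alone is not enough, because the same privileged user on an unmanaged device gets a narrower policy than on a college-issued one.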

The system also allows us to see the open ports and processes running on the machines. We can perform a search from the CounterACT console to show any application running on our network or any process that is running on a machine—and it’s instantaneous.

Another feature we liked was Threat Protection, which is essentially an intrusion detection system. It gives us a single pane of glass to see all the vulnerabilities on our network and isolate those machines that are at risk.