Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Don't Risk IT: Modernize Campus Infrastructure to Address Cybersecurity

491 views

Published on

Campus Technology whitepaper on the importance of modernizing infrastructure to reduce cybersecurity risks.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Don't Risk IT: Modernize Campus Infrastructure to Address Cybersecurity

  1. 1. Don’t Risk IT: Modernize Campus Infrastructure to Address Cybersecurity Industry Perspective
  2. 2. INDUSTRY PERSPECTIVE Replacing outdated infrastructure with modern, secure technology reduces security risks by creating a trusted network at every layer. It also improves efficiency, productivity and service delivery—and can better position institutions to attract students.
  3. 3. 3DON’T RISK IT: MODERNIZE CAMPUS INFRASTRUCTURE TO ADDRESS CYBERSECURITY Don’t Risk IT: Modernize Campus Infrastructure to Address Cybersecurity Updating the campus network conveys myriad benefits— including security, capacity and status. Aging network infrastructures are common in higher education, where refresh cycles often focus on the more visible components of the network. As major security breaches at colleges and universities continue, institutions are realizing they’re taking unnecessary risks by operating network equipment beyond the end of its supported life. Replacing outdated infrastructure with modern, secure technology reduces security risks by creating a trusted network at every layer. It also improves efficiency, productivity and service delivery—and can better position institutions to attract students. A recent Cisco security report found many organizations “relying on network infrastructures built of components that are old, outdated, and running vulnerable operating systems—and are not cyber-resilient.” To generate greater awareness and help IT leaders in higher education address these issues, Campus Technology and Cisco have partnered for this Industry Perspective about modernizing the higher education network. For this report, Campus Technology interviewed Stephen Orr, an eighteen-year Cisco veteran who is a Distinguished Systems Engineer for Cisco’s U.S. Public Sector Theater, on the need for modernizing infrastructure in higher education. The Digital Transformation Technology and mobile devices are everywhere on college campuses these days. Today’s students expect fast, pervasive wireless connections as good as if not better than their home networks. Students bring all sorts of devices with them to campus and fully expect seamless network connections. At the same time, the cyberthreat landscape is continuously evolving. Serious attacks have spread to higher education, and threats are becoming more complex and sophisticated. A network breach today is no longer merely an inconvenience. It can derail operations; disrupt the lives of students, faculty and staff; and undermine trust in your institution. Although the digital transformation has expanded the online attack surface, it can also provide improved cybersecurity. Technology is also evolving at a rapid pace to counter new and evolving cyberthreats. A security-driven network refresh to replace outdated equipment can help eliminate vulnerabilities, mitigate risks and allow higher education institutions to take advantage of the efficiencies of new technology to attract new students. Risks and Consequences Hardware and software developers have built on decades of experience to support new capabilities, provide smarter infrastructures and leverage new technologies like the Internet of Things. The goal remains to provide for securely creating, collecting, delivering and using data on a large scale and at high speed. While there are new features and equipment being added, however, the old ones don’t disappear. E-mail and web applications are no longer considered cutting edge, but every day, students and faculty rely on them. The availability of these applications and the networks that support them remain critical to the campus network infrastructure. The legacy infrastructure supporting these functions has been resilient and often demands little attention; but with complacency comes risk. As equipment becomes outdated and reaches its end of supported life, it becomes less efficient, less productive and less secure. Simply put, legacy systems were not designed to withstand the threats of today’s online adversaries. During their supported life, vendors routinely issued security patches and updates to protect those systems against evolving threats. Once they are no longer supported, obsolete platforms are unable to meet current cybersecurity requirements. Outdated infrastructure doesn’t support modern applications and innovation, and lacks the resiliency to survive today’s threat environment. Modern cybersecurity is about risk management. This requires eliminating and mitigating risks wherever possible, and knowingly accepting those that remain. You can’t manage risks that you can’t see, however, and you can’t trust an outdated network to send you correct information. “If you don’t have a trusted infrastructure, you can’t trust the information you’re getting from your equipment,” says Stephen Orr. “You’ve got to trust the hardware, and you’ve got to trust the software that’s running on it. If a device has been tampered with, you can be getting incorrect telemetry. That’s a huge threat vector.”
  4. 4. 4 INDUSTRY PERSPECTIVE Reframe the Legacy Mindset Legacy systems often represent significant capital expenditures that support mission-critical operations. Appropriations for timely upgrades can be difficult when budgets are tight. There’s often reluctance to tamper with critical systems as long as they’re working. “Aging network infrastructures increase security risks in several ways,” says Orr. Besides hardware that has moved beyond end- of-life support from its vendor, the use of gray market equipment in higher education is also a risk. Institutions seeking to save expenses on infrastructure upgrades may purchase third-party equipment that matches their legacy infrastructure. Doing that, says Orr, means “injecting an unknown entity into the network that might have been modified in some way unknown to the buyer … The equipment could be modified or the software could be modified, maliciously or otherwise. It’s a buyer-beware situation, because you don’t know what you are getting.” Security-Driven IT Modernization IT leaders at colleges and universities face additional challenges in creating safe, secure networks, says Orr, who is himself a former higher education IT architect. “Within higher ed, you have that constant balancing act of providing an open and free educational environment in which students are able to browse the Internet in a non-restrictive manner.” At the same time, he says, most higher education institutions are also a business with other interests, such as research and other academic interests. Those typically run on the same network. Institutions must protect those interests from potential threats. Also, most universities are bound by basic federal security regulations and requirements regarding student social security numbers, health records, and credit card information. Given the risk of operating an aging, end-of-life or gray market infrastructure and the advantages offered by new and trustworthy platforms designed with security in mind, there’s no reason to risk your institution’s critical data on legacy equipment. Cisco has been innovating networking products for more than 30 years and has a large installed base in networks around the globe. As networks threats have evolved, Cisco responded with a Secure Development Lifecycle to ensure security is built into the underlying architecture of solutions and embedded throughout the enterprise. Ensuring this security and helping institutions build a trusted infrastructure from end-to-end is a continuous process. As new products are developed and existing products are updated, security is embedded into every platform. The solution is creating a trusted end-to-end infrastructure on campus, says Orr, in which each piece of equipment is trustworthy and deliberately added. This helps ensure nothing has been tampered with or altered. To keep all its platforms secure, Cisco keeps them up-to-date as part of its Secure Development Lifecycle program. First Things First Networks are not simple. Not all elements are the same age or have the same requirements, and not all assets are equal. A security-driven network refresh requires an understanding of where your network is right now and where you want it to be. This requires planning. Setting security policies—determining and defining what security means for your institution, and how it will be implemented—is a critical first step. “Everybody talks about security, but it’s a very amorphous word,” says Orr. Start by defining the basics, he suggests. Ask, “What are you trying to secure? What are you trying to protect the network from? What are the different threat vectors? And finally, how will the security policy be implemented once it is established?” Then build on that awareness to make risk-based decisions about what to do and when to do it. Orr outlines eight essential steps, including: 1 Use Network Telemetry: As part of an overall security strategy to address inside attacks, says Orr, “one of the most underutilized tools within the network is network telemetry.” Very few institutions turn on telemetry tools such as Cisco NetFlow to understand what normal day-to-day traffic looks like and immediately spot anomalies. “With telemetry, you get visibility into what’s going on in your network,” Orr said. With NetFlow, Cisco builds telemetry into its routers and switches, which provides a baseline of network activity.
  5. 5. 5DON’T RISK IT: MODERNIZE CAMPUS INFRASTRUCTURE TO ADDRESS CYBERSECURITY 2 Patch and upgrade: This is just basic good cybersecurity hygiene. 3 Harden the infrastructure: Apply best practices and good security policy. Replace default settings to ensure services and access are appropriately limited, and then monitor configurations. Make sure any new equipment can perform Image Signing and Secure Boot, utilize a Secure Device Identity and provide Runtime Defenses 4 Identify equipment approaching end of supported life: Products that aren’t patched and updated by their vendors create vulnerabilities in the network. 5 Combat malware with network-enforced policies: “If you have a maliciously acting endpoint, you don’t want to wait until the client’s trying to get out of the network to block it,” says Orr. Instead, track and stop the attack as close to the client as possible. Prevent it from being injected into the network. “The only way you can do that is by utilizing the network as an enforcement point,” he says. 6 Create a trusted platform: When you’re ready for a network refresh, select devices with secure unique device identifiers, such as Cisco Secure Boot, which can handle a secure boot and image sign-in. That says the software and hardware is valid and that nothing has been tampered with. “Then you know that it is a truly trustworthy device,” says Orr, “and you can build that chain of trust throughout the entire enterprise.” 7 Segment the network: This is critical to accommodate the influx of consumer devices students bring to campus, especially residential halls. Since those devices typically have a lower level of security than enterprise devices, create a parallel network with a common physical infrastructure, says Orr, but a separate wireless SSID and separate virtual network infrastructure. That keeps the traffic separate and logically different, thereby avoiding mixing potentially unsecured and secure traffic. 8 Consider the broader threat: The bring-your-own-device, or BYOD, movement generally adds to the threat landscape. “With myriad devices on the network, segmented or not, you need to make sure those devices are valid, that they belong to who they say they belong to, and that they have been appropriately patched to be on that network,” says Orr. That comes back to security policy. “You need strong policies on what is going to be allowed on campus networks.” The Network as a Recruiting Tool Higher education IT leaders have one major advantage in making the case for upgrading network infrastructure—it can be a selling point for attracting students. “The next generation students aren’t To combat malware, taking a complete view of the network is essential. This is far more effective than trying to block a threat at any one place. “Today’s threat vectors are changing,” says Orr. “Threats now can come from within the network.” In simpler times, securing the network meant putting a firewall at the edge to block unauthorized outside access and setting policies that didn’t allow outside devices into the network. The era of BYOD and consumer devices clearly complicates that approach. Ransomware is one example of the kinds of new and rapidly growing threats facing higher education. At its most basic, ransomware enters the network via an email enticing a student or other user to visit a malicious website or to share information they shouldn’t. Once ransomware is on the network, says Orr, it’s very difficult to eliminate. The key is to block it in advance using strong Internet and e-mail security tools. For example, Cisco’s Open DNS checks the DNS resolution of web sites and blocks access to known malicious sites. Combating malware also means looking for problematic endpoints. In a BYOD environment, says Orr, “You want to know what type of device it is, who owns it, who is logged into it, what network they are on and what attributes they are allowed to access.” Security needs to be built at the front of the network, at the Internet edge, and all the way to the access layer. “Security needs to be pervasive,” says Orr. “It’s no longer a layer of the network. It’s a foundational and fundamental component of every device in the network.” Take a Holistic Approach
  6. 6. 6 INDUSTRY PERSPECTIVE going to want to live in a dorm or even go to a campus,” says Orr, “where network capabilities are less than what they’re used to on their home networks or from their cable provider.” Universities are already using their network capabilities, speed and reach as a selling point toward research and development and other fields. “Whether it’s Public, Private or Community Colleges,” says Orr, “the network is a recruiting tool. Institutions are using the capabilities, the speed, and network programmability as ways to attract talent.” Too many network acquisitions are based on price alone, says Orr, as opposed to how network infrastructure capability can carry the institution forward for the next three to five years. Refreshing the network should always be about looking ahead, he says, keeping in mind the capabilities points of an up-to-date network. Move from Reactive to Proactive Cisco partners with higher education institutions to help them understand the current status of their network, decide where they need to be, and chart a path to get there. Consultants can help lay out a roadmap for a security-driven IT modernization that takes full advantage of modern, trustworthy platforms. Cisco consultants can also help institutions meet and remain in compliance with applicable regulatory requirements for cybersecurity. Experts can match security capabilities of modern platforms with best practices and government regulation to ensure updated networks are not only compliant, but truly secure. “It’s about moving from being reactive to proactive,” says Orr. That includes creating a trusted network from the ground up, instituting strong security policies, segmenting the network to deal with student devices, and using network telemetry and other tools to monitor threats. It’s all part of creating a proactive approach to higher education network security. Don’t Risk a Security Breach. Don’t Risk IT. Are you entrusting your organization’s crucial data to aging, end-of-life infrastructure? Don’t Risk IT! Cisco security-driven network offerings are built from concept to completion to include built-in security to protect sensitive data. Learn more at http://demand.cisco.com/securehighered Campus Technology is one of higher education’s top information sources, with distribution across a website, monthly digital magazine, newsletters, webcasts and online tools. It’s the go-to resource for campus professionals, providing in-depth coverage on the technologies and implementations influencing colleges and universities across the nation. Content includes valuable hands-on articles, best practices, industry trends, expert advice and insightful articles to help administrators, campus executives, technologists and educators plan, develop and successfully launch effective IT initiatives. About Cisco About Campus Technology

×