Don't Risk IT: Modernize Campus Infrastructure to Address Cybersecurity
Updating the campus network conveys myriad benefits—
including security, capacity and status.
Aging network infrastructures are common in higher education,
where refresh cycles often focus on the more visible components
of the network. As major security breaches at colleges and
universities continue, institutions are realizing they’re taking
unnecessary risks by operating network equipment beyond the
end of its supported life.
Replacing outdated infrastructure with modern, secure technology
reduces security risks by creating a trusted network at every layer.
It also improves efficiency, productivity and service delivery—and
can better position institutions to attract students. A recent Cisco
security report found many organizations “relying on network
infrastructures built of components that are old, outdated, and
running vulnerable operating systems—and are not cyber-resilient.”
To generate greater awareness and help IT leaders in higher
education address these issues, Campus Technology and Cisco
have partnered for this Industry Perspective about modernizing
the higher education network. For this report, Campus Technology
interviewed Stephen Orr, an eighteen-year Cisco veteran who is
a Distinguished Systems Engineer for Cisco's U.S. Public Sector
Theater, on the need for modernizing infrastructure in higher
education.
The Digital Transformation
Technology and mobile devices are everywhere on college
campuses these days. Today’s students expect fast, pervasive
wireless connections as good as if not better than their home
networks. Students bring all sorts of devices with them to campus
and fully expect seamless network connections.
At the same time, the cyberthreat landscape is continuously
evolving. Serious attacks have spread to higher education, and
threats are becoming more complex and sophisticated. A network
breach today is no longer merely an inconvenience. It can derail
operations; disrupt the lives of students, faculty and staff; and
undermine trust in your institution.
Although the digital transformation has expanded the attack
surface, it also brings better defenses: technology is evolving
rapidly to counter new and evolving cyberthreats. A security-driven
network refresh that replaces outdated equipment can eliminate known
vulnerabilities, mitigate risks and allow higher education
institutions to take advantage of the efficiencies of new technology
to attract new students.
Risks and Consequences
Hardware and software developers have built on decades
of experience to support new capabilities, provide smarter
infrastructures and leverage new technologies like the Internet of
Things. The goal remains to provide for securely creating, collecting,
delivering and using data on a large scale and at high speed.
While there are new features and equipment being added,
however, the old ones don’t disappear. E-mail and web
applications are no longer considered cutting edge, but every
day, students and faculty rely on them. The availability of these
applications and the networks that support them remain critical to
the campus network infrastructure.
The legacy infrastructure supporting these functions has been
resilient and often demands little attention; but with complacency
comes risk. As equipment becomes outdated and reaches its end
of supported life, it becomes less efficient, less productive and
Simply put, legacy systems were not designed to withstand the
threats of today’s online adversaries. During their supported
life, vendors routinely issued security patches and updates to
protect those systems against evolving threats. Once they are no
longer supported, obsolete platforms are unable to meet current
cybersecurity requirements. Outdated infrastructure doesn’t
support modern applications and innovation, and lacks the
resiliency to survive today’s threat environment.
Modern cybersecurity is about risk management. This requires
eliminating and mitigating risks wherever possible, and knowingly
accepting those that remain. You can’t manage risks that you can’t
see, however, and you can’t trust an outdated network to send
you correct information.
“If you don’t have a trusted infrastructure, you can’t trust the
information you’re getting from your equipment,” says Stephen
Orr. “You’ve got to trust the hardware, and you’ve got to trust the
software that’s running on it. If a device has been tampered with,
you can be getting incorrect telemetry. That’s a huge threat vector.”
Reframe the Legacy Mindset
Legacy systems often represent significant capital expenditures
that support mission-critical operations. Appropriations for timely
upgrades can be difficult when budgets are tight. There’s often
reluctance to tamper with critical systems as long as they’re working.
“Aging network infrastructures increase security risks in several
ways,” says Orr. Besides hardware that has moved beyond end-
of-life support from its vendor, the use of gray market equipment
in higher education is also a risk. Institutions seeking to save
expenses on infrastructure upgrades may purchase third-party
equipment that matches their legacy infrastructure.
Doing that, says Orr, means “injecting an unknown entity into the
network that might have been modified in some way unknown
to the buyer … The equipment could be modified or the software
could be modified, maliciously or otherwise. It’s a buyer-beware
situation, because you don’t know what you are getting.”
Security-Driven IT Modernization
IT leaders at colleges and universities face additional challenges
in creating safe, secure networks, says Orr, who is himself a
former higher education IT architect. “Within higher ed, you
have that constant balancing act of providing an open and free
educational environment in which students are able to browse the
Internet in a non-restrictive manner.”
At the same time, he says, most higher education institutions are
also a business with other interests, such as research and other
academic interests. Those typically run on the same network.
Institutions must protect those interests from potential threats.
Also, most universities are bound by basic federal security
regulations and requirements regarding student social security
numbers, health records, and credit card information.
Given the risk of operating an aging, end-of-life or gray market
infrastructure and the advantages offered by new and trustworthy
platforms designed with security in mind, there’s no reason to
risk your institution’s critical data on legacy equipment. Cisco has
been innovating networking products for more than 30 years
and has a large installed base in networks around the globe.
As network threats have evolved, Cisco responded with a
Secure Development Lifecycle to ensure security is built into the
underlying architecture of solutions and embedded throughout
Ensuring this security and helping institutions build a trusted
infrastructure from end-to-end is a continuous process. As new
products are developed and existing products are updated,
security is embedded into every platform.
The solution is creating a trusted end-to-end infrastructure on
campus, says Orr, in which each piece of equipment is trustworthy
and deliberately added. This helps ensure nothing has been
tampered with or altered. To keep all its platforms secure, Cisco
keeps them up-to-date as part of its Secure Development Lifecycle.
First Things First
Networks are not simple. Not all elements are the same age or have
the same requirements, and not all assets are equal. A security-driven
network refresh requires an understanding of where your network is
right now and where you want it to be. This requires planning.
Setting security policies—determining and defining what security
means for your institution, and how it will be implemented—is a
critical first step. “Everybody talks about security, but it’s a very
amorphous word,” says Orr.
Start by defining the basics, he suggests. Ask, “What are you
trying to secure? What are you trying to protect the network from?
What are the different threat vectors? And finally, how will the
security policy be implemented once it is established?” Then build
on that awareness to make risk-based decisions about what to do
and when to do it. Orr outlines eight essential steps:
1. Use network telemetry: As part of an overall security
strategy to address inside attacks, says Orr, "one of the most
underutilized tools within the network is network telemetry."
Very few institutions turn on telemetry tools such as Cisco
NetFlow to learn what normal day-to-day traffic looks like, so
that anomalies stand out immediately. "With telemetry, you get
visibility into what's going on in your network," Orr said. Cisco
builds NetFlow telemetry into its routers and switches, which
provides a baseline of network activity against which unusual
traffic can be measured.
2. Patch and upgrade: This is simply basic, good cybersecurity.
3. Harden the infrastructure: Apply best practices and sound
security policy. Replace default settings so that services
and access are limited to what is actually needed, and then
monitor configurations for drift. Make sure any new equipment
supports image signing and secure boot, carries a secure device
identity and provides runtime defenses.
4. Identify equipment approaching end of supported life:
Products that are no longer patched and updated by their vendors
create vulnerabilities in the network.
5. Combat malware with network-enforced policies: "If you
have a maliciously acting endpoint, you don't want to wait until
the client's trying to get out of the network to block it," says
Orr. Instead, track and stop the attack as close to the client
as possible, and prevent it from being injected into the network.
"The only way you can do that is by utilizing the network as an
enforcement point," he says.
6. Create a trusted platform: When you're ready for a network
refresh, select devices that combine a secure unique device
identifier with secure boot and image signing, so the platform
can show that its hardware and software are genuine and that
nothing has been tampered with. "Then you know that it is a
truly trustworthy device," says Orr, "and you can build that
chain of trust throughout the entire enterprise."
7. Segment the network: This is critical to accommodate the
influx of consumer devices students bring to campus, especially
in residential halls. Since those devices typically have a lower
level of security than enterprise devices, create a parallel
network on a common physical infrastructure, says Orr, but with
a separate wireless SSID and a separate virtual network
infrastructure. That keeps the traffic separate and logically
distinct, so potentially unsecured and secure traffic never mix.
8. Consider the broader threat: The bring-your-own-device,
or BYOD, movement generally adds to the threat landscape.
"With myriad devices on the network, segmented or not, you
need to make sure those devices are valid, that they belong
to who they say they belong to, and that they have been
appropriately patched to be on that network," says Orr. That
comes back to security policy. "You need strong policies on
what is going to be allowed on campus networks."
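The telemetry step above is the one most often left switched off, so here is the shape of the check it enables, as an added example that is not code from the report or from Cisco. It assumes flow records in the field order a NetFlow v5 collector would export to CSV (timestamp, source, destination, protocol, ports, packets, bytes) and that the campus uses 10.20.0.0/16 internally; both are assumptions, and every flow below is constructed rather than captured. A per-host hourly egress baseline is built from a training period, then an observation period is scored for two of the behaviours a baseline exposes: an egress volume far outside a host's own history, and a single source touching many ports on one destination.

```python
"""Baseline normal egress from NetFlow-style records and flag anomalies.

Added example, not code from the report or from Cisco. Assumes NetFlow v5
style records (ts,src,dst,proto,sport,dport,packets,bytes) and an internal
range of 10.20.0.0/16; all flow records here are constructed, not captured.
"""
import ipaddress
import random
import statistics
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

WINDOW = 3600                                      # one-hour buckets per source host
CAMPUS_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed internal address range
Z_THRESHOLD = 4.0    # hourly egress more than 4 stdev above the host's own mean
SCAN_PORTS = 100     # distinct dst ports from one src to one dst in a window


class Flow(NamedTuple):
    ts: int
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    nbytes: int


def parse_csv_line(line: str) -> Flow:
    """Parse one exported line: ts,src,dst,proto,sport,dport,packets,bytes."""
    ts, src, dst, proto, sport, dport, packets, nbytes = line.strip().split(",")
    return Flow(int(ts), src, dst, int(proto), int(sport), int(dport),
                int(packets), int(nbytes))


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in CAMPUS_NET


def egress_per_window(flows: List[Flow]) -> Dict[Tuple[str, int], int]:
    """Bytes sent from each internal host to external hosts, per WINDOW."""
    buckets = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            buckets[(f.src, f.ts // WINDOW)] += f.nbytes
    return buckets


def build_baseline(flows: List[Flow]) -> Dict[str, Tuple[float, float]]:
    """Per-host (mean, stdev) of hourly egress bytes over the training period."""
    per_host = defaultdict(list)
    for (src, _win), total in egress_per_window(flows).items():
        per_host[src].append(total)
    return {h: (statistics.mean(v), statistics.pstdev(v))
            for h, v in per_host.items() if len(v) >= 2}


def find_anomalies(baseline, flows: List[Flow]) -> List[Tuple[str, str, int, int]]:
    """Return (kind, src, window, detail) alerts for the observed flows."""
    alerts = []
    # Exfiltration-like behaviour: a host's hourly egress far above its history.
    for (src, win), total in egress_per_window(flows).items():
        if src not in baseline:
            alerts.append(("no_baseline", src, win, total))
            continue
        mean, sd = baseline[src]
        if total > mean + Z_THRESHOLD * max(sd, 1.0):   # floor sd so a flat history still alerts
            alerts.append(("egress_spike", src, win, total))
    # Scan-like behaviour: one source touching many ports on one destination.
    # Internal-to-internal flows count too; lateral movement never shows in egress.
    ports = defaultdict(set)
    for f in flows:
        ports[(f.src, f.dst, f.ts // WINDOW)].add(f.dport)
    for (src, dst, win), seen in ports.items():
        if len(seen) >= SCAN_PORTS:
            alerts.append(("port_scan", src, win, len(seen)))
    return alerts


def constructed_flows() -> Tuple[List[Flow], List[Flow]]:
    """Five days of ordinary HTTPS egress from one workstation (training), then
    an observation day with an 80 MB upload to a single host and an internal
    port scan from a second workstation. Constructed sample, not captured."""
    rng = random.Random(7)

    def https_hour(day: int, hour: int) -> List[Flow]:
        return [Flow(day * 86400 + hour * 3600 + i * 120, "10.20.5.17",
                     f"203.0.113.{rng.randint(1, 50)}", 6, rng.randint(49152, 65535),
                     443, rng.randint(40, 120), rng.randint(50_000, 150_000))
                for i in range(20)]

    training = [f for d in range(5) for h in range(24) for f in https_hour(d, h)]
    observed = https_hour(5, 9) + https_hour(5, 10)
    observed.append(Flow(5 * 86400 + 10 * 3600 + 1800, "10.20.5.17",
                         "198.51.100.9", 6, 51000, 443, 60_000, 80_000_000))
    observed += [Flow(5 * 86400 + 9 * 3600 + p, "10.20.5.40", "10.20.1.5",
                      6, 40000 + p, p, 1, 60) for p in range(1, 121)]
    return training, observed


def run_example() -> List[Tuple[str, str, int, int]]:
    training, observed = constructed_flows()
    return find_anomalies(build_baseline(training), observed)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Two design points carry over to a real collector feed: the baseline is per host, because a research file server and a residence-hall laptop have nothing in common, and the scan check keys on distinct destination ports rather than packet counts, so a slow scan spread across an hour still trips it.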
The Network as a Recruiting Tool
Higher education IT leaders have one major advantage in making
the case for upgrading network infrastructure: it can be a selling
point for attracting students. "The next generation students aren't
going to want to live in a dorm or even go to a campus," says Orr,
"where network capabilities are less than what they're used to on
their home networks or from their cable provider."
Universities are already using their network capabilities,
speed and reach as a selling point toward research and
development and other fields. "Whether it's Public, Private or
Community Colleges," says Orr, "the network is a recruiting tool.
Institutions are using the capabilities, the speed, and network
programmability as ways to attract talent."
Too many network acquisitions are based on price alone, says Orr,
rather than on how network infrastructure capability can carry the
institution forward for the next three to five years. Refreshing the
network should always be about looking ahead, he says, keeping
in mind the capabilities of an up-to-date network.
Take a Holistic View
To combat malware, taking a complete view of the network is
essential. This is far more effective than trying to block a threat
at any one place. "Today's threat vectors are changing," says
Orr. "Threats now can come from within the network."
In simpler times, securing the network meant putting a firewall
at the edge to block unauthorized outside access and setting
policies that didn't allow outside devices into the network.
The era of BYOD and consumer devices clearly complicates
Ransomware is one example of the kinds of new and rapidly
growing threats facing higher education. At its most basic,
ransomware enters the network via an email enticing a student
or other user to visit a malicious website or to share information
they shouldn't. Once ransomware is on the network, says Orr,
it's very difficult to eliminate. The key is to block it in advance
using strong Internet and e-mail security tools. For example,
Cisco OpenDNS checks the DNS resolution of web sites and
blocks access to known malicious sites.
Combating malware also means looking for problematic
endpoints. In a BYOD environment, says Orr, "You want to
know what type of device it is, who owns it, who is logged
into it, what network they are on and what attributes they are
allowed to access."
Security needs to be built at the front of the network, at the
Internet edge, and all the way to the access layer. "Security
needs to be pervasive," says Orr. "It's no longer a layer of the
network. It's a foundational and fundamental component of
every device in the network."
Move from Reactive to Proactive
Cisco partners with higher education institutions to help them
understand the current status of their network, decide where they
need to be, and chart a path to get there. Consultants can help lay
out a roadmap for a security-driven IT modernization that takes full
advantage of modern, trustworthy platforms.
Cisco consultants can also help institutions meet and remain
in compliance with applicable regulatory requirements for
cybersecurity. Experts can match security capabilities of modern
platforms with best practices and government regulation to
ensure updated networks are not only compliant, but truly secure.
“It’s about moving from being reactive to proactive,” says Orr. That
includes creating a trusted network from the ground up, instituting
strong security policies, segmenting the network to deal with
student devices, and using network telemetry and other tools to
monitor threats. It’s all part of creating a proactive approach to
higher education network security.
Don’t Risk a Security Breach. Don’t Risk IT.
Are you entrusting your organization’s crucial data to aging,
end-of-life infrastructure? Don’t Risk IT! Cisco security-driven
network offerings are built from concept to completion to
include built-in security to protect sensitive data. Learn more at
About Campus Technology
Campus Technology is one of higher education's top information
sources, with distribution across a website, monthly digital
magazine, newsletters, webcasts and online tools. It's the go-to
resource for campus professionals, providing in-depth coverage
on the technologies and implementations influencing colleges
and universities across the nation. Content includes valuable
hands-on articles, best practices, industry trends, expert advice
and insightful articles to help administrators, campus executives,
technologists and educators plan, develop and successfully
launch effective IT initiatives.