As I’ve explained in my previous blog posts, mobile devices have quickly evolved into critical enterprise tools that open the doors to better productivity, innovation and competitive advantage. At the same time, they have increased IT complexity and raised critical security and privacy concerns. I’ve offered several recommendations for ensuring security with both personally owned and corporate-owned devices. But what strategies actually work in the real-world? For example, what do educational institutions actually find most effective?
To find out, I’ve asked Kim Cary, CISO of Pepperdine University, to discuss the challenges of enabling mobility while maintaining security. Here’s our Q&A:
Q. Tell us a little bit about endpoint security from your perspective as CISO at Pepperdine.
A university needs a different network than the typical business. For one thing, we don’t own all the endpoints on our network — students, conference guests, invited speakers and contracted services all use systems we don’t own. Further, for those endpoints we do own, it isn’t appropriate to use a simple “only what the company installs on it” strategy for security, particularly with faculty. So our endpoint strategy in security is much more of an “innocent until proven guilty” approach.
The way this plays out is that we use role-based access. For devices we don’t own, we limit access to well-maintained and monitored services. For devices we do own, we make sure that they are patched and their assigned users have good security training available.
Q. Why is endpoint security so important in terms of your overall security strategy?
As one of our vendors puts it, “Your network is only as secure as the devices that are connected.” This means that at the end of the day, after all the firewalls, IDS/IPS, security education and anti-virus have done their work, if someone’s workstation is weak, it can still become a cybercriminal HQ on your network. The resulting data breach would not be good for the students, community or university.
Q. What does Pepperdine do to manage and secure endpoints?
We use a NAC to provide role-based access. We evangelize security training and software patching aids for systems we don’t own. For systems we do own, we automate patching of the statistically most exploited software: the operating system, the productivity suite, and the web helper apps — Java, Adobe Flash Player, Adobe Acrobat Reader and the like.
Q. What endpoint security solutions do you use and find most valuable?
For systems we own, what is determined to be security baseline must be mandatory. We have found that automation is required, since every other form of maintenance — including posture checking, user education, technicians with flash drives, and even concierge service for executives and high-profile faculty — has been shown to fail to provide a baseline of security.
We’re using Dell KACE to automate third-party patching and security configuration for systems we own. We’ve also found it useful for tracking down and helping eradicate zero day infections that have gotten past our anti-virus. Beyond security, the KACE solution lets us provision systems campus-wide. When finance went paperless and we needed Acrobat on every workstation, KACE installed the licensed software in days. When we needed to retire XP before April 2014, KACE gave us an inventory of the 400+ systems to target, and enabled us to upgrade those systems to Windows 7 overnight, instead of having to pull them in to the workbench and interrupt our colleagues’ work.
Our NAC is critical system for providing role-based access and for informing people of what to do when their BYOD system is blocked for signs of infection or copyright infringement. Being able to both isolate and inform in one operation has saved tons of help desk calls and more importantly, tons of student frustration.
Q. What advice would you give other IT security executives and managers about managing and securing endpoints?
Don’t accept that security is not possible if a traditional method of control is not available. Take ownership and find another path; be proactive in innovation; publish measures of your success. Invest in automation of the baseline tasks — your users and even technicians were not hired to spend time on these basics. Automation enables these colleagues to focus on things more important to the business than patching and configuration, such as making the most of their technology tools and designing new solutions for business problems.
Learn more about building a secure mobile enterprise
As Pepperdine University illustrates, enabling mobility while ensuring security is a worthy and attainable goal for any organization. I’d like to thank Kim Cary for sharing his insights and advice, and I hope you’ve found them helpful as well.
To learn more about achieving a secure mobile enterprise, read our whitepaper, “The Secure Mobile Enterprise.”
About Christopher Garcia
A ten-year Dell veteran, Chris has had experience in various marketing roles within the organization. He is currently a Senior Product Marketing Manager.
View all posts by Christopher Garcia
About Kim Cary | Chief Information Security Officer at Pepperdine University
Kim's current work is focused on security training, business process consulting, security policy, mission-friendly security system implementation, security event analysis, incident handling and system operations.
Kim completed his Ed.D. at Pepperdine in 2004 and holds current major security certifications from ISC2 as CISSP and from GIAC as Firewall, Intrusion and Forensics Analyst and Incident Handler. He received his M.Div. at Biola in 1986, and his bachelor's degree in biology at the University of California, Los Angeles in 1979.
<p>It is cool to see other options or thoughts on managing mobile. I too have found if you rely on the end user, it usually doesn't happen. </p>
<p>Student computers can be a mess.</p>
<p>Very good article.</p>
<p>I thought I had problems, but not quite this bad.</p>
<p>automation is the goal, but it really can mean having to get creative (and convincing supervisors to think it through before saying no)</p>