CIO Data Protection Finall


    TOPIC: A HOLISTIC APPROACH TO DATA PROTECTION

    SUMMARY: Data protection encompasses a host of technologies, business processes and best practices. Government regulations threaten dire consequences for noncompliance, and compromised data quickly becomes a public relations and customer retention issue. Learn more about the various parts of a data protection strategy and how to maintain and augment what you already have.

    CHAPTER 1: DATA PROTECTION TOPS CIO SECURITY AGENDA
    CHAPTER 2: SEVEN STEPS TO BETTER DATA PROTECTION
    CHAPTER 3: DOS AND DON'TS OF NETWORK ACCESS CONTROL
    CASE STUDY: APPLIANCE-BASED NAC THE RIGHT ANSWER FOR UNIVERSITY'S NETWORK

    A HOLISTIC APPROACH TO DATA PROTECTION SEARCHCIO.COM

    CHAPTER 1

    Data Protection Tops CIO Security Agenda

    Enterprise CIOs are still spending on security, specifically data protection, with or without help from the business. BY LINDA TUCCI

    IT SECURITY BUDGETS at large corporations are getting a bigger proportion of the IT spend in 2009, according to a recent study from Forrester Research Inc. Data protection is the top priority.

    During 2009, about one in five security groups plans to pilot or adopt full disk encryption, file-level encryption, a host intrusion prevention system and endpoint control. When combined with the percentage of firms already using these security technologies, enterprise adoption of them will top 50%.

    The budgets, which follow a jump in 2008 as well, come with a growing awareness on the part of business executives that security is a business risk, the study showed. But getting the backing of the business on security matters and securing adequate funding remain serious challenges for IT groups. And the day-to-day burden of protecting the company? That remains almost exclusively the province of IT at most places, leaving security teams little time for strategic planning.

    "Even though people realize that security is important to the business and security is focusing on protecting the data, both good things, organizations still have a hard time understanding how much do we spend, where should we spend, what is the right amount to spend and the kind of projects they should be doing," says Forrester analyst Jonathan Penn, lead author of the study.

    The findings are based on responses from 942 business, IT and security executives at companies with 1,000 to upwards of 20,000 employees. The survey was conducted in the third quarter of 2008.

    While IT budgets are shrinking, security is getting a larger portion of the IT pie. Companies with 1,000 or more employees will devote 12.6% of their IT operating budget to security in 2009, according to the study. That's almost a full percentage point above the 11.7% of the IT budget allocated the year before, which in turn marked a sharp increase over the 7.2% allotted in 2007.

    The recognition among business executives of security as a business risk is due partly to a shift in reporting lines. More than half of IT security professionals (54%) polled by Forrester report to either the organization's board and CEO/president or to an executive committee, the survey showed, compared with 28% who report to IT. Despite the organizational alignment between the security group and business, however, security remains an IT-centric job at most organizations.

    The survey showed that responsibility for infrastructure security, identity and access management, threat and vulnerability management, regulatory compliance and even physical security, for example, falls primarily or exclusively to IT security groups. Those tactical duties allow little time for broad strategic initiatives, Penn says.

    The security strategizing that is done happens without much input from the business and with only tepid support, he says. More than two-thirds of the firms polled (70%) say other organization priorities take precedence over security plans.

    "When you look at the challenges, it is surprising to me that despite the reporting lines, there is still this issue of getting enough executive backing for projects," Penn says.

    But the disjunction shows just how hard it is for IT people to articulate the value of security investment in a way that business executives understand, he adds. "They need to show that this money is going to give the business some kind of return," he says, as a first step in encouraging the business to help set strategy and develop metrics for measuring security ROI.

    FULL DISK ENCRYPTION A HOT TOPIC

    Meantime, IT security strategy has shifted pretty dramatically in the past few years, Penn says, from a focus on threat defense to protecting an organization's data assets. Indeed, data security was the highest priority for 90% of IT security organizations, surpassing threats cited in the past like malware (ranked sixth of 11 security issues) and regulatory compliance (ranked seventh). Application security (86%) and disaster recovery and business continuity (81%) came in second and third on the list.

    The focus on data protection represents a pretty healthy approach to security, in Penn's view. Rather than following hackers' latest bag of tricks, IT executives are taking an asset-based approach, determining a company's most important data stores and building defenses around them.

    "There is a growing recognition that the focus should be on what the attacks are actually doing to business assets, rather than looking at the kind of attack, per se," he says.

    The adoption of threat management tools is still greater than endpoint data protection technologies. But investment in data asset protection is definitely accelerating. Full disk encryption leads the client security technology portion of the shopping list, with 22% of respondents saying they plan to pilot or adopt it in the next 12 months.

    PODCAST: Mobile Data Protection Options

    WHAT MOBILE DATA protection tools and options are available to safeguard mobile devices that could potentially be lost or stolen? Find out in this podcast from SearchCIO.com.

    http://searchcio.techtarget.com/generic/0,295582,sid182_gci1346902,00.html

    IAM, MANAGED SECURITY SERVICES GROWING

    In another notable shift from years past, firms told Forrester that security, not compliance, is driving their adoption of identity and access management (IAM) technologies. Although the expense (38%) and complexity (30%) of IAM are concerns, 15% to 21% will pilot or adopt a range of IAM technologies in the next 12 months. In the IAM arsenal, enterprise single sign-on is grabbing the most attention, with 21% of firms planning to pilot or adopt it, followed by provisioning (19%).

    The survey also showed that large enterprises are increasingly going to managed security services to find specialized skills (29%) and reduce costs (28%). While email/Web content filtering is the most popular managed service today, vulnerability assessment and host event log monitoring/management show the greatest promise for growth in the next 12 months. The percentage of companies planning to outsource these areas would nearly double the percentage already using these services.

    "We think of managed security services as something that people turn to just for cost savings," Penn says. "But we are seeing pretty strong adoption of managed security services across both SMBs and enterprises, and a lot of it has to do with the skills shortage. People are unable to find staff with the right skills, or in some cases, don't want people with those skills and find it just as effective to outsource it."

    LINDA TUCCI is a senior news writer for SearchCIO.com. Write to her at [email protected].


    CHAPTER 2

    Seven Steps to Better Data Protection

    CIOs should take a holistic approach to enterprise data protection. A security expert offers seven suggestions for enhancing your data protection policy. BY MARK EGAN

    ENTERPRISE DATA PROTECTION requires a holistic program that encompasses people, process and technology. Too often the emphasis is placed on technology; all employees in a company must play their parts, such as following good password guidelines, for the program to be effective. The following are some examples of best practices for adhering to a data protection policy:

    1. Implement a data classification program that focuses on customer, financial and intellectual property information, with designated owners of the information. Data protection categories should include confidential, internal use and public, and it is important to put the appropriate controls in place to protect this information. For example, public data should be reviewed to ensure that sensitive information such as future product plans is not released outside the company.

    2. Develop an enterprise-wide data architecture and manage the flow of critical information throughout the organization; you will be surprised by what you find. Credit card information is an example of data that you need to manage closely and ensure that data protection controls are in place. The good news here is that Payment Card Industry Data Security Standards (PCI DSS) are very well documented and spell out what an organization needs to do to ensure data protection of this type of information.

    3. Encrypt critical information, such as credit card numbers, throughout your environment. If you are handling credit card information, you will need to encrypt this information in order to comply with PCI DSS. Cyberthieves can easily sell this information on the black market and will look for credit card information if they are able to break into your systems.

    4. Use caution with new technology, including cloud computing or virtualization, as security protection mechanisms such as authentication and data protection are often immature. Two-factor authentication is recommended when members of your organization access these systems, and your customers' confidential, personally identifiable information should always be encrypted. You should also confirm these capabilities before venturing into the cloud.

    5. Protect endpoint devices such as personal digital assistants, laptops, memory sticks and cell phones that are used to store critical information. You should put enterprise data protection programs in place to address loss and theft. Endpoint devices are essential and are often used to store customer, future product and financial information. The small form factor makes them very likely to be lost or stolen. You need to be proactive in this area and encrypt data, require use of passwords and leverage the ability to remotely disable these devices, if available.

    6. Implement enterprise data protection policies. Enact guidelines throughout your organization for information security items such as strong passwords, encryption, two-factor authentication and remote data deletion for endpoint devices.

    7. Update your software development lifecycle (SDLC) process with key checkpoints, such as security architecture reviews, and conduct code reviews to identify common coding errors such as buffer overflows. It is much easier to address your organization's software security issues earlier in the SDLC process, and architectural reviews can eliminate many of these issues before any coding has occurred. Use of code checking programs, similar to spell checking, is very helpful to identify common coding issues such as buffer overflows. Finally, binary code analysis tools are available to test the actual running of the software before it is deployed.

    Security threats are here to stay, and holistic programs are essential to protect the critical data assets of your organization. It is important to develop a roadmap of incremental improvements to your enterprise data protection policy with regular updates that will help you face new security threats.

    MARK EGAN is managing partner of the information security practice at The StrataFusion Group Inc., a management consulting firm in the San Francisco Bay Area. Write to him at [email protected].


    CHAPTER 3

    Dos and Don'ts of Network Access Control

    NAC is a hot topic for CIOs, but this form of asset protection is not without faults. Here are some things to keep in mind. BY LINDA TUCCI

    IF YOUR NETWORK manager hasn't made an impassioned case for a network access control (NAC) solution, just wait.

    This is being hailed as the year when NAC, which has not entirely lived up to its splashy debut of a few years back, comes into its own. First and foremost a gatekeeper to your organization's network, NAC can help with compliance. It can shine a light on devices you never knew or long forgot belonged to you, thus also helping with asset management, and proving its value.

    Forrester Research Inc., predicting a blockbuster year for NAC, says this watchdog technology is fast becoming a critical component in making many security initiatives efficient and a seamless part of the network infrastructure. Nearly 25% of all enterprises have already adopted NAC, and an additional 15% will do so by the end of 2009, according to the Cambridge, Mass.-based firm.

    Meantime, Gartner Inc. has spent the past three years encouraging enterprises to look at NAC as an important piece of network hygiene, says research director Lawrence Orans. "This is such a valuable defense that you can add to your network. Our advice is start doing NAC now."

    NAC systems were initially designed to continuously scan endpoints against your corporate security criteria to ensure corrupted systems don't gain access to the network. But Forrester says the technology has moved beyond simply checking and isolating an endpoint device, to compliance. Now companies are using NAC to check endpoints for anomalous behavior and even to continually monitor employees' roles and rights to network access. And, by the way, those endpoints on your network may well include noncomputing devices, from printers and Voice over Internet Protocol phones to video cameras and badge readers.

    NAC technology has gone through several iterations since it burst onto the scene in the wake of the Blaster attacks, but it is stabilizing, according to Forrester. There are three types of NAC architectures, often used in combination: infrastructure-based (also known as inline), appliance-based and software-based. Leading NAC vendors include Bradford Networks, Cisco Systems Inc., Juniper Networks Inc. and Microsoft.

    Whichever approach or vendor you choose, a successful implementation will require your network, security and infrastructure and operations teams to work together, for starters. The implementation will take longer than you think, and it can fail to measure up to your expectations if you think NAC will solve all your security problems. It can also really frustrate your users if not properly deployed.

    Still interested? We asked a leading vendor and a couple of analysts to give us their dos and don'ts for deploying NAC. Step one? Ignore everything you've just read and start by defining what NAC means to your organization.

    Don't let your network or the problem at hand determine your NAC vendor (unless you like wasting money).

    Companies tend to let their type of network, their problem du jour and their security systems determine their NAC vendor. Many companies are driven to NAC to solve the problem of guest and contractor access, Forrester analyst Robert Whiteley says, so when they find out their incumbent networking vendor offers a solution for guest access, they forge ahead. Sometime down the road, they decide they also want role-based access control for internal employees. But whatever solution they put in place to address guest management is not necessarily the best solution to help with segmenting employees, Whiteley says.

    "What we're finding is that a lot of companies are spending really good money to get NAC in place and then six to 12 months down the road, that investment either is obsolete or requires more money be thrown at the problem."

    NAC appliance systems like those from Bradford Networks start at about $8,000 for the appliance, software and 250 user licenses.

    Instead, take a business approach to NAC. Begin by defining the various scenarios that require access control. The most successful NAC solutions, Forrester has found, can support at least four scenarios relevant to the business.

    Never, ever do a big-bang deployment of NAC.

    The experts are unanimous: Do not underestimate the complexity of an NAC deployment. It is not unusual for it to span nine months. Both Whiteley and Orans recommend that companies roll out their NAC capability in three phases: monitor what's on the network, map network traffic and then enforce policy.

    "Take it in bite-sized chunks, and validate as you go," says Jerry Skurla, vice president of marketing at Concord, N.H.-based Bradford Networks. "If adding security causes the business to slow down, you may not have the window to try it again."

    Before signing off on a deal, ask your network manager two questions:

    1. Does the NAC solution integrate with the existing network infrastructure, or does it require changes to routers and switches or upgrades to bandwidth boxes?

    2. Can the NAC solution also handle nonemployees or unmanaged IT assets: guests, contractors, business partners?

    Don't let your network team go it alone.

    It's almost a misnomer to call this network access control. At least three groups must work in tandem to deploy NAC: the network, security and desktop teams.

    The network team defines how the network will take the enforcement actions and how it will get done in the network, but the security team is often in charge of the policy. And when an endpoint requires remediation, which many NAC systems can do automatically, the desktop team still needs to be looped in to make sure the fixes are done correctly.

    Warn your network manager: Don't get bedazzled by the NAC data.

    NAC provides a tremendous amount of data about your network that you've never had before. That's good. But don't get carried away with reports, especially those going up the management chain. Stick to red light, green light. "A lot of executives, including the CIO, simply want to know, 'Is this going to be a normal threat day or lunatic threat day?'" Skurla says.

    LINDA TUCCI is a senior news writer for SearchCIO.com. Write to her at [email protected].


    CASE STUDY

    Appliance-Based NAC The Right Answer for University's Network

    An NAC system at one university helped enforce the security policy for 25,000-plus students, faculty and staff, replacing a sneakernet form of worm control. BY LINDA TUCCI

    WHO: Central Michigan University
    LOCATION: Mount Pleasant, Mich.
    COMMUNITY: 27,000 students, 1,200 faculty and staff
    REGISTERED SYSTEM USERS: 16,000
    NETWORK: Cisco switches, HP/Compaq and Dell servers

    THE TROUBLE WITH talking about network access control (NAC) is it's a complicated, evolving and controversial technology. Depending on to whom you listen, it's a must-have: Gartner Inc. has been pushing NAC for three years; Forrester Research Inc. says it's a key component of good network security architecture. Just as likely, you'll hear it's a shape shifter, with no dominant standard, better left to hardy souls with big wallets.

    One example of an organization that benefited from network access control is Central Michigan University (CMU). It turned to an NAC appliance to keep out-of-security compliance devices off the university network. Or, as the IT people at Central Michigan prefer to put it, to keep the network accessible for the majority by excluding the few.

    IT BEGAN WITH A WORM (OR TWO)

    This moderately large university had a really localized pain point when it considered a network access control system in 2003 for its campus of more than 27,000 students. It didn't want to end up like Michigan State, where the Blaster and Nachi worms had taken down the network. Nor was it practical for Central Michigan to keep its own line of defense, which consisted of a phalanx of volunteers to battle this nasty worm.

    "We shut down Internet access for all the residence halls, gathered an army of students and sent them out to patch student systems one at a time, by hand. We have 26 residence halls and apartments," says Ryan Laus, network manager at CMU's main campus in Mount Pleasant, Mich.

    To head off infection, networking, help desk and residence hall staff members burned more than 1,600 CDs with the latest Windows patches and the school's licensed antivirus package. In less than three days, roughly 6,000 users with unpatched systems and out-of-date antivirus programs showed up. Another 800 virus-related incidents came to light. IT shut down entire dorm rooms because it had no idea whose system was infected, fomenting some mass resentment.

    The university wanted an automated process that could authenticate students' devices before they connected to the CMU network and kick them off if they became contaminated. An appliance-based, or out-of-band, NAC solution from Bradford Networks answered the call, and then some. The Concord, N.H.-based provider made its bones with its Campus Manager solution designed for university campuses, but for Central Michigan the huge plus was that the appliance did not have to be put inline.

    "We had an intrusion prevention system and I believe we also had [WAN optimization] Packeteer systems in line, so to add another inline appliance was scary," Laus says. "We didn't want to add one more link to the chain on our network." If the out-of-band system died, it would affect only the people who were registering their computers at the time. Users already in the university's production network would not be affected.

    Campus Manager manages, secures and controls the approximately 17,000 devices accessing the CMU network when school is in session, enforcing the university's network authentication and registration policies. This includes quickly identifying, locating and tracking network clients, and isolating at-risk users and devices in a quarantine area.

    "It was an easy sell. A network that actually stays up and is secure? Oh yeah, here's a blank check," Laus recalls. The initial outlay was about $100,000; the university uses four appliances and supports 22,000 licenses.

    INSTALLATION DETAILS AND LESSONS LEARNED

    NAC implementations get a bad rap. They take longer than expected, cost more than anticipated. A 20-something network engineer in 2004, Laus was given the task of rolling out the Bradford solution to the residence halls, CMU's biggest bandwidth hogs. Laus began in June, updating the switches in the residence halls one building at a time, and he was done by August.

    "Once we added the switches to the system, we could use the system to push out configuration changes, as opposed to making those changes by hand. That made the job much easier," Laus says.

    The implementation was not without problems. Some older switching equipment did not behave as expected with the system, causing some confusion among users, Laus says. That was solved the following summer when the university upgraded with equipment that worked better with the NAC.

    Communication was the most critical component of the rollout, Laus says. Central Michigan aims to get the majority of machines registered before the start of the school year, and gave the students advance notice that registration would require some extra steps. The network team notified the help desk, which needed to be prepared for the inevitable calls from students when self-help measures failed. It also kept the security people in the loop, and treated the tech people who work outside the centralized IT department in the academic and administrative buildings with kid gloves. Many are faculty members.

    "Our users hate to have something shoved down their throats, especially faculty," Laus says.

    POLICING BANDWIDTH

    CMU's NAC system has evolved with the technology. Students must now download an agent that scans machines for security policy compliance, for example, while IT uses Campus Manager in the residence halls to enforce a bandwidth quota (5 GB total traffic or 2 GB upload traffic per week) as a way to monitor file sharing.

    Clients that exceed the limit are moved to an isolated virtual LAN, where they have access to systems on campus but not to the outside world. The system can be used to pass along warnings from the Recording Industry Association of America with a note from IT to "cut this crap out."
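
The quota rule described above (5 GB total or 2 GB upload per week, with clients over the limit moved to an isolated VLAN) can be sketched as follows. This is an added example, not code from CMU or Bradford Networks; the record format, the VLAN labels, decimal gigabytes and UTC ISO weeks as the quota period are all assumptions.

```python
"""Weekly bandwidth-quota evaluation for NAC VLAN assignment (illustrative)."""
from collections import defaultdict
from datetime import datetime, timezone
from typing import NamedTuple

GB = 10**9                      # assumption: decimal gigabytes
TOTAL_LIMIT = 5 * GB            # 5 GB total traffic per week (from the article)
UPLOAD_LIMIT = 2 * GB           # 2 GB upload traffic per week (from the article)
PRODUCTION_VLAN = "production"  # hypothetical VLAN labels
ISOLATED_VLAN = "isolated"


class UsageRecord(NamedTuple):
    """One accounting sample for a client (constructed format, not a vendor's)."""
    mac: str
    timestamp: datetime
    bytes_up: int
    bytes_down: int


def normalize_mac(mac):
    """Canonicalize MAC notation so one device is never counted as two clients."""
    digits = mac.lower().translate(str.maketrans("", "", ":-."))
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def week_key(ts):
    """Return (ISO year, ISO week) in UTC; the quota resets when this changes."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    iso = ts.astimezone(timezone.utc).isocalendar()
    return (iso[0], iso[1])


def weekly_usage(records):
    """Sum upload and download bytes per (client, week)."""
    usage = defaultdict(lambda: [0, 0])
    for rec in records:
        if rec.bytes_up < 0 or rec.bytes_down < 0:
            raise ValueError("negative byte counter")  # corrupt accounting data
        slot = usage[(normalize_mac(rec.mac), week_key(rec.timestamp))]
        slot[0] += rec.bytes_up
        slot[1] += rec.bytes_down
    return usage


def assign_vlans(records, week):
    """Map each client seen in `week` to (vlan, reasons).

    A client is isolated only when it exceeds a limit; usage exactly at the
    limit stays in production. Upload bytes count toward the total.
    """
    decisions = {}
    for (mac, wk), (up, down) in weekly_usage(records).items():
        if wk != week:
            continue
        reasons = []
        if up + down > TOTAL_LIMIT:
            reasons.append("total")
        if up > UPLOAD_LIMIT:
            reasons.append("upload")
        decisions[mac] = (ISOLATED_VLAN if reasons else PRODUCTION_VLAN, reasons)
    return decisions


def _utc(day, hour=12):
    return datetime(2009, 3, day, hour, tzinfo=timezone.utc)


# Constructed sample data: 2 March 2009 starts ISO week 10, 9 March week 11.
SAMPLE = [
    UsageRecord("00:1A:2B:3C:4D:5E", _utc(2), 500_000_000, 3_000_000_000),
    UsageRecord("00-1a-2b-3c-4d-5e", _utc(5), 400_000_000, 1_200_000_000),
    UsageRecord("00:1a:2b:3c:4d:5f", _utc(3), 2_100_000_000, 300_000_000),
    UsageRecord("00:1a:2b:3c:4d:60", _utc(8, 23), 1_000_000_000, 3_000_000_000),
    UsageRecord("00:1a:2b:3c:4d:60", _utc(9, 1), 500_000_000, 1_500_000_000),
    UsageRecord("00:1a:2b:3c:4d:61", _utc(4), 2_000_000_000, 3_000_000_000),
]

if __name__ == "__main__":
    for mac, (vlan, reasons) in sorted(assign_vlans(SAMPLE, (2009, 10)).items()):
        print(mac, vlan, ",".join(reasons) or "-")
```

The third client's traffic straddles the week boundary, so its 6 GB combined never trips the 5 GB limit; where the week starts is therefore part of the policy and worth stating in the notice given to users.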

    In one sense, the politics that often accompany NAC deployments (top executives in a tizzy over being kicked off because they didn't download a patch in time) are moot issues for CMU. If students want to be connected to the network, NAC compliance is the prerequisite. And indeed, on the administrative and faculty side of the campus, CMU has implemented a watered-down, agentless version of NAC, precisely because it is too complex to enforce.

    NAC implementations get a bad rap. They take longer than expected, cost more than anticipated.

    "We have no real way to deal with guests and corporate speakers who come in. In order to do it, you would have to say that anybody who comes anywhere on campus and cannot register would call the help desk, and we don't have the resources to support something like that," Laus says.

    If somebody on the faculty side fires up a server that does virtualization, a departmental tech will notify Laus "and I will take the port out of the system and make an exception."

    The two-tiered system at Central Michigan extends to keeping machines current. Students are forced to re-register every semester. Not so faculty and administration, Laus says.

    That could be another 30-minute conversation, persuading people to do it and finding a way to do it in a way that does not interrupt the user. Now if a faculty machine falls out of compliance, it just gets kicked out of school.

    LINDA TUCCI is a senior news writer for SearchCIO.com. Write to her at [email protected].

    A Holistic Approach to Data Protection is produced by CIO Decisions/IT Strategy Media, 2009 by TechTarget.

    JACQUELINE BISCOBING, Managing Editor

    LINDA KOURY, Art Director

    MARK EGAN, Contributing Writer

    ANNE MCCRORY, Editorial Director

    KAREN GUGLIELMO and SCOT PETERSEN, Executive Editors

    CHRISTINA TORODE and LINDA TUCCI, Senior News Writers

    KRISTEN CARETTA, ALEXANDER HOWARD and RACHEL LEBEAUX, Associate Editors

    FOR SALES INQUIRIES

    STEPHANIE CORBY, Senior Director of Product Management, [email protected], (781) 657-1589

    BUSINESS STAFF

    ANDREW BRINEY, Senior Vice President and Group Publisher

    JULLIAN COFFIN, Publisher, Sales

    STEPHANIE CORBY, Senior Director of Product Management

    THERON SHREVE, Product Manager

    KATIE GRAYBEAL, Marketing Manager

    LEE TETREAULT, Marketing Programs Associate

    NAC IN ACTION

    Network access control may be controversial, but it's needed, according to experts. Check out our collection of case studies to find out how other universities are using NAC.

    RESOURCES FROM OUR SPONSOR

    • Data Loss Risks During Downsizing: As Employees Exit, So Does Corporate Data

    • 7 Requirements of Data Loss Prevention

    • 3 Steps to Protect Confidential Data on Laptops

    • PricewaterhouseCoopers: Data Loss Prevention: Keeping Sensitive Data out of the Wrong Hands

    • Prioritizing Your Data Protection Program

    About Symantec: Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored.