IT professionals at school districts and universities support "customers" who are very different from most enterprise IT users. University IT teams support an employee population of faculty and staff, but they also support students who are paying customers that view the school as a service provider. A bring your own device program isn't optional -- it's a must. But IT still has to control network access and apply security policies to endpoints.
Broward College in Broward County, Florida, knew it needed a better approach to bring your own device (BYOD) management for a network used by more than 68,000 students and 2,000 faculty and staff members located across four campuses and seven satellite locations in South Florida.
"Our problem was that even though students have been connecting to the network for years on their own devices, there was really no control or technology in place to prevent malware from infiltrating the network, and it was very difficult for the IT team to determine which student was associated with what device," said Matt Santill, CISO of Broward College.
Santill and his team selected ForeScout CounterACT for its agentless approach to network access control (NAC) and its ability to integrate with third-party security tools for better network visibility.
ForeScout CounterACT: An agentless approach to reining in BYOD, maintaining compliance
Before installing ForeScout, Broward College had an acceptable use policy for BYOD, but had no way of enforcing NAC, Santill said. To improve BYOD management, Santill and his team wanted a combination of NAC and mobile device management that could work with security tools they already had installed.
The college reviewed several NAC products from its network infrastructure vendors, Enterasys (now Extreme Networks) and Aruba's ClearPass. But with over 20,000 personal and college-owned devices on the network, "we didn't want to have to manage agents on the thousands of devices we have connected to our network, or deal with the maintenance associated with it," Santill said. Enterasys required agents on every device for BYOD management, and Aruba's ClearPass only offered limited integration with Broward's wired infrastructure, he said.
After completing a proof of concept, Broward selected the ForeScout CounterACT platform, an appliance that can identify and assess network users, endpoints and applications for increased visibility and policy-based mitigation of security issues. Using ForeScout's open ControlFabric technology, CounterACT can integrate with third-party IT security products within the environment to share information, improve threat detection and automate remediation actions, said Sandeep Kumar, principal solution marketing manager for ForeScout.
"There was a time when we'd see an offense and try to block it on our network, but we ended up blocking the wrong individual or device," Santill said. "[ForeScout CounterACT] is really acting as one pane of glass to see all the vulnerabilities within our system. We can see all of our switches and wireless controllers inside ForeScout."
Santill and his team are also enjoying the increased visibility of both personal and college-owned devices on the network without having to run reports or do searches for the information. "You can immediately see not only the user who is connected to each device and the difference between students on personally owned devices versus a faculty member, but it also allows us to see ports open on the machines and processes and applications running in real time," he said.
While ForeScout CounterACT does not require agents on devices for BYOD management, students still must onboard and register their devices. However, they can do it through a self-service login portal rather than a help desk ticket. Then CounterACT can enforce the college's security policies on those endpoints, like ensuring there is antivirus installed and up to date on the device, Santill said. Unprotected devices are added to a separate virtual local area network (VLAN) and given Internet access only.
Broward College also uses CounterACT to help maintain regulatory compliance for several mandates, including the Payment Card Industry Data Security Standard (PCI DSS), the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA). In addition, the college must comply with the Digital Rights Millennium Copyright Act.
"Education has some of the same regulatory and privacy requirements as other entities, but it's not usually as well-known," Santill said. "We have healthcare information and student Social Security numbers that need to be protected. Within the ForeScout appliance, I've separated out all the servers related to each regulation." ForeScout CounterACT routinely monitors and reports on machines that access any sensitive data associated with these mandates to help the college stay compliant, he said.
BYOD management benefits for students
Broward College knew students were going to use their own devices on campus, and the school wanted to be able to fully embrace BYOD by having the right controls in place to ensure security, as well as a good user experience.
"Now we can tell our faculty and students that they can work on any device, anywhere, and there won't be limits if it's not a Broward-owned device," Santill said. "We aren't limiting our faculty from teaching classes or our students from learning off of any device."