Businesses coping with security issues stemming from employee use of personal devices for company work are only experiencing what universities have grappled with for years.
"Many of us in higher ed find it very funny when we see how BYOD has dominated so much of the security press lately," Mike Corn, chief privacy and security officer at the University of Illinois (UI) at Urbana-Champaign, said in an interview. "We view that with amusement because Bring Your Own Device has defined our environment almost since the beginning of personal computing."
The magnitude of BYOD at a university the size of UI would likely give a corporate security administrator fits. Not only is there a large annual turnover rate — some 10,000 new students arrive on campus each year — but each has an average of 3.5 personal devices in tow.
"We work in an environment where we're used to having a huge number of personally owned devices on the network," Corn said.
While most universities have had their students use their own hardware for years, a big bump in corporate BYOD occurred in 2010 when tablets began to proliferate. "When the iPad came on the market, everyone brought it to work and expected to do work on it," Gord Boyce, CEO of ForeScout Technologies, said in an interview. "Universities have always had students bring their own devices, but they have less control over those endpoints.'
One reason universities have less control over those endpoints is because a higher education network needs to be more open than a corporate network. "Because of our nature, the idea of throttling information is anathema to us," Corn said.
That can pose security problems, not only for the university but for vendors trying to address those problems. "When we bring some of these appliance vendors in and begin pumping some of our network traffic through a device, they ask us, 'Why are you pumping white noise through my device?'" Corn said.
Because of the nature of universities, the amount and variety of traffic on our network has a completely different flavor to it than a corporate network, Corn explained. "Universities are not good models to compare with corporations," he said. "We're more like municipalities."
The proliferation of devices and network traffic is challenging university security shops. "What's become necessary for them to do is to track all the digital footprints of any user of any device who authenticates on their network," said Rob Reed, worldwide education evangelist for Splunk.
The problem with that kind of tracking is that the analysis of its results isn't often performed in real time. That means security incidents won't be discovered until after they occur — the equivalent of closing the barn door after the horses have bolted.
Sign up for Computerworld eNewsletters.