Striking a balance between an open network and a secure one remains a challenge for information technology (IT) departments. Although education institutions often are on the cutting edge of innovation, they face complications when it comes to enforcing IT policies. In some cases, this has led to staggering data breaches.

For example, last year, the University of California at Berkeley faced a horrifying situation when overseas hackers gained access to data on tens of thousands of people who had received health care from the university. The victims’ medical information and Social Security numbers were exposed in the breach that lasted from October 2008 to April 2009. The University of Florida faced a similar breach last year. Although security protocols, such as requiring two-factor authentication for network access, could prevent breaches, enforcement challenges abound.

It’s unrealistic and unwarranted for education institutions to be held to the same standard as large private corporations, but schools can incorporate best practices to strengthen their security.

Different worlds

Corporate environments typically are controlled with binding employment contracts, enabling IT administrators to set basic security policies that all employees are required to obey. Education institutions, especially colleges and universities, juggle far more complicated scenarios. Within academia, "employees" include students, faculty, staff, visiting professors and students, and researchers. Although the administrative staff remains relatively stable, the teaching staff and student body are in much greater flux. The regular student body churns several times a year, and visiting professors and exchange students are on and off the network regularly. Traditionally, universities have handled this fluctuation by maintaining relatively open networks.

But as institutions realize how detrimental data breaches can be, most are limiting free access to their networks and are taking a far more structured approach to securing data.

Device management

With the explosive success and continued growth of the smart-phone market, institutions suddenly have to manage more devices than they imagined. In some cases, devices are emerging before schools even figure out how to reconfigure the IT policy to accommodate the new gadgets. For example, in 2010, several university IT administrators panicked over incorporating the Apple iPad on campus networks.

George Washington University doesn’t enable students to access its wireless network using an iPad because the device cannot pass the university’s security standards. The school is plugging away at a solution, installing a virtual private network (VPN) for security access. In addition, last April, Princeton University blocked about 20 percent of iPads on its network after detecting malfunctions, with repeated malfunctions potentially affecting all of the university’s systems. Cornell University also has encountered networking and connectivity snafus related to the iPad.

Although schools are working to mitigate issues, the problem remains that universities often are overwhelmed and frustrated by new wireless technologies. It’s rare for schools to outright ban devices. Yet in these examples, universities acted more like an enterprise organization than a traditional academic institution. It’s unlikely that iPads, or any new device, will be banned forever from connecting to university networks, but we will see more regulation of new devices, as schools forgo flexibility for security.