For IT Security, University of Idaho Raises Its Grade

With the rising need to secure employee and student data and increased regulatory compliance demands this university sought a way to enhance the effectiveness of its vulnerability and risk management program.

The University of Idaho prides itself as a university that offers a distinctive combination of fascinating and career-building majors, graduate programs, a seasoned faculty, and renowned research capabilities -- all within a residential campus in the spectacular natural landscape of Moscow, Idaho. Recently, U.S. News & World Report ranked the University of Idaho among the top national universities in the country, as well as one of the best values in higher education by The Princeton Review.

Like most universities, the University of Idaho runs a lean IT team. Unfortunately, in recent weeks, that department lost two of its administrators and has since decided to restructure how the university manages its IT security. "We are going to re-emphasize the role everybody provides when it comes to security. We are moving away from having dedicated security staff to distributing those responsibilities across our network and systems teams," explains Dave Lien Networks and Systems Manager for the University.

When it comes to IT security, there is much to do. The university needs to protect the administration systems that hold student and employee data, file servers used by student and staff, course management systems, as well as all of the primary Web servers used by the campus. "All of that must be securely maintained," Lien says. In addition, while many of the systems and servers that handle credit card payments have been outsourced to a third-party provider, there are certain gateways that the university uses to transmit payment-related information to the credit card processors -- which means they must be maintained in compliance with the Payment Card Industry Data Security Standard (PCI DSS). "We need to make certain that those machines are compliant, and report their status with a high-level of confidence," Lien says.

Fundamental to both the university's IT security and PCI DSS compliance is an effective vulnerability and risk management program. The program needs to include the ability to spot misconfigured PCs and servers, out of date operating systems and applications, and provide operations teams the crucial fixes they need for rapid remediation.

To try to get the job done, for some time, the university had relied on an open source vulnerability scanner, but sought a risk management and security assessment tool that was easier to maintain and use. "The goal is to enable those who manage servers and networks to perform the scanning and remediation themselves," explains Lien. That meant Lien had to find a solution that was extremely easy to setup and maintain, provided highly accurate security checks, and could provide actionable progress reports for both technicians and business managers alike. "We also needed a way to establish specific groups with access to specific systems," he adds. "This way we can federate security system responsibilities."

That's why the University of Idaho selected Qualys. Qualys automates all of the steps associated with vulnerability management — discovery, prioritization of assets, the assessment of real-world risk to systems, reporting, remediation, and finally the verification that vulnerabilities have been fixed. Qualys, an on-demand solution, can be deployed virtually anywhere within hours. "When it comes to vulnerability scanning, Qualys provides us the objective measure we need on how well we are performing," Lien says.

In addition, because Qualys is an approved PCI scanning vendor, the university is able to scan and validate the security and PCI compliance of the systems that serves as gateways to their credit card processors. Using Qualys, anyone Lien chooses can quickly complete and submit the PCI self-assessment questionnaire, and perform pre-defined PCI scans on all relevant systems to identify and resolve network and system vulnerabilities.

"Our open source scanner gave us too many false positives, which always made us suspect of its results. I feel much better with our Qualys results, especially knowing the great reputation Qualys has for the accuracy of its security checks," says Lien.

Currently, as Lien completes his restructuring the university's approach to IT security, he'll be pushing his use of Qualys even further. "The goal is to get every machine vetted by Qualys — and use Qualys as the ultimate test — nothing will go into production until it passes," he says.

"Qualys is accurate and easy to use. We didn't trust the open source tool we were using, and we couldn't get consistent results. Each time someone ran a scan, the settings and the results were different. With Qualys, anyone on my team can use it, and its results are accurate and consistent."