Northern Arizona University Sets New Standard in Vulnerability Management

Transforming vulnerability management efforts from periodic assessments to a comprehensive and continuous vulnerability and compliance management program

While higher education institutions need to keep their networks secure, they often have to approach security differently than most enterprises due to their open nature. “Universities are unique because everyone wants the university network to be open,” says Michael Zimmer, information security analyst at Northern Arizona University (NAU). However, like any enterprise, NAU has a great deal of sensitive data to protect, including the personal information of students, faculty and administrative systems.

As a public institution, Northern Arizona University offers undergraduate, graduate, and professional degrees guided by the university’s distinguished faculty. Courses are offered at its Flagstaff campus, regionally throughout Arizona, or online, where students are prepared to achieve their full potential.

In addition to ensuring that the university’s applications and networks are secure from attack, it must also comply with a variety of regulatory mandates: Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS) and others.

Identifying and fixing the security gaps

A few years back NAU was audited by the Arizona Board of Regents (ABOR) who identified areas where the university could improve the security of its network. Specifically by instituting a vulnerability management program. When systems go unchecked for software and system vulnerabilities, vulnerabilities inevitably creep unto those systems as new patches are released and systems are changed.

To manage the vulnerabilities that sneak into these systems, the university sought a way to proactively identify these weaknesses as they arose. When these vulnerabilities go unnoticed and unmanaged, the potential for malicious threats to succeed becomes greater. This is why it is vital that security and IT teams have repeatable and automated processes in place to identify and remedy gaps in their security posture.

Northern Arizona University chose to deploy Qualys Vulnerability Management (VM) and Qualys Web Application Security (WAS), both of which are integral solutions within the Qualys Cloud Platform. The Qualys Cloud Platform identifies and helps to remedy software vulnerabilities, outdated systems, and associated weaknesses that jeopardize compliance with government and industry regulations. Delivered from a highly scalable multi-tenant cloud infrastructure, Qualys delivers a suite of information security and regulatory compliance management services.

“When I was first hired, Qualys was already in place, but it was being implemented in an ad hoc fashion, and wasn’t being used to its potential,” says Zimmer. “We were only using the solution a little bit here and there,” he says. After he took a close look at Qualys’ capabilities, Zimmer realized how much the university was underutilizing all Qualys offered. “I quickly saw that Qualys would enable us to target hosts, explore vulnerabilities and scan them, whether with credentials or without, outside and inside the perimeter. It looked very valuable,” he adds.

One dashboard to manage network, web, and regulatory risks

Initially, the university had been using Qualys VM to assess about 1,000 devices, which covered all of the networked devices that were under internal and external regulatory control. Zimmer knew that the university needed broader assessment coverage than that, and had to determine all of the systems that should be within the umbrella of its vulnerability management program. “That was one of my primary goals this past year – to work with the central IT team, domain administrators, and server administrators to develop an inventory of our systems, and add those into Qualys after doing a map and a discovery,” he explains.

“What is great about Qualys is that I can log into one interface and access an operating system, a services vulnerability management scanning tool, a web application scanning tool, a policy compliance management tool, a threat analysis reporting tool…it's all in one place, accessible from anywhere,” Zimmer says.

To get the most out of Qualys VM, Zimmer used Qualys VM’s asset grouping feature, which enabled him to establish groups by any criteria he needed, and to assign those groups to business unit managers. “This enabled us to get really good coverage of our entire asset inventory and delegate our assessment responsibility,” Zimmer says.

After the inventory was established for network vulnerability management and the initial scans and remediation work were completed, Zimmer was able to use the efficiencies and time savings to then target the web applications. Zimmer duplicated the plan he executed for the university’s network. He built an inventory of web applications using Qualys WAS on various departments, scanned for vulnerabilities, prioritized those vulnerabilities, and then remedied them. Zimmer is currently formalizing their web application security program, which he hopes to complete soon.

Recently, a department at NAU approached Zimmer because an IT admin was experiencing challenges managing their systems, including proactive vulnerability management. “We used Qualys to analyze their subnet and created a vulnerability management reporting structure for them,” says Zimmer. Qualys VM was so successful at solving this departmental vulnerability management challenge that Zimmer is considering offering Qualys VM as a service to other departments at the university.

Zimmer explains that the initial scan data and the inventory not only provided the necessary insight to begin addressing system weaknesses, but helped to foster a more collaborative work environment among different IT teams and application owners. “It became less about finger-pointing and more about looking at what is wrong, what is going great, and what can be done even better,” he explains.

Mitigating the flaws that create the most risk

“There are many benefits to using Qualys. We now know where and what our critical assets are and manage them within Qualys,” he says. Building on this success, Zimmer plans to conduct more credentialed scanning, where the scanner is authenticated to the device. Credentialed scans provide insight into all of the remotely detectable vulnerabilities, as well as those that can actually be exploited remotely. Without authenticated assessments, remotely detectable flaws are the only flaws that are identified. “This way we can learn a lot more about the host. We won't be wasting time researching false positives. We will actually be focused on the most important risks,” he says.

Later this year, Zimmer will evaluate the potential deployment of Qualys Web Application Firewall (WAF). Qualys WAF could help the university to mitigate application vulnerabilities uncovered by Qualys WAS until the flaws in the application can be fixed with coding updates. Qualys WAF will also make it possible to block direct access to application servers, restrict transmission of sensitive types of content or files, as well as simplify regulatory compliance mandates and make web servers more resilient against distributed denial of service attacks.

In the end, it’s all about protecting the students’ as well as the university’s systems and data. And when it comes to those goals, Qualys has proven its value. “Everyone realizes that we have the same mission – to protect our data and systems – and Qualys helps with that mission by helping us quickly identify and address potential vulnerabilities, while fostering collaboration between our IT teams and ensuring the overall security posture of our systems,” he says.