Maintaining Security for Always-On Services and Protecting Key Infrastructure Assets

By deploying Qualys Vulnerability Management, the University of Westminster has improved its security posture by prioritising the remediation of high-risk vulnerabilities. It has also saved time, resources and effort by delegating the scanning activities to system administrator asset owners.

Established in 1838 and gaining full University status in 1992, the University of Westminster has more than 20,000 undergraduate and postgraduate students in five faculties across four London campuses. Now celebrating its 175th anniversary, the University is building new global partnerships while remaining closely involved in business, professional and academic life in the UK’s capital city.

When the UK government introduced university tuition fees, it simultaneously turned its students into customers, empowering them to demand more from their educational institutions. In a competitive global marketplace for education, the University of Westminster must deliver high-quality services on a 24/7 basis during both term time and vacations.

Ashley Pereira, Network Security Officer for the University of Westminster, comments, “Our students are investing in their education, so naturally they have high expectations around service levels for the electronic resources we provide. As part of protecting data and keeping services running at all times, we recognised that we needed to take more of an enterprise stance on security.”

Agile and Holistic Approach to Security

The IT infrastructure at the University of Westminster plays an ever-growing role in both administration and teaching, which means that even short periods of downtime would be damaging to the institution’s finances and reputation alike.

“We need to be agile and proactive in addressing security vulnerabilities across our large infrastructure because we can’t afford to risk the negative publicity that a breach would undoubtedly cause,” says Pereira. “In the past, we had a fairly limited and piecemeal approach to monitoring and scanning our infrastructure. We were spending a lot of time checking for vulnerabilities, but we didn’t have the visibility to actually be sure that we were having a positive impact.”

The University decided to invest in a holistic and automated solution for vulnerability management, choosing Qualys Vulnerability Management (VM), which leverages the Qualys Cloud Platform.

“Qualys VM ticked all the boxes,” recalls Pereira. “It provides accurate scans with detailed recommendations for remediation, it doesn’t impact services, and it’s easy to set up and use. You don’t need an army of security experts to achieve great results with Qualys.”

He adds, “The speed of deployment for Qualys was also extremely impressive, and we could see the benefits in a matter of weeks. With our previous solution, we had been running for years without a clear idea of whether it was making any practical difference to our security posture.”

Raising Awareness of Vulnerabilities

Starting from an initial discovery scan, the University worked with business and technology owners for each key IT asset to address the highest-priority vulnerabilities and to set up regular, automated vulnerability scanning.

“Qualys VM gives us the visibility to understand what the threats and the risks are,” comments Pereira. “Security is an ongoing process – if we harden a service on day 10, a new threat may emerge on day 11 – and Qualys VM allows us easily to maintain a view of the risk profile for each asset.”

The University is using Qualys VM to run daily, weekly and ad-hoc vulnerability scans for approximately 700 servers running multiple operating systems, and for more than 4,000 staff and student workstations.

The Qualys solution provides detailed reports to technical teams, with recommendations on how to remediate any vulnerabilities that are identified. “Qualys VM is a valuable solution for raising awareness about IT security issues with the asset system administrator and business owners, as we all play a role in ensuring the security of the University assets,” says Pereira. “Without the evidence that Qualys VM provides, it would be very difficult to understand where we need to make improvements to our security posture.”

He adds, “The Qualys solution also helps senior management to understand the security risks we face, which in turn underlines the importance of the security management programme I run.”

Prioritising Resource Usage

As an education institution, the University of Westminster faces constant downward pressure on IT budgets. The high degree of automation provided by the Qualys solution makes it a good fit for the University, as does the ability to delegate tasks.

“With the Qualys solution, we have an excellent understanding of where we need to prioritise our resources, time and effort,” comments Pereira. “Limited resources are a key factor for us, so that’s a major help. Once you’ve configured Qualys VM, you can pretty much leave it to get on with the job.”

He adds, “At the outset, we wanted a resource for the technical asset owners that would allow them to take responsibility for securing their services. With Qualys VM, we can delegate scanning rights, and because the solution is very easy to pick up and start using, we don’t need to make allowance for training costs.”

Qualys VM is powered by the Qualys Cloud Platform and provided on an on-demand basis via any web browser, without any equipment to deploy or maintain. This eliminates the need for the University to make capital investments and adds to the flexibility of the solution.

A Crystal Ball for Spotting Vulnerabilities

With Qualys VM scanning almost 5,000 assets in its IT infrastructure, the University of Westminster has much better visibility of vulnerabilities and a clearer understanding of their potential impact on services. The security team can highlight issues and provide clear remediation advice to asset owners, helping them to resolve the vulnerabilities faster and with less effort.

“We have significantly reduced the number of vulnerabilities thanks to Qualys VM,” comments Pereira. “Asset owners can run their own scans without impact on service levels, use the remediation advice to fix the problems, and then scan again to check that the fixes have worked – all without directly involving the security team.”

The ability to delegate control over scans to the asset owners frees up the central security team and provides greater overall efficiency, saving time and effort for the University. It also means that the people who know each system best are responsible for maintaining security, which tends to translate into faster and more effective resolution.

Ashley Pereira concludes, “I think of Qualys VM as a crystal ball that offers visibility into every part of the infrastructure, and that provides concise, accurate and actionable information. It’s an invaluable tool that helps us organise our resources to reduce our security-risk profile.”