Policy-based security and access control


In our case, we have about 1000 students in the dorms and the balance, about 2000+ or so, are commuters. People are going back and forth and some of these machines can become infected with malware when they're at home. They bring them on campus, and unknowingly put us at risk. They're not doing it on purpose. They're walking around with a machine that they're trying to get their class and school work done on, but those machines can have something that's trying to disrupt the operation of the school's network.

For a college, there is no distinction we can draw from a security point of view between things that come from the outside and things that are on the inside. We have to treat all of the devices as if they are untrusted. And that's a bit more of a severe environment than a typical organization would find.

Like all organizations, we have computer-use policies. But I think the analogy that is most apt for it is to take the example of what happens when people learn to drive. The average person knows that if they try to take a turn too tight, they are going to risk losing control of the car and possibly even flipping it if it's an SUV. Or if they are driving at a high speed on the highway, if they don't leave X-number of car lengths per 10 miles of speed, they won't have enough distance to stop, and if they slam on the brakes they could rear-end someone.