Policy-based security and access control

05.04.2011

Yes. It is driving a different approach to how we're looking at IT security on the network side. We've actually made an abortive attempt to try and use agent-based approaches to deal with network access and security. It turns out it wasn't very viable. It looked good when we originally started it, but the diversity of devices meant that you couldn't get agents for all devices, and the students were fairly resistant to having an institutionally installed piece of software on their machines. It didn't always work properly, so it created a fairly large helpdesk situation. It drove us to step back and go at it from a totally different direction.

We're convinced at this point, until something changes our mind, that doing it from a policy-based point of view is the better solution. What we're finding is that if you can come up with the method that will help increase a level of security for the users and the applications and your data center that's as transparent as possible, that essentially looks at the traffic and tries to do behavioral analysis on it, and is able to bind to that. I'm not talking about like in the old days when people would look at ports and protocols and do something fairly static, but instead look at it from the application layer and bind it to user IDs.

Let's use YouTube as an example. YouTube is used by many of the students and it takes up a great deal of bandwidth. But it also might be used by a faculty member who needs to show it in the classroom. What if they are unable to use it because 500 students in public labs are gathered around campus and are actively on YouTube and using other social material that's not directly related to their classroom? What we want to be able to do is watch traffic that's gone by, realize this is YouTube traffic, and also associate it with the user IDs you know belong to a faculty member. We want to be able to provide priority access to this particular stream and ensure that the academic use gets through.

On the other hand, while that's being done, we're going to constrain the amount of bandwidth that's being used for recreational purposes. Ideally, you want to be able to step back and say we're going to do this on a temporal basis, because during the time when we are running class, we care about the fact that our priority is to make the classrooms usable. But once we don't have any more classes in session, we don't need to prioritize it anymore for instructional use. There is no reason at that point not to make the full bandwidth available to the students.
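The policy described in the interview (application identified at layer 7, bound to a user ID, applied only while classes are in session) can be sketched as a small decision function. This is an added example, not code from the interviewee or any product; the role table, class hours, the 500 kbps cap and all names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Assumed class hours (constructed): weekdays, 08:00 to 17:00.
CLASS_START, CLASS_END = time(8, 0), time(17, 0)
# Constructed user-ID-to-role binding; a real deployment would ask the directory.
ROLES = {"jdoe": "faculty", "s1234": "student"}
# Applications the policy shapes while classes are in session.
SHAPED_APPS = {"youtube"}
STUDENT_CAP_KBPS = 500  # assumed cap for non-instructional use

@dataclass(frozen=True)
class Flow:
    app: str                 # application identified at layer 7
    user_id: Optional[str]   # None when the flow could not be bound to a user
    when: datetime

@dataclass(frozen=True)
class Decision:
    queue: str                  # "priority" or "best-effort"
    limit_kbps: Optional[int]   # None means no cap

def in_class_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and CLASS_START <= ts.time() < CLASS_END

def decide(flow: Flow) -> Decision:
    # Temporal condition first: outside class hours nothing is shaped.
    if flow.app not in SHAPED_APPS or not in_class_hours(flow.when):
        return Decision("best-effort", None)
    role = ROLES.get(flow.user_id or "", "unknown")
    if role == "faculty":
        # Same application, but bound to a faculty ID: instructional use.
        return Decision("priority", None)
    # Students and flows with no user binding get the constrained class,
    # so an unidentified device cannot bypass the cap.
    return Decision("best-effort", STUDENT_CAP_KBPS)
```

Treating unbound flows like student traffic is a design choice of this sketch: it keeps a device that never authenticated from receiving better service than an identified student.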