Given the breadth and depth of the new similarity between corporations and higher education, Kenney says, it's no wonder corporate IT leaders are increasingly looking at universities for best practices when it comes to managing security in a complex environment.
IT leaders in higher education are developing security best practices that involve multilayered approaches that combine technology-based defenses, data management policies and user education to protect internal information and resources from those who seek to do harm.
"At first, it was all about what the technology can do, so we had things like firewalls. But now it comes down to high-level governance and risk management," says Rodney J. Petersen, senior government relations officer at EDUCAUSE, a nonprofit that promotes the use of IT to advance higher education.
Like their counterparts in corporate America, leading IT security officials in higher education are thinking beyond their department walls in a search for solutions. They're elevating security to the executive level of risk management, where they can assess risk, assign differing levels of security access, and develop user policies that work with the technology-based safeguards they deploy.
Jinx P. Walton, director of computing services and systems development at the University of Pittsburgh, sums up her approach by saying, "It's always going to be a combination of various tools, processes and education. It's layered security models."
At Pitt, Walton deploys a number of technologies and sets policies that are standard in IT security. For example, she uses intrusion-detection and antivirus tools. But she has also implemented more advanced strategies to keep university data and infrastructure safe.
One she calls "zones of trust." Starting in 2007, Walton and her staff started looking department by department, unit by unit, at what work was done by whom. IT first determines what kind of information is required for the work conducted in each zone and then sets up networks and firewalls that ensure that workers can access only the information they need.
Depending on the job, access requirements and the sensitivity of the material, some of a worker's data may be stored on servers while other information is kept on a workstation.
The zones also protect employees' own work, Walton says. "These firewalls work in a two-way fashion: protecting the user from accessing information that he doesn't need to have access to, and supplying the required level of security for the work that the individual does," she explains.