A history professor, for example, wouldn't need -- and therefore wouldn't access to -- servers that store confidential student data, such as financial aid records. "His firewall zone might not open to the secure sites that we have open to the university's own network," Walton explains, adding, "Nothing's wide open anymore."
Penn State: Adopt authentication and encryption
Other institutions of higher learning are creating similar high-tech partitions.
Pennsylvania State University, for example, has set up an ePay virtual work environment to handle payments made to the college by credit cards. Employees who handle credit card data must do that work in a virtual space partitioned off from other applications, explains Kathleen R. Kimball, senior director of security operations and services at Penn State.
Employees access the virtual ePay environment from their regular computers by simply hitting an onscreen icon. "It switches you into the environment where you can work [securely] with credit cards. The credit card information is segregated from other [data]," Kimball explains.
Penn State IT workers built the virtual network to support the ePay workstations two to three years ago to comply with Payment Card Industry Security Standards Council guidelines, but Kimball says she has seen more uses of this type of setup. "This might be something for regular computing for sensitive university data," she says.
But it doesn't end with virtualization. Like other institutions, Penn State is using multiple strategies to fend off threats. As part of that effort, the university is trying to expand its use of two-factor authentication as well as its use of encryption programs, Kimball says.
The school is also using data loss prevention technology, which enables IT to look for packets that contain sensitive data, such as Social Security numbers, as it flies by so workers can deal with any traffic that isn't legit. Penn State is also using scanning technology to search for sensitive data in places it shouldn't be.
Some users are resisting these measures, and that resistance sometimes crops up in surprising places. Kimball says. For example, some computer science researchers don't want encryption programs on their machines because they think such systems can hurt performance. Kimball maintains that the performance hit is minimal.
That kind of resistance isn't unusual at universities, says Ipswitch's Kenney, explaining that, when it comes to IT policies, faculty members may have sway that even senior executives in commercial corporations don't often have.
Georgia State: Focus on people, process and technology
Tammy Clark, chief information security officer at Georgia State University in Atlanta, says she has adopted a three-pronged approach: people, process and technology.
Sign up for CIO Asia eNewsletters.