Background

The CSU recently completed a year-long process to select new state-of-the-art network-based security tools. Campus CIOs and other campus-based subject matter experts in information security and networking technology participated in activities related to the definition of CSU requirements, development of an RFP, evaluation of proposals, and selection of the best tools and services.

As a result of this process, Palo Alto Networks proved to offer the most comprehensive technology, the easiest administration, and the lowest total cost of ownership. The Palo Alto Networks Next-Generation Security Platform met all the CSU’s key objectives with a single platform, simplifying the total solution by working with just one vendor. When fully deployed, these PAN tools will be used to monitor our systems and networks to ensure the confidentiality, integrity, and availability of our constituents’ data, to protect the privacy of students and staff, and to reduce risk to the CSU. In total, the CSU will deploy over 100 firewalls in 30 locations in 18 months.

Benefits and Improvements

Higher education networks are an ever-increasing target of a variety of cybersecurity threats. Higher education targets include research databases, credit card numbers, and student transcript information. The new PAN firewalls offer significant security and monitoring benefits over prior installations. These benefits include the ability to view network traffic in much greater detail (also known as Deep Packet Inspection) and the ability to apply access policies based on users and applications.

The PAN firewalls will feature a robust ability to monitor the campus and system networks through the use of system and application monitoring tools.  Originally used primarily to monitor performance, these tools have evolved to include various types of information security and risk-mitigation functionality.  While they are indispensable components in the CSU’s ongoing efforts to secure the institution’s systems and information, they are used only in the context of our broader information security program and existing CSU information security policies adopted in 2015 by the Council of Presidents. 

Appropriate Deployment

Student and faculty privacy remains a key component of our academic environment, and as such, the PAN firewalls will be deployed and used in an appropriate manner. While these network monitoring tools are typically used to monitor system performance or detect atypical activities or patterns that might be indicative of security threats, information about internet traffic patterns (so-called meta-data) is collected by this system in order to protect the campus network. Access to this information is restricted to those technical staff who need access to the meta-data in order to protect campus resources. Meta-data is not released beyond technical staff and is destroyed when no longer needed for security analysis purposes. The actual contents of internet communications cannot be inspected by campus technicians and are only released to Palo Alto Networks for the limited use of analyzing whether they contain malware that can attack campus resources, and then destroyed. In all instances, these activities are properly supervised and are conducted in accordance with CSU acceptable use and confidentiality policies.