Sasha Calden faces unique security challenges as the IT Manager in one of Duke University's largest academic departments. Here she discusses data management, career development, and the challenge of securing legacy devices.

Kelly Sheridan, Staff Editor, Dark Reading

August 11, 2016


As an IT manager for one of the nation's major research universities, Sasha Calden faces challenges many tech professionals rarely encounter.

Calden oversees IT for the biology and evolutionary anthropology departments in Duke's Trinity College of Arts and Sciences. Her responsibilities span all aspects of IT and she handles them with a team of two full-time staff and nine part-time graduate and undergraduate students.

Together, the team runs everything from server management to its internal help desk. Aspects of IT outside the team's control include email, network infrastructure and the wireless network, which fall to the university's Office of Information Technology Services.


With 58 faculty and more than 350 staff to support, Calden's division is among the largest at Duke and one of several within the arts and sciences. All of the university's individual colleges have separate IT departments.

Each of these divisions can choose how to deliver IT services within their unique environments, so long as they adhere to university guidelines. The policies for Calden's department are decided within the Biology Computing Committee, which is composed of a faculty-appointed chair, staff, and graduate students.

Calden does not dictate these policies; rather, she ensures departmental procedures are addressed. Her primary focus is enabling researchers to do their work while protecting the sensitive information they gather on a daily basis.

"From an IT perspective, our goal is to support research, teaching, and learning, and we try to do our best and to promote innovation and research within reason," Calden said in an interview with InformationWeek. "In support of those things, we need to put security risk at the highest level."

Risk Management

Data security and management rank among Calden's top concerns. She works closely with Richard Biever, Duke CISO and director of identity management, to ensure all HIPAA and FERPA requirements are met -- a key concern when housing data and working with staff in the school of medicine.

"Working with faculty and the security offices to ensure we are meeting these requirements is pretty much our top priority," she said, noting how her team coordinates with a team of eight to ten administrative staff to implement data management plans.

To minimize risk, the department ensures sensitive information is properly stored and provides the correct tools so researchers can work without compromising security. Duke's security office is also broadening its footprint across campus and will alert Calden to risks of low, medium, or high priority.

If a breach occurs, the team has to weigh options for allowing researchers to work while preventing a repeat attack. For example, Calden is in the process of moving a server with an open-ended connection to a more secure environment. This prevents compromises that had occurred in the old setup, but changes how outside collaborators will connect.

Risk mitigation is tough in a large department with older equipment. Calden explained the challenges of staying current with technology and keeping devices secure. Oftentimes, risk heightens and becomes nearly impossible to mitigate, especially when older devices aren't compatible with new software.

As an example, she alludes to the challenges of modernizing Duke's growth chamber centers, which were built between the 1950s and 1990s. All are hardwired through the network and attached to three different Windows XP machines that required upgrades.

The problem? To upgrade all of the machines would cost $8,700 per chamber -- a total of $870,000.

Calden worked for two years to come up with a solution. Instead of upgrading each chamber, she had a custom box built that could run the existing monitors for each chamber for a total cost of $4,200.

While her solution can be upgraded, and will last six to eight years, older equipment is a problem in academia as departments struggle to keep machines functional and secure. If those systems had died before they were fixed, it would have cost a fortune in time, research, and grant funds.

"It's not that the equipment isn't useful, it's a matter of technology superseding it," Calden explained.

Keeping up With Change

To stay current on new technologies for her department, Calden sets aside about four hours each week to read about the latest advancements in tech.

The hottest trends on her radar currently include cloud storage, server infrastructure, and web hosting. She's also interested in anything related to bioinformatics and Mac products. Some 80% of her department uses Macs, though some use Linux and Windows machines.

Calden is currently pursuing her bachelor's degree in information systems management at East Carolina University. Following this, she aspires to earn her master's degree and move up within the ranks at Duke, but acknowledges this will greatly affect the nature of her work.

"As you move into higher-level IT positions, you become less hands-on, which is sad in some ways," she said. "But it's why I'm getting my master's in the next four to five years, hoping to become a dean."

New Projects

In the meantime, one of Calden's current projects involves transitioning her department to Dropbox. Duke currently uses Box and Microsoft OneDrive on campus; however, Calden has been seeking an alternate cloud-based solution.

The department SAN is approaching its end of life, and faculty and staff in the Mac-intensive environment have been voicing preferences for Dropbox. The service has a larger footprint and a longer history and, Calden noted, is also pushing to enter the education market.

The pilot phase of the Dropbox integration started with 100 licenses. Now Calden is planning a larger pilot of more than 1,000 users because of a need to test the product with a larger pool.

"It's in its very infantile stages," she said of the pilot phase. Right now the biggest challenge is a lack of feedback, as Duke's faculty and staff aren't around much during the summer. As the academic season approaches, she hopes to gather more feedback and move forward with the pilot process.

About the Author(s)

Kelly Sheridan

Staff Editor, Dark Reading

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.
