In addition, the UTS network has to handle between 30,000 and 40,000 full- or part-time students accessing the network. On an average day the campus wireless will handle 30,000 connections.
This means the network must be robust and handle scale such as at exam time or during enrolments. Similarly, the IT team could not afford the downtime required to manually configure the firewalls each time an application was patched or rolled out.
Salameh explained that before addressing the problem at a macro level, the two parties worked on a single web-facing application on which the university had sensitive information.
“It was an application which we thought would potentially be the first target of an exploit,” he said.
Airloom and UTS then spent time working through the application itself and developed a design for how the company would build security around it. This design then became a repeatable set of templates that could be used for other applications.
In addition, UTS chose to add a threat intelligence subscription service to the F5 capability, which gives the university IT team access to additional information on potential threats.
“Steve identified an area where they had a product capability that wasn’t leveraged. It is about leveraging what they have bought to get a much better return on investment from the assets they have purchased,” Salameh said.
“In the new world of breach notification, the first question the government is going to ask is what steps have you taken to make sure your data is as secure as possible,” he said.
For McEwan and his team, the most important part of the project was trying to find a balance between securing the environment and maintaining usability, so that when an update or patch is required, it does not shut down the application.
“You need to find a balance between protection of data and allowing developers to make changes as they need to,” he said.
“It is almost like it is set, and the policy will now do its thing but we don’t have to make changes every day. That is why we brought in Airloom because they have that expertise, whereas my guys might have been trying to work it out and would have deployed something that requires every day to make a little change here or there.”
For Salameh, the F5 technology is often misunderstood by customers and partners alike.
“It is complex technology and because it is complex, it can be configured in a way that is extremely complex,” he explained. “If you are a large tier 1 financial services provider and you have a team of people dedicated to this, it’s fantastic.
“For the rest of us, that level of change intensity is not sustainable, you can’t keep reconfiguring this thing every five minutes. It becomes costly, things break, the user experience is poor and it is just not a great position to be in. Unless you have dedicated 24/7 people, it is not workable.”
“Where we came at it from an Airloom perspective was, we could do that, but we don’t recommend it,” he said.
From a risk perspective, McEwan said the department feels safer because it added as much capability as the team felt was reasonable without impacting the ability of the organisation to roll out new projects.
“From a reputation point of view, that’s a big thing, if we have a breach students may decide to go to another university,” he said. “We feel more confident having done this project and one of the other benefits is that we have been able to upskill our internal pool of people.
“The great thing was that Airloom has come in and said let’s work together and share the knowledge rather than coming in and taking over,” he added.