The University of Texas at Austin (UT Austin)
Higher Education
1,000+
USA
Cam Beasley, CISO
The University of Texas at Austin (UT Austin) is one of the largest public universities in the United States. Founded in 1883, the university began with a single building, eight teachers, two departments, and 221 students.
Today, UT Austin is on a 350-acre main campus with 21,000 faculty and staff, 195 departments, 16 colleges and schools, and nearly 52,000 students in 2021. Over time, the campus’ scale quickly became a unique challenge for the information security office (ISO).
Cam Beasley, UT Austin Chief Information Security Officer (CISO), along with the broader ISO team are tasked with managing one of the largest and most complex information security programs in the country. Today, some of the challenges they face include:
It’s not the most exciting thing–inventory–but if you look at any security compliance framework, inventory is the basic table stakes for everything. If you don’t know what you have, you don’t know what to protect.
Evolving and automating IT asset management and vulnerability management is tricky, and on the spectrum of risk management activities, it falls on the mature end. At UT Austin, “we focus on inventory. We try to inventory everything, either connected to the network or running different supplicants that our campus deploys to an asset,” says Beasley
Once UT Austin’s inventory was in place, it became clear it would be robust–and dynamic. With over 150,000 devices, UT ages out and replaces roughly 1200 devices a month, meaning it must keep a rolling inventory at any given time.
When it comes to IT assets, universities like UT Austin typically deal with a number of different categories: end user devices, servers, network management devices, classroom management devices, projectors, printers, phones, clocks, and everything else connected to the network. Add in the IoT devices present in medical environments–infusion pumps, heart rate monitors, etc.–and suddenly, there are seemingly endless assets to inventory.
While it’s possible for users to collect any kind of information about IT assets, users most often collect information about the asset’s data classification (i.e., what kind of data is housed on the device).
At UT Austin, they cast a broad net to try to fingerprint those devices based on the manufacturer’s details–but oftentimes, it’s not always clear as to what each device actually is. In many cases, this requires additional analysis and folding in metadata from other sources to make a better determination of what each device is.
For some campuses, IT asset inventory is difficult because they don’t have access to good, clean metadata to further enrich the process.
At the same time, as UT performs different vulnerability management activities–vulnerability scanning, pen testing, and more–they need to directly correlate that vulnerability process with their inventory to get a better idea of how well their units on campus are reflecting on the task at hand.
These challenges and more required a multifaceted, flexible solution that was scalable enough to accommodate the large, federate and heavily regulated nature of the university.
“Isora GRC’s inventory capability is really important to us,” says Beasley. Using Isora GRC from SaltyCloud to organize and enrich their IT asset inventory, Beasley and his team can:
IT asset management takes a lot of legwork, but you start to reach a steady state. At a certain point, it becomes pretty well automated.
Isora GRC integrates with asset discovery tools to import inventories and assign them to people or units in the organization. Through this process–and by leveraging Isora’s Assessment Engine–UT can further enrich their asset inventories by collecting data that only the owners or manager of the asset would know.
Although UT’s risk management program is mature, they had to start somewhere. “Start small,” Beasley recommends, “focus on what you can manage.” For most campuses, this means their endpoints–laptops, desktops, servers, printer fleets, and any other systems they can lay their hands on and physically deploy.
When it comes to other bundles of devices, it can get more challenging. For example, phone services that are fully managed by a telecommunications group “Attack it in different groups,” says Beasley, “go directly to management groups for more details about your assets.”
While this type of approach works, it’s ultimately part of a larger maturation process. It might be easy to assume that we live in a world where there’s a tool that can do most of these things for you–but that’s just not possible. In a large environment, there’s always a human component. You have to ask people.
Once you have those relationships developed, you can get access to consoles or tools and create an API connection to extract data directly for automation.
Before Isora GRC, asset inventory was stored in a variety of ways including spreadsheets, CMDB tools, and other databases some of which included dated, incorrect or missing data.
After Isora GRC, UT Austin was able to successfully inventory, manage and secure over 150,000 IT assets. Additionally, with Isora GRC, Beasley and his team were able to:
With years of risk information, Isora GRC provides UT Austin and the ISO with a wealth of information that helps measure and inform the mitigation of information security risk across the organization as well as demonstrate continuous improvement of their overall security posture.
Isora has transformed the way UT and the ISO view and understand risk. I’m not sure where the university would stand without it.
A prestigious academic medical center optimizes their third-party security risk management program with Isora
Virginia Tech matures their campus-wide security posture with the CIS Critical Security Controls and Isora GRC
How the University of Chicago Automates Enterprise-Wide NIST CSF Assessments & Risk Analysis with Isora GRC GRC