Boston University’s Yes Man

By working in harmony with Boston University’s business leaders, Quinn Shamblin developed two systems to protect the institution’s sensitive data—even after changing course mid-stream.

With many in security leadership operating with a posture of “no,” Quinn Shamblin is bucking the trend. Photo by Rebecca Shamblin

We’ve all heard the one about IT and compliance professionals really being experts at “business prevention.”

It’s a well-worn nugget rooted in a “trust us, we know better” mind-set that resulted in technically sophisticated solutions that often failed to accurately address the needs of an organization or end users. That is rapidly becoming a thing of the past as IT and security experts take a more holistic approach. They no longer consider only technological, regulatory, or legal issues, but also work cooperatively with organization leaders to find the best ways to support business goals and priorities.

Quinn Shamblin, Boston University’s executive director and information security officer, epitomizes this approach. He arrived at the school in 2010, just as CIO Tracy Schroeder was renovating the university’s IT organization by establishing new best practices and active governance. “I had similar plans for implementing information security best practices and international standards that would continue to build relationships with business leaders and better position us moving forward,” Shamblin says.

CASE STUDY: PREMIUM SECURE VM

The Challenge

Researchers’ work often requires compliance with federal requirements for protecting personally identifiable information. Boston University had a virtual system in place, but it wasn’t going to meet tightening regulations.

The Solution

Adopting Premium Secure VM, Shamblin leveraged the power of VMware and other tools to attain a higher service level. “In the virtual space, we can spin up a new server very quickly,” Shamblin says. “Because we’re designed to meet federal security requirements, we’ve already completed the extensive documentation they need for federal grant applications as part of that new server.” With the turnkey system, researchers can avoid the time and expense required to create their own secure networks. “I believe that for security to be effective, it must be convenient,” Shamblin says.

In 2012, a high profile opportunity to demonstrate his approach arrived: Shamblin faced a redesign of the school’s system for complying with payment-card industry (PCI) security requirements. With 9,000 faculty and staff; 35,000 students; and credit card transactions at campus stores, sporting events, and the fitness and recreation center, as well as alumni fund drives and radio membership drives, there were countless points at which the system could be vulnerable.

Additionally, the school handles a range of other sensitive information. This includes everything from class schedules, student social security numbers, financial aid details, and business strategy to highly controlled data related to the Health Insurance Portability and Accountability Act, the Financial Services Modernization Act of 1999, personally identifiable information, electronic health records, and other data protected by Massachusetts state statutes.

Portions of this data must be secured from any other system that can actively connect to the network on which it is held. That means protecting it from unauthorized access from Internet connections, but also from potential compromise from a variety of critical administrative services, such as credential and backup servers or other ancillary systems.

The decision was made to create a new service level for Boston University’s existing virtual server hosting environment. “Premium Secure VM” was standardized to meet a number of applicable security regulations as well as the needs of sensitive workloads throughout the enterprise. In addition to sequestering credit card transactions and reducing unauthorized access points, it would also be more cost-effective, efficient, and environmentally friendly by drastically reducing the number of physical servers.

“University business representatives were part of the process from the beginning,” Shamblin says. “They provided financial oversight, and we worked cooperatively to focus on achieving the intended business results.” The virtual system would lower acquisition costs per virtual machine by approximately $1,000, save an additional $1,000 in annual power costs per retired system, and create a simplified environment for reduced compliance burdens and costs.

Part of the cost-effectiveness of a standard virtual machine hosting environment comes from storage, processing, and some types of files and other system resources being shared among clients on a single hosting resource. This sharing is a potential vulnerability, since a flaw in any shared component can let an attacker on one client reach information belonging to another. Virtual firewalls, virtual application firewalls, and configuring the hypervisor to reserve memory exclusively for a system that is processing regulated data can all mitigate the risk, but each slightly reduces efficiency.

A new technological development entered the picture to provide an improved solution: Peer-to-Peer (P2P) encryption. This approach automatically encrypts credit card transaction data on the card swipe device itself as soon as a card is swiped. The credit card number never enters a computer or crosses the network unencrypted, and can only be decrypted by the credit card processor. Even Boston University administrators are unable to access it. In other words, nearly airtight security.

In other circumstances or in other organizations, discovering this new solution would have meant one of two things: forging ahead with the planned-for but second-best solution, or a financial debacle in which the funds for the original project were written off as “lost” and additional budget had to be approved for the new approach. Instead, the cooperative nature of the business-IT relationship enabled everyone to agree that revamping the redesign was the best course.

Shamblin admits that it was easy to agree on making the change to P2P; in the end, it is 70 percent more cost-effective than Premium Secure VM, it reduces the number of systems required to follow PCI data security standards from hundreds to two, and it has a much lower risk of hidden vulnerabilities. “Our business partners were there when we discovered the alternative approach and we did the analysis—in business terms—together,” Shamblin says. “So when it was all said and done, we could all agree to the advantages of changing approaches mid-stream.”

In addition to ultimately implementing a more robust and effective PCI security network, Shamblin and his partners recognized the value of maintaining the innovations that had been developed under the original plan. Not only has the Premium Secure VM service been implemented to protect the sensitive data handled by the university’s researchers and medical professionals, but it also has earned Boston University’s information services and technology department the 2015 CSO50 Security Innovation Award from CSO magazine.

Shamblin believes that the award and the ability to provide Boston University with two new innovative systems were facilitated by considering as many different perspectives as possible throughout the project. “Choosing the VM approach wasn’t even our first consideration,” he says. “But working with our business partners, we analyzed the situation and considered the core business needs and available technology on an equal footing. That put us in a much stronger position to leverage our expertise and the technology to give the university what it needed, plus a little extra.”