Protecting the Privacy of Information and Network Integrity

How The University of Texas at Austin is implementing centralized management of network vulnerability scanning while maintaining appropriate segregation and access controls

The Problem 

The Information Security Office (ISO) for The University of Texas at Austin is ultimately responsible for protecting sensitive data on the network.  The administration of the network, however, is highly decentralized: hundreds of technical contacts are spread out over fifteen colleges and schools; hundreds of research units; and dozens of academic and administrative departments.  Typically, departments ask the ISO to scan their systems for them, which places a burden on the ISO’s small staff.  The ISO also lacks login accounts on most systems, which means that technical staff must either give the ISO temporary credentials, or the scan must be done without credentials, making it much less effective.

The ISO needed a way to allow technical staff to scan their own devices--and only their own devices--on the network, without compromising the ability of the ISO to view the resulting reports.

The Solution 

The university has implemented SAINTmanager as a federated vulnerability scanning tool.  Using a centralized authentication and authorization mechanism, technical staff members have the ability to log into the SAINTmanager system and scan only the networks for which they are responsible.

Feedback from the technical staff on campus has been positive, and several groups regularly scan their networks for vulnerabilities using scheduled scans.  The ISO uses the SAINT system as its primary network vulnerability tool for risk assessments, PCI compliance assessments, system profiling, and network-wide vulnerability sweeps.

SAINT did not do everything that we required from the start.  For instance, it did not support external authentication or authorization sources, and it did not have the concept of load-balancing nodes.   Our risk management team and developers worked closely with the vendor to implement these features over the course of many months, and continue to work with them to refine the product for our needs.  We have had success in getting features added by the vendor’s development team and their customer support has been responsive, with e-mail queries generally returned within one business day and fixes or workarounds for problems almost always available within one or two business days.