Like his counterparts at many universities, Bill Jiminez, systems architect at the University of the Pacific, has to balance security with the desire of faculty and students for openness. How he did that while rolling out NAC and password-management systems provides some key lessons for dealing with reluctant users.
University networks are notoriously open and accessible. Why did you want to implement a password management system?
We were using Novell, along with some NT and Unix systems, and to go along with that, 10 different AAA stores. You can imagine the complexity with that model. So we collapsed everything into Active Directory about five years ago and had one directory. I started [forcing users to] log on across campus, to streamline everything, using one username and password. We tried to do 24/7 services, but account lockout became an issue. It introduced a whole new set of problems for us.
Was there much resistance from the students, faculty and other users?
Not a lot; we did it as painlessly as we could. The good thing was that the application integration was really good with what we already had installed. We quickly got a high rate of adoption, and I think we have 1,300 users enrolled now. The key was that it was easy for the users and for us. We didn't need a separate database. Everything is stored in our LDAP directory and the users can do password resets themselves.
How do you handle the problem of access control, which can be tricky on a large, diverse network?
It is tough. We have a large user base, and that makes it extremely difficult. But we've had a NAC system working for two or three years now. We were doing it for wireless already, with 802.1x for wireless authentication. Getting everyone on board was tricky. Things like academic freedom are very important in university settings, and some parts of the university were not very comfortable with it. It takes away the anonymous access to the network.
We had lots of discussions with the students and faculty about it. But the integration on the wired network was fairly transparent. And so we released it and we had a thousand users within a month, without any notifications about it. I started broadcasting it to more lists on campus and adoption has kept growing. Working with the user base ahead of time was really important in the whole process. It wouldn't have worked otherwise.
Would that same strategy apply in an enterprise?
I think so. With anything like this that changes the way people work or access their resources, you have to be sensitive to their concerns and the ways it affects them. Talking to the users was key for us and it shouldn't be any different anywhere else. Let them know what you're doing and why and it should go better.
Read the full interview with Bill Jiminez at searchsecurity.com.