Prominent U.S. University Overcomes Network Access Challenges with Cloud NAC
The University of Denver is a leading private research institution in the United States with nearly 13,000 undergraduate and graduate students, and roughly 4,300 staff members. The university has a prestigious reputation, often ranking among the top 100 universities in the country, and is the oldest research institution in the Rocky Mountain Region of the U.S.
In late 2019, the University of Denver’s information security team, led by Marcelo Lew, went out in search of a network access control solution to help manage access to the institution’s guest network, as well as to its growing eduroam WiFi network roaming service. “Internally, we had an initiative to move our security stack to the cloud,” Lew said. “We’re really focused on bringing in solutions that are lightweight and don’t require an FTE to come in and manage them.”
Choosing Simplicity in Uncertain Times
As an existing HPE Aruba ClearPass customer, and having evaluated Cisco’s Identity Services Engine (ISE) NAC solution, Lew and his team felt that Portnox CLEAR had the potential to deliver the needed functionality without the heavy lifting required to stand up and maintain a traditional on-premise NAC. “Some of the legacy NAC solutions out there have a million knobs, making them complex to configure and difficult to troubleshoot. Most institutions like us don’t need all of that,” Lew continued.
Lew and his information security team set their sights on Portnox CLEAR NAC-as-a-Service, moving to a PoC in early 2020. The untimely rise of the Coronavirus pandemic in March of 2020 in the U.S. put a damper on the team’s initial efforts to test the platform. “COVID-19 forced the PoC to take a bit longer due to operational challenges, but in general, we really liked what we saw,” said Lew. “Portnox CLEAR really had the potential to get us where we wanted to be with regards to moving NAC to the cloud.”
Coverage for the Guest Network
Portnox CLEAR would eventually be rolled out in full across the university’s guest network, with full coverage up to 10,000 devices. “We have hundreds and even thousands of users on our guest network at any given time. We’ve had no issues and our network engineers have found Portnox CLEAR very easy to configure. The team particularly likes that there’s no on-prem component or need to upgrade servers on a regular basis,” Lew went on to say.
Starting with the guest network was a strategic decision. The university often hosts conferences and events with thousands of non-staff visiting for the day and needing wireless connectivity, making the guest WiFi network target number one for potential cyber threats. “We’re also situated in a populated neighborhood community in Denver. We’re fine with the community being able to utilize our WiFi, but we needed a mechanism to allow for this while keeping the university’s data safe,” said Lew. “After all, our motto here is A Private University Dedicated to the Public Good – that concept extends to our network as well.”
Expanding to Eduroam & Beyond
As Lew and his team look ahead, they plan to extend CLEAR’s access control capabilities to the university’s eduroam wireless network used by staff, as well as to the many wired ports across the campus. “We have a few quiet periods during the year where network activity is low – typically in the summer, and about 3-4 weeks in December. We’re planning to tackle eduroam coverage with Portnox CLEAR in the fall of 2021, and the wired ports over the Christmas break,” said Lew.
The university’s move away from HPE Aruba ClearPass to Portnox’s cloud-delivered NAC-as-a-Service reflects a larger initiative within the institution that goes beyond cloud transformation. “The hard perimeter-based security approach doesn’t work anymore because devices are no longer limited to the university network,” Lew continued. “So, we cannot assume that everything inside the perimeter (or enterprise firewalls) is safe. We are working towards a zero trust but always verify environment, where users like campus guests are given the minimum possible access needed.”