Since its founding as a small, specialized college in 1884, Temple University has evolved into a premier institution for higher education. Comprising 17 schools and colleges offering hundreds of degree programs, Temple provides one of the most comprehensive and diverse learning environments in the U.S. Temple is the nation’s 38th-largest university and fifth largest provider of professional education, with more than 38,000 students and eight campuses, including in Rome and Tokyo.
As a large and diverse institution of higher learning, Temple University must provide open access to network assets while protecting private information and intellectual property. To do this in a continually evolving, technology-driven atmosphere, Temple looked to Palo Alto Networks® as a long-term partner. Central to this partnership is the technical account manager service, which provides the university with insights, information and support to help meet their current and emerging network security needs.
With Palo Alto Networks Next-Generation Security Platform and TAM service, Temple maintains complete visibility and more granular control over network traffic while providing students and faculty with safe access to the network resources they need for classroom instruction, research, communication and home-like residential lives. The TAM provides ongoing updates and recommendations on how to enhance the platform by implementing additional next-generation features. Additionally, the TAM serves as an internal advocate for support and provides access to technical experts. With the TAM’s guidance and the capabilities of the Next-Generation Security Platform, Temple can now catch and report illicit traffic activity, such as copyright infringement, as well as accelerate incident response.
Keeping the University Network Open and Secure
A modern university is often like a small city. With a student and staff population pushing 50,000, food service and retail operations, law enforcement, a power grid, transportation services, and a system of five hospitals, Temple University is a mini-metropolis bustling within Pennsylvania’s largest city, Philadelphia. Plus, like any community of higher learning, Temple relies on an extensive data network to enable communications, research, collaboration, healthcare, commerce and education.
Larry Brandolph, Temple’s chief information security officer, points out that Temple’s network infrastructure has a wide footprint, making it highly susceptible to cyberattacks. As a place of learning, however, the university network needs to be open for students, researchers and faculty to maximize educational opportunities and enjoy home-like residential lives. Temple faces a formidable challenge: enable broad access to network resources while protecting private and sensitive information, such as intellectual property, Social Security numbers and medical records.
“We need to create an environment that’s open and flexible, but super secure,” says Brandolph. “The reason why we moved off our old firewall to the Palo Alto Networks platform is because it’s next-generation, it’s scalable, and it reduces complexity. We also needed someone who’s looking down the road to see not only how to deal with current technology and security issues, but how to handle a future with things like wearables and other technologies no one has even thought of yet. Palo Alto Networks gives us that partnership and that vision.”
A key element of Temple’s partnership with Palo Alto Networks is the technical account manager service, part of Proactive Services.
Brandolph elaborates, “Having a TAM is a huge benefit. Our TAM understands our environment and what we’re doing today, as well as our future direction, where she helps with roadmapping. The TAM brings a ton of value outside the usual crisis management aspect of support. The core value is the proactive nature of the service, which is part of our partnership that I like so much.”
TAM Service Ensures a Successful Deployment
With the help of their TAM and a third-party reseller, Temple’s network services team deployed Palo Alto Networks Next-Generation Security Platform, including a PA-7050 next-generation firewall configured with Threat Prevention and URL Filtering.
Temple implemented the platform in two phases. First, the team deployed a high availability pair of PA-7050 next-generation firewalls to secure the residential life portion of Temple’s network, which supports the student population. Then, the team deployed a second pair in the core data center to protect academic and business services. Temple uses Panorama™ network security management for platform administration. Throughout the implementation, Temple engaged with the TAM to ensure a successful outcome.
Paul Smith, assistant director of network services for the university, recalls, “As questions came up about how to configure a particular feature, our TAM was right there to do the research and get back to us. We also opened a few tickets during implementation, and she was the first one to make sure someone in the TAC was assigned right away to expedite support. It’s great having an advocate on the inside who’s always looking out for us.”
He adds, “That relationship has continued now that we’re in production. We have a standing phone appointment every other week, along with a quarterly business review, to discuss anything we might need or to make us aware of updates coming from Palo Alto Networks. The nice thing is, we have constant contact. I don’t need to reach out to her; she reaches out to us. That’s something I haven’t had with other vendors – definitely a step up in service."
Greater Visibility With Less Complexity
A major advantage of moving to the Palo Alto Networks platform has been reduced complexity. Previously, Temple had multiple virtual firewalls, each providing a different service. Other vendors provided separate solutions for intrusion prevention and web filtering, each with its own set of rules and configuration requirements. Now, Temple is consolidated on the Next-Generation Security Platform.
Smith explains, “Instead of three virtual systems with three separate routing tables, we have a single Palo Alto Networks platform and just use zones to segment traffic. We had 800-plus rules from our previous environment that we reduced down to about 600. From an engineering perspective, this simplification makes day-to-day support much easier.”
Application awareness is another significant advantage of the Palo Alto Networks platform. Temple’s previous firewalls used traditional port-based rules to control traffic. Without application-level insight, inappropriate traffic could traverse the network or pass through ports it should not. App-ID™ technology enables the network services team to see exactly what’s on their network and whether it belongs there.
“It was eye-opening to see how many applications we run,” Smith remarks. “Until we implemented the Palo Alto Networks platform with App-ID, we didn’t even know certain applications were on our network. You always want to know what’s running on your network, so the increased visibility has been very useful.”
Among other things, Temple uses application insight to feed all traffic logs into a security information and event management, or SIEM, system. This helps the information security team track down illicit activity, such as copyright infringement – primarily students downloading or sharing copyrighted music or videos.
Adam Ferrero, Temple’s assistant vice president of network services, notes, “It used to take a lot of effort to pull together all the data to uncover copyright infringement. We had to map data from multiple systems, follow time stamps – there were many steps. With the Palo Alto Networks platform, we have the information in one central repository.”
Brandolph provides additional context: “In higher-ed, there’s a compliance requirement that we defend against copyright infringement. We block what we can, but if we get a notification from the RIAA [Recording Industry Association of America], we can use aggregated data from the Palo Alto Networks platform to map the violation to a specific user and send that person a letter. It puts them on notice and helps us enforce the rules about not sharing copyrighted material.”
Leveraging the TAM for Long-Term Strategic Planning
As Temple continues to evolve and enhance its network security posture, its TAM is strategically involved in the process. For example, the network services team is planning to implement User-ID™ technology to control network access based on user account information rather than IP address.
Smith comments, “User-ID will be a paradigm shift for us. It’s next-generation technology, and that’s where we want to head. We see it as the path to more effective incident response. But we need technical help to do it the right way for Temple University. Several times now, our TAM has connected us with experts at Palo Alto Networks to discuss how to implement User-ID. She’s our direct line to getting the information we need.”
Ferrero adds, “We’ve leveraged our TAM quite a bit to evaluate additional features we can enable on the Palo Alto Networks platform. She’s always been quick to get us the appropriate technical details and best practices, which helps us make decisions on where to take our network security strategy next.”
Time and again, the TAM has proven to be a valuable advocate for Temple, providing insights, information and updates from inside Palo Alto Networks that benefit the university’s network services and security teams.
“We were previously very reactive, always responding to an issue after the fact,” Smith notes. “I definitely have seen our focus change to a more proactive approach.”
“Without a TAM, we would have to rely on internal staff to do the research and figure out what we need,” Brandolph concludes. “It’s more resource-intensive and time-consuming, and inevitably you miss things that lead to gaps in security. By understanding our business and what we need from Palo Alto Networks, our TAM helps use the platform to its fullest capability. Network security is a critical investment for Temple University, and we want to get the most we can out of that investment. Our TAM is helping us do that.”