Boston College converts chapel into secure data center

Boston College's IT department has gotten absolutely religious about securing data three years after a big breach made [[xref:http://www.networkworld.com/news/2007/091007-boston-college-data-breach-recover.html|headlines|How Boston data center resides inside a former chapel on land acquired from the Catholic Archdiocese.

Boston College in 2005 suffered a data breach of a departmental server that had stored on it the records of tens of thousands of college alumni, a searing episode that left a "never again" feeling among school administrators and IT staff. When the school decided to build a new data center two years ago, the opportunity arose to start from scratch to develop a more secure IT environment.

The 2005 breach, which exploited a rogue server, called into question whether the school should continue allowing academic departments to set up servers pretty much as they wished in the de-centralized manner so common in campus settings.

What transpired is that Boston College decided to centralize the majority of its departmental servers in the new facility with more physical security than could be found in the surrounding academic buildings and began implementing stricter security policies, including requiring VPN access.

"There was a strong push from upper management to centralize data to minimize the risk," says Joe Harrington, Boston College's director of network services. "By instituting all this policy change and VPN protection, we've made it less likely this would happen again."

Today the new data center -- which still keeps the old stained glass windows from its days as a chapel -- houses two rows of Cisco Catalyst 6513 switches for redundancy, says Tom Borel, senior network engineer at Boston College.

The back-up system resides where the altar had been. About 75 departmental servers are kept in a physically locked room; about a third of them are virtualized IBM machines running VMware software. IBM also consulted on the data center, which took two years to finish and is double the size of Boston College's previous data center.

A Cisco ASA firewall stands guard at the network entry, while a Nortel VPN server does duty requiring students and faculty who are allowed access to the servers to authenticate via VPN.

For any servers that remain at departmental sites across the Boston College campus locations, they are regularly audited and a firewall-based DMZ was constructed for each of them, Borel says. Boston College has also deployed Enterasys Networks' Matrix N-Series switches at three campus locations for identity-based authentication of devices.

So far, Boston College has avoided a repeat of its data breach fiasco. While there are no absolute guarantees in security, there's a cultural change that has the IT group exerting greater oversight on network-related activities in departmental groups at Boston College in risk management.