What University IT Can Learn From the Enterprise
Striking a balance between an open yet secure network remains a challenge for university IT departments. While universities are often on the cutting edge of innovation, they face complications when it comes to enforcing IT policies. In some cases, this has led to staggering data breaches.
For example, the University of California at Berkeley faced a horrifying situation last year when overseas hackers gained access to data on tens of thousands of people who had received health care from the university. The victims' medical information and Social Security numbers were exposed in the breach, which lasted from October 2008 to April 2009. The University of Florida faced a similar breach last year. While security protocols like requiring two-factor authentication for network access could prevent breaches, enforcement and implementation challenges abound.
While it's unrealistic and unwarranted for universities to be held to the same standards as an enterprise, there are best practices that institutions can incorporate to strengthen their security.
Corporate environments are typically controlled with binding employment contracts, allowing IT administrators to set basic security policies that all employees are required to obey. Universities, however, juggle far more complicated scenarios. Within academia, "employees" range from students and faculty to staff, visiting professors and students, and researchers. While the university administrative staff remains relatively stable, the teaching and student body are in much more flux. Not only does the regular student body churn several times a year, visiting professors and exchange students are also provisioned on and off the university network regularly. Traditionally, universities have handled this fluctuation by maintaining relatively open networks.
But as universities realize how detrimental data breaches can be, most are limiting free access to their networks and are taking a far more structured approach to securing data.
With the explosive success and continued growth of the smart phone market, universities suddenly have to manage more devices than they imagined. In some cases, devices are emerging before universities even figure out how to re-jigger the IT policy to accommodate the new gadgets. For example, earlier this year, several universities' IT administrators panicked over incorporating Apple's iPad on campus networks.
George Washington University (D.C.) doesn't allow students to access its wireless network using an iPad because the device cannot pass the university's security standards. The school is plugging away at a solution by installing a virtual private network (VPN) for secure access. In April, Princeton blocked about 20 percent of iPads on its network after detecting malfunctions, with repeated malfunctions potentially impacting the entire university's systems. Cornell (N.Y.) also has encountered networking and connectivity snafus related to the iPad.
While the schools were working to mitigate these issues, the problem remains that universities are often overwhelmed and frustrated by new wireless technologies. It's rare for schools to outright ban devices. Yet, in these examples, universities acted more like an enterprise organization than a traditional academic institution. While it's unlikely that iPads - or any new device - will be banned forever from university networks, we will see more regulation of new devices as schools trade flexibility for security.
Universities most resemble corporations when it comes to intellectual property. For a major research institution, proprietary information is as crucial for long-term viability as patents are to corporations. With research, universities garner recognition, awards, prestige, and funding - and a breach in this area could threaten all of these critical elements. In addition to securing this information, universities have to keep the content accessible by professors, researchers, students, and techs.
Further, it's now common for professors to post quizzes, grades, homework assignments, tests, and lecture notes online. But this information has to be protected so that authorized students can gain access, while others, such as students not enrolled in the course, cannot. In fact, many professors even prefer their current students not be allowed to download and distribute the content, as quizzes and tests are often highly coveted "black market" materials on campuses.
The best way for universities to handle network breaches is to implement a well-thought-out system of network access control and identity management. Universities are currently mostly reactive in their policies, often implementing protocols only after a major breach or threat. But to truly protect against threats, IT departments must take steps to stop breaches before they happen.
Traditional network perimeter controls are no longer a viable solution because, simply, they don't really exist anymore. Universities should be segmented into security zones, with some departments having relatively free and open access and others being tightly enforced. University faculty, staff, and students should also be provisioned onto the network differently, so that the level of access granted matches each person's role inside the university. Further, visiting professors and students should be provisioned separately to ensure their access is discontinued upon their departure.
Requiring devices that access the university network to be registered would also help IT departments maintain control and visibility over what's going on with the network. Whether this is practical for very large universities hinges on the resources a school is willing to pour into IT enforcement, but registration doesn't have to be an overwhelming process: universities can handle it through online forms or fold it into a student's regular initial network setup.
IT regulation can also be improved through closer collaboration between university IT departments and the school registrar. Currently, idle e-mail addresses or log-ins belonging to students who have graduated or visiting professors who have since departed can remain active for months or semesters before they are deprovisioned, providing an easy way for hackers to slip into the network.
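As an added illustration of the role-based provisioning and registrar-driven deprovisioning described in the two preceding paragraphs (example code, not from the article or from NCP engineering): the registrar roster and directory feeds, the zone names and the `reconcile` function are all assumed for this example.

```python
from datetime import date

# Role -> network security zone. Zone names are hypothetical.
ZONE_BY_ROLE = {
    "student": "student-access",
    "faculty": "research",
    "staff": "admin",
    "visitor": "guest",  # visitors are kept out of research and admin zones
}

def reconcile(roster, accounts, today):
    """Compare the registrar roster with active directory accounts.

    roster:   {login: {"role": str, "end": date or None}} from the registrar
    accounts: set of logins currently active in the identity directory
    Returns (disable, zones): logins to deprovision, and the zone each
    remaining login is provisioned into.
    """
    disable, zones = [], {}
    for login in sorted(accounts):
        rec = roster.get(login)
        if rec is None:
            # No current affiliation (e.g. graduated): account is stale.
            disable.append(login)
        elif rec["end"] is not None and rec["end"] < today:
            # Time-bounded affiliation (visitor, contract) has ended.
            disable.append(login)
        else:
            zones[login] = ZONE_BY_ROLE[rec["role"]]
    return disable, zones

# Constructed sample feeds: a registrar roster and the directory's active logins.
ROSTER = {
    "alice": {"role": "faculty", "end": None},
    "bob":   {"role": "student", "end": date(2011, 6, 30)},
    "carol": {"role": "visitor", "end": date(2010, 5, 15)},  # stay is over
    "dave":  {"role": "staff",   "end": None},
}
ACCOUNTS = {"alice", "bob", "carol", "dave", "erin"}  # erin: graduated, no roster entry
TODAY = date(2010, 9, 1)

def run_example():
    """Run the reconciliation over the constructed sample feeds."""
    return reconcile(ROSTER, ACCOUNTS, TODAY)

if __name__ == "__main__":
    off, zones = run_example()
    print("deprovision:", off)
    print("zones:", zones)
```

Run on a schedule against the real feeds, the `disable` list is what gets fed to account deprovisioning, and the `zones` map is what network access control consults when a login is provisioned.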
Implementing security protocols similar to the enterprise's is an ambitious order for universities - and far beyond what's necessary. But as legislative pressure forces schools to be increasingly protective of data and as the costs of data breaches escalate, there may be more parallels than differences between universities and enterprises.
H. Peter Felgentreff is president and CEO of NCP engineering Inc., based in the San Francisco Bay Area.