Striking a balance between an open yet secure network remains a challenge for information technology (IT) departments. Although education institutions often are on the cutting edge of innovation, they face complications when it comes to enforcing IT policies. In some cases, this has led to staggering data breaches.
For example, last year, the University of California at Berkeley faced a horrifying situation when overseas hackers gained access to data on tens of thousands of people who had received health care from the university. The victims’ medical information and Social Security numbers were exposed in the breach that lasted from October 2008 to April 2009. The University of Florida faced a similar breach last year. Although security protocols, such as requiring two-factor authentication for network access, could prevent breaches, enforcement challenges abound.
It’s unrealistic and unwarranted for education institutions to be held to the same standard as large private corporations, but schools can incorporate best practices to strengthen their security.
Different worlds
Corporate environments typically are controlled with binding employment contracts, enabling IT administrators to set basic security policies that all employees are required to obey. Education institutions, especially colleges and universities, juggle far more complicated scenarios. Within academia, "employees" include students, faculty, staff, visiting professors/students and researchers. Although the administrative staff remains relatively stable, the teaching staff and student body are in far greater flux. The regular student body churns several times a year, and visiting professors and exchange students are on and off the network regularly. Traditionally, universities have handled this fluctuation by maintaining relatively open networks.
But as institutions realize how detrimental data breaches can be, most are limiting free access to their networks and are taking a far more structured approach to securing data.
Device management
With the explosive success and continued growth of the smart-phone market, institutions suddenly have to manage more devices than they imagined. In some cases, devices are emerging before schools even figure out how to reconfigure the IT policy to accommodate the new gadgets. For example, in 2010, several university IT administrators panicked over incorporating the Apple iPad on campus networks.
George Washington University doesn’t allow students to access its wireless network using an iPad because the device cannot pass the university’s security standards. The school is plugging away at a solution, installing a virtual private network (VPN) for secure access. In addition, last April, Princeton University blocked about 20 percent of iPads on its network after detecting malfunctions that, if repeated, could potentially affect all of the university’s systems. Cornell University also has encountered networking and connectivity snafus related to the iPad.
Although schools are working to mitigate issues, the problem remains that universities often are overwhelmed and frustrated by new wireless technologies. It’s rare for schools to ban devices outright. Yet in these examples, universities acted more like an enterprise organization than a traditional academic institution. It’s unlikely that iPads, or any new device, will be banned forever from connecting to university networks, but we will see more regulation of new devices as schools forgo flexibility for security.
Convenience vs. security
Education institutions most resemble corporations when it comes to intellectual property. For a major research institution, proprietary information is as crucial for long-term viability as patents are to corporations. With research, some universities garner recognition, awards, prestige and funding—and a breach in this area could threaten all of these critical elements. In addition to securing this information, they have to keep the content accessible by professors, researchers, students and techs.
Further, it’s now common for professors to post quizzes, grades, homework assignments, tests and lecture notes online. This information has to be protected so that authorized students can gain access while others, such as students not enrolled in the course, cannot. In fact, many professors even prefer that their current students not be allowed to download and distribute the content, as quizzes and tests often are highly coveted "black market" materials on campuses.
Striking the balance
The best way for universities to handle network breaches is to establish a well-thought-out system of network access control and identity management. Universities currently are mostly reactive in their policies, often only developing protocols following a major breach or threat. But to truly protect against threats, IT departments must take steps to stop breaches before they happen.
Traditional network perimeter controls no longer are a viable solution because, simply, the perimeter doesn’t really exist anymore. Education institutions’ networks should be segmented into security zones, with some departments having relatively free and open access and others tightly controlled. Faculty, staff and students also should be provisioned differently onto the network so the level of access granted is appropriate for each person’s role inside the institution. Further, visiting professors and students should be provisioned separately to ensure their access is discontinued upon their departure.
Requiring devices that will access the network to be registered also would help IT departments maintain control and visibility of what’s going on with the network. Whether this is practical for very large universities hinges on the amount of resources a large school is willing to pour into IT enforcement. Still, registration doesn’t have to be an overwhelming process. Schools can do this through online forms or include it as part of a student’s regular initial network setup.
IT regulation also can be achieved by facilitating more collaboration between an institution’s IT departments and the school registrar. Currently, idle e-mail addresses or log-ins from students who have graduated or visiting professors who have departed can remain active for months before they are removed from the system, providing an easy way for hackers to slip into the network.
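The registrar reconciliation and role-based provisioning described above can be automated as a periodic check. The following is an added example, not part of the original article: it cross-references a directory export against a registrar export and lists enabled accounts that need review. The column names, status values and sample rows are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample exports; the column names are assumptions for this example.
REGISTRAR_CSV = """person_id,role,status,end_date
1001,student,enrolled,2011-05-20
1002,student,graduated,2010-05-21
1003,visitor,active,2010-08-31
1004,faculty,active,
1005,visitor,active,2011-06-30
"""
DIRECTORY_CSV = """username,person_id,role,enabled
asmith,1001,student,true
bjones,1002,student,true
cwu,1003,visitor,true
dlee,1004,faculty,true
egarcia,1005,faculty,true
oldlab,1999,staff,true
fkhan,1002,student,false
"""
INACTIVE = {"graduated", "departed", "withdrawn"}  # assumed registrar statuses

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def stale_accounts(directory, registrar, today):
    """Return (username, reason) for enabled accounts that need review."""
    by_id = {r["person_id"]: r for r in registrar}
    findings = []
    for acct in directory:
        if acct["enabled"] != "true":
            continue  # already deprovisioned
        user, rec = acct["username"], by_id.get(acct["person_id"])
        if rec is None:
            findings.append((user, "no registrar record"))
            continue
        end = date.fromisoformat(rec["end_date"]) if rec["end_date"] else None
        expired = end is not None and end < today
        if rec["status"] in INACTIVE or expired:
            idle = f", {(today - end).days} days past end date" if expired else ""
            findings.append((user, f"registrar status {rec['status']}{idle}"))
        elif acct["role"] != rec["role"]:  # access level should follow the role
            findings.append((user, f"role mismatch: directory={acct['role']}, registrar={rec['role']}"))
    return findings

if __name__ == "__main__":
    for user, reason in stale_accounts(load(DIRECTORY_CSV), load(REGISTRAR_CSV), date(2010, 12, 1)):
        print(f"{user}: {reason}")
```

The "days past end date" figure shows how long an account has stayed live after its owner left, which is the window the article warns about.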
Establishing stringent security protocols similar to private corporations is an ambitious order for education institutions—and far beyond what’s necessary. But as legislative pressures force schools to be increasingly protective of data and as the costs of data breaches escalate, there might be more parallels than differences between the two.
Felgentreff is president and CEO of NCP Engineering Inc., based in the San Francisco Bay area.