Feb 18 2008

Strike a Balance

When it comes to IT security, the challenge lies in protecting systems without impeding academic freedom.

In an age of terrorism and potential cyberattacks, it’s easy to grasp the importance of security within university and college information technology systems and procedures.

Where the equation becomes difficult is in determining how far we need to tighten our security measures.

True learning environments, after all, are nurtured on freedom to wonder, to explore, to be able to experiment and try new things. But tighter security curtails freedom, making our systems less open.

As a result, those of us in higher education must discern good, sound security measures from overly restrictive ones. And a number of college and university IT officials are striving to more thoroughly define just how far our IT security should go.

Two Perspectives

“This office I’m in did not exist a couple of years ago,” says Brian Nichols, chief information security and policy officer at Louisiana State University. “While IT security was being done here at LSU, it was not a formal function.” Several people worked on security in addition to their other roles.

Contrast the LSU experience with that of the U.S. Air Force Academy — where security measures of all types have traditionally been formal and stringent, sometimes to the point of conflict with a dynamic academic environment.

“We’re an educational institution, but we’re also an Air Force base,” says Rich Mock, CIO at the Air Force Academy. “And we cannot live — academically and educationally — with a lockdown environment.

“That environment is fine for an operational Air Force base, but the educational environment is very different. It requires a different approach.”

The Air Force Academy example serves to remind us that IT security is vital — but a proper balance must be struck between strong, effective security and a vibrant academic atmosphere.

“For security reasons, the Department of Defense blocks us from making online connections with certain world regions,” says Larry Bryant, director of academic computing at the Air Force Academy. But Portuguese is an important language to the school, and Brazil is blocked. “That’s putting a serious crimp on our language department.”

Air Force Academy users have to work around a long list of security measures, some of which don’t make sense for an educational institution. “At what level do we say that the increased security benefit is not worth the pain?” Bryant asks. “My opinion is that if you’ve increased security to a point at which you are impacting the mission you’re trying to accomplish, the policymakers have to roll that back.”

He notes that conflict between educational interests and security functions is almost inevitable. “Educators and security people are kind of natural enemies — like the mongoose and the cobra,” says Bryant.

Tough Choices

“We’re both trying to accomplish a mission, but our goals are at odds with each other. Educators are trying to expand and explore and experiment and try new things. And security people would be very happy if the network had no users at all — if there are no users, all of their problems go away.”

For example, say someone suggests deploying retinal scanners for network authentication and encrypting every single e-mail message. The pain isn’t worth the gain, Bryant notes, hence the need for policies requiring encryption for only the most sensitive of messages.

“Eventually, the policymakers have to understand that you can actually have too much security. And we as an educational institution just have to say we’re willing to take the risk in order to have the freedom to do our job.”

It’s an extremely pertinent IT security debate, and there are plenty of examples to look to for instruction and guidance. We just need to promise ourselves that we will always allow reason to dictate an appropriate security balance.

Audit Insight

Louisiana State University hired an outside team of experts to perform an IT security audit. The auditors spent a week on campus talking to people, examining LSU’s policies and running vulnerability scans on the network. The school has implemented many of the resulting recommendations.