As anytime, anywhere computing takes hold on campuses coast to coast, providing secure access for users – from an auditorium, from the commons or even from a dorm cafeteria – has never been more critical. And now, universities and colleges are upping the ante with "bring your own technology" efforts, letting faculty and students use personal devices to tap into campus networks.
Identity management is key, particularly as institutions move to virtualized environments and cloud computing to serve end users.
Can campus IT departments verify that users seeking access to the colleges' networks – and, more critical, to their data – are who they say they are? Can the IT security team monitor those users' network travels and the data that they touch after they're inside the firewall?
On the Move
Technology to validate users at the gateway exists in any number of products, from full-blown identity management systems to network scanning tools and gateway appliances that run health checks on systems before granting access. Plus, through the use of smart cards, many universities now have campus identification cards that also grant logical access to systems.
Yet, the idea of managing access for moving targets (device-wielding students, professors and staff) takes the cybersecurity dynamic within an institution to an entirely new level. It's simply not enough to check IDs at the door per se, as if your network were a gym. Once inside, the fact that a user has cleared firewalls and the demilitarized zone does nothing to protect against an insider attack that could be launched.
Once a user is inside a network, there's a definite need to extend the use of role-based authorization – for content, authentication, auditing and enterprise administration of identity management. In this sense, enterprise does not mean a single college or program; it is the entire campus or system of campuses.
The identity management efforts at the University of South Florida offer a good example of why centralization and consolidation are so critical. Before USF began its efforts to create a global identity registry, "a lot of places were using bits and pieces of records for their downstream systems," explained Dana West, a USF enterprise resources planning analyst, at an EDUCAUSE session last fall.
"Overall, we just wanted to reduce the chaos," West said.
Role-based authorization provides an audit trail, which is why it's essential when it comes to accessing content anywhere in the enterprise. By analyzing where people roam in the infrastructure and the data they access, a college's IT security team can conduct forensic audits should a problem arise. Perhaps even more important, the team can correlate information in audit reports to predict the items inside the network that are most susceptible to tampering, whether from outside or from within.
Dollars and Data
Essentially, it all comes back to risk management. With this type of data analysis in hand, a university can make informed decisions about data exposure risks, security measures and where best to spend precious dollars to reduce intolerable risk levels.
Universities have made amazing leaps forward with both network access control and encryption. They've also put an extensive amount of time into refocusing the IT security debate on data. Now's the time to take identity management beyond the gateway and down the network stack – to where most campuses' data assets reside.
University of South Florida's Lessons Learned
• Identify "trusted" internal and external sources of identity information.
• Determine the standards for an identity record (even if each source has a different idea of what that means).
• Realize that validating data will be an ongoing endeavor: Accept the "good," reject the "bad" and force the sources to clean it up.