Before You Click, Think Security
As an information security officer, what concerns me today is how quickly people are jumping on the bandwagon of cloud computing, social media and mobility products without thinking about the security or privacy consequences.
I don't want to alarm people, but the level of trust placed in many of these new products and services is not smart. Many of our colleagues at colleges and universities are willing to send their data off to a cloud service without knowing how the cloud provider's infrastructure is set up, how or by whom the data is being managed or where the provider's data centers are located.
What happens if we terminate a contract? Can the cloud provider turn over all of the data they collected about our organization during the course of the relationship? How will the historical data or transactional data be sent back to us, or how will it be disposed?
These are questions we need to ask before rushing into cloud computing. At the University System of Georgia, we're taking our time signing on with public cloud services. Of course, applications such as student e-mail make sense to outsource to Google, but the likelihood is that functions such as payroll, human resources, accounts payable and procurement will continue to run in a private and largely controlled network environment.
For now, we're proceeding slowly, doing a lot of research, testing and thinking through other layers of defense beyond encryption. We're also looking at technologies such as whitelisting and blacklisting software, identity and access management, network security, host security and intrusion protection systems. We're taking our time, even if it means Georgia's colleges are not as quick to deploy as other university systems.
The Grandma Test
The rise of social media has many security professionals vexed. It's hard for me to accept that even grandmothers now have Facebook pages. The problem is that we are freely giving up information about our personal lives that I believe should remain private. Not everyone on the Internet is wholesome. There are people phishing for personal credit card information and looking to set off Trojan horses and other viruses.
50% The percentage of organizations surveyed that have reported a data or security breach
SOURCE: Trend Micro, based on a February 2012 survey of 850 IT decision-makers
Social media is even harder to manage on a college campus, where students grew up with Facebook, MySpace and Twitter, and faculty hold academic freedom dear. These are great applications, but people need to think before they click. Don't friend someone on Facebook unless you have a trusted relationship with them. Be aware of what's posted online about you. Students need to keep in mind that employers will look them up on Facebook.
Finally, mobility presents yet another challenge to the security team. Students, faculty and staff are bringing to campus a growing number of devices that haven't been issued by our IT department. How do we manage all of them? For devices we haven't issued, we give access to the Internet, but put them on a separate network to make sure they have antivirus and antispyware programs and are properly patched. If they check out, we then give them more enhanced access to the network.
I'm not suggesting that people refrain from using these products and services; what I am saying is to be aware of the risks. Through diligence, vigilance and due care, IT security teams at colleges and universities can manage risk in a way that will let them sleep at night.