Many institutions made significant investments in cybersecurity about a decade ago, when a wave of data breaches swept through higher education. Those investments transformed many campuses that previously had a wide-open approach to networking into secured enterprises that adopted practices resembling those common in the private sector.
Many institutions adopted network firewalls for the first time, hired their first information security teams and began security monitoring efforts in earnest.
The security infrastructures built during that wave of investment are beginning to show their age. Today, campuses are considering new rounds of investment that reinforce security infrastructure to rise to modern challenges, including next-generation security tools, cloud computing and mobile devices.
Embracing Next-Generation Security
Next-generation security tools add significant enhancements over the firewalls and intrusion prevention systems now residing on most campuses. The major upgrade available with new technology is the incorporation of contextual awareness. Rather than treat each network connection as an isolated issue that the tools must assess with predefined rules, next-generation technology maintains situational awareness. It incorporates context about the user identity, the nature of an application, time of day and other core facts to make better-informed security decisions.
For example, a next-generation device might block a login request originating in China from an admissions officer if the device senses that the same user is currently logged on to a desktop in his or her local campus office.
Such next-generation security controls combine to form a defense-in-depth approach to information security. That represents the security model of the future, says Helen Patton, chief information security officer at Ohio State University.
“The truth about the security field is that there is no one tool that will support all of your needs,” she says. “Most security professionals take an in-depth approach, where you have tools that overlap, and in total, give you a relatively solid posture.”
The Perks and Pitfalls of Cloud Security
Colleges and universities around the world are quickly adopting cloud computing strategies that seek to achieve flexible, scalable and cost-effective computing solutions.
Almost every institution has adopted one or more Software as a Service solutions, such as moving email and calendaring applications to Microsoft Office 365 or Google Apps. Others have adopted cloud-based enterprise resource planning and customer relationship management solutions. Several institutions, including the University of Notre Dame and Harvard University, have adopted formal cloud-first strategies that aim to move the vast majority of computing to cloud-based providers.
As institutions shift more functions to the cloud, they must take time to ensure security controls also extend to these new platforms. In some cases, the cloud calls for new tools, such as data loss prevention products designed to ferret out sensitive information stored in the cloud. In other cases, an institution may choose to extend existing security infrastructure to cover cloud-based services, such as consolidating cloud service logging with campus security information and event management infrastructure.
Mobile and BYOD
It doesn’t take much time on a college or university campus to realize that the world is quickly becoming a mobile-first computing environment. Smartphones and tablets have moved beyond tools of mere convenience to become the platforms of choice for faculty, staff and students.
In many cases, faculty and staff now use personally owned devices for institutional business without giving it a second thought. The trend, known as Bring Your Own Device (BYOD) computing isn’t new to higher education, but many new security controls are available to help protect sensitive information stored, processed or transmitted on mobile devices.
The most common BYOD security solution is mobile device management (MDM), which provides security administrators a centralized platform for administering security settings on both institution-owned and personally owned mobile devices. MDM technology allows administrators to require the use of device passcodes, configure Wi-Fi network settings, remotely wipe lost or stolen devices and apply consistent security profiles across different mobile operating systems. MDM technology gives institutions the ability to allow the use of many different devices while remaining confident in the security of information they contain.
Information Security is Everyone’s Responsibility
Cybersecurity is a team effort. Initiatives designed to protect sensitive institutional data against breaches in confidentiality, integrity and availability can succeed only when everyone at an institution works together to achieve common goals. That certainly includes IT staff, but also extends to administrators and faculty who work with sensitive information.
Institutions may wish to start awareness efforts with their IT teams, says Allan Chen, CIO at Muhlenberg College, but should look to tailor that communication to specific IT roles.
“Network administrators must understand how to configure firewalls, while end-user support staff need a broad understanding of phishing and other security issues facing faculty and staff,” Chen says.
As security awareness efforts spread out across an institution, it’s important to remind faculty, staff and students of IT’s cybersecurity role.
“IT teams should serve as security partners,” Chen advises, “not the institution’s cyber police force.”