Creating a Cohesive Student Experience While Keeping Security in Check
College and university IT infrastructures are becoming increasingly complex and critical to institutional growth and success. Institutions want to be able to provide their students with borderless access to partner colleges. Students expect the same customer experience at their universities that they receive from major corporations. Faculty increasingly want to be able to share information with colleagues using the latest cloud collaboration tools. What’s more, for institutions that have built their own back-end systems, it’s rare that they are compliant with the latest security recommendations. In this interview, Quinn Shamblin discusses some of the most significant changes in the expectations of university IT divisions and shares his thoughts on how institutions need to evolve to meet new demands while remaining compliant.
The EvoLLLution (Evo): How are university IT divisions responding to student demand for more administrative self-service opportunities and access to information?
Quinn Shamblin (QS): University IT, generally speaking, is just like any other customer-focused IT organization in trying to deliver the best service possible within the constraints they face. The people in university IT understand that they are serving a broad customer base comprised of students, faculty and staff. They try to design systems that make common tasks as easy as possible.
One thing that is being done by many universities is to “federate” connections between universities so that their students from one can use resources offered by other institutions. So, for example, if a student from Boston University is visiting MIT, the University of Colorado or any other member of the InCommon Federation, that student can log into and access the library at that university using their BU credentials. They don’t have to set up a separate account. This is like what you may have seen online, where you visit a website that allows you to log in using your Facebook or LinkedIn credentials instead of creating a brand new account at that site. This simplifies the number of accounts that a person has to manage across the Internet and makes people’s lives easier.
We’re seeing more and more of this federated login capacity. Many job searching sites will allow new users to log into that site with their LinkedIn credentials, which gives users a great benefit because allowing the site to access to their profile facilitates pre-filling of information already put into LinkedIn. Users save time by logging in this way and not having different logins for a dozen different job-hunting sites. There’s a great simplification of life by using these kind of federated approaches.
Of course, it does open up some security concerns. Typically if you allow federated login, you’re allowing the platform to have access to certain parts of your profile. You’ve got to see what it is they’re asking for access to. Already you see a number of applications that are abusive about what privileges they want in exchange for using the app. There will come a time when you can’t create an account directly on some websites; you will have to go through Facebook or some similar site and give them the rights to post to your private line and read your contacts and whatever else they want. It’s something we really have to keep an eye on.
Evo: Why is it important for universities to meet these demands?
QS: People’s lives are becoming more and more complex, so simplicity can be a competitive differentiator between one organization and another.
If it is easy to do what you need to do in one place and hard to do it at another, that can drive consumer choice. While this may not be as true for higher education—where the reputation of the university is typically of more importance—it can still be a factor when looking at universities that are competitive with one another.
Evo: How important is it for a central IT body to unify the way that those autonomous units within the university start working together to create a unified experience for students within the university structure itself?
QS: Different universities handle this in different ways that have grown up over time and have different levels of maturity. There are many universities that have had single sign in, single branding recognition and single modules for authentication for a very long time. At Boston University, we wrote our own single sign on before it was really even widely available. That’s common in universities. We recognize and see a need and we develop something sometimes before the industry productizes it.
There are wide ranges of sophistication and attention that have been paid to this depending on the university’s resources. Those who have not had a function until recently are actually in a really good position because now that they’re putting it in place, they’re doing it with vendor services, meaning that everything is already compliant with industry standards. For universities that have had these kinds of abilities for a long period of time, their in-house technology was not designed to abide by these same standards. As such, integration with current technology is challenging.
Many universities are looking at what they have and, as they look at going to the next level, realize it is time to adopt those industry standards. I can’t say with any degree of specificity how many universities do or do not have consistent authentication, single sign on or standard branding across the institution. It varies wildly with the internal requirements of the universities and colleges. At Boston University, we have standards that give us very clear guidance. There’s a range of expectations that individual departments across the university are expected to abide by so we maintain a cohesive look and feel to everyone who might be interested in Boston University. This ensures they don’t have a massively different experience if they go into one particular college or school versus another one within the university.
Evo: What impact do these changes have on university information and data security?
QS: These days, the easiest choice is often some cloud service with which people are already familiar. For example, if faculty members or researchers wish to collaborate or share information with his or her students, the easiest solution may be Office365, Google Drive, Dropbox, Box, or any of the other collaborative cloud products on the market.
Cloud services can be made just as secure or even more secure than on-premises services. However it is a shared security model. This means that the cloud service is responsible for certain parts of security, and the end user is responsible for other parts of security. As such, if we allow our people to use cloud services, we may be doing so in such a way that IT no longer provides a security safety net as we have typically done on-premises.
If an end user makes the choice to allow “anyone with a link” to access a particular folder, that is pretty much the same as allowing anyone access to that folder and the sensitive information is contained therein; that can lead to embarrassment or even legal/regulatory problems for the owner of that folder and the institutions which they belong.
There are a number of companies that understand this issue and have begun providing services to allow IT to continue to provide a security safety net while still allowing the flexibility to use online (cloud) services, but this has to be considered, planned for and funded by a university as appropriate, based on their risk tolerance and acceptance model.
Evo: You make a great point about the capacity for cloud services to make information simultaneously more accessible and more vulnerable. As more and more central systems, like Student Information Systems and Enterprise Resource Planning systems, move to a cloud hosting model, what are some of the key considerations university IT leaders need to make to ensure student information remains secure?
QS: Generally speaking, the biggest challenges you see are with how a person is authenticated and the quality of the Identity Assurance—that you know who it is that is accessing a system. The second one is if you allow sensitive information to live in the cloud, what due diligence are you doing to ensure that the information remains secure according to whatever the standards are for that kind of information?
We all know that it’s relatively straightforward to trick people into giving away sensitive information. When phishing occurs, the user has no on-screen indication that they have just given away their username and credentials. If they ask in just the right clever way, a bad guy can fool at least some people—even people who believe they are well educated on the subject of security.
We have to find ways to solve the real problem: that someone else has your password. What do you do to make sure that if somebody gets your password, it is valueless to them? The obvious answer to that is two-factor authentication. That’s why many of these popular sites—Facebook, Google, Office 365, Apple, LinkedIn and Twitter, for example—now support two-factor authentication.
The next thing is the due diligence on the design side. Companies need to be selecting cloud providers that are compliant with current security standards. As a university, we’re required to be compliant with a very wide mix of regulations. In order for us to select an appropriate cloud provider, we need to make sure that their data centers, their processes and their applications are also approved and are compliant with each of these regulations areas. Companies all have different levels of compliance with different kinds of laws. In the cloud, it’s always a shared security model. The vendor needs to do certain things and we need to do certain things in order to use the system together in a way that is compliant.
In the university setting it’s common for colleges and schools within the university or even specific researchers to arrange for their own services themselves without necessarily going through central IT or going through the central purchasing process. This leaves them vulnerable to various kinds of regulatory risks that they might not even realize apply to them.
We recommend that universities have a standardized process. If you want to use a cloud service, run it through the process. This ensures that you ask the right questions and you get the right answers, both from a functional perspective and regulatory compliance perspective. This also ensures that when you have selected a vendor, that the right people have had the chance to comment about the various elements that might be important to you as you’re trying to release a production service.
Evo: How is BU working to safeguard student information given these challenges?
QS: Boston University is continually evolving our service strategy and with it, our security strategy. We continually look for better, more effective, and more efficient methods to provide security for services and personnel at Boston University and, as we take on the wonderful capabilities provided by modern cloud services, we adopt those services that can best fit the majority of our constituents’ needs in a secure and compliant way.
Author Perspective: Administrator