Securing Information—Institutional and Personal
Not a single day passes without news of a security breach of some sort, whether it is the theft of valuable personally identifiable information such as birthdates and Social Security numbers, or a ransomware attack. Also every day, literally thousands of users fall for scams and hand attackers valuable information about themselves. We do not hear about these the way we hear about institutional compromises, because there is no easy way to centrally track and report them. There seems to be no end in sight, and it is only getting worse. We hear that attackers are beginning to use rapidly emerging AI tools such as ChatGPT or Bard to write code that can be used maliciously. Technology vendors are always in catch-up mode and, in many cases, too late: severe damage has often been done by the time security patches are released. And, of course, when social engineering is used to target individuals, technology can only do so much.
For these reasons, information security has remained one of the most important issues for higher ed leaders, as evidenced by its consistent appearance in the EDUCAUSE Top 10 IT Issues list for the past several years and its first-place position in 2023. Higher ed IT organizations, with their limited resources, have been struggling to deal with these issues but continue to find many creative ways to prioritize them. Unfortunately, this comes at the expense of some of the most critical services in support of teaching, learning and research. I describe below some of what we have been doing.
Information Security Is Everyone’s Responsibility
In many instances, people assume that the IT department is solely responsible for information security, and if an institution has the luxury of a CISO (Chief Information Security Officer), then that person is assumed to be responsible for it. Something we have been promoting from the get-go is that information security is a shared responsibility. While we will take the lead, we cannot do it all by ourselves. Most employees at a higher education institution have access not just to their own information but to others'. For example, faculty have access to a lot of information about students, and department heads have access to information about other department members. They do not realize this until we specifically point it out as the reason it is extremely important to follow security best practices: any compromise of their account exposes valuable information about many others!
Many IT employees feel that information security is not their responsibility, and they look to the CISO or CTO (Chief Technology Officer) to own it. We have told all IT employees that they are charged with guarding institutional information, that they must follow the CISO's best practices, and that they need to keep learning new methods of protecting that information.
The most important aspect of this shared responsibility is education. We believe that users' weak security practices are in most cases the pathway for a breach, so providing appropriate education is key. We have been able to mandate annual security training for our users, which requires them to complete a customized version of the SANS Security Awareness Training module. Several lessons are required for everyone and some only for employees; we also make several optional modules available. After making the training a requirement, we found that the number of users who fall for scams dropped significantly.
What IT Does for Information Security
- We help our end users as much as possible.
- We require strong passwords.
- We require two-factor authentication (2FA) for over 90% of our services, and we are actively working on requiring it for the remaining services where possible.
- All college-provided computers for faculty and staff follow standard best practices including malware protection software and full-disk encryption.
- We adopt many of the security controls that our major vendors (Google, Microsoft and Workday) make available to us, and apply additional protection such as step-up authentication where applicable.
- We also try to educate our users about best security practices in their personal lives. For example, I wrote a blog post a while ago on this subject and most of what I wrote there is still useful.
Moving to the Cloud
We have aggressively moved most of our services to the cloud and intend to continue down this path for the few remaining services. We have a strong vetting process for cloud vendors: we ensure that they not only meet the necessary SOC (System and Organization Controls) compliance but we also delve into exactly what they do to protect our information, and we deconstruct the legal language in their contracts into the policies and procedures they actually follow, so that we are comfortable with them. We also request SOC 2 compliance reports from the major vendors annually. Though our data is in their custody and we have delegated the responsibility for holding and guarding it to these vendors, in the event of a breach we remain responsible for notifying the affected parties (depending on the breach, we may not send out the notifications ourselves, but we need to make sure they are sent).
In short, moving to the cloud has lessened our information security workload but has not eliminated it. With our limited resources, we cannot expect to emulate the major vendors (such as Google, Microsoft and Workday), each of which has several hundred trained security professionals working on securing information.
Hiring a CISO
We have been unable to hire a full-time Chief Information Security Officer, and our attempts to do so in collaboration with nearby institutions also failed. Many institutions that have successfully hired CISOs have not been able to retain them, because the market for well-trained CISOs continues to be hot. We have therefore hired a virtual CISO from a company that has provided us with virtual DBA services for four years. We also outsourced some of our system administration work to them because of our inability to hire qualified individuals for those positions. This decision has worked out very well for us, and thanks to their due diligence we are in a far better position in terms of up-to-date operating systems and security patches. We simply could not have done all this ourselves.
The requirement that we keep all systems updated and apply security patches in a timely manner simply does not work smoothly in practice. The primary reason is interconnectedness. We still host several systems that run specific applications for departments such as facilities, and these systems' vendors are notorious for not keeping their applications up to date. As a result, applying OS upgrades or security patches is likely to break the applications. Though it is a time-consuming process, we have committed to updating these systems regularly by coordinating with the vendors. We are also actively working with the functional offices to move to better products, preferably ones that run in the cloud.
We used to perform external penetration testing once every two years; we have switched to doing it once a year, and we now also perform internal testing from inside our campus network. These tests have opened our eyes to various issues, which we have gone on to remedy as soon as possible. They are extremely important: until you do them, you are oblivious to the exposures you have.
We have contracted the company that provides our virtual CISO services to also monitor our networks 24/7 and alert us to any issues. They provide us with security operations center (SOC) and network operations center (NOC) services, which have been very useful.
To end, whenever I am asked what keeps me up late at night, I always say, "Cricket and information security!" Of course, I am passionate about cricket and stay up late to watch it because it gives me great pleasure and is played worldwide in different time zones. Information security, on the other hand, is worrisome: we do not know how or when the next attack will hit our network.
Author Perspective: Administrator