Keeping the Guard Up in a Down Economy: Investing in IT Security in Hard Times
©2009 Brian D. Voss and Peter M. Siegel
EDUCAUSE Review, vol. 44, no. 5 (September/October 2009): 10-23
Considering the unprecedented budget hardships in higher education, now may not seem to be an auspicious time to be emphasizing the importance of continuing, or perhaps even increasing, investments in information security. But the need remains. Nine years ago, in 2000, EDUCAUSE and Internet2 established the Computer and Network Security Task Force (STF) as a reaction to an onslaught of viruses and other maladies attacking operating systems and browsers, wreaking havoc on campuses, and adversely affecting institutional reputations. Under the watch of the STF, the number of campus security groups increased substantially, the formal and informal sharing of critical security information became more common among security experts, and security issues slowly expanded from the network and general areas of operating systems and browsers to critical design issues affecting commercial ERP systems as well as campus web browsers and financial transaction servers.1
Today, the STF is changing its name to the Higher Education Information Security Council (HEISC), still cosponsored by Internet2 and EDUCAUSE. Unlike a task force, defined roughly as a "temporary grouping for the purpose of accomplishing a definite objective," the HEISC is here for the long haul to work with the broader higher education community to address essential objectives, which will change over time as threats morph and risks expand. The good news is that college and university leaders are taking responsibility for security breaches and are making information security an institutional priority. In addition, risk management, audit, and purchasing groups are increasingly incorporating information security as part of their assessment and reporting processes.
Recently, the U.S. federal government took a bold step toward leadership in the cybersecurity space when the White House released Cyberspace Policy Review. The report emphasized seven key points, quoted below:
- The Nation is at a crossroads. . . . "Cyberspace" underpins almost every facet of modern society and provides critical support for the U.S. economy. . . .
- The status quo is no longer acceptable. The United States must signal to the world that it is serious about addressing this challenge with strong leadership and vision . . . strongly anchored within the White House. . . .
- The national dialogue on cybersecurity must begin today. . . .
- The United States cannot succeed in securing cyberspace if it works in isolation. . . .
- The Federal government cannot entirely delegate or abrogate its role in securing the Nation from a cyber incident or accident. . . .
- Working with the private sector, performance and security objectives must be defined for the next-generation infrastructure. . . .
- The White House must lead the way forward.2
Although the report could have placed a stronger emphasis on the role of the higher education sector as a leader and partner in identifying solutions, it is nonetheless impressive in creating a strong vision and sense of ownership for this important issue. The question is, how can college and university presidents be persuaded to follow the lead of the White House and President Barack Obama3and place the same emphasis on securing cyberinfrastructure?
Overall, the higher education community has shown great and early leadership in moving forward with both practical solutions and an international vision of partnership, but it faces many challenges. First, these difficult economic times will put tremendous pressure on institutions to decrease investments in information security, at just the time when worldwide hackers are honing their skills to break into the valuable information systems of colleges and universities. It is no longer the case that the least secured or the most visible institutions will be breached first Ã¢â‚¬â€ after all, especially where organized crime may be involved, the costs for unleashing attacks on hundreds of institutions are modest compared with the benefits that might accrue from acquiring credit card and social security numbers or other private data. This is not to say that colleges and universities are more vulnerable than hospitals, government, or industry; in fact, the data suggest otherwise.4 The point is that the confidence of the higher education community members Ã¢â‚¬â€ faculty, students, staff, alumni, parents, donors, political allies, and governing boards Ã¢â‚¬â€ is absolutely critical, as are the traditions of openness and community. What better way to maintain their confidence than to make sure that colleges and universities preserve their treasured traditions while providing the highest assurance that sensitive data remains private?
To add to the complexity, colleges and universities often have byzantine accounting traditions that can make the connection between good security and lower costs difficult to understand until there is a breach. Even then, if the provost (for example) funds central IT security resources, such as intrusion-detection devices, will he or she understand that these costs are dwarfed by the costs of a large breach of medical records from the campus health center, since the provost may not pay the "remediation" costs? Even though many campuses have risk management committees that oversee risks of all sorts, including cybersecurity risks, many others have no centralized mechanism for socializing the true costs of security measures in advance Ã¢â‚¬â€ as opposed to remediation after the fact. It is then the job of CIOs, information security officers, and other IT leaders to make the connections and to define the risks loudly and clearly.
In addition, there is one thing every campus will be looking to expand and refine as it considers how to use dwindling or flat resources wisely: development and outreach efforts to donors and alumni. Providing new ways to engage alumni, increasing the availability of online news and campus developments, simplifying online giving, and other initiatives create opportunities for campuses to bring in needed revenues while maintaining excellence. The likelihood of success for these opportunities is great Ã¢â‚¬â€ except, of course, if the campus is known for experiencing security vulnerabilities, sending letters to alumni instructing them to contact their credit agencies, and publishing apologies in the press about recurring losses of private data.
Many other aspects of academic integrity Ã¢â‚¬â€ from collaborative research with private corporations to simple respect for the privacy of employee communications or employment records Ã¢â‚¬â€ make it essential that colleges and universities maintain their investments in information security. The fact that attacks are increasing in number, scope, and sophistication suggests that institutions must consider ways to make these investments as efficiently as possible while also considering other, additional investments. Efficiency comes from exchanging information, sharing or consolidating infrastructure wherever scaling decreases costs, and standardizing in ways that lower staff costs and increase the likelihood of properly configured firewalls and other devices. Although the emphasis on cybersecurity by the White House may make a big difference, colleges and universities need to provide leadership if academic issues and traditions are to be effectively addressed.
What Is Higher Education Doing about the Cybersecurity Problem?
So, what is higher education doing to provide a robust, multifaceted information security program? One way to answer this question is to look at what campuses have been doing since 2000, when the STF was established. In some cases, institutions have been working as consortia, sharing their development ideas and best practices; in other cases, a lone part-time security officer has been borrowing whatever he or she can glean from colleagues or from the STF/HEISC web pages; in still other cases, campuses have been leading innovative programs that are setting the standard for the broader community.
- Before 2000, very few campuses had a significant number of staff members dedicated to security. Where staff existed, they tended to identify themselves first as network or operating system experts "doing" security. Today, the annual EDUCAUSE/Internet2 Security Professionals Conference brings in hundreds of individuals to share their expertise and learn from their peers.
- Before 2000, raising security awareness was done ad hoc, if at all. Today, many campuses have yearly programs to help faculty, staff, students, and administrators understand their responsibilities for ensuring information security. These programs include formal security symposia and training days, walk-in days to fix security problems on laptops, and contests for security posters, bus ads, or videos. Many campuses use their campus cable networks to broadcast the videos developed as part of the HEISC Computer Security Awareness Video Contest (http://www.educause.edu/SecurityVideoContest).
- Today, many campuses carry out security reviews of internal colleges, central administrative units, and departments. These may be self-assessments, audits or audit-like reviews, or a combination of the two. Some campuses "swap" security professionals to review key systems at minimal cost, to the benefit of all. Other campuses do the same among local departments or colleges.
- Broad external partnerships have flourished, from the HEISC to the REN-ISAC (Research and Education Networking Information Sharing and Analysis Center), hosted by Indiana University, to collaborations between the higher education community and the FBI (e.g., participation in InfraGard). Less formal partnerships include active mailing lists and various Internet2 and EDUCAUSE working groups.
- Spurred by concerns over the avian flu a few years ago and the swine flu more recently, many campuses have established formal business-continuity plans that go hand-in-hand with formal disaster-recovery plans to ensure that lost (or corrupted) data can be retrieved with high confidence.
- Many campuses have risk management processes and committees in place, and a growing number of these explicitly include IT risks, including security, among their critical issues.
- More campuses are providing centrally funded security management tools that allow for proactive and regular vulnerability-assessment scans and scans for private or sensitive data. Many campuses make these tools available to departments to add a second level of scrutiny.
- Today, most campuses recognize the need for security training at all staff levels, not just among the traditional networking and central security staff. In particular, training is necessary for individuals developing web-based services that deal with private data Ã¢â‚¬â€ alumni offices, business offices, registrar and admissions offices. As a result, many more individuals today view themselves as having a critical campus security responsibility than in 2000. Even faculty who know others who have lost private data on laptops take security far more seriously than in the past, though there is more work to be done to ensure best practices, rather than simply best intentions.
- Although most campuses have had account management and authentication systems in place for a long time, most now recognize the need for a continued investment in formal procedures for account management, especially identity management systems that look at roles and not just identities and that automatically secure data based on roles in real time. Some campuses are starting to look at location Ã¢â‚¬â€ for example, flagging accesses by legitimate community members from unexpected locations Ã¢â‚¬â€ for highly restricted data or processes.
- Campuses are adopting a "defense-in-depth" strategy, using multiple layers of security to provide not only effective defense at the unit level but also protective layers at the campus level, including intrusion detection, bandwidth management, traffic shaping, IPS, and host-level security such as encryption and antivirus software.
- Finally, because at least forty-four of fifty U.S. states have notification laws for private data, including stringent laws relating to health records, campuses are developing strong oversight committees, policies, and procedures to review breaches and determine required action Ã¢â‚¬â€ from remediation to formal notification of agencies and affected individuals. These oversight committees in turn provide high-level advice to the campus administration on ways to avoid breaches or other failures through intelligent and cost-effective investments.
Much has happened since 2000. The members of EDUCAUSE and Internet2 have been the engine driving higher education to become perhaps the most responsive national sector in addressing security concerns Ã¢â‚¬â€ with vigorous, robust, and intelligent solutions. This is all the more remarkable in light of the academic tradition of openness: those of us in higher education invite folks we do not know and may never meet, from across the world, to review our news stories, to watch our podcasts, and in many cases to model their courses after our own by perusing our course syllabi. We do all this and secure our systems too!
What Challenges Remain?
Reading this list of accomplishments, one might think it is time for those in the academic community to rest, relax, and enjoy what they've done. The only problem? It's not that time now, and it likely never will be. Waiting for the day when the job is complete, when campus online environments and data have been secured, is like waiting for Godot. (If you're not familiar with that play, the punch line is that Godot never comes.)
At the most recent meeting of the HEISC leadership team, Rodney Petersen of EDUCAUSE posed the following question, voiced by many in the security and policy community: "With all we've done over the past decade, and in light of the fact that there still seems so very much to attend to, are we better off today than in 2000?" The answer was a resounding "Yes!" But those at the meeting also expressed a recommitment to the need to continue to advance. The list of topics that remain to be addressed is indeed long and, at times, daunting. Below is an illustrative, though by no means exhaustive, list of these topics. Interestingly, they reveal a subtle trend: whereas many of the past advances have involved (as will those in the future) information technologies, the larger challenges depend on recognizing and developing information policies.
- Identity Management. This is a two-pronged challenge: part involves internal, cultural challenges within institutions; the other part involves the broader challenges of interinstitutional/enterprise/entity identity management.
- Within institutions, the multiple-identity approaches that have evolved need to be gathered into a single-identity management structure. The Holy Grail is a single-identity management system that will answer the question, "Who are you, and what roles do you play right now?" Such a system goes beyond simple authentication and authorization. It involves policies for ensuring that people/entities are who they say they are now and ensuring how their identities will be managed throughout their relationship with the institution. It involves the development of processes to issue, maintain, and revoke credentials for a person/entity (e.g., user ID, certificates). And it involves technology for issuing and maintaining credentials (e.g., password change), enabling/enforcing policies (PEP, PDP), and securely communicating information about a person/entity to other service providers (including applications). Once again, as has been the case for IT organizations and the implementation of business systems (e.g., ERP), the real challenge in all of this is developing the policies and procedures (often owned by data stewards in the functional areas) for determining who you are and what you are entitled to access or modify. It's dÃƒÂ©jÃƒÂ vu all over again.
- The issue of interinstitutional/enterprise/entity identity management is even more challenging. Institutions need to coordinate with other institutions so that identities can be credentialed for access to systems, applications, and data somewhere else. The above challenge is racheted up an order of magnitude. These "common identities" are required to support advanced research that has become increasingly collaborative as time and technology have advanced. Efforts such as InCommon (http://www.incommonfederation.org/) have been launched and are growing in size and maturity across the areas of policies, processes, and technology.5 However, just becoming a member of InCommon does not mean that one's work is done; creating and disseminating applications that truly take advantage of all that InCommon offers requires new thinking and institutional change. For many institutions, this broader community involvement should not be attempted before a strategic direction for an internal identity management service has been established.
- Security in the "Cloud." As various services and applications move off the machine room floors, away from campuses, and out into the ether Ã¢â‚¬â€ or the "cloud" Ã¢â‚¬â€ control of security and data integrity is also moved out as well. But the responsibility for these environments and data remains on campus. Institutions must develop ways Ã¢â‚¬â€ policies and procedures Ã¢â‚¬â€ to adapt security techniques and technologies to a world in which much of the precious data and intellectual property is "out there."
- Social Networks and Security. As more members of the academic community use applications and systems in the social arena, what challenges must be addressed in terms of the security of environments like Facebook and Twitter? What are the ramifications if a campus department staff member, a dean, or an administrator posts something inappropriate on one of these sites? Or, as was recently in the news, what happens when someone pretends, online, to be the president or the chancellor?6
- Old Distributed Data. Although a great deal of effort has gone into minimizing the existence of personally identifiable information (PII) and safeguarding its use in broader enterprise applications and data structures, old and outdated but still viable PII resides on desktops and laptops and on removable hard drives and thumb drives. The easiest way to describe this challenge is to compare it to the problem that exists with planted landmines remaining after a conflict has ended. These "data landmines" can lie undetected, hidden away, and secured only by obscurity until one day, someone stumbles on one, and boom! Ã¢â‚¬â€ a data-breach catastrophe explodes.
- Identity Thefts, Scam-in-a-Spam, Fishy-Phishes. As detection systems improve and catch scammers, spammers, and phishers in the act, their evasion techniques likewise improve and they learn to get through again. As educational campaigns create more-savvy users who can avoid most scams, the scams become far more intricate, complex, and convincing. This is definitely a case of a perpetual motion machine: once set into motion, it never stops. Never. The scams are too valuable to the perpetrators; with 30,000 students, even 5 or 10 naÃƒÂ¯ve respondents make the attack worthwhile, providing new launch points for thousands of spam e-mails on an institution's powerful central server.
- Secure Web Applications. In a world in which such nefarious activity exists, how can those of us in higher education create useful web applications that are secure and functional? As we wrap ourselves tightly in a security cocoon, how do we allow the butterfly inside to grow and eventually escape? As Web 2.0 gives way to Web 3.0, what new tools will we need to use to secure our environments?
Perhaps the greatest challenge is the one that has faced IT organizations since the outset: balancing security with customer service, especially in the higher education environment steeped in the traditions of openness and academic freedom. Colleges and universities are basically about two things: creating knowledge and sharing knowledge. Both are now done in a national or even international collaborative environment. So although colleges and universities must be just as "closed" as the corporate world in securing PII, when it comes to academic and research information and collaborations (beyond private medical and administrative information), higher education simply cannot lock things down as tightly as is done in the corporate world.
CIOs and other IT leaders must wrestle with this every day. Just recently, one of us found himself at a special luncheon, honoring a visiting scholar who would be speaking later in the day. The scholar mentioned the critical role of CIOs in advancing the use and understanding of information technology on campuses, and he applauded a particular element of the host institution's IT environment for its resourceful, innovative value to the community. Barely having a moment to bask in that glow, the CIO was quickly walloped by the speaker's sponsor (a well-respected computer science professor at the university), who said, "Yes, we are so happy with this tool, but I have a complaint: our honored guest could not connect with his laptop to the campus network earlier today to demonstrate some of his technology advances!" Fortunately, another faculty colleague at the table chimed in, "Well, then the security is working on campus." An awkward moment was averted, but this example is illustrative of the constant balancing act needed between security and access.
Today a new problem has emerged. All IT organizations are facing potential layoffs of staff (beyond the natural turnover) as the economic downturn ripples through higher education institutions. The question is, when laid-off staff leave, what data will they take with them? The issue of the suddenly dismissed (and potentially disgruntled) systems administrator or data steward is well documented and understood by security and human resources organizations. But what about well-meaning employees who, laid off due to the economic downturn, take with them PII or other protected data on thumb drives or on files saved to their personal laptops (perhaps inadvertently and without malicious intent)? In today's downsizing world, layoffs may become much more common and occur with shorter notice. Thus, we must develop policy and procedures for handling this form of termination.
Investing Appropriately in Hard Times
Returning to the titular point of this article, how can institutions keep their security guard up in a down economy? We do not have the mathematical formula that will offer a solution. We do not have the magic incantation that will yield necessary funding. We do not have the wisdom to craft a concise, fifty-word statement that will convince the provost, chancellor, president, board, legislature, or governor of the need to increase funding to higher education, with an earmark for the security of environments and data. (We also don't know the Jedi mind trick.) We're thus sorry to disappoint the reader hoping to find a pot of gold at the conclusion of this rainbow of an article.
But we do not want readers to abandon hope, all those who have read this far. Decisions regarding these matters are usually in the hands of the CIOs, leaving IT leaders in control. This may mean making tough choices for the IT environment and the institution. It may mean sacrificing elements of one's operational or strategic objectives for advancing information technology in the institution, in order to preserve and enhance the security of their environments (along with other "survival items," such as disaster recovery and business continuity planning and continued investments in major enterprise information systems). It may mean a very real example of "security versus service" choices, as key (and appreciated) IT infrastructure and services are reduced or eliminated in order to preserve and protect other IT infrastructure and service elements providing more critical support to the academy. It most definitely means doing one's job as chief information (technology) officer and guiding the institution and the executive administration in making such tough choices.
There are ways to leverage investments. Nationally, the REN-ISAC, mentioned above, provides a great way for security staff to leverage a centralized entity (the resources at Indiana University, augmented with resources from LSU, Internet2, EDUCAUSE, and member contributions) to help better secure a campus as it fits into the larger Internet and research and education networking environment. When it comes to getting peer support, including on matters of policy, the HEISC and its working groups bring the cybersecurity community together to address and resolve challenges. Although colleges and universities are very different from one another, they have many similar underlying structures and face many similar challenges. Using what has been done elsewhere Ã¢â‚¬â€ either word-for-word or adapted to suit a particular environment Ã¢â‚¬â€ saves time, energy, resources, and hence, money. One thing that is often true for new IT security personnel Ã¢â‚¬â€ or for the new IT security function in a campus and organization Ã¢â‚¬â€ is the feeling of being alone in a dangerous world. But with organizations like HEISC and REN-ISAC and with the broader community of cybersecurity peers, an individual campus is not alone. The cavalry may not be coming over the hill literally in the physical presence of information security officers, engineers, and analysts from other institutions, but this is exactly what can result figuratively and virtually. Thus one way to "up" an investment in a "down" time is to hold that investment constant but to leverage it further with more ties to the higher education cybersecurity community.
There are no simple answers here. The truth is that these are hard times. CIOs and other IT leaders will have hard decisions to make Ã¢â‚¬â€ decisions that will affect their institutions and their own careers regardless of what path is selected. An IT leader who manages a down-economy budget by cutting back on valued services faces the backlash of members of the campus community, upset with the losses they feel. A leader who has done this to preserve the security of the environment Ã¢â‚¬â€ and who has been successful in doing so Ã¢â‚¬â€ will have nothing positive to show for that. Security, if done perfectly, is not noticed. On the other hand, an IT leader who keeps service levels high, and takes the risk that a problem won't happen, can cut investments in security and policy development. But it takes only one incident to render a campus, an institution, and an IT organization into a shambles. And then, all the positive feelings built up from maintaining direct services in these hard times will vanish.
As mentioned at the beginning of this article, the White House report Cyberspace Policy Review outlined some bold steps for investing in cybersecurity during the economic downturn. Below, we paraphrase its seven key points, with an eye toward the challenges that CIOs and other IT leaders face on their campuses:
- Colleges and universities are at a crossroads: cyberspace underpins almost every facet of the modern campus and provides critical support for the mission of higher education institutions.
- The status quo is no longer acceptable: CIOs and other IT leaders must signal to their institutional communities and leaders that the central IT organization is serious about addressing this challenge with strong leadership and vision.
- The higher education dialogue on cybersecurity must begin today (and continue in earnest in the days ahead).
- Colleges and universities cannot succeed in securing cyberspace if they work in isolation.
- CIOs and other IT leaders Ã¢â‚¬â€ and the institutional executive leadership Ã¢â‚¬â€ cannot entirely delegate or abrogate their role in securing the institution from a cyber incident or accident.
- Working with the private sector and government, performance and security objectives must be defined for the next-generation infrastructure.
- CIOs and other IT leaders must lead the way forward.
CIOs and other IT leaders must indeed lead the way forward. However, working with the CIOs and IT professionals must be the functional-area experts, faculty, staff, administrators, and executives who understand that information security is not a luxury but, rather, a critical necessity to maintaining the innovation, outreach, and openness that have made colleges and universities so valuable to those they educate and those they benefit with their research and scholarship.
- The STF has worked with the academic community to develop policy resources, informational documents, and best practices. See Security Task Force 2008-2009 Strategic Plan: Safeguarding Our IT Assets, Protecting Our Community's Privacy, <http://www.educause.edu/Resources/SecurityTaskForce20082009Strat/163191>.
- Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure, pp. iii-v, <http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf>.
- President Obama understands some of the cybersecurity challenges firsthand: his presidential campaign's computer system was attacked last year, and hackers gained access to e-mails and files. See "Report: Obama, McCain Campaign Computers Were Hacked by 'Foreign Entity,'" Computerworld, November 5, 2008, <http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9119221>.
- Peter M. Siegel, "Data Breaches in Higher Education: From Concern to Action," EDUCAUSE Review, vol. 43, no. 1 (January/February 2008), pp. 72-73, <http://www.educause.edu/library/ERM08111>.
- For more on InCommon and identity management, see Jack Suess and Kevin Morooney, "Identity Management and Trust Services: Foundations for Cloud Computing," published in this issue of EDUCAUSE Review.
- "UT Austin Humor Magazine Writers Impersonate Institution's President on Twitter," Wired Campus, May 21, 2009, <http://chronicle.com/blogPost/UT-Austin-Humor-Magazine-Wr/7175/>.