Security, Identity, Privacy, GRC

Information security is the #1 issue on the 2018 EDUCAUSE Top 10 IT Issues list for the third year in a row. This topic continues to dominate the yearly list because the higher education regulatory and threat landscape, as well as service delivery models, are changing rapidly, with increasing complexity. Information security and the topics that are closely associated with information security, such as privacy, identity management, and governance, risk and compliance (GRC), include both technology and business-process elements that transcend the IT department. There are few obvious, easy solutions for how to run institutional IT systems and protect the critical data contained in those systems in a way that complies with applicable laws and regulations; enables teaching, learning, and research; allows the seamless operation of business functions; and significantly reduces institutional risk.

This section covers the 14 trends and 22 technologies included in the security, identity, privacy, and GRC domain [1]. The two trends significantly influencing institutional information security posture—the complexity of security threats, and the increasing complexity of technology, architecture, and data—hint at the Gordian knot that institutions face. Moreover, the rather slow adoption of strategic information security technologies—only 1 of the 22 security technologies listed here is included on the 2018 Top 10 Strategic Technologies list—indicates that the knot will not be sliced quickly but rather will be painstakingly unraveled.

Technologies

Included in this domain:

  1. Applications of analytics to security (such as user behavioral analytics)
  2. Blockchain
  3. Cloud access security broker
  4. Cloud-based identity services (e.g., Duo, OneLogin, and PortalGuard)
  5. Cloud-based security services (e.g., Duo, Qualys ThreatPROTECT, and cloud-based e-mail security solutions)
  6. Content-aware data loss prevention
  7. Cryptocurrencies (e.g., Bitcoin)
  8. Database encryption
  9. DDoS prevention products and services
  10. DNS security
  11. End-to-end communications encryption
  12. Enterprise GRC systems
  13. E-signature technologies (e.g., DocuSign, Adobe Sign, and SignNow)
  14. Federated identity technologies
  15. Life-cycle contract management
  16. Location-based computing
  17. Mobile device management
  18. Next-generation firewalls
  19. Privacy-enhancing technologies (e.g., limited-disclosure technologies, anonymous credentials)
  20. Private-cloud computing
  21. SIEM (context-aware security)
  22. Threat intelligence technologies

Complete initial deployment and maintain these technologies.

Our research shows that about half of institutions are planning to deploy and maintain one security, identity, privacy, and GRC strategic technology:

  • Next-generation firewalls

Pilot and start deploying these technologies.

At this time, about half of institutions are planning to pilot and deploy these five security, identity, privacy, and GRC strategic technologies (listed below from highest to lowest attention):

  • Database encryption
  • Federated identity technologies
  • Mobile device management
  • DDoS prevention products and services
  • Cloud-based security services (e.g., Duo, Qualys ThreatPROTECT, and cloud-based e-mail security solutions)

Decide when these technologies fit your strategy, and start planning.

About one-half of institutions are watching these five security, identity, privacy, and GRC strategic technologies carefully, deciding and planning for potential future deployment (listed below from highest to lowest attention):

  • E-signature technologies (e.g., DocuSign, Adobe Sign, and SignNow)
  • Cloud-based identity services (e.g., Duo, OneLogin, and PortalGuard)
  • Threat intelligence technologies
  • End-to-end communications encryption
  • DNS security

Learn about and track these technologies.

A majority of institutions are tracking and learning about the following 11 security, identity, privacy, and GRC strategic technologies (listed below from highest to lowest attention):

  • Private-cloud computing
  • Life-cycle contract management
  • SIEM (context-aware security)
  • Content-aware data loss prevention
  • Applications of analytics to security (such as user behavioral analytics)
  • Privacy-enhancing technologies (e.g., limited-disclosure technologies, anonymous credentials)
  • Cloud access security broker
  • Location-based computing
  • Enterprise GRC systems
  • Blockchain
  • Cryptocurrencies (e.g., Bitcoin)

Peer Institution Approach to Strategic Technologies

Understanding what peer institutions (both current and aspirational) are doing can help you gauge whether your institution's current approach is on track or might warrant reconsideration. Some technologies are more relevant for some types of institutions than others. We looked at broad demographic categories, including Carnegie class, institutional size, and approach to technology adoption and found differences in attention score based on those factors. (See the methodology section for explanation of our attention score calculation.) In figure 11, the US mean is the average attention score for an item from all US respondents. The minimums and maximums are the lowest and highest average attention scores among all groups within the categories of Carnegie class, institution size, and timing of technology adoption, with labels indicating which group or groups returned that score. In the event of a tie, all tied groups are represented.

Figure 11 is a graph of attention score averages and differences: the y-axis lists the items and the x-axis shows the attention score. All values below are approximate, read from the graph.

  • Database encryption: U.S. Mean = 2.6; Minimum = 1.8 (AA); Maximum = 3.1 (8,000-14,999 FTE)
  • Federated identity technologies: U.S. Mean = 2.4; Minimum = 1.8 (AA); Maximum = 2.8 (DR priv.)
  • Mobile device management: U.S. Mean = 2.4; Minimum = 1.9 (MA priv.); Maximum = 2.7 (2,000-3,999 FTE)
  • DDoS prevention products and services: U.S. Mean = 2.3; Minimum = 1.8 (BA); Maximum = 2.6 (AA/DR pub./8,000-14,999 FTE/15,000+ FTE)
  • E-signature technologies (e.g., DocuSign, Adobe Sign, and SignNow): U.S. Mean = 2.3; Minimum = 1.4 (Non-US); Maximum = 3.0 (AA)
  • Cloud-based security services (e.g., Duo, Qualys ThreatPROTECT, and cloud-based e-mail security solutions): U.S. Mean = 2.3; Minimum = 1.8 (2,000-3,999 FTE); Maximum = 3.1 (8,000-14,999 FTE)
  • Cloud-based identity services (e.g., Duo, OneLogin, and PortalGuard): U.S. Mean = 2.3; Minimum = 1.5 (Non-US); Maximum = 3.0 (DR priv.)
  • Threat intelligence technologies: U.S. Mean = 2.2; Minimum = 1.7 (BA); Maximum = 2.5 (DR pub.)
  • End-to-end communications encryption: U.S. Mean = 2.2; Minimum = 1.8 (AA/2,000-3,999 FTE/15,000+ FTE); Maximum = 2.9 (8,000-14,999 FTE)
  • Next-generation firewalls: U.S. Mean = 2.1; Minimum = 1.6 (Less than 2,000 FTE); Maximum = 2.6 (DR pub./15,000+ FTE)
  • DNS security: U.S. Mean = 1.9; Minimum = 1.6 (4,000-7,999 FTE); Maximum = 2.2 (DR pub.)
  • Private-cloud computing: U.S. Mean = 1.8; Minimum = 1.2 (MA priv.); Maximum = 2.6 (DR pub.)
  • Life-cycle contract management: U.S. Mean = 1.8; Minimum = 1.4 (Less than 2,000 FTE); Maximum = 2.3 (DR priv.)
  • SIEM (context-aware security): U.S. Mean = 1.7; Minimum = 1.0 (Less than 2,000 FTE); Maximum = 2.2 (DR priv.)
  • Content-aware data loss prevention: U.S. Mean = 1.7; Minimum = 0.9 (Non-US); Maximum = 2.1 (DR priv./8,000-14,999 FTE)
  • Applications of analytics to security (such as user behavioral analytics): U.S. Mean = 1.6; Minimum = 1.2 (BA/Less than 2,000 FTE/2,000-3,999 FTE); Maximum = 2.5 (DR priv.)
  • Privacy-enhancing technologies (e.g., limited-disclosure technologies, anonymous credentials): U.S. Mean = 1.3; Minimum = 0.9 (AA/Late adopters); Maximum = 1.6 (DR pub./15,000+ FTE)
  • Cloud access security broker: U.S. Mean = 1.2; Minimum = 0.8 (Non-US/Less than 2,000 FTE); Maximum = 1.7 (DR pub.)
  • Location-based computing: U.S. Mean = 1.0; Minimum = 0.7 (Late adopters); Maximum = 1.1 (DR pub./15,000+ FTE/Early adopters)
  • Enterprise GRC systems: U.S. Mean = 0.9; Minimum = 0.4 (Less than 2,000 FTE/2,000-3,999 FTE); Maximum = 1.4 (DR pub.)
  • Blockchain: U.S. Mean = 0.7; Minimum = 0.4 (MA pub./Late adopters); Maximum = 1.0 (DR pub.)
  • Cryptocurrencies (e.g., Bitcoin): U.S. Mean = 0.3; Minimum = 0.1 (Late adopters); Maximum = 0.5 (DR pub.)

Figure 11. Attention score averages and differences

Preparing for the Future

Understanding the technologies that are most relevant for your institution and how fast a certain strategic technology may be growing is critical to institutional IT strategy. We estimated the pace of growth based on the percentage of institutions we predict will implement each technology over the next five years (by 2023). Figure 12 positions each technology in one of 12 cells based on institutional intentions (the "recommendation for today") and the expected pace of growth of that technology. Reflecting what was noted above, the figure shows that institutions are deploying many information security technologies and reviewing and tracking even more.

Figure 12 consists of four boxes, one per "recommendation for today"; within each box, technologies are grouped by one of three pace-of-growth categories: slow, moderate, or fast.

Box 1: Deploy and maintain
  Moderate:
  • Next-generation firewalls

Box 2: Pilot and deploy
  Moderate:
  • Mobile device management
  • DDoS prevention products and services
  • Cloud-based security services (e.g., Duo, Qualys ThreatPROTECT, and cloud-based e-mail security solutions)
  Fast:
  • Database encryption
  • Federated identity technologies

Box 3: Decide and plan
  Moderate:
  • E-signature technologies (e.g., DocuSign, Adobe Sign, and SignNow)
  • Cloud-based identity services (e.g., Duo, OneLogin, and PortalGuard)
  • Threat intelligence technologies
  • End-to-end communications encryption
  • DNS security

Box 4: Track and learn
  Slow:
  • Privacy-enhancing technologies (e.g., limited-disclosure technologies, anonymous credentials)
  • Cloud access security broker
  • Location-based computing
  • Enterprise GRC systems
  • Blockchain
  • Cryptocurrencies (e.g., Bitcoin)
  Moderate:
  • Private-cloud computing
  • Life-cycle contract management
  • SIEM (context-aware security)
  • Content-aware data loss prevention
  • Applications of analytics to security (such as user behavioral analytics)

Figure 12. Plans for 2018 and pace of growth for security, identity, privacy, and GRC technologies

Note

  1. Our rationale for including security, identity, privacy, and GRC technologies in one domain is that EDUCAUSE Core Data Service research shows that central IT information security departments tend to have responsibility for identity management, privacy, and GRC practices in most US higher education institutions. These technologies are referred to collectively as "information security technologies" in this report.

    ↩︎