The University of California at Berkeley recently faced a mortifying situation when overseas hackers gained access to data on tens of thousands of people who had received health care from the college.
The victims' medical information and Social Security numbers were exposed in the breach that lasted from October 2008 to April 2009.
The University of Florida faced a similar breach last year.
While security protocols, like requiring two-factor authentication for network access, could potentially prevent breaches like these, enforcement and implementation challenges abound.
The bigger picture remains striking a balance between an open, yet secure, network remains a challenge for university IT departments. In fact, while universities are often on the cutting edge of innovation, they face complications when it comes to enforcing IT policies.
The enterprise has navigated around many of these roadblocks. While it is unrealistic and unwarranted that universities be held to the same standard, there are best practices schools can incorporate to strengthen their security.
Corporate environments are typically controlled with binding employment contracts, allowing IT administrators to set basic security policies that all employees are required to obey.
Universities, however, juggle far more complicated scenarios.
Within academia, “employees” range from students, faculty, staff, visiting professors/students, and researchers. While the university administrative staff remains relatively stable, the teaching and student body incur much more flux. Not only does the regular student body churn several times a year, visiting professors and exchange students also regularly provision on and off the university network.
Traditionally, the way universities handled this fluctuation was by maintaining relatively open networks. But as universities realize how detrimental data breaches can be, most are limiting free access to their networks and are taking a far more structured approach to securing data.
Convenience or security?
Universities most resemble corporations when it comes to intellectual property. For a major research institution, proprietary information is as crucial for long-term viability as patents are to corporations.
With research, universities garner recognition, awards, prestige, and funding — and a breach in this area could threaten all of these critical elements. In addition to securing this information, universities have to keep the content accessible for professors, researchers and students.
Further, it is now common for professors to post quizzes, grades, homework assignments, tests, and lecture notes online. But this information has to be protected so that authorized students can gain access, but others cannot, such as students not enrolled in the course. In fact, many professors even prefer their current students not be allowed to download and distribute the content, as quizzes and tests are often highly-coveted “black market” materials on campuses.
Managing devices
With the continued growth of the smartphone market, universities suddenly have to manage more devices than they imagined. In some cases, devices are emerging before universities even figure out how to re-jigger the IT policy to accommodate the new gadgets. For example, earlier this year, several university IT administrators panicked over incorporating the Apple iPad on campus networks.
George Washington University in Washington, D.C. doesn't allow students to access its wireless network using an iPad because the device cannot pass the university's security standards.
The school is plugging away at a solution, installing a virtual private network (VPN) for security access. In addition, in April, Princeton University in New Jersey blocked about 20 percent of iPads on its network after detecting malfunctions, with repeated malfunctions potentially impacting the entire school's systems. Cornell University in Ithaca, N.Y. has also encountered networking and connectivity snafus related to the iPad.
While the schools were working to mitigate issues, the problem remains that universities are often overwhelmed and frustrated by new wireless technologies.
It is rare for schools to outright ban devices. Yet in these examples, universities acted more like an enterprise organization than traditional academic institution. While it is unlikely that iPads — or any new device — are forever banned from accessing university networks, we will see more regulation of new devices, as schools trade flexibility for security.
Finding the balance
The best way for universities to handle network breaches is to implement a well thought-out system of network access control and identity management.
Universities are currently mostly reactive in their policies, often only implementing protocols following a major breach or threat. But to truly protect against threats, IT departments must take steps to stop breaches before they happen.
Traditional network perimeter controls are no longer a viable solution because, simply, they don't really exist anymore.
Universities should be segmented into security zones, with some departments having relatively free and open access, but others being tightly enforced. University faculty, staff, and students should also be provisioned differently onto the network so the level of access granted is appropriate for each person's role inside the university. Further, visiting professor and students should be provisioned separately to ensure their access is discontinued upon their departure.
Requiring devices that will access the university network to be registered would also help IT departments maintain control and visibility of what's going on with the network.
But whether this is practical for very large universities hinges on the amount of resources a large school is willing to pour into IT enforcement. But registration doesn't have to be an overwhelming process. Universities can do this through online forms or include this as part of a student's regular initial network setup.
IT regulation can also be achieved by facilitating more collaboration between university IT departments and the school registrar.
Currently, idle email addresses or logins from students who have graduated or visiting professors who have since departed, can remain active for months or semesters before they are provisioned off the system, providing an easy way for hackers to slip into the network.
Implementing security protocols similar to the enterprise is an ambitious order for universities — and far more beyond what is necessary.
But as legislative pressures force schools to be increasingly protective of data and as the costs of data breaches only escalate, there might be more parallels than differences between universities and the enterprises.
