Information is the lifeblood of any educational facility, based on the free exchange of information, ideas and research. For this reason, colleges and universities face unique data security challenges.
In many ways, colleges and universities experience the same data security issues major corporations do. However, enterprise systems are set up to meet business needs. University systems are designed on the principles of free information exchange and to accommodate diverse user populations.
Additionally, many universities are tied to decentralized IT policies that complicate data security policy implementation, ultimately forcing IT departments to troubleshoot only as problems arise. In the case of a data breach, it's often too late if a centralized security strategy isn't in place to safeguard data.
The need for a centralized approach
Essentially, university IT departments are charged with creating secure data environments while preserving open environments and serving diverse information needs, a combination that makes an already daunting challenge harder. Gone are the days when IT administrators and DBAs were merely worried about the student hacker trying to change grades.
What IT is faced with today spans departments – the registrar's office, financial aid, the student health office, and departmental research databases. The valuable information therein can be manipulated easily, and monetized even more easily. With groups on the black market paying top dollar for stolen data, particularly personally identifiable information (PII) and credit card or bank account numbers, there's a need today to identify vulnerabilities and take action to harden university database assets.
Consider the risks – and university culture
The number of potential university database attack scenarios is almost unlimited – attackers have already targeted patient health records and financial records of students' parents. Databases are much more accessible now than they were five years ago because today students, professors, distance learners, visiting researchers and administrators are routinely granted network access.
Studies show that, in addition to facing outside attacks, universities are just as susceptible to insider attacks as large corporations. The fact is that 80 percent of all database breaches originate from the inside, whether it's a university, a large enterprise or a mom-and-pop retailer. There are, however, a number of factors that make universities unique in their security challenges. The very structure of university IT systems and the demand for access anytime/anywhere with limited information control policies are all factors. In short, the real difference isn't the users, it's the culture.
Knowing who, and watching where
To make a data security strategy as effective as possible, all personal, financial and other high-value data should be migrated into a protected database environment: a centralized environment with restricted access and tight information controls. Real-time activity monitoring should also be a component of a proactive and efficient database security model so that administrators have a handle on user activity. With the centralization of this information, effective information protections and policies can be developed and enforced. Additionally, this structure can help ensure compliance with various regulations including FERPA, HIPAA and PCI DSS, as well as other state and federal privacy regulations.
Security of this centralized database environment should be bolstered by the application of established industry best practices. And continuous monitoring in real time helps prevent data breaches and security violations by alerting on suspicious behavior and logging anomalous activity.
Reasonable security, not roadblocks
Though the concepts of security and openness are not mutually exclusive, the truth is that increased security usually means inconvenience. But the "openness" concept was never meant to imply access to everything, no matter how personal, private, confidential or damaging.
By proactively implementing the following basic steps, educational institutions can reduce their risk and ensure they're on the fast track to a more effective and proactive database security strategy.
1. Establish a baseline. Assess the current level of database security and establish a baseline for future comparison. Identify common flaws including: unpatched systems, weak or default passwords, excessive privileges and a lack of system monitoring. This simple effort will pay large dividends by allowing a university to benchmark and demonstrate progress moving forward.
2. Understand vulnerabilities and exploitation methodologies. Vulnerabilities fall into many classes – some simple and some complex. By understanding existing system vulnerabilities and relative risk levels, universities can determine which to address first based on severity and likelihood of exploitation.
3. Prioritize vulnerability remediation. Once a university has established a baseline of its security posture and understands the severity of the identified vulnerabilities, it can begin the process of prioritizing fixes and mitigating risk. By analyzing the risk, asset classification, required fix effort, and likelihood of exploitation, universities can outline a plan to achieve maximum impact with minimal time and effort. Such a process is a vital step in the early mitigation process.
4. Continuously monitor and maintain systems. Database security is an ongoing process. Security professionals must continually monitor systems to ensure compliance while they evaluate and respond to the changing threat environment. Adhering to a recognized system can optimize a university's ability to understand and mitigate risk.
5. Automate activities. Much of security involves regular assessments and validation, but the day-to-day work can quickly decline into tedium and get overlooked. Through automation of security processes, security professionals can schedule routine tasks and reports. Automated report generation and delivery further simplifies the process of keeping stakeholders (auditors, regulators and security staff) informed.
6. Stay patched. Intruders seek known vulnerabilities and will exploit them when possible. A crucial element of securing the database is to ensure that patches are implemented in a timely manner and known vulnerabilities are monitored in real time.
7. Audit systems regularly. Conducting regular audits will ensure that security policies are on track and help to identify irregularities or potential breaches before it's too late. These best practices help to secure a university's databases from internal as well as external threats.
8. Apply real-time intrusion detection to critical systems. Audits and vulnerability assessments serve to provide an excellent starting point to address security risks. This baseline should be augmented with real-time detection policies. Implementing an alert system that delivers intrusion detection warnings in real time ensures up-to-the-minute security awareness.
9. Extend protection to the database application layer. Protecting data at its source, the database, is essential to preventing breaches and data loss. Even with traditional perimeter security measures in place, the best way to defend against data harvesting is to extend protections to the database.
10. Trust but verify. Students, researchers, visiting professors and other administration professionals have all become increasingly connected to the database. While it is important to trust these business partners and essential to grant them access to critical data, it remains vital to prevent security risks. Responsible data practice dictates verifying, via permissions, access control, defined roles and real-time monitoring, so that user behavior falls within authorized activity. As part of that process, the database security system should alert on suspicious activity and document suspected violations.
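The "trust but verify" step, together with the earlier point about defending against data harvesting, can be sketched as a check over database audit events. This is an added example, not part of the original article; the role names, table names, row threshold and sample events are all assumptions constructed for illustration.

```python
from collections import Counter

# Hypothetical role policy (assumption): role -> {table: allowed actions}.
ROLE_POLICY = {
    "student":    {"course_catalog": {"SELECT"}, "own_grades": {"SELECT"}},
    "researcher": {"research_data": {"SELECT", "INSERT", "UPDATE"}},
    "registrar":  {"grades": {"SELECT", "UPDATE"},
                   "enrollment": {"SELECT", "INSERT", "UPDATE"}},
    "fin_aid":    {"financial_aid": {"SELECT", "UPDATE"}},
}
# Tables holding PII, health or financial data (assumption).
SENSITIVE = {"financial_aid", "health_records", "grades"}
BULK_ROW_LIMIT = 500  # assumed per-user, per-table limit for the reviewed window

# Constructed audit events: (user, role, action, table, rows_returned)
SAMPLE_EVENTS = [
    ("alice", "student", "SELECT", "course_catalog", 40),
    ("alice", "student", "UPDATE", "grades", 1),             # outside role
    ("bob", "fin_aid", "SELECT", "financial_aid", 12),
    ("bob", "fin_aid", "SELECT", "financial_aid", 900),      # authorized but bulk
    ("carol", "researcher", "SELECT", "health_records", 3),  # outside role
    ("dave", "visitor", "SELECT", "course_catalog", 5),      # role not defined
]

def review(events):
    """Return (user, reason, table) alerts; anything not explicitly allowed is flagged."""
    alerts, rows_read, bulk_flagged = [], Counter(), set()
    for user, role, action, table, rows in events:
        policy = ROLE_POLICY.get(role)
        if policy is None:
            alerts.append((user, "UNKNOWN_ROLE", table))
            continue
        if action not in policy.get(table, set()):
            alerts.append((user, "OUTSIDE_ROLE", table))
            continue
        # Authorized access can still be harvesting: track cumulative reads.
        if action == "SELECT" and table in SENSITIVE:
            key = (user, table)
            rows_read[key] += rows
            if rows_read[key] > BULK_ROW_LIMIT and key not in bulk_flagged:
                bulk_flagged.add(key)
                alerts.append((user, "BULK_READ", table))
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_EVENTS):
        print(alert)
```

The bulk-read check matters for the insider case the article describes: the financial aid user never leaves the role's permissions, so only the volume of rows read distinguishes routine work from harvesting.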