Information technology and information security practitioners met at the 2019 NERCOMP Annual Conference and discussed how digital transformation and disruptive innovation are influencing campus information security programs. This post was authored by Associate Vice President Cathy Bates for the Educause Security Matters blog and originally appeared in that publication on May 28, 2019.
At the 2019 NERCOMP Annual Conference, information technology and information security practitioners met in a facilitated session to exchange views on how digital transformation (Dx) and disruptive innovation are influencing institutional information security programs (see footnote below). Participants discussed how the higher education information security landscape is changing and how information security practitioners can best adapt to these changes. The conversation included such topics as changing technology, the proliferation of cloud-based services, participation in shared technology services, interinstitutional consolidation and collaboration, increasing international presence, and compliance mandates that require information security practitioners to be more agile than ever.
This blog post shares portions of the discussion meeting minutes that were recorded during the session and proposes some recommendations and next steps.
Discussion question: What campus changes are influencing IT operations on your campus?
- Participants noted that campuses are building more buildings and outfitting those buildings with better technology, which requires institutions to retrofit server rooms with more AC for continual growth.
- Some participants noted that on-campus data centers are shrinking, and that campus design and dataflows are being influenced more by the applications needed on campus than by where those applications are hosted. Many participants agreed that risks here include not paying close attention to data integrations and data moving off campus in uncontrolled ways.
Discussion question: Is it true that the on-premises data center is shrinking? What does that mean?
- Some participants felt that the notion of the traditional campus data center was indeed changing. One participant noted that moving to an Office 365 data center and shifting learning management and information systems to the cloud have caused on-premises data center shrinkage.
- Other participants challenged this idea, saying that the traditional notion of the campus data center changed as virtualization technologies were implemented.
- Most participants agreed that while the campus data center may be shrinking, it will never completely go away.
Discussion question: As our on-campus architecture changes, do we need to rethink the security tools that we use?
- Participants noted that now is an excellent time to start rethinking how campus security services are offered. For example, they noted that the move to cloud-based services is causing IT departments to ask more questions during the procurement period about the security of an application and how it uses data. Campus security groups are also invested in getting actionable data from their application providers, so they can look for anomalous activity.
- Participants agreed that the information security practitioner’s “toolkit” is changing, and that understanding and using next-generation firewalls, more sophisticated endpoint protection, and security information and event management (SIEM) tools are critical.
- Participants observed that some institutions are adding more security tools on campus to better block campus user activities. One participant noted an abundance of “happy clickers” on campus who are responding to phishing and other social engineering activities and that the IT group needs to stop any resulting data exfiltration.
- Participants noted a strong desire for the consolidation of tools, as the “right tool for the job” is creating an increasing sprawl of toolsets, and the consolidated options are often not good enough. The same participants noted that few of the strongest toolkit vendors have a viable approach to higher education.
Discussion question: How do we help our users adapt to the changing environment, so that they understand how to protect institutional data and IT resources?
- Participants observed that cloud-hosted and software-as-a-service (SaaS) application models are influencing communications and education on appropriate requirements for handling institutional data. Given that these applications can have a significant impact on users, participants thought it was more important than ever for information security departments to have more interactions with end users.
- The majority of participants bemoaned a compliance-based approach to information security training, since this approach makes it hard for campuses to focus on the training that would best protect campus data. Some participants also noted that compliance-based training is invariably boring, and that people don’t learn and adopt good practices when they are not engaged.
Recommendations and Next Steps
As some campuses watch their data center footprint shrink with cloud deployments, others see theirs evolving to cover building environmental traffic and all types of campus devices that expect to transmit new types of data across the network. Meanwhile, traditional campus data is located in a myriad of cloud and SaaS locations, often fracturing the picture of campus data flows and the roles associated with monitoring and protecting the data. Suites of new information security tools and services that promise to help manage security in and across cloud/campus environments are becoming available. This is a challenging time for information security teams. Discussing the influence of Dx and disruptive innovation on campus information security programs is critical to creating a viable roadmap for protecting institutional information and assets during these significant transitions. The following are some thoughts aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework:
It is more important than ever to have an information security strategy and a clear roadmap for actions the organization must take given the many transformative, disruptive, and environmental changes under way. Ensuring that information security is considered at the beginning of technology planning has always been a struggle. As our technology solutions move to various levels of cloud deployments, so too does the ability to monitor and protect those resources with varying capabilities. Information security must now be embedded into the planning stages of Dx to account for new information security services that are being delivered as part of cloud services and to leverage and extend campus information security tools across the campus/cloud environments in the most effective manner.
Campus technology is evolving into a more complicated architecture as we embrace shared service collaborations and innovative ways of delivering technology services. At the same time, vendor partners are expanding their next-generation information security tools to incorporate and integrate more protection features. Information security teams need to account for the changing nature of security tools and determine how to procure the best, most cost-effective toolset to meet the needs of their changing campus environment. Exploring changes in tools and services now will help information security teams make better decisions during contract renewals and infrastructure refresh cycles.
Advances in information security tools and services are not keeping pace with the evolution of and improvements to cloud solutions. Information security teams have more virtual and physical locations to consider as part of incident response planning. Better offerings consistent with higher education requirements are needed from security vendors to help IT professionals effectively manage security architectures that are increasingly spread across national and international locations, campus and cloud data centers, shared technology services, and numerous SaaS solutions. For some campuses, these changes signal the time to turn to information security providers, such as security operations centers (SOCs), which may be better positioned to provide monitoring and detection across complicated architectures.
Contractual and regulatory requirements for protecting assets and detecting and responding to information security events are becoming more stringent in an effort to effectively address an ever-changing threat landscape. Many institutions have decided that they must collaborate on security operations and services across campuses in order to leverage capabilities across smaller schools and realize efficiencies while protecting institutional resources.
Finally, as we move our data into these many new environments, we must do a better job of documenting data integration and synchronization processes. The move to new solutions and environments has created significant changes for business continuity—changes that are mostly unaccounted for within institutions. The integration and control of building environmental data via the network and the importance of that traffic are largely absent from disaster-recovery planning. Business and technical teams need to work together to ensure that continuity and disaster-recovery plans are revamped and tested to keep pace with digital transformations.
Clearly, Dx and disruptive innovation are influencing institutional information security programs, bringing with them opportunities and challenges. This is a great time for us to talk with colleagues at other institutions and with corporate partners to leverage each other’s journeys and abilities. Let’s keep the conversation going.
- Cathy Bates, Jon Young, and Joanna Grama, “Disrupting Your Campus Information Security Program” (discussion circle, NERCOMP Annual Conference, Providence, RI, March 20, 2019).