There was some buzz in the media earlier this year about universities being subject to an increasing number of cyber attacks. An article in The New York Times drew a fair bit of attention, spawning articles in the Toronto Star and WLU’s The Cord. Based on the media reports, one might draw the conclusion that universities are more vulnerable than other organizations to cyber attacks because of the open nature of universities.
Are security challenges faced by universities that much different than other organizations?
Wednesday, November 27, 2013 by Jason Testart
Through the explosive growth of the Internet over the last couple of decades, most organizations’ technical security architectures rested on two key elements. The first was a focus on controlling the desktop computer. Tight control of the desktop computer reduces the chances of malware infections and, when managed properly, reduces the exposure from vulnerabilities that are discovered from time to time. The second was the perimeter firewall, which protects the trusted internal corporate network from the untrusted big-bad Internet.
In recent years, organizations are finding that the assumptions on which these key elements are based no longer hold. The proliferation of cloud services such as Google Apps, Office 365, Dropbox, and a plethora of other cloud-based services means that data are no longer being stored inside the organization’s trusted network. The perimeter firewall, while still an important tool in an organization’s network security portfolio, is not the security panacea it was once thought to be. Furthermore, the assertion that an organization’s internal network is trusted is being tested by the acknowledgement of malicious insiders and by the Bring Your Own Device (BYOD) phenomenon. Organizations are struggling with BYOD, as shown by a market flooded with BYOD management solutions to handle the variety of smartphones, tablets, and laptops.
The University of Waterloo’s success can, in many ways, be attributed to its culture of innovation. To enable this culture, the information security function has traditionally acknowledged that, in essence, BYOD has been a way of life since the campus was first connected to the Internet, and that parts of the campus network are going to be more open. We’ve known this and we’ve mitigated the risks (with continuous improvement, of course).
The challenge that we, and other organizations, face is the security of information in the cloud. How are we dealing with it? Building on the framework provided by Policy 8, we’re introducing a privacy and security impact assessment process. The process is designed to enable the right people in the organization to understand the information flow of IT initiatives, cloud or otherwise, and to assess the security and privacy risks. The process looks not only at the business view of the proposed solution, but also at its logical view, and it includes a technical security evaluation. We’re currently testing a draft with a few projects, and we’re making adjustments so that the process can align with the existing project management process and the systems development lifecycle.
Thanks to our guest blogger, Jason Testart.