Infosec in higher ed is about more than keeping secrets
In today’s “always on” world of higher education information technology, IT resources and data have to be protected from prying eyes to ensure that only the right people with the right permissions can use institutional data.
And the data in those IT resources must be consistently accurate and reliable for many audiences — from students, faculty, and staff to collaborators and researchers, to accreditors, and to the public at large. For information security professionals at universities across the country, ensuring the confidentiality, availability, and integrity of these resources are the fundamental concepts that carry the highest priority.
Yet it seems the concept of confidentiality is the tenet that the public is most aware of. That makes sense, of course, because the concept of confidentiality is easy for anyone to understand and a failure of confidentiality has demonstrable impact on end users. Many laws and regulations specify what higher education institutions must do in order to protect the different kinds of data entrusted to their care. Many of these laws also specify what must happen, for instance breach notification response, if the confidentiality of information is compromised.
Because of the familiarity with the importance of confidentiality, the concepts of availability and integrity are often given short shrift, despite the fact that smooth IT operations depend greatly on both availability and integrity.
For example, availability is at stake when a campus network is slow or inaccessible and when students and faculty can’t log into the institution’s learning management system, and integrity is at stake when controls are not put in place to protect administrative, teaching, or research data from modification.
Availability means that the owners and users of IT resources can depend on those resources being operational when needed. The failure of availability can be quite visible to the end user. In recent years several colleges and universities have been the victims of distributed denial of service attacks on their campus networks. These attacks compromise availability in very public ways, such as making an institution’s public-facing website unavailable or preventing a campus from accessing the internet, and often leave IT teams scrambling to bring systems back online while an attack is still going on.
For today’s higher education student, 60 percent of whom spend at least three hours a day engaged in online research or homework, not having access to institutional resources or the internet can be limiting. Depending on the length and severity of the attack, the service disruption caused by these types of attacks can also impact other campus operations — hospitals and student health centers, campus emergency operations, and public activities can all be affected.
Integrity is also not to be forgotten. Owners and users of IT resources need to be able to depend on the accuracy of the data in those systems and system processes that use that data. Ensuring integrity is particularly important in high-impact areas where the authenticity of data is critical. An institution could suffer a blemish to its reputation if it fails to protect the integrity of research data, especially as the monies available for federally-funded higher education research continue to decline.
Integrity can be compromised by the well-intentioned user who notices a perceived mistake in data and makes a unilateral decision to change a data element. It can also be compromised by the attacker who purposefully seeks to manipulate data. Reports abound in higher education of students who hack into computer systems (a confidentiality issue) to raise their grades (an integrity issue).
Greg Hedrick, chief information security officer at Purdue University, points out that for the information security professional, integrity concerns boil down to issues of trust.
“If data are corrupted for any reason, security must detect that corruption and ensure that there is a way to bring the data back to a trustworthy state,” Hedrick said. This is why backing up data is so important.
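As an added illustration of Hedrick’s point (this is example code, not from the article or from Purdue), a small Python integrity check: a keyed manifest detects files whose contents have changed or gone missing, and a separately kept backup copy brings them back to a trustworthy state. The file paths, contents and key are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample: two institutional data files and an off-line backup copy
# taken at the same moment. Paths, contents and the key are made up for this demo.
DATA = {
    "registrar/grades.csv": b"student,course,grade\n1001,CS101,B\n1002,CS101,A\n",
    "research/lab_results.csv": b"sample,value\nA1,0.42\nA2,0.57\n",
}
BACKUP = dict(DATA)  # trustworthy copy kept apart from the live system
# Only the integrity checker holds this key, so someone who can edit the data
# cannot also rewrite the manifest to match the edited contents.
MANIFEST_KEY = b"example-manifest-key-not-for-production"

def build_manifest(files, key=MANIFEST_KEY):
    """Return {path: HMAC-SHA256 of contents} for each file in the snapshot."""
    return {p: hmac.new(key, d, hashlib.sha256).hexdigest() for p, d in files.items()}

def find_corrupted(files, manifest, key=MANIFEST_KEY):
    """Return paths whose contents no longer match the manifest (missing counts too)."""
    bad = []
    for path, expected in manifest.items():
        data = files.get(path)
        if data is None:
            bad.append(path)
            continue
        actual = hmac.new(key, data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(actual, expected):
            bad.append(path)
    return sorted(bad)

def restore_from_backup(files, backup, corrupted):
    """Return a snapshot with every corrupted path replaced by its backup copy."""
    restored = dict(files)
    for path in corrupted:
        restored[path] = backup[path]
    return restored

def demo():
    """Detect one in-place edit and bring the data back to a trustworthy state."""
    manifest = build_manifest(DATA)
    live = dict(DATA)
    # A well-intentioned user "corrects" a grade directly in the live file.
    live["registrar/grades.csv"] = live["registrar/grades.csv"].replace(b"1001,CS101,B", b"1001,CS101,A")
    corrupted = find_corrupted(live, manifest)          # ['registrar/grades.csv']
    live = restore_from_backup(live, BACKUP, corrupted)
    return corrupted, find_corrupted(live, manifest)     # second list is empty
```

Keeping the backup and the manifest key off the live system is what makes the restored state trustworthy rather than merely different.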
For the end user, receiving a breach notification letter, or learning that a favorite social media provider may have exposed their personal information, is a keen reminder of the information security concept of confidentiality. While incidents impacting the confidentiality of data get all the limelight and attention in the press, data availability and integrity issues can inflict just as much, or even more, damage on an institution’s reputation, operations, and service levels. A solid information security program that protects an institution from risk is supported by three equally balanced legs: confidentiality, availability, and integrity.