BALTIMORE, MARYLAND – Joel Rosenblatt doesn’t worry about securing the network at Columbia University. He worries about securing data.
The school’s director of computer and network security spoke at the first annual Cyber Security for Higher Education conference, an intimate gathering of CISOs and CIOs from some of the country’s top universities. The two-day conference was hosted by IQPC, an international company that hosts management solutions events in various industries.
“My entire security theme is, ‘Let’s secure the data,’” Rosenblatt said during a presentation. “We don’t do things in a lot of ways that standard schools do.”
Rosenblatt said the Ivy League school, in upper Manhattan in New York City, has a “completely open” network, without any firewalls.
IT leaders at the school are currently trying to build a cloud facility in-house, while moving away from reliance on personal computers and using Citrix to secure data and applications in virtualized environments.
“We’re in the process of moving everything to our private cloud, which will turn into a hybrid cloud,” Rosenblatt said. “Our ultimate goal is to create one seamless cloud.”
Students were unhappy with the university’s webmail system, so the school chose a new email service – Google. Email from about 100,000 people on campus comes into Columbia’s system and then goes into Google’s system. The school does its own authentication.
Rosenblatt spoke of the importance of a strong contract between universities and service providers. He said that, in order to store all of Columbia’s data in the United States, Google put the school in a separate category typically reserved for government employees. Lawyers for the school and the tech company spent about two years negotiating and finalizing the contract, Rosenblatt said.
“Moving email to Google is the biggest business process we have,” he added. “If Google goes down, there are a lot of unhappy people. The good news is it doesn’t happen very often.”
The school uses Google CloudLock, a Cloud Access Security Broker solution, to protect sensitive data.
“It looks at every document in Google on a continuous basis, and it looks for patterns like social security numbers or credit cards,” Rosenblatt said. If CloudLock finds this type of personally identifiable information, “it removes all the shares from that document and emails me to encrypt or remove the document.”
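The kind of pattern scan Rosenblatt describes can be sketched as follows. This is an added illustration, not CloudLock's code or part of the original report; the document records, the `enforce` policy step and the notice wording are assumptions. It validates candidates (never-issued SSN ranges, the Luhn checksum for card numbers) so that look-alike digit strings do not trigger the share removal.

```python
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13 to 19 digits, optional separators

def valid_ssn(area, group, serial):
    # Never-issued ranges: area 000, 666, 900-999; group 00; serial 0000.
    return not (area in ("000", "666") or area[0] == "9"
                or group == "00" or serial == "0000")

def luhn_ok(digits):
    # Luhn checksum: double every second digit from the right, sum, test mod 10.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text):
    """Return the sorted kinds of PII ('card', 'ssn') that pass validation."""
    kinds = set()
    if any(valid_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        kinds.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            kinds.add("card")
    return sorted(kinds)

def enforce(doc):
    """Hypothetical policy step: strip shares and draft an owner notice."""
    kinds = find_pii(doc["text"])
    if not kinds:
        return doc, None
    notice = f"{doc['name']}: {', '.join(kinds)} detected; shares removed, encrypt or remove"
    return dict(doc, shares=[]), notice

# Constructed sample documents (not real data).
DOCS = [
    {"name": "roster.txt", "text": "J. Doe, SSN 123-45-6789", "shares": ["anyone-with-link"]},
    {"name": "receipt.txt", "text": "Paid with 4111 1111 1111 1111", "shares": ["team"]},
    {"name": "orders.txt", "text": "Order 4111 1111 1111 1112, ref 000-12-3456", "shares": ["team"]},
]

if __name__ == "__main__":
    for doc in DOCS:
        cleaned, notice = enforce(doc)
        print(cleaned["name"], cleaned["shares"], notice or "no action")
```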
The school has run into roadblocks in trying to both secure student data and promote a more collaborative learning environment.
Professors recommended that students use a collaboration platform called Piazza, which integrates with schools’ learning management systems. It allows instructors to guide classes by endorsing students’ questions and answers, and lets students post anonymously. Soon, thousands of students started using the platform – but Rosenblatt found out that Piazza sells student information to headhunters looking to place people in jobs.
“The bottom line was, they have something that students sign that says exactly what [the company is] going to do with their data,” he said. “We can’t stop them from doing this. So the final decision was, ‘Students are smart, they should know what they’re signing.’”
As more information is stored in the cloud, Rosenblatt said he believes it’s going to be split into two business models in the future. There will be one for storage and one for services, “and you’ll contract with a storage vendor and pick a service vendor that will interact with your data.”
When things go wrong in the case of data breaches, universities are typically worried about “reputational risk,” Rosenblatt said. If a story is written about a data breach, it usually zeroes in on the college, not on the vendor. Breaches can also have wider implications, possibly costing donations from alumni.
“If nothing happens, it means that you’re doing a good job,” Rosenblatt said.
IQPC is hosting its second annual Cyber Security for Defense Summit in June. For more information, visit www.CyberSecurityforDefense.
Yizhu Wang contributed to this report.