Guest Blogger: Rich Murphy, Director of Technical Account Management, @BlackStratus
IT Systems administrators working in an academic setting are often faced with the unenviable task of balancing two seemingly disparate priorities: managing and mitigating security risks, and ensuring a user experience that is intuitive, seamless and reliable. This dilemma is not a new one — Frederick M. Avolio, writing at Networkcomputing.com, notes that “security and usability are often inversely proportional.”
The unique environment of an academic institution presents its own specific set of challenges. While each organization is different, it is possible to address some general concerns that impact how users interact with their IT resources and the security issues that result. Understanding these issues is the first step towards designing systems that are user friendly without compromising security.
Identifying User Priorities
One of the main challenges to effective and secure IT design in an academic institution is the wide range of users — each of whom brings a different level of computer fluency — that the system has to support.
Typical users of an academic institution’s IT resources can include:
- Administrators handling student records and other confidential information.
- Students accessing academic and financial services remotely.
- Researchers collaborating on papers, grant proposals and other intellectual property.
- Health facilities and financial institutions transmitting student records electronically.
Prioritizing User Expectations
In each of the above examples, users face a very different set of priorities. On the administration side, preventing academic fraud is essential to maintaining an institution’s reputation. Students who access financial and private information from campus need to be confident their data will be protected. Researchers need to be able to collaborate openly without putting their proprietary data at risk. And on-campus health and financial institutions must ensure compliance with HIPAA, PCI and other federal regulations.
Assessing and Mitigating Risks
Cyber attacks on higher education facilities can come from a variety of sources and exploit a wide range of potential weaknesses — including, but not limited to, botnet activity, design flaws that create unintended access points, BYOD policies and social engineering. Identifying these risks should be one of the first priorities of any security team working in higher education IT.
Best Practices for User-Friendly Network Security
In an ideal system, authorized users would be able to access the information and applications they need without having to jump through too many hoops. Too often, however, the user is asked to compensate for a poorly designed security infrastructure with limited access conditions, complicated password requirements or other restrictions that inevitably lead to further problems that tax the resources of your IT team.
Tightening up your security is an essential first step to ensuring a more organic user experience that doesn’t put private information at risk. Other articles delve more deeply into best practices, but some of the important principles to keep in mind include:
- Simplicity: A simpler network is easier to use and more secure. Begin by performing a comprehensive audit of your systems, and aim to reduce redundancies and eliminate waste.
- Centralize log data: Log data from your security devices is essential to identifying and responding to threats. Data collection should be automated and centralized to ensure all relevant information is available for analysis as needed.
- Practice continuous improvement: As threats against your network evolve, so should your ability to respond to them. Regular audits and an ongoing commitment to security give you the tools to ensure your systems can anticipate new threats and vulnerabilities that arise.
While security and usability are often at odds within higher education networks, meeting both priorities is not only possible, but necessary to maintain the integrity of your institution's reputation.
Rich Murphy, Director of Technical Account Management, oversees the BlackStratus security platform as it relates to BlackStratus partners. Rich has over 10 years of experience in the security field, working with Internet Security Systems, and later IBM prior to joining BlackStratus. He has worked extensively with incorporating advanced firewall, IDS/IPS, SIEMs, and other networking/security tools in large-scale Enterprise and MSP environments. Rich received his B.S. in computer science from Georgia Institute of Technology.