Managing Identity in Higher Ed = Fewer Breaches? Part 1
Read this two-part blog series to explore the evolving data breach landscape in higher education and the crucial role that “people security,” or managing identities and access rights, occupies.
In December 2017, Ed Tech Magazine published an article entitled “Education Sector Data Breaches Skyrocket in 2017.” If you missed it, you can find it here. For the purposes of this blog, one stand-out quote needs to be highlighted:
“During the first half of 2017, there were 118 successful attacks on educational institutions, which accounted for 13 percent of all breaches. Only the financial and healthcare sectors had more breaches.
With the report indicating identity theft as the leading motivation, it’s no surprise that universities—with their large numbers of users—are a juicy target for hackers looking for personal and financial information.”
Combine this quote with Ponemon Institute data in an article from 2017 published by Campus Technology (found here):
“The average cost of a data breach in the United States rose for the fourth straight year, hitting $225 per compromised record–the highest it has been since 2006, when the Ponemon Institute began to publish research on the topic. In education, which tends to be more heavily regulated regarding data privacy, the average “per capita” cost for 2017 in this country is even higher: $245.”
“Compared to other types of organizations, education tends to take a long time to identify and contain data breaches. On average, worldwide, education takes 221 days for the first part of the work and 83 days for the second part. As a comparison, financial takes only 155 days to identify a potential breach and 34 days to respond and contain it. Those aspects are important, the research noted, because the longer the duration of those two aspects of data breaches, the higher the cost to the organization.”
What do we learn from these short snapshots of the state of higher education data breaches? First, higher education institutions are particularly vulnerable to data breaches, with identity theft the leading motivation, which puts stolen credentials at the center of the problem. Second, data breaches are extremely costly for higher education, driven both by the sector's heavier regulation of data privacy and by the length of time it takes an institution to identify and contain a breach.
This blog series examines the extreme vulnerability higher education institutions face to data breaches, led by stolen credentials. In this first part of the series, “people security” will be defined. In the second part of the series set to publish on September 20, 2018, potential solutions will be investigated.
Higher education institutions store highly sensitive personal data for diverse users, including students, faculty, staff, alumni, donors, and vendors, in addition to intellectual property and research data. Many institutions have open, decentralized environments that help promote education and collaboration but can also increase vulnerability. Further, decentralized environments breed silos of identity information and unnecessary duplicate data, which reduce security and efficiency while increasing costs. Some institutions still have locally managed IT infrastructures at the department or school level, with little centralized IT oversight or consolidation. Compounding the issue is the fact that higher education institutions are typically "laggards" in technology adoption. Higher education institutions also have a unique challenge: reconciling their decentralized environments with highly complex identities (e.g., a faculty member may also be the parent of a current student and an alumnus of the institution, and each of those affiliations carries different access rights).
Not only are identities in higher education complicated, but the landscape of both "people security" best practices and tools has been undergoing rapid change over the past ten years. The term "identity and access management" (IAM) used to serve as an all-encompassing umbrella for determining who has access to what, and when. Today, terms like "identity governance and administration" (IGA) and "access management" have taken over as standalone functional areas, each with many sub-functions. For IGA, these sub-functions include provisioning and deprovisioning, role-based access policies, and segregation of duties; for access management, they include single sign-on (SSO), directories, and multi-factor authentication.
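To make the IGA sub-functions named above concrete, here is an added example (not code from the original post, from The Tambellini Group, or from any vendor) that models one campus identity with several affiliations, derives its entitlements from role-based policy, refuses a grant that lacks an approver or would violate a segregation-of-duties rule, and records every decision in an audit trail. It also shows deprovisioning when an affiliation ends. The affiliation names, entitlement strings, approver names and SoD rules are all constructed for illustration, not any institution's real policy.

```python
"""Minimal identity governance model for a campus (added example, not the
post's own code). Role names, entitlements, SoD rules and approvers below
are constructed for illustration only."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Role-based access policy: each affiliation grants a fixed entitlement set.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "student": {"lms:read", "sis:view_own_grades", "sis:register"},
    "faculty": {"lms:read", "lms:grade", "sis:view_roster"},
    "parent": {"sis:view_dependent_bill"},
    "alumni": {"alumni:portal"},
    "staff:ap_clerk": {"erp:enter_invoice"},
    "staff:ap_approver": {"erp:approve_invoice"},
}

# Segregation of duties: entitlement pairs no single identity may hold at once.
SOD_RULES: List[Tuple[str, str]] = [
    ("erp:enter_invoice", "erp:approve_invoice"),  # classic finance SoD rule
    ("lms:grade", "sis:register"),  # constructed rule: a grader may not also be an enrolling student
]


@dataclass
class Identity:
    netid: str
    affiliations: Set[str] = field(default_factory=set)


@dataclass
class AuditEvent:
    netid: str
    action: str  # "grant", "revoke" or "deny"
    detail: str


class IdentityStore:
    """Holds identities plus an append-only audit trail of every access decision."""

    def __init__(self) -> None:
        self.identities: Dict[str, Identity] = {}
        self.audit: List[AuditEvent] = []

    def get(self, netid: str) -> Identity:
        return self.identities.setdefault(netid, Identity(netid))

    def entitlements(self, netid: str) -> Set[str]:
        """Effective entitlements are the union over all current affiliations."""
        ents: Set[str] = set()
        for aff in self.get(netid).affiliations:
            ents |= ROLE_ENTITLEMENTS.get(aff, set())
        return ents

    @staticmethod
    def sod_violations(ents: Set[str]) -> List[Tuple[str, str]]:
        return [(a, b) for a, b in SOD_RULES if a in ents and b in ents]

    def provision(self, netid: str, affiliation: str, approver: Optional[str]) -> bool:
        """Grant an affiliation only with a recorded approver and no SoD conflict."""
        if affiliation not in ROLE_ENTITLEMENTS:
            self.audit.append(AuditEvent(netid, "deny", f"unknown affiliation {affiliation}"))
            return False
        if not approver:
            self.audit.append(AuditEvent(netid, "deny", f"{affiliation}: no approver recorded"))
            return False
        proposed = self.entitlements(netid) | ROLE_ENTITLEMENTS[affiliation]
        conflicts = self.sod_violations(proposed)
        if conflicts:
            self.audit.append(AuditEvent(netid, "deny", f"{affiliation}: SoD conflict {conflicts}"))
            return False
        self.get(netid).affiliations.add(affiliation)
        self.audit.append(AuditEvent(netid, "grant", f"{affiliation} approved by {approver}"))
        return True

    def deprovision(self, netid: str, affiliation: str, reason: str) -> Set[str]:
        """Remove an affiliation; entitlements only it granted disappear with it."""
        self.get(netid).affiliations.discard(affiliation)
        self.audit.append(AuditEvent(netid, "revoke", f"{affiliation}: {reason}"))
        return self.entitlements(netid)


def demo() -> IdentityStore:
    """Walk constructed identities through grant, denial, SoD and deprovisioning."""
    store = IdentityStore()
    # The complex identity from the post: faculty, parent of a student, and alum.
    for aff in ("faculty", "parent", "alumni"):
        store.provision("jdoe", aff, approver="hr-workflow")
    # A request that bypasses the approval workflow is refused and recorded.
    store.provision("jdoe", "student", approver=None)
    # A finance clerk who later asks for approver rights hits the SoD rule.
    store.provision("asmith", "staff:ap_clerk", approver="finance-director")
    store.provision("asmith", "staff:ap_approver", approver="finance-director")
    # A graduating student loses "student" and gains "alumni".
    store.provision("bjones", "student", approver="registrar")
    store.deprovision("bjones", "student", reason="degree conferred")
    store.provision("bjones", "alumni", approver="registrar")
    return store


if __name__ == "__main__":
    for ev in demo().audit:
        print(f"{ev.netid:8} {ev.action:6} {ev.detail}")
```

The point of the audit list is the part of the post that follows: a grant that never passed through `provision` has no record, so when a breach is investigated there is nothing to reconstruct who approved what. Real deployments put this logic behind a workflow engine and a directory, but the decision order (is the role known, is there an approver, would the combined entitlements conflict) is the same.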
Vendors use complicated and confusing language for their solutions' capabilities, making it very difficult to compare solutions apples to apples, or even to discuss the space with any coherence and consistency. Many vendors are unable to handle the complexity of roles within higher education, leading institutions to seek out custom-built home-grown solutions, open-source tools from organizations like Internet2, or both. For instance, higher education institutions have typically managed their identities and accompanying access rights manually with a combination of a user directory (like Microsoft Active Directory) queried over the Lightweight Directory Access Protocol (LDAP), often with Shibboleth in the mix for federated single sign-on. In conjunction, many institutions also rely on the application-level access controls built into a legacy student information system/human resources/financials (student/ERP) environment like Oracle PeopleSoft or Ellucian Banner. As the number of applications at an institution grows, however, this strategy becomes increasingly unsustainable, and the problem compounds as the number of constituents (students, faculty, staff, parents, visitors) increases. Further complicating the issue, the most sensitive data at the institution is largely held within the student and ERP systems, which are frequently reachable from the public Internet.
As a result of these converging factors, institutions struggle both to define the problem facing them and to settle on a path forward to remediation. When the problem is hard to define, asking for funding to solve it becomes almost impossible, which has led institutions to forgo addressing it with a systematic, enterprise-wide strategy. The majority of institutions find themselves in a very precarious situation. Identities and their accompanying roles can be held in many disparate systems that are not centrally managed. Access rights can be granted without strict workflow approvals or the ability to audit who granted what. If (when) credentials are stolen, attackers can easily access sensitive applications that are exposed to the Internet. Data breaches are often missed for long periods of time, and frequently, significant issues with an institution's identity management strategy are only discovered in the midst of very complicated and expensive ERP replacements.
How are innovative higher education institutions (and the vendors that serve them) tackling this difficult issue? The Tambellini Group is actively researching this topic and will have more for you next week on what leading institutions and vendors are doing to streamline and modernize identity management within higher education. In the meantime, you can read more about creating a comprehensive IAM strategy in Tambellini’s A Guidebook to Maturing an Identity and Access Management Strategy on Campus. You can also learn more about the threat of credential loss by watching this video from Foothill-De Anza Community College District.
Do you have feedback for us on this post or ideas for a new blog topic? Contact Katelyn Ilkani or find her on Twitter @katelynilkani to share your thoughts.