Today the Obama Administration is announcing a focus on cyber security at a meeting this afternoon with high-level corporate executives, prompted by the recent string of Chinese and Iranian attacks as well as the general vulnerability of U.S. networks. Yesterday the nation’s top spies warned of the rising threat that cyber attacks pose to national and economic security, directly relating these dangers to global terrorism. Institutions of higher learning are not immune to these problems (see “Universities are #1 Target for Privacy Data Breaches”, NonProfit Times, July 2007; University of Georgia, University of South Carolina, University of Nebraska, City College of San Francisco, Missouri State University, State of Hawaii, Florida CCLA, University of North Carolina, to name a few…).
The attention these security issues are getting will undoubtedly lead to positive things and greater cyber security; however, too many treat encryption of the data alone as the answer, whereas the problem is much bigger, especially for institutions. Additionally, organizations experience fraud and breaches mainly from the inside, a point supported by a new security study from the Ponemon Institute.
A good guide to the various dimensions required for strong security is Defense in Depth (DID), which was developed by the NSA. In a nutshell, DID is an information assurance concept in which multiple layers of security are placed throughout the IT infrastructure, including encryption of storage and network transport, auditing, monitoring and blocking. These layers cover roles, permissions, failed logins, user activity, views, schema changes, data changes, and firewalls around the data.
Encryption is a process of encoding data so that unauthorized parties cannot read or access it while authorized parties still can. Most methods of encryption use a key, which specifies how the data is encoded. Encryption today is often applied only to selected areas of information such as PII or other sensitive data, but if only some tables are encrypted, there are very likely several places where the same sensitive information sits unencrypted (print spool files and other tables, for instance). Whole database encryption is the key to resolving the risk of unencrypted sensitive data.
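The gap described above, shown as an added example (not code from the original post or from Ellucian): a constructed student table has only its SSN column encrypted, a report job decrypts rows and leaves its output in a print spool, and a scan of every stored artifact finds the plaintext copy. Encrypting the whole store closes the gap. The cipher is a stand-in keystream construction for the demo, not the DBMS's own encryption, and the file names, key and records are all assumed.

```python
import hashlib
import hmac
import re

# Constructed demo key and a regex for U.S. SSN-shaped values, the kind of PII
# a column-level encryption project typically targets first.
DEMO_KEY = b"demo-key-not-for-production"
SSN_PATTERN = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher for the demo: an HMAC-SHA256 keystream in counter mode
    XORed with the data (applying it twice decrypts). It only marks which
    bytes are ciphertext; a real system uses the DBMS's AES-based encryption."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_column_encrypted_store(key: bytes) -> dict:
    """Encrypt only the SSN column of a constructed students table, then run
    the kind of report job that decrypts rows and leaves its output in a
    print spool file, exactly the side copy the text warns about."""
    students = [("astudent", b"123-45-6789"), ("bstudent", b"987-65-4321")]
    rows = [(name, keystream_xor(key, b"ssn:" + name.encode(), ssn)) for name, ssn in students]
    table_file = b"\n".join(name.encode() + b"," + enc for name, enc in rows)
    # the report decrypts each SSN for printing; the spool keeps the plaintext
    spool_file = b"\n".join(
        name.encode() + b"," + keystream_xor(key, b"ssn:" + name.encode(), enc)
        for name, enc in rows
    )
    return {"students.tbl": table_file, "report.spool": spool_file}


def encrypt_whole_store(store: dict, key: bytes) -> dict:
    """Whole-database encryption: every artifact at rest is ciphertext,
    keyed per file name so the spool is covered as well as the table."""
    return {name: keystream_xor(key, name.encode(), data) for name, data in store.items()}


def find_plaintext_leaks(store: dict) -> dict:
    """Scan every stored artifact for SSN-shaped plaintext: the check a
    practitioner runs to find copies that column encryption missed."""
    return {
        name: [m.decode() for m in SSN_PATTERN.findall(data)]
        for name, data in store.items()
        if SSN_PATTERN.search(data)
    }


if __name__ == "__main__":
    partial = build_column_encrypted_store(DEMO_KEY)
    print("column encryption leaks:", find_plaintext_leaks(partial))
    print("whole-store leaks:", find_plaintext_leaks(encrypt_whole_store(partial, DEMO_KEY)))
```

The scan is the useful part: run the same kind of pattern search over spool directories, export folders and backup staging areas, and it tells you where a column-encryption project has left plaintext behind.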
Auditing is a passive process that enables future accountability for actions taken against information (the database), which typically deters users from inappropriate actions. Auditing allows for investigations of suspicious activities and can report unauthorized manipulation of information. Auditing monitors specific database activities and can detect, for example, individuals accessing a part of the system they are not authorized to use. The complete database infrastructure must be monitored and the information stored to allow for audits.
Database firewalls work in conjunction with auditing and monitoring to block traffic. The entire database infrastructure should be firewalled.
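A small policy engine of the kind the auditing and firewall paragraphs describe, as an added example that is not code from the original post or from Ellucian: it reads constructed audit events (timestamp, user, role, event, SQL), applies an assumed role-permission table and sensitive-table list, blocks statements the role may not run, alerts on schema changes and on repeated failed logins, and returns the findings. The log format, roles, table names and threshold are all assumptions for the demo.

```python
from collections import Counter

# Constructed audit events in an assumed format: timestamp|user|role|event|sql
AUDIT_LOG = """\
2013-03-14T09:00:01|jdoe|registrar|LOGIN_OK|
2013-03-14T09:00:05|jdoe|registrar|QUERY|SELECT name, major FROM students WHERE id = 42
2013-03-14T09:02:11|jdoe|registrar|QUERY|UPDATE enrollments SET grade = 'A' WHERE id = 7
2013-03-14T09:05:00|webapp|webapp|QUERY|SELECT title FROM courses
2013-03-14T09:05:30|webapp|webapp|QUERY|SELECT ssn FROM students
2013-03-14T09:06:00|tsmith|helpdesk|QUERY|DROP TABLE payroll
2013-03-14T09:07:00|mlee|dba|QUERY|ALTER TABLE students ADD COLUMN phone TEXT
2013-03-14T09:10:00|unknown|helpdesk|LOGIN_FAIL|
2013-03-14T09:10:02|unknown|helpdesk|LOGIN_FAIL|
2013-03-14T09:10:04|unknown|helpdesk|LOGIN_FAIL|
2013-03-14T09:10:06|unknown|helpdesk|LOGIN_FAIL|
"""

# Assumed role-to-permission table for the demo; "*" marks the DBA role.
ROLE_PERMISSIONS = {
    "registrar": {"SELECT": {"students", "enrollments"}, "UPDATE": {"enrollments"}},
    "helpdesk": {"SELECT": {"students"}},
    "webapp": {"SELECT": {"courses", "enrollments"}, "INSERT": {"enrollments"}},
    "dba": {"*": {"*"}},
}
SENSITIVE_TABLES = {"students", "payroll"}   # assumed list of PII-bearing tables
DDL_VERBS = {"CREATE", "ALTER", "DROP"}      # schema changes
FAILED_LOGIN_THRESHOLD = 3

# Which keyword precedes the table name for each statement verb.
TABLE_AFTER = {"SELECT": "FROM", "DELETE": "FROM", "INSERT": "INTO",
               "UPDATE": "UPDATE", "CREATE": "TABLE", "ALTER": "TABLE", "DROP": "TABLE"}


def parse_statement(sql: str):
    """Return (verb, table) for a simple single-table SQL statement."""
    words = sql.replace(",", " ").split()
    if not words:
        return None, None
    verb = words[0].upper()
    keyword = TABLE_AFTER.get(verb)
    if keyword:
        for i, word in enumerate(words[:-1]):
            if word.upper() == keyword:
                return verb, words[i + 1].strip("();").lower()
    return verb, None


def decide(role: str, verb, table):
    """Firewall policy: ALLOW, ALERT (allowed but flagged for review) or BLOCK."""
    perms = ROLE_PERMISSIONS.get(role, {})
    if "*" in perms:
        if verb in DDL_VERBS:
            return "ALERT", f"schema change ({verb} {table}) by DBA role, review"
        return "ALLOW", "DBA role"
    if verb in DDL_VERBS:
        return "BLOCK", f"schema change ({verb} {table}) by non-DBA role {role}"
    if table in perms.get(verb, set()):
        return "ALLOW", f"{role} may {verb} {table}"
    if table in SENSITIVE_TABLES:
        return "BLOCK", f"{role} may not {verb} sensitive table {table}"
    return "BLOCK", f"{verb} on {table} not granted to {role}"


def review_audit_log(log_text: str) -> list:
    """Walk the audit events; return (timestamp, user, decision, reason) for
    everything that was blocked or alerted, including failed-login bursts."""
    failed = Counter()
    findings = []
    for line in log_text.splitlines():
        ts, user, role, event, sql = line.split("|", 4)
        if event == "LOGIN_FAIL":
            failed[user] += 1
            if failed[user] == FAILED_LOGIN_THRESHOLD:
                findings.append((ts, user, "ALERT", f"{FAILED_LOGIN_THRESHOLD} failed logins for {user}"))
        elif event == "QUERY":
            verb, table = parse_statement(sql)
            decision, reason = decide(role, verb, table)
            if decision != "ALLOW":
                findings.append((ts, user, decision, reason))
    return findings


if __name__ == "__main__":
    for finding in review_audit_log(AUDIT_LOG):
        print(*finding)
```

Run inline (before the statement reaches the database) the decision is the firewall; run over stored events it is the audit review, which is why the two belong together: the same policy table produces both the block and the evidence trail.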
Watch Ellucian Live this year for some fantastic news on out-of-the-box Ellucian security, patterned after the NSA’s Defense-in-Depth.