Justin Casquejo’s sojourn to the top of One World Trade Center is a teaching moment for those tasked with cyber security at universities.
Despite the millions of dollars spent to make the new tower one of the world’s most secure sites, this audacious 16-year-old squeezed through a foot-wide hole in the perimeter fence. He then scaled scaffolding to enter the building, took an elevator to the 88th floor, climbed the remaining 16 flights, and eluded a (now former) security guard before accessing the roof. From there he climbed the ladder to the skyscraper’s antenna, which rises 1,776 feet above the ground, and snapped a few selfies. Conquest is a powerful motivator.
Fortunately, Justin was a thrill seeker with no criminal intent. The same probably cannot be said for the 300,000 hackers attempting to breach Purdue University every month, or the millions of attempts leveled against UC Berkeley each week, increasingly launched from China, Russia and Vietnam. Many university CIOs and CISOs expect that the number of attacks will double every few years.
Colleges and universities across the U.S. are under siege. Attacks are becoming more frequent, sophisticated and organized. As we well know, determined perpetrators do successfully exploit holes in security fences to effect serious data breaches. Experts at Purdue say no one is exempt from attacks — even the institution that boasts the world’s most powerful university-owned supercomputer.
In February, a sophisticated security attack on the University of Maryland garnered the names, Social Security numbers, birth dates and university identification numbers of more than 288,000 faculty, staff, students and others as far back as 1998. Four weeks later the school was hacked again, the target being only one senior university official.
The University of South Carolina has had six data breaches since 2006, the most egregious occurring in June 2012 when 34,000 records were compromised, bringing the total to nearly 81,000. The attack originated overseas and happened despite the university’s assurances that its security procedures were followed before the breach.
Many breaches aren’t discovered until weeks or months after they occur, when the security hole is finally plugged. Often the point of vulnerability isn’t disclosed, only that the problem has been resolved. However, the University of Indiana owned up to the fact that three automated data-mining “web crawlers” had gained access to 146,000 records stored on “an insecure server.” None of the data were downloaded since the intention of the software was web-search optimization.
The open, collaborative posture inherent to higher education is probably contributing to the uptick in hacker assaults. Officials demur on locking down campus networks so tightly that they become fortress-like. “Colleges and universities have a number of complex challenges in securing their environments,” said David Kidd, Peak 10 director of quality and compliance. “By nature, these institutions are designed to support open communication and sharing of ideas. In the modern age, communications and stored information must be more secure than in the past.”
Are Answers in the Cloud?
Many universities aren’t so financially flush that they have $1 million to spend to upgrade security for just one campus program, as the University of Wisconsin did in 2013. Even if they do, managing all their systems internally diverts time, staff and valuable mindshare away from more strategic IT engagements such as recruitment, social media marketing, program extensions and application development, as well as advanced security management.
“Colleges and universities have a complex array of systems with vastly different security requirements,” Kidd noted. “While one system may be involved in highly classified research, another may be supporting much more mundane services such as student meal plans.”
Offloading some or all infrastructure requirements can open the door to IT making higher-value contributions to its institution. Managed colocation and/or Infrastructure as a Service (IaaS) enable on-campus IT professionals to redirect efforts to creating business value rather than operating as a cost center.
Organizations are looking to the cloud for disaster recovery as a service (DRaaS) as well, particularly small and mid-size institutions. One of the key factors is the increasing need for flexibility that cloud-based DRaaS offers.
With the rapid emergence of hybrid cloud infrastructures, using all three – colocation, IaaS, and DRaaS – in combination with on-premises systems or other hosted services is becoming increasingly common and will be the predominant computing model within four years.
When it comes to security, outsourced services have a distinct advantage over campus-based systems. Open, collaborative environments are a non-starter. Service providers optimize logical and physical security, having the added advantage of being able to amortize that cost across a large customer base. The same is true for costs related to power, cooling, generators and UPS systems. Outsourced services are a secure and cost-effective complement to a modern-day multi-sourced IT infrastructure.
Anyone familiar with Peak 10 knows that it has the industry’s most comprehensive compliance program. All Peak 10 data centers are audited and audit-ready for inspection. As a hybrid provider, Peak 10 provides a full range of services from basic to managed colocation, enterprise (public) cloud services to virtual and dedicated private clouds, PCI DSS- and HIPAA-compliant clouds, storage and network services, managed security and DRaaS. It all comes with the best combination of redundancy, resiliency and industry best practices.
In the battle to protect critical data and personal information, it always pays to have like-minded allies who have your back.