Best Practices for Automation on Campus
Bob Turner remembers the question like it was yesterday. His chief information officer, a little perplexed over a slate of data breaches hitting universities around the country, asked, “What do we need to prevent what’s happening to our peer institutions?” At the time, Turner was six months into his job at the University of Wisconsin-Madison as the director of the Office of Cybersecurity, so the question was relevant across myriad fronts. He remembers the question like it was yesterday because it is a recurring one—not only for Turner and the University of Wisconsin, but for higher education professionals like him and all of the colleges they are entrusted to protect.
The ever-evolving digital landscape is forcing colleges and universities to forever protect themselves against all of the intricate (you could also use words like “sneaky,” “mischievous,” and “criminal”) ways hackers look to get to their data. Over the past five years, Turner has continued to spearhead UW-Madison’s digital transformation effort against said hackers.
Today, he leads a team of 60-plus cybersecurity experts and student interns who deliver governance, risk management and compliance, common systems cybersecurity, testing and cyber defense, incident response and forensics, within a Cybersecurity Operations Center. “Obviously, we need to keep pace from a security perspective with everything that happens here on campus,” Turner says. “It is the entire stream and diversity of that network, which includes administrative research, and teaching and learning business support functions. We have a lot of business that is digitally enabled on our network. That means we have to pay attention to opportunities and transformations that help make things bigger, better, faster.”
The battle is never-ending.
A quick look at the universe that Turner and his team are tasked to protect can be a bit daunting—34 divisions (schools, colleges and institutions) that include more than 43,000 students, 22,000 staff, and scores of affiliated researchers, vendors and other network users. The crux of the blueprint they devised to protect the masses centers on the strategy of People, Process and Tools. “We need to understand the entire realm of what the need is at the university, what our business needs are, what our research and academic needs are,” Turner says. “A better way to say that might be, ‘How do we get there from here?’”
A self-admitted adventurous person by nature, Turner admits the transformation of the business process is kind of the great unknown. “That is why we have to figure out what our customers need, and then determine how we can meet those needs. The weight on my shoulders is to understand that with every new advancement in digital technology comes a corresponding need to assess the risk to the university—not only to the system availability, integrity and confidentiality, but also to the data availability, integrity and confidentiality.”
And here is the kicker: If you put too many restrictions in place, the business stops. That is why Turner says the process of transformation must thrive on collaboration, i.e., being able to have more than one eye on a piece of data.
Knock, knock—Know who’s there?
When someone logs onto the network at Stony Brook University (a video camera, security lock on a door, etc.), it is up to Charlie McMahon and his team to find out who it is, how they landed there and where they want to go. If it is a security camera, for example, protocol enables the user access to certain resources on the network. In a nutshell, that is the essence of software defined networking—one that requires a tight integration between all of the families of products Stony Brook has in its network architecture.
McMahon, who led the Transformation Management Office for the Los Angeles Community College District and was VP of IT and CTO at Tulane University, brought his cybersecurity talents to Stony Brook this past December. As Interim Senior VP and Enterprise CIO, he is on the front lines of the university’s battle for network protection.
Ask him about the never-ending task to protect a university’s data from the unknown and his answer is simple and to the point: There are more bad guys out there than we have people to keep track of them.
“If your security policy depends on having an army of people who monitor event logs to see what is happening and where the threats are, you lose,” McMahon says. “You have to bring automation into the process.”
The recruitment process. Registering for classes. Signing up for parking permits and paying fees. These things are all automated on college campuses. Today’s college-age student is comfortable with these processes and prefers to interact through automation. It also means you have people entering and exiting your network at all times.
“The key of what we do in IT starts with identity,” McMahon says. “You have to have firm control of identity—a single source of truth for identity. Then you have to leverage that identity in ways that are integrated entirely into your security stack. That is the key—when building your infrastructure, you cannot have stand-alone pieces. Everything must be tightly integrated.”
When UW-Madison’s Turner defines the blueprint for digital transformation, he advises choosing a system and process that fits your organization’s technical information architecture, business models, internal dynamics and external communications structure. To meet UW-Madison’s missions for teaching, research and outreach, its cybersecurity program not only had to be an integral part of its culture, but also mature enough to provide the right people, processes and technology, and transformation(s) at the right time.
“We live in challenging times; they are interesting, but challenging times,” Turner says. “Even in the best of days, just when you think you have reached everybody with the messages that you need to stress—‘Don’t click on the link,’ for example—somebody is going to do it. The thing that worries me the most is that we have a complex environment here. We have a lot of really smart people, but even in the stress of the moment, even the smartest people with the best protection are going to bypass what they are supposed to do. We have had that happen here on occasion. But that is the cost of doing business.”
In the end, you can put protections in place, keep up with digital transformations, but still have something go awry. Turner calls it the COW factor—Conditions of Weirdness. “Just when you think you have everything in place, something weird happens across the network. Living in a digital world requires that we protect our information wherever it lives, plays and rests.”
It is as Turner alluded to earlier—a battle that never ends.