In an era of identity theft and cyber crime, information security is one of the most pressing issues facing higher education institutions today. The eNews recently sat down with Armand Capote, senior director of Infrastructure and Architecture in Administrative Systems, to discuss what measures AS is taking to fortify and protect Stanford’s administrative application infrastructure. Below are selected highlights from the conversation.
On a department level, AS is responsible for managing the systems that run the business of the university. How does AS secure these systems and the data they contain?
System security is one of the highest priorities of our organization. We work closely with the Information Security Office (ISO), business offices, and application vendors to deploy systems according to well-established security guidelines and best practices.
That being said, hackers are only getting more advanced and brazen. New system vulnerabilities and exploits are constantly being discovered, and this requires constant vigilance on our part. AS routinely monitors for these types of events across all of our systems, and typically addresses them within a week or less of discovery.
Last summer’s system security breach highlighted the need for heightened IT security across Stanford. Did AS implement any new security procedures as a result?
Prior to last summer’s event, access to most Stanford systems simply required entry of a SUNet ID and password. That model left systems vulnerable to stolen passwords; there was no way to tell if the person typing the password really WAS the person who owned it. As an immediate measure once the security breach became known, AS implemented and enforced new internal SUNet password requirements; all AS staff were required to establish longer/more complex passwords, and to change them on a very short schedule.
Once Two-Step Authentication for WebAuth accounts became standardized across the university, the stolen password risk was greatly mitigated; however, WebAuth Two-Step does not cover direct access to network hosts and database systems— the kind of access we regularly use in Administrative Systems. To address this vulnerability, AS deployed an additional internal two-step authentication layer for all AS staff who manage application infrastructure.
We also convened an ongoing task force to perform a comprehensive security review of our application infrastructure. The team meets weekly to examine both technology and process improvements aimed at further strengthening our long-term security posture. One of the important best practices that this group is proposing across Stanford IT is the idea of keeping privileged account credentials separated (i.e., not using privileged credentials and normal user credentials on the same machine). That means that if a system is compromised, it is much less likely to be used as a "pivot" to gain access to other, more secure systems.
Have there been any challenges implementing these new security procedures? What has the implementation process been like so far?
Implementing new security procedures is always a challenge at the organizational level; you have to weigh the security risks against the financial and/or operational costs of managing them. Finding the right balance between the two is tricky, and this is something that we routinely discuss at length with our business partners and system owners.
In light of recent events, there is a heightened awareness on campus regarding information and/or computer security. This has made it easier to implement new security procedures, since everyone at Stanford has a vested interest in protecting our systems and information.
Many departments on campus are looking for ways to strengthen application infrastructure and/or desktop security. Is there anything in particular that you would recommend?
The Information Security Office (ISO) has put together a wealth of security information and resources on its website. I urge departments to use the ISO recommendations as a guideline.
For those looking to further enhance desktop security, I recommend that departments consider leveraging our virtual desktop infrastructure. A virtual desktop has substantial security advantages over a traditional desktop because it is physically located on a remote central server rather than on the user's local computer. A virtual desktop cannot be lost or stolen in the same manner as a laptop, which means the data is at a much lower risk of “walking away.”
Several departments (Financial Management Services, the Office of Sponsored Research, Research Financial Compliance & Services, and the Graduate School of Business) have already adopted this technology for their user bases. I’d be happy to discuss virtual desktops with any department interested in learning more.