Friday, June 24, 2011

Securing the eCampus: Interviewed Tom and Adam for Network World

Education has special needs for information security. Tom Candon and Adam Goldstein have both been deeply involved in organizing
one of my favorite conferences, Securing the eCampus. I recently interviewed Tom and Adam for Network World.

* * *

This is the fifth annual eCampus conference; tell our readers a bit about the history of the event. What prompted you to start
the series?

We have been very fortunate here to have a great relationship between the computing services department and the researchers
that are working on computer security issues, many through the Institute for Security, Technology, and Society (ISTS). In 2007, we had some funding to run a workshop on information security. We brainstormed a topic focus and, after some thought,
looked around and realized there are plenty of security issues in academe that need to be considered in many, many contexts.
Five years later, there is still much to discuss.

What are the special or particular requirements of universities that make security in universities a special issue?

There are so many policies with which a university must be concerned. From FERPA, to PCI, to HIPAA, to research data, and
on and on, the university has numerous policy-related responsibilities, not to mention other IT-related concerns like cyber
bullying, RIAA notices, etc. Because of the changing policy issues alone, we make a point of inviting a speaker every year
just to discuss changes to national policy that have an effect on how the institution needs to operate.

How has security for university and college systems changed in the last few years?

Many of the general trends in information technology have had an impact at higher education institutions. The efficiency and
flexibility afforded by mobile computing has been beneficial but also raises risk due to the broader distribution of institutional
data. Cloud computing can have attractive pricing and allow some institutions to better focus on their core missions. However,
shifting services to the cloud raises questions regarding security, data ownership, and regulatory obligations. On a more
technical level, the shift from standalone and client/server applications to web-based services has caused an increase in
external attacks against web servers and heightened the need to implement secure web applications.

In my experience, there are conflicts between the academic culture of openness and free inquiry and the assumptions behind
access controls and restrictions on transferring content (e.g., student records). Have you personally experienced some of
these conflicts? How do you cope with these culture clashes?

Many institutions are attempting to address this issue by taking a layered approach to their security programs. By adopting
security architectures, technical controls, and business processes that adequately protect administrative systems while not
restricting scholarly pursuits, many schools are trying to meet their obligations to protect the institution while allowing
for academic freedom. This, however, is challenging because many systems are used for both academic and administrative functions,
data is often intermingled, and a sizeable portion of research and other educational activity also requires security controls.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Professor of Information Assurance & Statistics in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.