Data Security

Protecting the Oblivious

4/1/2008

Identity Crisis

For Embry-Riddle Aeronautical University (FL), data security issues were compounded by size and geography. A giant institution with 34,000 students across residential campuses in Prescott, AZ, and Daytona Beach, FL, as well as in more than 130 centers worldwide, the university lacked not only a centralized system to track employee access to sensitive data, but also the ability to enforce cohesive security policies.

"One of the biggest challenges is making sure that we can quickly grant access as needed and just as quickly remove access that is not appropriate," says Cindy Bixler, Embry-Riddle's CIO. "We have to make sure that the right people can access the right data. A lot of universities are struggling to do that." Embry-Riddle took its first step by creating a centralized identity management system (using Oracle's Identity and Access Management Suite) to set up a single identity for all users, and automated access privileges for more than 60,000 accounts. Previously, the university had used a manual or batch process to make nearly 2,000 changes daily, which typically took 24 to 26 hours to complete and delayed updates to users. The Oracle software cut that time to less than 30 minutes, and also provides near-real-time user updates.

Unlike corporate settings, the educational environment at Embry-Riddle is in constant flux, with students, faculty, and staff changing frequently. Updating the information in various systems is no easy task, according to Eric Fisher, the institution's director of middleware and web content services. "Because of all those changes, processing was very time-consuming. We wanted a system that would manage all these accounts and do it very quickly. The Oracle system monitors a user account and looks for changes. If, for instance, a student changes apartments in the HR system, or changes degree programs, the system will make those changes automatically. It has taken a cumbersome process and shortened it."

Bixler is quick to point out that technology is only one of many ways to ensure information security. "One of the best tools is education," she says. "We have a separate security education and awareness program for the university as a whole. For example, we encourage shredding reports or not printing them out. There are several different layers of protection. We use a multilayered approach, with firewalls, identity management, timeouts, and complex passwords and logins, to mitigate the risks. Of course, if anyone abuses the access policy, they're terminated. The guardians of the data take that very seriously."

At the same time, security policies are flexible. Both Bixler and Fisher acknowledge that centralized identity control sometimes must yield to the collaborative demands of a university. Fisher likens the college's data access policies to those of a hospital, with access granted on a need-to-know basis: "A faculty adviser gets more access than a faculty member who is not an adviser. A student gets one kind of access; a student employee gets a different kind. We don't inhibit a user, but we don't provide too much access."