Tuesday, March 5, 2019

Information Security at a Research University

Last Thursday, the students in my Humanitarian Logistics and Healthcare class and I had the honor of hearing Chris Misra, the Interim Vice Chancellor for Information Technology and CIO at UMass Amherst, deliver a guest lecture.

We had had a joint project on cybersecurity with my Isenberg School colleagues, Senay Solak and Mila Sherman, and Wayne Burleson of the College of Engineering at UMass that was funded by the Advanced Cyber Security Center (ACSC). You can read more about our project and see a presentation here, thanks to INFORMS. Cybersecurity is also a topic that my Supernetwork Team has been conducting research on, and we have a stream of papers on the subject, with more to come.

Given that information security is essential to enterprises, both profit and nonprofit ones, I thought that having Chris Misra speak on Information Security at a University would be very timely and fascinating and, indeed, his lecture was! I had communicated with him early that morning, around 6 AM, and told him that I would be waiting for him in the Isenberg School atrium. When I did not see him shortly before the class was to start, I emailed him and found out that he was waiting for me in the atrium of our new $62 million addition! Ironically (and for the first time this semester), there were some issues with the technology in my classroom, but soon those were addressed, thanks to our TSS staff! Luckily, also, the university did not have a delayed start time, given the snow forecast.

Mr. Misra began his lecture with an overview of how Amherst College, a neighboring elite, very well-endowed liberal arts college, recently experienced a "technical mishap that left the campus without access to online services -- for five days". Faculty, students, and staff at Amherst College were without access to Wi-Fi, email, and a variety of student support and other services; in effect, any content hosted by the college's website was not accessible. The cause was ultimately attributed to a network outage (and not a cyberattack), and I heard from Chris Misra that Cisco came to the rescue.

Running an enterprise network for a university of the size of UMass Amherst is a major operation/endeavor, with both network engineering and network operations being essential, and with the former also involving switches, routers, and even long-haul networks to the other UMass campuses. Misra emphasized that there is a lot of complexity that you don't see, including the copper and fiber cabling. There is built-in redundancy to mitigate risk, and the control domain is kept separate from transport, across 50,000-70,000 devices. Clearly, a very complex system to manage and to maintain.

I was so impressed that Chris Misra had even looked at the course syllabus and remarked that the course looked so interesting (yes, I love teaching this course because of the dynamism of the subject).

He noted that "security is a negative deliverable - you don't know when you have it - only when you lose it." Clearly, this is similar to critical infrastructure. And, when it comes to information security, the three primitives are: confidentiality, integrity, and the availability of information, which I think the students very much appreciated. Regarding confidentiality, you want the information concealed across transmission, storage, and processing. As for integrity, one cares about the trustworthiness of the information or resources, and availability ensures the ability to access the information - extremely important in a university environment.

Chris highlighted the security measures of training and education, policy and practice, and also technology. He even mentioned budgeting, in the context of how much a university should spend to achieve a desired level of risk management (bringing risk down to an acceptable level), since IT resources are critical assets. It was great to hear how the IT governance at UMass Amherst emphasizes transparent decision-making, priority setting, and taking action.

Information security also involves environmental controls, physical and logical access management, and "technical" change management. Every user holds some responsibility for information security.

Mr. Misra also discussed disaster recovery under various scenarios and hazard events and noted that the planning for outages could include: loss of connectivity; loss of email functions; teaching/learning technology unavailable; student payroll, billing, etc. unavailable; and research grant processing disrupted. Also, UMass Amherst IT is responsible for our IT at the University Health Services, adding another layer of critical assets and private medical information.

We had some time after the fabulous lecture for Q&A, which my students always prepare very well for.

Absolutely stunning was the evolution of the types of actors engaged in cyber attacks against the university over the past decade! We could have discussed for hours the topic of information security at a research university!

We presented Mr. Misra with a gift from Isenberg and I took a group photo, followed by a formal thank-you letter, which I copied to top-level administrators. He was an amazing Professor for a Day and we are lucky at UMass Amherst to have someone with such expertise and skills at the helm of IT!