Computer Information Systems in Education/Chapter 3/Section 9 -- Security

How to Support the Student Information System with Security
Allows users that are on a network that is not secure to perform tasks that are normally required on a secure network, such as exchange data and money. Department of Defense and the private sector utilize the same cyber infrastructure to conduct daily operations and business practices. With the private sector controlling over 85 percent of the infrastructure, it is imperative that industry and government partners to find information security and capabilities. Industry is migrating from the use of servers and network computers to integrated systems such as cloud computing. Wikipedia defines cloud computing as Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like a public utility. However, cloud computing has security and privacy issues to be concerned with where current servers and network computers have established security measures to handle threats. With Public Key Infrastructure, we have user identity, data encryption and receiver data to ensure proper handling of data within the IS domain. One of the most relevant applications of PKI is in the digital signature and email applications.

The ability to attach digital signatures to email and documents ensures that the user sending information or signing a document is tied to a particular person. This prevents arbitrary handling of sensitive information and provides solid accountability for information processing to the user level. For instance, in Adobe Professional, software users have the ability to add digital signatures to documents and allow routing of that document from document generation to archive filing without hard-copy production. Each person that has signature authority or coordinating responsibility for that document will have user identification recorded with the document. This digital documentation process provides both legal and personal accountability of persons within the coordination chain. Many companies are going to a “paperless document process” to reduce the dependency on paper products. PKI makes this possible for paperless document processes and also for email encryption.

Sensitive information for businesses can easily be misrouted outside the company's purview without digital signature or encryption processes. Whether in Microsoft Outlook, Eudora, Mozilla Thunderbird or many of the other email software programs that contain digital signature or encryption capabilities, it is important for your business to understand how to utilize these processes. According to Network Computing, “Digitally signed e-mail is not the same as non-repudiation or authenticating a document, which fall under the federal government’s E-Sign Act of 2000. The E-Sign Act defines the legal structures for electronic signatures in online transactions, which do not apply to everyday e-mail messages.” With the use of Smart-cards, user identification and certificate authority are contained and accessed by use of a user personal identification number (PIN). Smart-card readers are prevalent among PCs and laptops and are key items within the PKI solution for business processes. Smart-cards are also utilized as part of personal identification under physical security protocols to access secure facilities. Within the realm of email, the receiver of encrypted email messages will need to insert their smartcard into their smart-card reader to decrypt the message which identifies the receiver as someone within the same certificate authority. If an encrypted message were sent to an unauthorized user without the certificate authority credentials, the message could not be read because the correct cipher would not be available. The PKI structure relies on a certificate authority, one or more registration authorities, software tools that manage certificates, directories for the public keys, certificates and certificate-management data, key-management software and trust models that build on the issued certificates. In this chapter, we will primarily deal with the Registration, Certificate and Validation Authority within PKI structures.

Registration Authority (RA) is the binding force between the user, by means of the certificate authority (CA), and the issuance process, through public keys issued from the validation authority (VA). A registration authority (RA) is an authority in a network that verifies user requests for a digital certificate and tells the certificate authority (CA) to issue it. RAs are part of a public key infrastructure (PKI), a networked system that enables companies and users to exchange information and money safely and securely. The digital certificate contains a public key that is used to encrypt and decrypt messages and digital signatures. A certificate authority (CA) is an authority in a network that issues and manages security credentials and public keys for message encryption. As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can then issue a certificate.

Depending on the public key infrastructure implementation, the certificate includes the owner's public key, the expiration date of the certificate, the owner's name, and other information about the public key owner. The Validation Authority allows applications to validate the status of a digital certificate in real time, ensuring that revoked credentials cannot be used for secure email, smart card log in, web access, wireless, VPN or other electronic transactions. Many of the private sector vendors that support both private and government sectors are Entrust, Tumbleweed, and Verisign. Within the education setting, the information system would be able to take advantage of these security measures to protect individual academic performance, provide for enhanced physical security and maintain individual accountability of students on the campus. The information system would also support enterprise single sign-on initiatives tying financial, academic, internal and external email communication and online programs into one sign-on process. One of the processes that support PKI infrastructure is bootstrapping procedures that stack simple programs or increase algorithm complexity to enhance security. The following is an overview of how to implement bootstrapping procedures in the IS security environment.

Bootstrapping is the process of a simple system starting a more complex system that serves the same purpose. “Bootstrapping is initially configuring a device so that it can be continuously provisioned by a privileged agent. Continuous provisioning is the ongoing provisioning of a mobile device by updating or changing configuration settings and applications, as required, over time. Devices must be bootstrapped to use the XML delivery mechanism of choice. Bootstrapping is performed by the OEM, or by using OMA Client Provisioning. For information about how to bootstrap for various delivery mechanisms, see Bootstrapping a Device. Over-the-air (OTA) bootstrapping is disabled by default on mobile devices. The device will not initially accept provisioning messages sent OTA by way of Wireless Application Protocol (WAP)."

Bootstrapping a mobile device usually involves configuring the device with the following information: • Trusted Provisioning Server (TPS) • Privileged Push Proxy Gateway • WAP Connectivity • General Packet Radio Service (GPRS)/1xReal Time Toolkit (RTT) connectivity • Changes to the default security model

Bootstrapping may also include configuring other settings such as Browser Favorites, Telephony Application Programming Interface (TAPI), Locale, Clock, and Registry.

With the proliferation of mobile devices within our society, students and parents that have this capability could be aware of course progress and instructors could keep students apprised of any changes or relevant material that affect course work. Bootstrapping is a form of security provisioning but there are other known security measures that will keep information private and secure from unauthorized influence.

Biometrics come in a variety of forms such as thumbprints, retinal or iris optical recognition. Biometric recognition is unique to each individual and helps assure that only that user is authorized access to the time those credentials are used. Access to information systems through biometric forms are usually combined with a PIN that is held within a smart card or token. This same level of security can also be utilized in accessing facilities or sensitive areas of a facility where information is held. Within the student information and management system, it is important to have security measures to defeat attempts to change academic grades within the system. Ensuring authorized access to sensitive areas and information supports the credibility of the academic institution. Administrative process within the academic institution has certain official functions that requires signature to complete documentation. Digital signatures allow authentication of the official that has this responsibility. Software that supports this process is Adobe Professional, Silanis Technology, E-Lock and other industry standards. When the office of registrar signs the degree application, a digital signature could be utilized that would assign a unique identifier to the signature block and even a sample of the registrar's signature. This would not require printing of the document but still allows filing and archiving of documents. Digital signature also allows for email encryption when software supports.

Digital Signatures are used to authenticate the sender of a message or document. This is not for normal email handling but rather for official response to academic administrative requirements. The email is encrypted for sending to an authorized receiver. To open the email, the receiver will need to enter their email credentials or smart card to decrypt the message. As long as both the sender and receiver are under the same certificate authority or related certificates of authority, the encryption and decryption of information will support the email communication.

Enterprise Single Sign-On allows a user to login once to gain access to all systems that are authorized. The Webster University Login for Online Programs, Connections, is an example of single sign-on to access finance and scholarship, academic progress/history, registration, library services, online courses and many other information systems that make up Connections. Managing access to all these systems under one sign-on process eliminates the need for IT resources to reset passwords for each of these systems which uses a significant amount of IT productivity time. Single sign-on procedures also provides student information management systems the means to standardize defense mechanisms across the entire Connections/Blackboard websites. Technical services and information security work together to provide procedures to mitigate threats to the student information management system. In the next section, we will cover some of the security measures system administrators need to utilize to protect information assurance.

IS Security Awareness provides measures to mitigate threats to information assurance such as insider threats, overcoming procedural defense, and penetration of physical security. Every information system has vulnerabilities to attacks by people that want to deny services, corrupt data or infiltrate information that is protected by privacy laws and trade regulation. Procedures and training for users must be developed to protect information and assure system availability to all authorized users. A few of the following processes will explain how to increase system reliability and protect information from unauthorized use. An insider threat is an employee of a business that works from the inside to gain control and harm the computer systems and network either through malicious activity or lax information security processes. Many times services are denied or logon attempts fail when an employee is about to be terminated from company service. The reason for this process is to protect the information system from malicious activity by a disgruntled employee. Information system technicians monitor employee activity and intervene when the user attempts access to areas that are outside of their authorization or disrupts service. Another form of insider threat is the uninformed employee that practices poor information security. In the government sector, critical information that threatens our national security and interest abroad must be handled within secure systems at the proper level and classification. Unclassified materials cannot come in with classified information. With the portability of information by various storage devices, information can be degraded or lost because of computer viruses and malicious programming found on the intranet or on a computer that does not perform virus checks on a frequent and regular basis. Information Assurance training can greatly deter threats to IS and employee awareness will assist the user in more efficient and proactive in information assurance.

Employee Information Security Awareness programs are vital to information security. Employees that are knowledgeable about information security protocols can be proactive in their daily tasks to ensure company information is protected and readily available when needed. Back-up of information, computer virus checks, limiting use of portable storage devices to company owned and many other safe IS processes ensure the tools are available to all system users. Recurring training keeps everyone aware of new technologies, threats and procedures to report threats or anomalies. IS managers must incorporate IS security measures into user/employee training to increase awareness and deter IS threats.

Physical security is comprised of the protection of hardware, programs, and networks from instances that can cause loss or damage to a company. Locks on facilities, cabinets and storage units deter theft of information and IS tools. Employees that require credentials to access a facility can identify who, what, why and when access to information is authorized. Tracking systems account for employee and equipment movement within the facility. Data storage facilities must also be hardened against environmental hazards as well to ensure uninterrupted access to information. Facilities such as these have sophisticated fire extinguishing systems, hydraulic or spring floors to absorb earthquakes or explosions and personnel ID systems to deter criminal activity. Physical security of information will need development, planning and strategic vision for the needs of the customer and their business goals.

 Summary 

When it comes to students information security is a most critical issue. When students use the Internet and computers they must understand that there are certain risks involved when it comes to using the Internet. Students need to be aware of the basic principles that should always be in use when on the Internet. Every students need to become familiar with information security and data protection. Every student should know that personal as well as mainstream data makes users vulnerable while on the Internet, this is why data protection is so important. Having an understanding of what kinds of data should be protected will insure an increase awareness in students. Banking, personal contact, health, email, and photographs are all types of data that need to be protected at all times. For some students there will be a learning curve, but with a little basic knowledge and taking the time to make sure every detail is accounted for students shouldn't have any issues. One clear cut understanding to have whenever engaging in the use of the Internet is that, everyone is responsible for maintaining information security in classrooms and university's alike. Students have to come to the understanding that when engaging in any activity on the Internet you are holding a position of trust and with that being said you are no longer the typical student. When a student is on a college or university campus the access that they have to that institutions information systems is only for that student. The same care that is taken with banking and other personal information, this type of care must be shown to the user-name and password that is provided from the students institution. Whatever activity has under the account that is given that student is responsible for, this is why it is very important that they never give out their user-name or password. Students will also need to be abreast of how to create a secure password. When it comes to passwords a good password will always be easy to remember, but the goal of the password is for it to not be easily guessed. Writing down a password might seem to be the easiest way to keep with it, but doing that would be a grave mistake. It would be vital to all students to try their best to remember their password that way the only person who knows your password will be you.

 Questions : Place the following terms with their correct definition:

A. Public Key Infrastructure B. Security Token C. Biometrics D. Insider Threat E. Smart Card

1. a detriment to data and system through employee ignorance, poor practices or malicious activity with information security 2. a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates 3. a physical device that an authorized user of computer services is given to ease authentication. 4. any pocket-sized card with embedded integrated circuits which can process data. 5. used as a form of identity access management and access control.

Answers: A-2, B-3, C-5, D-1, E-4

 References 

Andrea Siedsma, San Diego Business Journal. San Diego: Mar 29, 2010. Vol. 31, Iss. 13; pg. 18 Cloud Computing, Wikipedia. http://en.wikipedia.org/wiki/Cloud_computing, 28 April 2010 Curtis Franklin Jr. Network Computing. Manhasset: Oct 1, 2005. Vol. 16, Iss. 20; pg. 69, 3 pgs Florence Olsen. Federal Compter Week. Falls Church: Sep 5, 2005. Vol. 19, Iss. 30; pg. 62, 2 pgs