Maintain Cybersecurity Vigilance
We will continue to enhance our cybersecurity processes and technologies, in line with best practices and the evolving threat landscape, to protect the confidentiality, availability and integrity of university digital services and information.
We will focus on two areas: adopting tooling and awareness to address perennial issues such as phishing and emerging threats such as extortion via ransomware; and improving the Identity and Access Management experience through adoption of new technologies that ease identity administration and support individual control over identity attributes.
Tooling and Awareness
- Data Center Firewalls, Phase 1 – Active
Install Palo Alto Networks Firewalls in front of our IS&T data centers.
- Data Center Firewalls, Phase 2 – Prioritized
Install Palo Alto Networks Firewalls in front of BUMC data centers and administrative systems at MGHPCC.
- Domain Name Service (DNS) Security – Active
Provide security controls at a low level of the network that can effectively thwart malware, including ransomware, with minimal impact on normal usage.
- Email Security Improvements – Active
Deploy additional industry-standard email authentication controls (DKIM/DMARC) in the BU email environment. These reduce the risk of receiving, or being the source of, phishing and other fraudulent email on the internet, and decrease the number of legitimate outgoing messages that remote mail systems discard as spam.
- Entity Analytics – Prioritized
Provide an analytical toolkit for our Security Event and Incident Management tool that detects new and anomalous behavior of devices on our network, enabling better detection of compromised devices, especially “Internet of Things” devices.
- Expand Multifactor Authentication – Complete
Continuing from FY21, this effort increases the number of places where multifactor authentication is required, including Office365, VPN services, and additional web applications.
- Integrate Vulnerability Management into ServiceNow – Prioritized
Integrate the results of our vulnerability scanner directly into our IT service management system to enable enhanced reporting and better risk assessment.
- Third Party Risk Management Tooling – Identified
Evaluate tools and services to measure, track, and manage the risk of vendors with access to our sensitive data.
Improving the Identity and Access Management Experience
- Authorization Management – Investigating
Provide enhanced group management capabilities, potentially including self-service, to enable efficient use of centrally-stored attributes to define access control for applications.
- Identity and Directory Modernization – Complete
Replaces our legacy, homegrown, mainframe-based identity system with a vended, cloud-based identity solution.
- Identity Governance and Administration – Identified
Provides an enhanced toolset for leaders, managers, data trustees, auditors, and individuals to review, request, authorize, and revoke privileges for individuals.
- Student Lifecycle Provisioning and Deprovisioning – Active
Standardizes the processes by which student accounts are created and granted access rights, and manages how those rights evolve as student status changes. This also includes a self-service portal for password reset and for updating gender identity, pronouns, and preferred name.
- Campus Solutions Integration – Active
Integrates our IAM solution with the new Student Information System and addresses authorization of individuals within Campus Solutions for role-based and ad-hoc needs.
- Strong cybersecurity practices require everyone’s participation and benefit everyone, as our data will be better protected. The Common Services and Information Security Governance Committee helps govern the information security program and serves as the voice of the community in the program, providing input on priorities, organizational change management, and communication efforts.
- The IAM program will bring particular benefits to non-binary individuals through support for gender fluidity, personal pronouns, and preferred name. The IAM Steering Committee will help guide the introduction of these and other features and includes representation from key identity providers: Enrollment Services, Human Resources, and Alumni Relations.
- The mission to secure the university’s data both provides input to and takes guidance from IS&T’s Data Governance program on data management policy, roles and responsibilities, and needed controls. Increasingly this work will need to align with the University Privacy Coordinating Committee, particularly as legal regulations on data privacy grow.
Key Success Metrics
Our single largest risk to data today is our rate of user account compromises, and our best control against it is the adoption of multifactor authentication.
Age of Services
A key measure of our IAM services is their age. Half of the component applications that make up our IAM ecosystem are past their end of service life, lack vendor support, or rely on legacy hardware. Retiring these older components and replacing them with modern, more flexible ones is key to our future success.
Update: Over the 2021 to 2022 timeframe, we have added new healthy services to our portfolio, but still have not retired our older services. This will change over the next two years.