THE SYSTEMS LIBRARIAN
How Cloud Services Strengthen Library Security
by Marshall Breeding
I am often asked whether libraries can trust the security of cloud-based or vendor-hosted services. Moving away from locally hosted installations means a reliance on some external organization for many aspects of technology support, which may raise serious questions about security and data privacy. Libraries are often concerned about losing control as they migrate growing portions of their technology infrastructure to hosted services. My general observations lead me to have more confidence in cloud services than the levels of security that can be accomplished with in-house resources, but it is an issue that requires close examination as libraries consider such a transition.
The move toward cloud-based or vendor-hosted systems prevails in the general business and consumer technology sectors. Library technologies likewise follow the same trend, although at a less aggressive pace. But it is almost inevitable that most libraries will eventually become reliant on software and systems hosted and managed externally rather than within their own premises. The security and privacy of data stand out as leading concerns among the many issues libraries need to raise as they consider such a transition.
The current threat level for computer security seems higher than at any previous time I’ve experienced; however, this perception may be fueled more by high-profile incidents than statistical evidence. Many organizations have seen major disruptions in their work because of ransomware. This type of attack involves some or all of the data and software on a network becoming encrypted through malicious software that enters through email attachments or web server vulnerabilities. Once the data is encrypted, the attackers demand a payment, usually in bitcoin, in exchange for the digital keys needed to decrypt it. Although paying the ransom often results in a successful restoration of the data, organizations are reluctant to cooperate. But restoring services without conceding to the ransom payment requires the ability to quickly rebuild the technical environment and restore reasonably recent copies of the pre-encrypted data. These efforts can often be considerably more costly than the demanded ransom payment, but can help thwart these types of attacks.
Weighing Security Levels
The large, if not massive, scale in which cloud-based computer services are delivered generally means a correspondingly high level of attention to security. The quality of security of any computing environment is directly proportionate to the resources available, including both technical and human components. The ability to defend a set of servers or services depends on a sophisticated firewall and monitoring equipment, automated processes for applying security patches for every component in the technology stack of every device, and well-trained security engineers or other professionals with up-to-the-minute awareness of any possible threat activity. Security also depends on robust disaster planning and recovery procedures. Multiple layers of redundancy or replication can enable an organization to quickly recover from a hardware or software failure or from disruptions caused through the activity of an unauthorized intruder.
Cloud-based services can have the capacity to deliver strong security since they operate on a large scale and have strong business interests in avoiding any type of service interruptions, including those related to security failures. A large data center might include tens, if not hundreds, of thousands of servers and other computing components. The operation of these data centers will have sophisticated monitoring of all aspects of the hardware and software, including detection of potentially malicious network activity. Large data centers routinely employ engineers whose skills span the full range of technical specialties. The depth of technical expertise available far exceeds what would be possible in a smaller operation (such as a cluster of servers operated by a library).
Although large facilities have the potential to wield ample resources in technical expertise and automated tools, it is also important to assess the security strategies and procedures that are in place before engaging with any given provider of cloud-based services.
Libraries, even when hosted in municipal or university data centers, operate at a relatively small scale. In many cases, these smaller data centers may have a more limited technical capacity. Libraries that house and operate their own servers may, at best, have a systems administrator who is responsible for all aspects of technical management across multiple servers, storage arrays, and network devices, each running different OSs and applications software. Even the most experienced systems administrator may not be able to allocate sufficient attention to the security of each component.
A common scenario in the library realm involves moving from a locally managed ILS to a hosted ILS or to one of the multi-tenant library services platforms. These transitions shift many aspects of security management from the library to the vendor. When considering such a change, the library needs to understand the division of responsibility for each aspect of technical administration and the expectations for security and privacy. In most cases, there will be at least some degree of shared responsibility. It is important to understand in advance the specific policies and practices that will be in place should the library move forward with a vendor-hosted solution.
Issues to Consider
Some of the questions and issues that need to be clarified as a library considers a vendor-hosted or cloud-based platform for strategic components of their technology environment include the following:
- What security-related certifications have the vendor or its hosting provider earned? Relevant certifications include:
  - ISO 27001 Certification for General Information Security Management
  - ISO 22301 Certification for Business Continuity Management
  - ISO 27018 Certification for Cloud Privacy
- What specific threat-detection and monitoring are offered in the provider’s data centers?
- Are there firewalls and redundant internet connectivity options to withstand massive distributed denial-of-service attacks?
- What are the procedures in place to ensure that all available security patches are applied for OS and application components as they are issued by their respective vendors?
- Does the vendor have a chief security officer? Does the organization have engineering professionals specializing in security as part of the design and operations of its data centers?
- What levels of redundancy are in place for hardware and software components that comprise the platform or application?
- What procedures are followed and tested related to backing up customer data? What rollback options are possible in case of data corruption, including ransomware encryption attacks?
- Does the provider offer redundancy at the data-center level so that in the event of a major power or connectivity failure, the library’s instance of the system can be served from an alternate location?
- Are all network communications encrypted, such as staff-facing and patron-facing interfaces and all API requests and responses? (This includes SIP2 or NCIP connectivity with self-checkout and other peripheral equipment.)
- Are all patron data encrypted when stored within the system?
  - Personally identifiable information and passwords should be encrypted for protection in the event of a security intrusion.
  - What categories of data are stored as clear text, and which are stored with encryption? (While it may not be pragmatic to encrypt bibliographic records, for example, financial and budget data may be considered sensitive and subject to encrypted storage.)
- What are the specific responsibilities of the library and its personnel related to security?
  - Who is responsible for various roles and authorizations for user account management?
  - What password strength is required?
  - What are the password-expiration policies?
  - What responsibilities does the library have for maintenance and security of staff client software, browser configuration, or other local technology issues?
This list isn’t a comprehensive template; it gives examples of some of the issues that should be addressed as a library considers moving to a vendor-hosted or other cloud-based system. Other concerns may be stipulated by IT leadership of the library or its parent institution. Most university, municipal government, or corporate IT departments have specific requirements or certifications for remotely hosted solutions that may differ from those installed within their own data centers.
In the current climate of aggressive security threats, libraries and other organizations must look closely at the security protections incorporated into any technology-based product or service implemented. Libraries also need to ensure that these systems and the vendors involved manage personally identifiable information, use data, and other sensitive information so that it is not unnecessarily exposed. These practices must also be consistent with library values and their stated policies on privacy. While the trend toward cloud-based technology systems seems inevitable and provides many benefits to libraries, it is important for libraries to select products and deployment options that provide the strongest levels of security protections.
This article originally appeared in Computers in Libraries magazine as "How Cloud Services Strengthen Security"