The security threats present today seem more prevalent and pervasive than in times past.
Thatís nothing new. The last decade or so has seen a steady escalation of attacks on the privacy and security of computer users worldwide. This environment leaves little room for error. Libraries must exercise constant vigilance to ensure the integrity of their resources and services and to protect the information that resides on their computer systems.
First, I should point out that libraries these days pay better attention to security than ever before. Itís relatively rare for a library to get clobbered by a security problem. Given the unrelenting waves of attack, if libraries were not generally practicing solid security practices, the problems would be epidemic. But there is always room for improvement, and there are some areas that demand special attention.
Today, itís just not an option to run outdated and unpatched operating systems and application software. Desktop and server computers running without the latest versions of the operating system, with all security patches applied, account for the broadest set of vulnerabilities. The interval between the time that a vulnerability is discovered and when exploits emerge in the real world can be as little as a few days. We all hope that the software developer will release patches before the vulnerability can be exploited. The worst scenario involves a major vulnerability, with an active exploit in circulation, with no known patch. Fortunately, thatís extremely rare.
Itís essential that libraries have a proactive strategy for keeping their computers up to date. If your operating system has an automatic update feature, by all means, activate itóat least for critical security patches. Some organizations may prefer to test updates before releasing them to all their computers and might maintain a local updating service to maintain that level of control. Whether you accept updates directly from the developer or distribute them locally, get them installed across your organization expeditiously.
The second problem I see most often involves inadequate data storage strategies and disaster recovery capabilities. Itís essential that no data be lost, regardless of what hardware or software failure or mishap might occur. Even when things go bad and the active version of data files are lost, backup copies exist that can easily be restored.
To achieve this level of protection, itís essential that all important data be placed on well-managed storage devices. Iíve long recommended that libraries save all their data on file servers protected by automated daily backups, rather than allow data to be stored on local drives that are rarely, if ever, backed up. A well-managed file server provides a much higher level of security and control compared to the vagaries of having important files distributed among dozens of individual computers.
I would recommend that libraries perform a review of how they store their data files. Some of the basic points of this review might include:
- Are all data files on servers backed up at least daily? This would include file servers, the libraryís ILS server, and any other database applications.
- Perform tests to ensure that files can successfully be restored from backup media.
- Audit library staff computers and review procedures to be sure that all official library data files are stored on file servers or in directories that are integrated into an automated daily backup regimen.
The third area of concern I see involves the need for a comprehensive security architecture for library networks. Itís important to have multiple layers of protection against each category of threat and to have a network design where security is not an afterthought. To guard against viruses, for example, there should be filters integrated into mail servers to intercept malicious content as it enters the network, as well as the traditional anti-virus software that operates on individual computers.
A well-secured network will have multiple firewalls on the network, as well as on individual systems. Often called personal firewalls, this genre of security software allows the administrator of a computer to establish detailed rules to ensure that only authorized network traffic enters or leaves the system, providing an additional thick layer of protection to supplement the network-level firewalls.
Another important aspect of a libraryís security architecture involves a design that separates the network traffic of public computers from that of staff computers. Library computers used by the public should be treated differently than those used by staff. Public computers pose a higher security risk, since they are used anonymously without authentication and without supervision. While libraries typically install software to lock down the computer to provide controlled access to the operating system and applications, none are completely effective.
In order to protect the staff side of the network, which includes all the data related to library operations and activities, I recommend that libraries, to the largest extent possible, isolate the traffic of all their public computers. This can be accomplished either through physical separation or by using the VLAN (Virtual Local Area Network) technology built into most Ethernet switch environments. A VLAN can make groups of computers completely invisible to each other. Having a clear line of separation between public and staff networks also makes it easy to establish a wireless hotspot without endangering the libraryís computing environment.
A wireless LAN that connects through the public side of the network poses little or no threat to the staff side of the library network, if an effective barrier of separation has been established.
While these three topics stand out in my thinking as important security concerns, they do not comprise a comprehensive list. Each library must give careful consideration to the security of its network, continually reassessing its ability to withstand the continual barrage of attacks. Itís also important that libraries not become so hamstrung by security concerns that they diminish the services they offer. Itís possible to take full advantage of networked computing and offer a robust set of Web-based services for library users while still maintaining solid security.