How can we ensure library vendors are following the best security practices? What questions should we ask when looking to utilize their services to ensure their security practices best match our users' needs?
Libraries depend on their computer infrastructure for almost all aspects of their work and the services they offer to their patrons. The threats against that infrastructure seem to continually become more aggressive. Security breaches have many unfortunate consequences, including disruption of library services, negative impact on the library's reputation, possible exposure of personal data of library patrons or personnel, as well as financial costs related to responding to the event.
Since libraries largely depend on technology products provided by vendors, it is essential to understand and evaluate their security practices. In my experience, vendors generally do a good job in implementing their products securely. These vendors have a great deal at stake since any systematic vulnerability could be quite costly to their business, both in responding to incidents and in their ability to successfully market their products.
Good security is a shared responsibility between the vendor that develops a product and the library as it implements and operates it. Technology products must be designed to protect data and systems using stringent and up-to-date tools, components, and practices. Libraries must also take care in the way that they implement, configure, and operate these systems. Lapses on either side result in vulnerability. Vendors must create products that can be secured, but even well-constructed systems can be subject to attack if the library does not follow good security-related practices.
The balance of responsibility also varies according to how the product is deployed. The vendor assumes much more responsibility for security when it provides hosting services. Those based on multi-tenant platforms place the onus almost entirely on the provider since the library, as the user of the system, in most cases, will have no access to the internal components of the system. Server-based systems hosted by the vendor may enable more access to the operating environment but usually not at the root level. Libraries assume the burden of responsibility for security for the products they acquire as software that they install and manage on servers within their premises. Even in these cases, the strength of the security may depend on the design of the software and tools provided by the vendor. When implementing open source products, the responsibility for security will fall to the library if implementing it on their own, though it is common to depend on service providers for hosting and maintenance, including security-related procedures.
Given these various deployment strategies, some of the issues related to security that a library should consider when evaluating products might include:
- Ensuring that all underlying components of the system are current and receiving periodic security updates. These components would include the operating systems of any servers involved, database management systems, Java or other execution environments or containers, and web services. Libraries should be especially concerned if there are dependencies on outdated components that may not be eligible for current security updates.
- Making sure standard disaster planning and recovery routines are in place. Any operational and configuration data must be backed up frequently, with replicates stored on multiple independent platforms. Ongoing transactions should be captured in such a way that any work performed since the last regular backup can also be recovered.
- All sensitive data should be encrypted when stored internally. In the library context, it isn't necessary to encrypt bibliographic, holdings, or item records, but patron records, circulation records that contain links to borrowers, financial data, passwords used by staff or patrons, or any other sensitive information must be stored securely. Doing so helps ensure that if the system is ever compromised, unauthorized persons cannot gain functional access. Libraries should expect vendors to disclose what types of data are encrypted and which are stored in readable formats.
- The systems should have reasonable password management functions, requiring strong passwords or pass phrases that cannot easily be defeated. Staff profiles should have role-based authorization, enabling access only to the data needed for each person's job functions.
- All staff and patron interfaces should communicate using encrypted channels. Web-based interfaces must be configured to use https, which provides an end-to-end encrypted communications stream between the user's web browser and the server based on an authoritative digital certificate. It is also important to configure services so that any attempt to access the service through the unencrypted http protocol is automatically redirected to https. Staff clients based on Windows or Java interfaces should likewise be configured to use encrypted communications. These staff clients may not make it apparent to their users whether their communications with the server are encrypted, so it is crucial for the library to require that the vendor disclose the communications protocols used.
- Any system-to-system communications should also be encrypted. Common scenarios include communicating with self-check kiosks or resource sharing systems via the SIP2 or NCIP protocols. Many implementations of these protocols are not designed for encrypted communications, so additional layers, such as VPN (virtual private network) software, should be implemented to ensure secure and private communications.
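As an added example that is not part of the original article, the following nginx configuration implements the two preceding points: plain http is answered only with a redirect to https (with HSTS so browsers stay on https), and SIP2 traffic from self-check kiosks is wrapped in TLS, terminated by nginx's stream module as the additional encryption layer in place of the VPN the text mentions, before it reaches the ILS. The hostname, ports, certificate paths, the library-run CA for kiosk certificates and the localhost-only ILS listeners are assumptions.

```nginx
# Added example: enforce https for the web catalogue and wrap SIP2 in TLS.
# Hostnames, ports and file paths below are assumptions, not the article's.
events { worker_connections 1024; }

http {
    # Any plain-http request is redirected; nothing is served over port 80.
    server {
        listen 80;
        listen [::]:80;
        server_name catalog.example-library.org;
        return 301 https://$host$request_uri;
    }

    # The real service is reachable only over https with a current TLS stack.
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name catalog.example-library.org;

        ssl_certificate     /etc/nginx/tls/catalog.fullchain.pem;  # assumed path
        ssl_certificate_key /etc/nginx/tls/catalog.key.pem;        # assumed path
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;

        # HSTS: browsers upgrade later http links locally for one year.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        location / {
            proxy_pass http://127.0.0.1:8080;   # ILS web UI, assumed bound to localhost only
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}

# SIP2 is a plain TCP protocol with no encryption of its own. Kiosks connect to
# port 6443 over TLS and must present a certificate issued by the library's CA;
# the ILS only ever sees SIP2 arriving from localhost.
stream {
    server {
        listen 6443 ssl;
        ssl_certificate        /etc/nginx/tls/sip2.fullchain.pem;  # assumed path
        ssl_certificate_key    /etc/nginx/tls/sip2.key.pem;        # assumed path
        ssl_protocols          TLSv1.2 TLSv1.3;
        ssl_client_certificate /etc/nginx/tls/kiosk-ca.pem;        # assumed library-run CA
        ssl_verify_client      on;
        proxy_pass             127.0.0.1:6001;                     # SIP2 listener, assumed localhost-only
    }
}
```

The same stream block pattern applies to an NCIP or other unencrypted system-to-system listener; the kiosk side needs a client that speaks TLS to port 6443, for which a TLS wrapper on the kiosk is the usual answer when the self-check software itself cannot.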
The internal infrastructure of multi-tenant platforms may not be apparent to the libraries using them. Ex Libris Alma or OCLC's WorldShare Platform, for example, provide web-based interfaces for all staff and patron functionality in such a way that the library is entirely unaware of what operating systems and other components are used internally. This approach is not unlike that for global services, such as Google, Facebook, and Twitter, which also do not expose their users to any aspect of their internal infrastructure. For these platforms, security is addressed at a more functional level, enforced contractually.
- Libraries should ask vendors to provide any security-related national or international certifications they have achieved. Many library vendors work through third-party data centers, which may also have security certifications. These certifications ensure that the providers have implemented the level of equipment and operational procedures needed to ensure the highest level of security.
- Libraries should ask vendors to disclose any recent security breaches that have taken place in libraries using their products, the cause of the incident, and how systems or operations have been updated to prevent future occurrences.
- It is essential for libraries to operate the latest versions of any software products they use. Libraries frequently operate older versions of their integrated library systems, deferring available upgrades for months or years. Many of these upgrades may include security-related features or patches, and deferring their implementation may extend periods of vulnerability.
The technology-based systems used by libraries have never been more sophisticated, and the threats against systems are pervasive. Defending systems against attacks requires specialized technical expertise.