As today’s campus planners consider the student experience of the future, many of them are looking to create “smarter” campuses that promote connectivity, health and wellness, and sustainability. This trend is similar to what organizations are seeing with the return of employees to the office; every campus now has a mandate from students to provide a more holistic and connected student experience. Whether such mandates are intentional or implied, the benefits of these imminent changes merit discussion around strategies such as high-speed data infrastructure; pervasive Wi-Fi; Internet of Things (IoT) sensors for monitoring environments; enhanced digital services for students; classroom technology to support hybrid learning; smarter transportation; and greater data insights.
While there is an abundance of organizations extolling the virtues of these smart campus strategies, many fail to adequately highlight risks and subsequent mitigation considerations. As we’ve learned from great innovators like Edison, no quantum leaps in innovation come without some hard lessons learned. As the curtain is lifted on big tech’s less-than-transparent data collection policies, smart services are revealed to be an ongoing balancing act between convenience and security. This article will outline some of the risk considerations campus planners should be thinking about during smart campus planning conversations.
Complex Systems, Complex Challenges
To make systems around campus smarter, they need to be capable of exchanging data between operational and information technology services. For example, a student utilizes a single ID badge to access a building, pay for food in the café, and reserve a group study room with a simple badge tap or swipe. Here you have multiple cyberphysical systems that potentially need to exchange data, such as the access control system, the room reservation system, student directory information, and a point-of-sale system. When implemented correctly, these present an added convenience to the student and reduce viscosity when flowing through campus. However, some risk factors present themselves here that should be considered:
- For new construction projects, has this sequence of operations been properly documented in the project manual?
- Are the divisions of responsibility between the different vendors clearly articulated for pricing?
- Are the systems being specified interoperable so that the intended data can be exchanged?
- Who provides system commissioning, service, and support for an interconnected set of systems?
- Who owns the issue when the integrated functions fail to operate?
There are literally thousands of examples of these connectivity issues occurring with both new and legacy campus systems. Simply put, the higher the degree of complexity in your smart campus, the greater the likelihood of problems cropping up. That’s why it’s essential that the system complexity versus end-user convenience benefit calculation is done early to determine if the net result is worth the costs and effort to pursue.
If the term “shadow IoT” sounds somewhat sinister, it’s because it is. Shadow IoT, also known as “rogue IoT,” refers to those devices that are Internet-connected but are not authorized to be on a campus or enterprise network. Oftentimes the IT department is not even aware that these sensors or devices are actively connected to its network. According to a survey conducted by Statista,¹ the average person has approximately 11 Internet-connected devices; arguably the average student has more devices than the average person. Many of these are in the form of personal devices such as smartphones, tablets, smartwatches, smart headphones, smart speakers, fitness trackers, health devices, and more. Couple that with all of the new IoT sensors and devices that are being deployed for intelligent buildings within the campus (e.g., smart lighting, audiovisual, HVAC, occupancy measurement), and you’ve got an exponential increase in devices ready to sneak onto your network. The main concern is that many of these IoT devices lack basic security features such as Wi-Fi Protected Access 2 (WPA2) password protection or Advanced Encryption Standard (AES) encryption, opening up a myriad of network vulnerabilities.² That said, here are some questions to help mitigate the risks presented by shadow IoT devices:
- Do you have a formal policy that clearly defines which student and staff personal devices can be connected to your network?
- Do you have a formal process to allow users to request authorization for IoT devices?
- Have you segregated IoT device traffic to its own isolated network?
- Does your IT department have a way to proactively monitor for shadow IoT?
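One way to approach the last two questions, as an added example that is not from the article or any vendor tool: reconcile DHCP leases against the registry of authorized devices, flagging unregistered devices as well as registered devices seen on the wrong side of the isolated IoT segment. The subnet, registry entries and lease lines below are constructed sample data.

```python
import ipaddress

# Constructed sample data: the subnet, registry and leases are assumptions.
IOT_SUBNET = ipaddress.ip_network("10.20.0.0/16")  # isolated IoT segment

# Devices approved through the authorization request process: MAC -> class
REGISTRY = {
    "00:11:22:aa:bb:01": "iot",       # occupancy sensor
    "00:11:22:aa:bb:02": "iot",       # HVAC controller
    "00:11:22:cc:dd:10": "personal",  # registered student laptop
}

# Constructed DHCP lease lines: "<mac> <ip> <hostname>"
LEASES = """\
00:11:22:aa:bb:01 10.20.4.17 occ-sensor-lib-3
00:11:22:aa:bb:02 10.50.8.9 hvac-ctl-sci-1
00:11:22:cc:dd:10 10.50.8.77 laptop-jdoe
00:11:22:ee:ff:99 10.50.9.14 smart-speaker
00:11:22:ee:ff:9a 10.20.4.200 unknown-cam
"""

def classify(mac, ip):
    """Return 'ok', 'shadow' (unregistered) or 'misplaced' (wrong segment)."""
    device_class = REGISTRY.get(mac.lower())
    if device_class is None:
        return "shadow"
    in_iot = ipaddress.ip_address(ip) in IOT_SUBNET
    # IoT devices belong only on the IoT segment; other devices never do.
    if (device_class == "iot") != in_iot:
        return "misplaced"
    return "ok"

def audit(lease_text):
    """Return a (status, mac, ip, hostname) tuple for every lease needing review."""
    findings = []
    for line in lease_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        mac, ip, host = parts
        status = classify(mac, ip)
        if status != "ok":
            findings.append((status, mac.lower(), ip, host))
    return findings

if __name__ == "__main__":
    for status, mac, ip, host in audit(LEASES):
        print(f"{status:9} {mac} {ip:12} {host}")
```

Phones and laptops that randomize their MAC address will show up as unregistered, so a finding on the general-purpose segment needs a second identifier, such as the authenticated user, before it is treated as shadow IoT.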
Student Data Security and Privacy
When we examine the connected student and their flow through a smart campus, we can see points at which student data is exposed to various systems and services. Take for example the emergence of campus companion mobile apps. These smartphone apps are quickly becoming a useful way for students to navigate around campus via wayfinding tools, check transportation schedules from the local bus route, order food delivered to their preferred place of study, and tap into news and events. As these apps create more convenience, they also open the door for student data to be captured without any knowledge of university IT. Some risks to consider:
- Where is the data from the app hosted? Is it secure and does it meet university InfoSec (information security) policies and best practices?
- Do students have the ability to disable location services within the student app?
- Does the campus app have integration with Active Directory, lightweight directory access protocol (LDAP), or other single sign-on (SSO) services to authenticate app usage?
- Is the app platform sharing any student data with third-party vendors it connects to?
- Is the app using end-to-end encryption for messaging?
- Are students able to opt out of certain notifications, app tracking, etc.?
According to Symantec Endpoint Protection, 89% of Android apps and 39% of iOS apps request risky permissions for access to data such as phone numbers, email addresses, usernames, and home addresses.³ Protecting students’ personal information does not just stop with mobile apps. Advancements in IoT devices pose a similar potential threat for collecting personally identifiable information (PII) and should be closely scrutinized during the discovery process.
Creating a smarter campus requires a spirit of innovation, stakeholder engagement, partnership with trusted vendors and consultants, and a fundamental shift in how we think about students’ experience on campus. However, an acknowledgment of the inherent risks needs to be front and center, supplemented with intentional frameworks and policies for data security, privacy, and system interoperability. The question becomes: Do these risks outweigh the benefits in the campus of the future?
Ernie Beck is a senior consultant for NV5, formerly The Sextant Group. He works in the Baltimore, MD, area and can be reached at ernie.beck@NV5.com.