Stellenbosch University is currently in the process of taking a “great leap forward” into the “cloud” era, which will see the new finance and student systems, SUNFin and SUNStudent, operating in the cloud.
This is not only going to make all the difference to security against cyber threats but will also make the university’s systems more efficient and accessible, in a number of ways, for students and staff. The move into the cloud, which is the culmination of years of work, will take SU into an entirely different risk profile, said Marc-Allen Johnson, acting director IT Institutional Software Systems at SU.
“This is a big step in the right direction, as the threat of cyber fraud at universities is growing all the time, all over the world,” Mr Johnson said in an interview. To date, most of the university’s administrative systems have been housed on premises, in a data centre on campus. “But now they will be housed in the cloud, running in data centres in Johannesburg and Cape Town, and according to the latest standards in technology, to ensure that the personal information of both students and staff remains secure,” Mr Johnson said.
“At the same time, once fully operational, it will be possible to access the systems from anywhere without having to be affected by loadshedding or interrupted internet connectivity on the Stellenbosch campus. So, we are providing a much-improved service, while ensuring a secure system.”
Elaborating on the two new systems, SUNFin and SUNStudent, Mr Johnson said SUNFin refers to the university’s new financial system. “It is an Enterprise Resource Planning (ERP) system that SU will use to manage day-to-day business activities of the Finance capability within the organisation. It manages all the key financial requirements that a university has to fulfil to ensure that the books balance, that people get paid and that we manage our finances well. The implementation of the SUNFin project has been under way for the last two to three years.”
“SUNStudent refers to the new system that supports the Student Administration capability and all the related student services. The SUNStudent system will usher in a modern, integrated and cloud-based solution that will allow key university capabilities like Registration, Bursary Awards, Assessment and Degree Audits to be supported in a secure way. Although the staff and students have always had access to self-service functionality, the modernised interface provides it all levels. The new Application and Admission process went live in 2021 and facilitated a significant jump in the number of applicants and demographic.”
Mr Johnson said the university is planning to be fully operational with both systems by the end of next year. The application and admissions functionality of SUNStudent have already been live for two years.
He said that, for the IT team at the university, the new moves address “quite a few risks”. “We have legacy administrative systems of between 20 and 30 years old at the university. Through the years, the demands on these systems have been continuously growing and the world continues to throw security challenges our way. We’ve responded by making changes ourselves, but the technical debt has grown untenable over the years. Coupled with a technology that the industry is not actively pursuing anymore and people who have been part of building these systems retiring, it was necessary to make a leap.
“So, it is a great relief for me to see us moving into a new era where we are implementing software solutions that will last another 30 years. It is also exciting to know that, from now on, our system will be continuously improving and remain up to date.”
Part of the improved efficiency, he said, was the fact that the IT Division will work in close partnership with vendors like Oracle and Serosoft “to ensure that we have security by design”.
“We also know that we are not their only client, which means that we benefit from the collective. For instance, if they implement enhanced security measures, or conduct vulnerability tests for one client, they implement it for all of us. That is one of the benefits of going to the cloud –the vendor takes responsibility to keep the system up to date and secure according to a contract.”
Mr Johnson said that in the past many institutions bought software “off the shelves from a vendor” and then tried to maintain their systems themselves.
“But then they fall behind the latest versions and patches which opens them up to security risks. By moving to the cloud, Stellenbosch University will receive regular updates and be assisted regularly, and we will not fall behind as new functionalities are released.”
Mr Johnson said that the mechanisms implemented by the new systems will be a great deterrent to the ever-present cybersecurity threats.
“I recall a quote, often attributed to Thomas Jefferson, – “The price of freedom is eternal vigilance” – and it really rings true. With these new systems, we have invested in a solution that will continuously be kept up to date. Yes, along with the vendors, our team will have to be continuously vigilant, but it means newly discovered vulnerabilities will be quickly patched by our partners. We are contractually partnered with our vendors to provide that level of surety.”
Mr Johnson said once the system is up and running, “we will all sleep easier”.
“As the research shows, one of the most difficult IT challenges at any institution is to implement a new system. It involves a lot of change and the switchover from the one system to the other is a risk that can be easily exploited by people wanting to do harm.
“For instance, if cyber criminals know that a new system is being implemented, they could send out an email to a student or staff member and invite them to click on a link to be “onboarded” on the new system – potentially leading to compromised credentials. During this period of transition, we have to promote a heightened awareness and ensure we educate all students and staff about the risks. Our teams monitor and respond to phishing attacks like these that target our users. One of the measures that counter the reach of these attacks is to implement multi-factor authentication. For instance, when you log into the system, you receive a prompt to either supply a one-time PIN or approve the log in using a mobile app. For many staff and students, it feels like a burden, but that simple act is an important deterrent, because if someone gets hold of your username and password it makes it much harder to get past that hurdle.
“We can try to put in place as many security measures as we can, but if the attacker manages to use phishing techniques to trick a student or staff member to disclose their username or password, it could give the attacker access to sensitive information. This is a critical threat to administrative systems and something we are obviously concerned about, hence measures like Multi-factor Authentication.”
Mr Johnson continued: “SUNFin and SUNStudent will not only provide better functionality, to enable us to become a more modern and efficient university, but they will also make us more resilient to cyber-attacks. However, we really need everyone’s help to be vigilant by educating oneself and being on the lookout for suspicious messages. All students and staff are encouraged to reach out to us if they have any doubts or queries about suspicious emails or notifications they receive. Our IT support desks and relationship managers are there to assist, especially during this transition period to final implementation of SUNFin and SUNStudent.”