Defining the Security Domain Marilu Goodyear John H. Louis University of Kansas.



Goals for the Security Policy?

Protection of the network
  Physical assets
  Network functionality/reliability
Protect Institutional Data
Protect Institutional Systems


What is the Security Domain?

The people, data, systems, and devices that must comply with your security policy, i.e., the scope statement of your security policy.


The Complexity of the Campus Environment

Campuses are more than faculty, staff and students
  Other organizations: institutes, affiliates
  Individuals related to campus players: parents, etc.
Network is complex
  Where does your network begin and end?
  Where are the boundaries?


Security Domain and People Identity Management

Identity Management
  Defines the people who are a part of your institution (Identification and Authentication)
  Authorizes access to systems on campus
  Passes credentials to other trusted institutions and systems (Shibboleth)
Security Domain
  Larger than Identity Management since people are only one element of the domain


The Security Domain is

Not just the campus network
Not just the campus administrative structure
Not just campus data
Not just campus people
But is a combination of all


Elements of Determining Who and What is in the Security Domain

Why? and Who?
  Whom to grant access?
  Why are you granting them access?
What?
  Data
    Open
    Restricted
  Systems
    Open
    Restricted
How?
  How do they get access (telecom path)?


Why? and Who?

Individuals authorized as a member of your community
  Employees (when acting within scope of employment)
  Students
  Affiliates
  Visitors
Means of authorization
  Campus online ID/PKI/Biometric
  Trusted Visitor authorization
  No authorization (open/public wired or wireless access)


The Security Domain and Policies

In addition to the Security Policy, your organization has other policies that include “scope statements” (i.e., who the policy applies to) that relate to the security domain.


Policies that Relate to Who Gets Access to Your Systems

Employees
Students
Affiliates
Visitors


What? Data

Freely available university data
  Web site data (examples)
    Basic institutional info
    Research reports
    Press releases
Restricted or confidential data
  Federal law confidential (examples)
    HIPAA
    FERPA
  University policy restricted (examples)
    Email account content
  University policy sensitive (examples)
    Financial data


What? Systems

Public systems
  Web pages
  Library and Museum Catalogs
  Institutional repositories
    www.kuscholarworks.ku.edu
Institution systems
  Administrative Systems
    Financial, Student Information, Human Resources, Parking, etc.
  Academic Systems
    Course management, library integrated systems, email
  Research Systems


Data and Systems Policies

University Data and Records Policies
Policies that relate to legally defined confidential data (e.g. HIPAA, GLB, etc.)
Policies that relate to access to confidential data
Authorization policies and procedures as they relate to defining access to campus systems (the why of the who)


Public and Private Networks

Federal law provides definitions for public and private networks
Our institutional networks are generally considered to be private networks
Public networks or common carriers generally
  Charge a fee to their users
  Are considered “public” networks because they provide (mostly sell) services to any individual


The Campus Network as a Private Network

It is important to higher education institutions that our networks be defined as private networks in relation to federal law. This allows us to manage the network and the privacy of the users and data.

As the federal government requires more of network operators, it is important that we know and understand the boundaries of our networks, i.e., what exactly are we responsible for?


What are the network boundaries?

Institutional Network
  Infrastructure owned and run by the institution, either by
    Central IT
    Departmental Unit
    Cluster of Units in Buildings
  Institutionally owned but run by other entity (outsourced)
  Corporation owned infrastructure either:
    managed by the institution
    managed by the private entity
    In this case contract language would be important in delineating responsibility
Public Network
  Member of the University has an individual account on a network owned and managed by a corporate entity (i.e. faculty member's home account on local cable provider system)


Network Policies and the Security Domain

Institutional Network Policy
  Domain sometimes is limited to centrally managed network
  Domain should include networks run by departments
A good Network Policy should define the network boundary, which in turn affects the definition of the security domain


Inside or Outside of the Security Domain?

When will a security breach affect the institution in some way?
A function of three questions:
  Who?
  What?
    Data
    Systems
  How?


Example #1

Employee of institution is at their private residence on a local cable network searching the institution library catalog

Are they in the Security Domain?
  Who? Yes (employee)
  What? No (public system and data)
  How? No (private network)

NO


Example #2

A student is in their private apartment on a cable network accessing their grades through the portal and student information system

Are they in the Security Domain?
  Who? Yes (student)
  What? Yes (Confidential data and private system)
  How? No (private network)

Yes


Example #3

An affiliated corporation employee is in their office on the institution owned and run network searching the CNN Web site

Are they in the Security Domain?
  Who? Yes (affiliate employee)
  What? No (accessing public system and data)
  How? Yes (institution network)

Yes


Example #4

Institutional employee at an off campus location on a cable network is searching the Student Information System for information about a student

Are they in the Security Domain?
  Who? Yes (employee)
  What? Yes (confidential data and private system)
  How? No (private network)

Yes


Example #5

Institutional employee at an off campus location on a cable network is searching the institution web site for information on an academic program

Are they in the Security Domain?
  Who? Yes (employee)
  What? No (public data and system)
  How? No (private network)

Yes or No


Example #6

University IT employee at an EDUCAUSE Security Conference in Denver through the EDUCAUSEAir Wireless service reading an email about an employee discipline problem.

Are they in the Security Domain?
  Who? Yes (employee)
  What? Yes (confidential data and institutional system)
  How? No (EDUCAUSE and hotel network) or Yes (if on VPN)

Yes


Most of the time you are in the Security Domain, if

If you are on the (or an) institutional network
If you are accessing confidential data or systems,
  Unless data has moved beyond the institution
If you are acting in your role as a university employee or student employee
  But not if you are a student


Thinking about Control and Responsibility

When do we want control?
  When behavior can affect us we need sanctions
Who do we want to be responsible for?
  As few people as possible
  Particularly interested in NOT being responsible for students.
If inside the security domain the institution is affected by the behavior and maybe responsible for the behavior.


Conclusion

Defining a Security Domain for your institution is a critical step in implementing your Security Policy and the scope of other policies

Boundaries can be fuzzy, but need definition so that accountability is as clear as it can be.


Questions?


Marilu Goodyear
John Louis
University of Kansas



KU Network Definitions

The University network begins at the point where an end-user device (located on University-owned or leased property, or on KU Endowment property utilized by the University’s Lawrence or Edwards campuses) gains access to this infrastructure and ends at the point where the University network attaches to external non-KU networks.

End-user devices that indirectly connect via a third-party telecommunications provider (a connection made to the KU network via a home broadband or dial up connection for example) are not considered part of the University network.