The IT Security Jungle of Higher Education
Transcript of The IT Security Jungle of Higher Education
The IT Security Jungle of Higher Education
Presented by Nicholas Davis, CISA, CISSP
WTA Conference, May 2015
Overview
• Question: Why are security breaches in higher education on the rise?
• How the environment in a university setting differs from the private sector
• What happens when you try to do it like everyone else
• The approach of motivating rather than obligating, and federating rather than centralizing
• Eduroam as an example of how higher education does things differently (and in this case—better)
• Using outside influence, embracing differences
• Summary, question and answer session
Why Us?
Question: Why have there been security breaches in the higher education community?
Let’s take a look at the culture of academia
Academic Environment
• Highly decentralized in many cases, from authority to funding to infrastructure
• Many smart people, who want to have their say and who want their research freedom ensured
• Unique situations are the norm
• Funding is always a huge concern
Imagine This
• “Higher education is the only institution in which a vote of 15 to 1 is defined as a tie”– Unknown Author
• No forward movement until consensus is achieved
• This often means that forward movement depends upon everyone getting their second choice, which nobody loves, but nobody hates... often diluted solutions
Look at Our Technology Infrastructure
Multiple variants of Operating Systems means it is difficult to have a consistently applied security patch program
If You Thought Apple Was a Challenge
• How does one go about securing a Commodore 64, connected to proprietary research equipment, saving sensitive data to a network drive, through a cassette tape I/O port?
Funding Models
• Research grants provide a great deal of revenue to a large public university
• Grants cover everything from staff salaries to computer equipment
• The researchers buy what they like, and use it as they like
• Difficult for central IT to manage what they do not own
Private Sector Vs Higher Education
• Private sector typically has standard hardware and software builds, manages end user machines, has rigid equipment use guidelines, monitors usage, blocks access to “dangerous” websites
• Higher education always has freedom in the forefront of thoughts: Freedom from standards, freedom from restricted use
Well, How Difficult Can It Be?
• No overall managed endpoint environment
• No centralized log collection
• Ambiguous perimeters of network, firewalls, intrusion detection, intrusion prevention
• BYOD gone crazy!
• Central equipment inventory not available
• Equipment moving constantly
• Massive amounts of data, being used in many non-standard ways
• Decentralized data management
Defining the Community
• Transient student population
• International students on campus
• American students overseas
• Visiting professors, not officially a university employee
• Research taking place all over the globe
• Making network available for visitors
It’s Simple, Just Do What I Say
• Diverse structure of university does not fit well with a top-down model
• My primary allegiance is to those who fund my research
• If I can’t do it my way, here, I may go someplace else where I have more freedom
From the Technical Side
• Decentralized firewall management makes network assets unreachable
• Decentralized management prohibits owning endpoints by a central authority
• Multiple types of OS and hardware make it difficult to manage
• Specialized software means that patching is often not possible
The Secret Sauce
• We try to motivate rather than obligate
• Give the people information, let them decide
• Authority and accountability
• Make it easy for them, make it inexpensive
• Avoid client footprint whenever possible
• Thanks to the cloud, it is getting easier to manage in the jungle
Instead of Controlling Others, We Choose to Trust Them
• Centralized identity management is challenging in our amorphous customer base
• Instead of owning everything, we set standards of trust and we have confidence in others to manage their individual systems better than they could be managed centrally
• Mainstream is not the only way to achieve success
• Let’s look at one example
Eduroam – Trust Through Federation
• Eduroam (education roaming) is an international roaming service for users in research, and higher education.
• It provides researchers, teachers and students easy and secure network access when visiting an institution other than their own.
Eduroam Introduction
https://www.youtube.com/watch?feature=player_embedded&v=TVCmcMZS3uA
How Eduroam Works
• Authentication of users is performed by their home institution, using the same credentials as when they access the network locally, while authorization to access the Internet and possibly other resources is handled by the visited institution. Users do not have to pay for using eduroam.
Eduroam Has a Risk
• When placing trust in Eduroam, you are placing trust in others, who from time to time may not meet the standards which you were expecting
• The solution is to understand the level of authentication provided and that authentication should not be synonymous with authorization
Eduroam
• How does your business deal with visitors from other companies?
• How do other companies deal with granting you access when you are on-site?
• Generic logins? No logins? Who is on the network? Nobody knows!
• Have you ever seen a solution as elegant, safe, flexible and useful as Eduroam?
Eduroam
• Federation isn’t the industry standard, but it certainly recognizes the reality of the world we live in.
• The people in higher education might be on to something here
• When you can’t own everything, you need to be pragmatic
• Lack of rigidity, makes higher education very innovative
Eduroam Makes Sense
Federation of Communities
It Is All About Trust
• Which do you trust more: Facebook, which gave an account to my stuffed cow, or a home institution with more rigorous credential issuance policies and procedures, such as a university?
Federation Does Not Mean Loss of Control
• Federation with Eduroam handles authentication, at LOA2’ish levels
• Eduroam reports: you decide!
• Logging in with Facebook is more LOA1’ish
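The slides on how eduroam works, on authentication not being authorization, and on LOA-based decisions describe one mechanism: the visited site forwards the credential check to the realm after the `@`, then applies its own policy to the result. The following Python model is an added illustration written for this transcript; it is not eduroam's code and not the presenter's. The realm names, the LOA numbers assigned to each realm and the policy table are constructed, and the federation is a plain in-process dictionary rather than a RADIUS hierarchy.

```python
"""Toy model of eduroam-style federated roaming (constructed example).

What it shows:
  * the VISITED institution never handles the user's password check; it routes
    the request to the HOME realm named after '@', which authenticates;
  * a successful authentication is NOT an authorization: the visited
    institution keeps its own policy, keyed on the level of assurance (LOA)
    it attributes to the home identity provider, and keeps its own audit log.
Realm names, LOA values and the policy table below are constructed.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets


@dataclass
class HomeRealm:
    """An identity provider (home institution) that authenticates its own users."""
    name: str
    loa: int                                      # constructed LOA label for this realm
    _users: dict = field(default_factory=dict)    # username -> (salt, pbkdf2 hash)

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def enroll(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(salt, password))

    def authenticate(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._hash(salt, password))


@dataclass
class Federation:
    """Routes an authentication request to the realm named after '@'."""
    realms: dict = field(default_factory=dict)    # realm name -> HomeRealm

    def add(self, realm: HomeRealm) -> None:
        self.realms[realm.name] = realm

    def authenticate(self, identity: str, password: str):
        """Return (ok, loa). Malformed identities and unknown realms are rejected."""
        if "@" not in identity:
            return False, 0
        user, realm_name = identity.rsplit("@", 1)
        realm = self.realms.get(realm_name)
        if realm is None:
            return False, 0
        ok = realm.authenticate(user, password)
        return ok, (realm.loa if ok else 0)


class VisitedInstitution:
    """Trusts the federation for authentication only; authorization stays local."""
    # Constructed policy, checked in order: minimum LOA -> network role granted.
    POLICY = [
        (2, "research-vlan"),        # LOA2-ish credentials from a home university
        (1, "guest-internet-only"),  # LOA1-ish credentials such as a social login
    ]

    def __init__(self, federation: Federation, audit: list):
        self.federation = federation
        self.audit = audit            # "eduroam reports, you decide": local record

    def connect(self, identity: str, password: str) -> str:
        ok, loa = self.federation.authenticate(identity, password)
        if not ok:
            self.audit.append(f"REJECT {identity}")
            return "denied"
        for min_loa, role in self.POLICY:
            if loa >= min_loa:
                self.audit.append(f"ACCEPT {identity} loa={loa} role={role}")
                return role
        self.audit.append(f"REJECT {identity} loa={loa} below policy")
        return "denied"


def build_demo():
    """Constructed federation: one university realm and one social-login realm."""
    fed = Federation()
    uni = HomeRealm("example-university.edu", loa=2)
    uni.enroll("alice", "correct horse battery staple")
    social = HomeRealm("social.example", loa=1)
    social.enroll("stuffed.cow", "moo")
    fed.add(uni)
    fed.add(social)
    audit: list = []
    return VisitedInstitution(fed, audit), audit


if __name__ == "__main__":
    visited, log = build_demo()
    for ident, pw in [("alice@example-university.edu", "correct horse battery staple"),
                      ("stuffed.cow@social.example", "moo"),
                      ("alice@example-university.edu", "wrong"),
                      ("bob@unknown-realm.example", "x")]:
        print(ident, "->", visited.connect(ident, pw))
    print("\n".join(log))
```

The design point is the split the slides insist on: `Federation.authenticate` answers only "is this person who their home institution says they are, and how strongly", while `VisitedInstitution.connect` alone decides what that identity may reach on the local network, and records that decision locally rather than relying on the home realm's logs.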
A New World Order of Centralized Identity Management Is Highly Unlikely
• Not everyone in the world is going to join Facebook
• Even if they did, the LOA of Facebook sets the bar low to the ground
• Do you really want Facebook to own your organization’s authentication?
• It is OK not to own everything, as long as you know who to trust
Outside Influence Never Hurts
• HIPAA, PCI, FERPA
• “Sorry, it isn’t me, it is an external requirement” is an extra ace in pocket!
• NIST 800-53 (federal government IT security controls)
• “If you want your grant money, you must first prove NIST 800-53 compliance”
Budget Constraints
• In the past, individual freedom was a top priority
• In the current environment, campuses are looking to save money wherever possible and become more efficient
• Redundancy in policy, process development and deployment is being sought out and removed wherever possible
Summary View
• IT Security in higher education is a greater challenge than in the private sector
• You often have to work without the benefit of the infrastructure and control which is taken for granted in the private sector
• Freedom of choice is held as a core value in academia
Jungles Are For Roaming
• Amazing things can happen in the jungle
• Obligation is a dying breed of animal in an interconnected world
• The IT security jungle should be appreciated, embraced and not approached as something which needs to be “controlled” at all costs.
Questions & Comments
Nicholas Davis, CISA, CISSP
Chief Information Security Officer
UW-System
facebook.com/nicholas.a.davis
https://www.linkedin.com/in/nicholascv