Page 1

Information Security at Waterloo: Past, Present, and Future

Jason A. Testart, BMath, CISSP

Director, Information Security Services

Information Systems & Technology

Page 2

Hacked by an iron.

#watitis2013


Page 4

Five Eyes


Page 7

Security Portfolio: 1998

• A single FTE
• UWDir (identity management)
• Best Practices for OS and Application Security
• Awareness
• Certificate Authority

Page 8

Security Portfolio: 2008

• A single FTE
• Best Practices for OS and Application Security
• Awareness
• Certificate Authority
• Compliance (PCI DSS, FIPPA)
• Network Security

Page 9

Tools: 2008

• Netflow for IDS
• Nessus scanner
• Focus on baselines
• Email for incident response
• Email for certificate management

Page 10

Status 2011

• Added 4 FTEs (5 total)
• Renamed “Information Security Services”
• Security reports to senior IT leader
• Security Operations Centre
• Policy 8 approved and in force
• More formal incident response (RTIR)

Page 11

2011 continued

• VPN
• Self-serve certificates (Globalsign)
• Proactive vulnerability management
  – AppScan
  – QualysGuard
• Encryption support
• Investigations Support

Page 12

2012/2013

• NetID
• SIEM (log correlation)
• Metasploit
• Threat Intelligence

Page 13

2014 and Beyond

• Evolve current capabilities in IDS, IR, and vulnerability management
• More standards (all layers of stack)
• PSIA
• WatIAM:TNG IAMNG
• More compliance
  – Anti-spam law
  – New copyright legislation

Page 14

ISS Previous Structure

Director
– Systems Integration Specialist
– Systems Integration Specialist
– Systems Integration Specialist
– Systems Integration Specialist

Page 15

ISS Current Structure

Director
– Manager, Information Security Operations
– Security Operations Analyst
– Security Operations Analyst (co-op student)
– Information Security Specialist
– Information Security Specialist
– Information Security Specialist
– IAM Specialist
– IAM Specialist

Page 16

Key Partnerships

• Secretariat
  – Privacy
  – Records Management
  – Law
• IST Portfolio Group
  – Policy, Standards, Compliance, Risk Management
• Finance
  – PCI DSS Compliance
• Office of Research
  – Compliance
• UW Police
  – Investigations

Page 17

PSIA

• What is it?
  – Mechanism for the identification, assessment, and mitigation of privacy and security risks for information-centric university initiatives
  – Assessors: Privacy Officer, Information Security Officer

Page 18

Proposed PSIA Process

Stage of Initiative                  | Privacy Action(s) | Security Action(s) | Sign-off?
Proposal/Business Case               | Review/Assess     | Review             | Sponsor + Privacy
Solution Design (or “RFP Response”)  | Review/Assess     | Review/Assess      | Sponsor/Project Team + Privacy + Security
Development/Pre-production           | –                 | Review/Assess      | Project Team + Security
Implementation/Production            | Review            | Review             | Sponsor + Project Team + Privacy + Security

Page 19

Jason’s Principles of Identity Management

1. A person can assume more than one role at one time (badges, not hats).
2. There is no “primary role”.
3. Every role has a sponsor (i.e. someone needs to attest to you being here).
4. “Expired” means you are status VSA.

Page 20

Identity Management

1. Enumerate Roles
2. Determine lifecycles of each role
3. Business process analysis
4. Requirements Definition
5. Architecture
6. RFP

Page 21

Access Management

• CAS may not be the ultimate solution.
• Centralize/automate where possible.
• Require multi-factor authentication for certain types of access/transactions.
• Approach problem with EA-like abstractions.

Page 22

Enterprise Architecture (Zachman) (from zachman.com)

Page 23

Networking Models

Page 24

Testart’s EA-Lite

• Business View
• Logical View
• Physical View

Page 25

EA-Lite for Access Control

• Role Definition/Requirements
• ACL in generic language
• Implementation

Page 26

Simplified Example

Role Definition/Requirements: Academic Advisor

ACL in generic language:
• Bio+Marks: RO Access
• Program/Plan: RW Access

Implementation:
• Peoplesoft Security Controls
• Online Advising Tool (OAT) ACLs
• Active Directory Security Group
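The three EA-Lite layers from the Academic Advisor example, worked in Python as an added illustration that is not part of the presentation: the slide's role and generic ACL, a constructed second role ("Program Reviewer"), and placeholder PeopleSoft/OAT/Active Directory names that are assumptions, not Waterloo's real ones. It also applies the identity-management principles from page 19: a person holds several badges at once, every role needs a sponsor, and an expired role grants nothing.

```python
from dataclasses import dataclass
from datetime import date

# Logical view ("ACL in generic language"): role -> resource -> access level ("Program Reviewer" is constructed).
LEVEL_RANK = {"RO": 1, "RW": 2}
ROLE_ACLS = {
    "Academic Advisor": {"Bio+Marks": "RO", "Program/Plan": "RW"},
    "Program Reviewer": {"Program/Plan": "RO"},
}

# Physical view: how each target system spells one generic (resource, level) pair. Placeholder names, not real ones.
SYSTEM_MAPPINGS = {
    "PeopleSoft": {("Bio+Marks", "RO"): "PS_STU_BIO_VIEW",
                   ("Program/Plan", "RO"): "PS_STU_PLAN_VIEW",
                   ("Program/Plan", "RW"): "PS_STU_PLAN_UPDATE"},
    "OAT": {("Bio+Marks", "RO"): "allow read bio,marks",
            ("Program/Plan", "RO"): "allow read plan",
            ("Program/Plan", "RW"): "allow read,write plan"},
    "ActiveDirectory": {("Bio+Marks", "RO"): "SG-Student-Bio-Readers",
                        ("Program/Plan", "RO"): "SG-Student-Plan-Readers",
                        ("Program/Plan", "RW"): "SG-Student-Plan-Editors"},
}

@dataclass(frozen=True)
class RoleAssignment:  # one badge a person holds; several at once is normal (principle 1)
    role: str
    sponsor: str   # principle 3: someone must attest to the person holding this role
    expires: str   # ISO date; principle 4: an expired badge grants nothing

    def __post_init__(self):
        if self.role not in ROLE_ACLS:
            raise ValueError(f"unknown role {self.role!r}")
        if not self.sponsor:
            raise ValueError(f"role {self.role!r} has no sponsor")

def effective_access(assignments, today):
    """Union of the generic ACLs of all unexpired roles; RW outranks RO on a resource."""
    access = {}
    for a in assignments:
        if date.fromisoformat(a.expires) < date.fromisoformat(today):
            continue  # expired: contributes nothing, whatever other badges the person holds
        for resource, level in ROLE_ACLS[a.role].items():
            if LEVEL_RANK[level] > LEVEL_RANK.get(access.get(resource), 0):
                access[resource] = level
    return access

def render_for_system(access, system):
    """Translate generic access into one system's concrete ACL entries or security groups."""
    return sorted(SYSTEM_MAPPINGS[system][(r, lvl)] for r, lvl in access.items())
```

Because the generic ACL is the single source of truth, a change to a role is made once in ROLE_ACLS and re-rendered for every system, which is the point of the logical layer.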

Page 27

For your consideration…

• ISS is not just about IT infrastructure.
• Let us know about current challenges you see with WatIAM.
• Stay tuned for the potential IT impact of new legislation.
• You MUST report breaches. We have legal obligations to uphold.

Page 28

THANK YOU

Jason Testart

Email: [email protected]

Telephone: Ext. 38393