
Post on 18-Dec-2015


IT Security Policies and Campus Networks

Translating security policy to practical campus networking

Sara McAneney, IT Security Officer, Trinity College Dublin, 16/11/2007

Overview

• Creating the Security Policy

• The Implementation Dilemma

• What makes the Campus Environment Different?

• The Answer

• Trinity College Dublin Implementation…

Campus Networks & Security

(Timeline figure. Milestones: 90’s, 2002/3, 2007, ??. Phases: Cultural Resistance, Gradual infiltration, Acceptance, Rapid Catch Up, Maturity!)

2003/04

• Sobig

• Slammer

• Lovgate

• Fizzer

• Blaster/Welchia/Mimail

• Randex

• Sasser

2005/06

• Yahoo Search Returns Faculty, Student Social Security Numbers - Utah Valley State College

• Student Information "Inadvertently" Left Exposed On Public Website - Mississippi State University

• UC-Boulder Web Site Exploit Exposes 17,500 Student Records - University of Colorado, Boulder

• University of Texas Breach Exposes Student and Staff Information - University of Texas, Dallas

• Thief Makes Off With Years Of Research Data - University of Colorado, Boulder

• University Research Information Exposes Participant Data - University of Iowa

• Stolen USB Drive Contained 18 Years of Student Information - University of Kentucky

ECAR - Policies Implemented 2006 (chart)

*ECAR – Educause Centre for Applied Research - 2006 IT Security Survey, 492 Respondents

Creating the Security Policy

• ISO 27001

• Relevant Legislation

• Organisational Environment

• Identify Assets

• Resources, e.g. UCISA Information Security Toolkit

Policy

• Main Policy

• Supporting policy areas:

– Email

– Internet use

– System development etc

– Virus and Spam

– Software Development

– Data Backup

– Disaster Recovery

Implementation….

• Governing Body Approval

• Communication to Users

• Translation to Operational Procedures

• Enforcement

Campus Implementation Difficulties

• Traditional ethos of free & open access to systems and information

• Diverse user base - Admin, teaching, research, grids, commerce, corporations, clubs, societies, college life, public guests

• Complex collaborative arrangements - institutions, individuals and industry

• Need to facilitate the rapid adoption of emerging & often immature technologies

• Diversity and decentralised management…

Traditional Implementation

(Org chart: CEO at the top; Area Head, Area Head and IT Function beneath; Managers beneath those; End Users at the bottom. Label: Policy Dissemination.)

College Structure

• Governing Body

• Committees

• Schools/Faculties

• Admin Areas

• Student Representatives

• Commercial Entities

(Org chart, Campus Network: Governing Body; Administration; Campus Companies; Academic structure; Admin Area; Committee; Academic Unit; Committee; Students; Clubs & Societies; User Groups; Research; Research Group; Central IT Function; IT Function; End Users at the leaves.)

Similarities with all Large Networks

• Provide High Quality, Flexible Services

• Protect Confidential data

• Protect against Internal and External Security Threats

• Comply with Legislation

• Contingency and Disaster Recovery Planning

• Despite/Because of complexity & diversity it is vital to implement an IT Security Management system.

• Risk Assessment & Mitigation

• Framework which facilitates as well as protects

Goal

The Answer?

• Management Structure - Establish IT Security Governance/Management Structure

• Involve Stakeholders - Identify key stakeholders and involve in creating policy, encourage ongoing communication.

• High Value Assets - Identify core IT Assets and prioritise

• Segregation - Appetite for Risk

• Flexibility – make provision for high risk activity - Research, new technology etc

Trinity College Timeline

(Timeline 2003 to 2007: IT Security Policy approved by Governing Body; User Awareness Campaign - Email, Pamphlet, Website; Translation to Operational procedures; Identification of Stakeholders; Policy Review & Revision; Adoption of Security Technologies.)

Implementation

• Governance - Internal Agreements - Central computing department & local IT interests.

• Regular Communication

• Dissemination to IT Administration Staff & End Users

• Translation to Operational Practices

• Adoption of Technologies

IT Governance

(Diagram: Governing Body; Trinity College Data Network; Autonomous Networks, each with End Users; Local Area Support Reps with End Users. The label "Translation to operating procedures" appears three times.)

Adopting Technologies

• Network Security - VPN, VLANs, Firewall, IDS, NAC, 802.1x, guest network services, Eduroam

• Host Security – Automatic Updates, Centrally Managed AV

• Enterprise Directory – Secure Authentication

• Application Security – Encryption, Risk Analysis

• Removal of Insecure Protocols

Defense in Depth

(Layered diagram, items grouped by the layer labels in the figure:

Network: Firewall, Intrusion Detection, VPN, NAC

Server / Hosts: Malware Protection, Software updates, Audit Logs, Standardised Build

Application: Standards, Audit, Encryption, Threat Modelling, Audit Logs

User: Code of Conduct, Online Password change)

Risk Management

(Diagram of network segments: Teaching & General; Research; Student Services; Wireless Services; Autonomous Networks; Specialised Production - cash registers etc; Specialised research; Central Services - Web, Mail, Proxy etc.)

Focus on Key Assets

• Staff/Student Data

• Financial Data

• Medical Data

• Research Data

Assessing the Progress

• Improved communications – move away from duplication of service

• Improved focus – strategic planning

• Improved Visibility

• Incident Reporting

• Internal Audit – systems, applications

• External Audit

Was it Successful?

(Chart: Disruptive Security Incidents, No. per Year, 2002 to 2007; y-axis 0 to 8.)

Did it hurt?

• Time

• Financial Cost

• Complexity…

Future Challenges

• Exploding User Numbers – students/public on network, Guests, Eduroam

• Non-traditional networked devices - PDAs, phones, Xboxes, cameras, CEPOS

• Disappearing Network Boundary

• Rapid Adoption of New technology

• Changing Threat profile

• Data privacy concerns – Help users protect their personal/financial data

• More important than ever to deal with these challenges via a strong IT Security Framework

Keeping Security on the Agenda

Security vs. Usability

References:

http://www.tcd.ie/itsecurity/policies/index.php

http://www.educause.edu/ecar

http://www.ucisa.ac.uk/