Date post: | 09-Apr-2018 |
Category: |
Documents |
Upload: | jake-tyler |
View: | 216 times |
Download: | 0 times |
of 30
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
1/30
Defining the SecurityDefining the Security
DomainDomainMarilu GoodyearMarilu Goodyear
John H. LouisJohn H. LouisUniversity of KansasUniversity of Kansas
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
2/30
Goals for the Security Policy?Goals for the Security Policy?
Protection of the networkProtection of the network
Physical assetsPhysical assets
Network functionality/reliabilityNetwork functionality/reliabilityProtect Institutional DataProtect Institutional Data
Protect Institutional SystemsProtect Institutional Systems
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
3/30
What is the SecurityWhat is the Security
DomainDomain??The people, data, systems, andThe people, data, systems, and
devices that must comply with yourdevices that must comply with yoursecurity policy, i.e. The scopesecurity policy, i.e. The scope
statement of your security policy.statement of your security policy.
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
4/30
The Complexity of the CampusThe Complexity of the Campus
EnvironmentEnvironmentCampuses are more than faculty, staff andCampuses are more than faculty, staff and
studentsstudents
Other organizations: institutes, affiliatesOther organizations: institutes, affiliates Related individuals to campus players:Related individuals to campus players:
parents, etc.parents, etc.
Network is complexNetwork is complex
Where does your network begin and end?Where does your network begin and end?
Where are the boundaries?Where are the boundaries?
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
5/30
Security Domain and PeopleSecurity Domain and People
Identity ManagementIdentity ManagementIdentity ManagementIdentity Management
Defines the people who are a part of yourDefines the people who are a part of your
institution (Identification and Authentication)institution (Identification and Authentication)
Authorizes access to systems on campusAuthorizes access to systems on campus
Passes credentials to other trusted institutionsPasses credentials to other trusted institutions
and systems (Shibboleth)and systems (Shibboleth)
Security DomainSecurity Domain Larger than Identity Management sinceLarger than Identity Management since
people are only one element of the domainpeople are only one element of the domain
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
6/30
The Security Domain isThe Security Domain is
Not just the campus networkNot just the campus network
Not just the campus administrativeNot just the campus administrative
structurestructureNot just campus dataNot just campus data
Not just campus peopleNot just campus people
But is a combination of allBut is a combination of all
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
7/30
Elements of Determining Who andElements of Determining Who and
What is in the Security DomainWhat is in the Security DomainWhy? andWhy? and
Who?Who?
What?What? How?How?
Whom to grantWhom to grant
access?access?
Why are youWhy are you
granting themgranting them
access?access?
DataData
OpenOpenRestrictedRestricted
SystemsSystems
OpenOpen
RestrictedRestricted
How do theyHow do they
get accessget access
(telecom path)?(telecom path)?
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
8/30
Why? and Who?Why? and Who?
Individuals authorized as a member of yourIndividuals authorized as a member of yourcommunitycommunity Employees (when acting within scope of employment)Employees (when acting within scope of employment)
StudentsStudents AffiliatesAffiliates
VisitorsVisitors
Means of authorizationMeans of authorization
Campus online ID/PKI/BiometricCampus online ID/PKI/Biometric Trusted Visitor authorizationTrusted Visitor authorization
No authorization (open/public wired or wirelessNo authorization (open/public wired or wirelessaccess)access)
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
9/30
The Security DomainThe Security Domain
and Policiesand PoliciesIn addition to the Security Policy yourIn addition to the Security Policy your
organization has other policies that includeorganization has other policies that include
scope statements (i.e. who the policyscope statements (i.e. who the policyapplies to) that relate to the security domainapplies to) that relate to the security domain
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
10/30
Policies that Relate to Who GetsPolicies that Relate to Who Gets
Access to Your SystemsAccess to Your Systems
EmployeesEmployees
StudentsStudents
AffiliatesAffiliatesVisitorsVisitors
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
11/30
What? DataWhat? Data
Freely available university dataFreely available university dataWeb site data (examples)Web site data (examples)
Basic institutional infoBasic institutional info
Research reportsResearch reports
Press releasesPress releases
Restricted or confidential dataRestricted or confidential dataFederal law confidential (examples)Federal law confidential (examples)
HIPPAHIPPA
FERPAFERPA
University policy restricted (examples)University policy restricted (examples) Email account contentEmail account content
University policy sensitive (examples)University policy sensitive (examples)
Financial dataFinancial data
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
12/30
What? SystemsWhat? Systems
Public systemsPublic systems Web pagesWeb pages
Library and Museum CatalogsLibrary and Museum Catalogs
Institutional repositoriesInstitutional repositorieswww.kuscholarworks.ku.eduwww.kuscholarworks.ku.edu
Institution systemsInstitution systems Administrative SystemsAdministrative Systems
Financial, Student Information, Human Resources, Parking,Financial, Student Information, Human Resources, Parking,etc.etc.
Academic SystemsAcademic SystemsCourse management, library integrated systems, emailCourse management, library integrated systems, email
Research SystemsResearch Systems
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
13/30
Data and Systems PoliciesData and Systems Policies
University Data and Records PoliciesUniversity Data and Records Policies
Policies that relate to legally definedPolicies that relate to legally defined
confidential data (e.g. HIPPA, GLB, etc.)confidential data (e.g. HIPPA, GLB, etc.)Policies that relate to access toPolicies that relate to access to
confidential dataconfidential data
Authorization policies and procedures asAuthorization policies and procedures asthey relate to defining access to campusthey relate to defining access to campus
systems (the why of the who)systems (the why of the who)
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
14/30
Public and Private NetworksPublic and Private Networks
Federal law provides definitions for public andFederal law provides definitions for public and
private networksprivate networks
Our institutional networks are generallyOur institutional networks are generally
considered to be private networksconsidered to be private networks
Public networks or common carriers generallyPublic networks or common carriers generally
Charge a fee to their usersCharge a fee to their users
Are considered public networks because theyAre considered public networks because theyprovide(mostly sell) services to any individualprovide(mostly sell) services to any individual
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
15/30
The Campus Network as a PrivateThe Campus Network as a Private
NetworkNetworkIt is important to higher education institutionsIt is important to higher education institutions
that our networks be defined as private networksthat our networks be defined as private networks
in relation to federal law. This allows us toin relation to federal law. This allows us to
manage the network and the privacy of the usersmanage the network and the privacy of the usersand data.and data.
As federal government requires more of networkAs federal government requires more of network
operators, it is important that we know andoperators, it is important that we know and
understand the boundaries of our networks, i.e.understand the boundaries of our networks, i.e.
What exactly are we responsible for?What exactly are we responsible for?
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
16/30
What are the network boundaries?What are the network boundaries?
Institutional NetworkInstitutional Network Institutionally infrastructure owned and run by Institution, either byInstitutionally infrastructure owned and run by Institution, either by
Central ITCentral IT
Departmental UnitDepartmental Unit
Cluster of Units in BuildingsCluster of Units in Buildings
Institutionally owned but run by other entity (outsourced)Institutionally owned but run by other entity (outsourced) Corporation owned infrastructure either:Corporation owned infrastructure either:
managed by the institutionmanaged by the institution
managed by the private entitymanaged by the private entity
In this case contract language would be important in delineatingIn this case contract language would be important in delineatingresponsibilityresponsibility
Public NetworkPublic Network Member of the University has an individual account on a network ownedMember of the University has an individual account on a network owned
and managed by a corporate entity (i.e. faculty members home accountand managed by a corporate entity (i.e. faculty members home accounton local cable provider system)on local cable provider system)
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
17/30
Network Policies and the SecurityNetwork Policies and the Security
DomainDomainInstitutional Network PolicyInstitutional Network Policy
Domain sometimes is limited to centrallyDomain sometimes is limited to centrally
managed networkmanaged network
Domain should include networks run byDomain should include networks run by
departmentsdepartments
A good Network Policy should define theA good Network Policy should define the
network boundary which in turn affects thenetwork boundary which in turn affects thedefinition of the security domaindefinition of the security domain
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
18/30
Inside or Outside of the SecurityInside or Outside of the Security
Domain ?Domain ?When will a security breach affect theWhen will a security breach affect the
institution in some way?institution in some way?
A function of three questions:A function of three questions: Who?Who?
What?What?
DataData
SystemsSystems
How?How?
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
19/30
Example #1Example #1
Employee of institution is at their privateEmployee of institution is at their private
residence on a local cable networkresidence on a local cable network
searching the institution library catalogsearching the institution library catalog
Are they in the Security Domain?Are they in the Security Domain?
Who? Yes (employee)Who? Yes (employee)
What? No (public system and data)What? No (public system and data)
How? No (private network)How? No (private network)
NONO
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
20/30
Example #2Example #2
A student is in their private apartment on a cableA student is in their private apartment on a cable
network accessing their grades through thenetwork accessing their grades through the
portal and student information systemportal and student information system
Are they in the Security Domain?Are they in the Security Domain? Who? Yes (student)Who? Yes (student)
What? Yes (Confidential data and private system)What? Yes (Confidential data and private system)
How? No (private network)How? No (private network)
YesYes
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
21/30
Example #3Example #3
A affiliated corporation employee is in theirA affiliated corporation employee is in theiroffice on the institution owned and runoffice on the institution owned and runnetwork searching the CNN Web sitenetwork searching the CNN Web site
Are they in the Security Domain?Are they in the Security Domain? Who? Yes (affiliate employee)Who? Yes (affiliate employee)
What? No (assessing public system andWhat? No (assessing public system and
data)data) How? Yes (institution network)How? Yes (institution network)
YesYes
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
22/30
Example #4Example #4
Institutional employee at an off campus locationInstitutional employee at an off campus location
on a cable network is searching the Studenton a cable network is searching the Student
Information System for information about aInformation System for information about a
studentstudentAre they in the Security Domain?Are they in the Security Domain?
Who? Yes (employee)Who? Yes (employee)
What? Yes (confidential data and private system)What? Yes (confidential data and private system)
How? No (private network)How? No (private network)
YesYes
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
23/30
Example #5Example #5
Institutional employee at an off campusInstitutional employee at an off campuslocation on a cable network is searchinglocation on a cable network is searchingthe institution web site for information onthe institution web site for information on
an academic programan academic programAre they in the Security Domain?Are they in the Security Domain?
Who? Yes (employee)Who? Yes (employee)
What? No (public data and system)What? No (public data and system) How? No (private network)How? No (private network)
Yes or NoYes or No
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
24/30
Example #6Example #6
University IT employee at an EDUCAUSEUniversity IT employee at an EDUCAUSESecurity Conference in Denver through theSecurity Conference in Denver through theEDUCAUSEAir Wireless service reading anEDUCAUSEAir Wireless service reading an
email about an employee discipline problem.email about an employee discipline problem.Are they in the Security Domain?Are they in the Security Domain? Who? Yes (employee)Who? Yes (employee)
What? Yes (confidential data and institutionalWhat? Yes (confidential data and institutionalsystem)system)
How? No (EDUCAUSE and hotel network) or Yes (ifHow? No (EDUCAUSE and hotel network) or Yes (ifon VPN)on VPN)
YesYes
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
25/30
Most of the time you are in theMost of the time you are in the
Security Domain, ifSecurity Domain, if
If you are on the (or an) institutionalIf you are on the (or an) institutional
networknetwork
If you are accessing confidential data orIf you are accessing confidential data orsystems,systems,
Unless data as moved beyond the institutionUnless data as moved beyond the institution
If you are acting in your role as aIf you are acting in your role as a
university employee or student employeeuniversity employee or student employee
But not if you are a studentBut not if you are a student
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
26/30
Thinking about Control andThinking about Control and
ResponsibilityResponsibility
When do we want control?When do we want control?
When behavior can affect us we need sanctionsWhen behavior can affect us we need sanctions
Who do we want to be responsible for?Who do we want to be responsible for?
As few people as possibleAs few people as possible
Particularly interested in NOT being responsible forParticularly interested in NOT being responsible for
students.students.
If inside the security domain the institution isIf inside the security domain the institution is
affected by the behavior andaffected by the behavior and maybemaybe responsibleresponsible
for the behavior.for the behavior.
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
27/30
ConclusionConclusion
Defining a Security Domain for yourDefining a Security Domain for your
institution is a critical step in implementinginstitution is a critical step in implementing
your Security Policy and the scope ofyour Security Policy and the scope of
other policiesother policies
Boundaries can be fuzzy, but needBoundaries can be fuzzy, but need
definition so that accountability is as cleardefinition so that accountability is as clear
as it can be.as it can be.
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
28/30
Questions?Questions?
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
29/30
Marilu GoodyearMarilu Goodyear
John LouisJohn LouisUniversity of KansasUniversity of Kansas
8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06
30/30
KU Network DefinitionsKU Network Definitions
The University network begins at the point where anThe University network begins at the point where anendend--user device (located on Universityuser device (located on University--owned or leasedowned or leasedproperty, or on KU Endowment property utilized by theproperty, or on KU Endowment property utilized by theUniversitys Lawrence or Edwards campuses) gainsUniversitys Lawrence or Edwards campuses) gains
access to this infrastructure and ends at the point whereaccess to this infrastructure and ends at the point wherethe University network attaches to external nonthe University network attaches to external non--KUKUnetworks.networks.
EndEnd--user devices that indirectly connect via a thirduser devices that indirectly connect via a third--partypartytelecommunications provider (a connection made to thetelecommunications provider (a connection made to the
KU network via a home broadband or dial up connectionKU network via a home broadband or dial up connectionfor example) are not considered part of the Universityfor example) are not considered part of the Universitynetwork.network.