the it security jungle of higher education
TRANSCRIPT
The IT Security Jungle of Higher Education
Presented by Nicholas Davis, CISA, CISSPWTA Conference, May, 2015
Overview
• Question: Why are security breaches in higher education on the rise?
• How the environment in a university setting differs from the private sector
• What happens when you try to do it like everyone else• The approach of motivating rather than obligating, and
federating rather than centralizing
• Eduroam as an example of how higher education does things differently (and in this case—better)
• Using outside influence, embracing differences
• Summary, question and answer session
Why Us?
Question: Why have there been security breaches in the higher education community?
Let’s take a look at the culture of academia
Academic Environment
• Highly decentralized in many cases, from authority to funding to infrastructure
• Many smart people, who want to have their say and who want to their research freedom ensured
• Unique situations are the norm
• Funding is always a huge concern
Imagine This
• “Higher education is the only institution in which a vote of 15 to 1 is defined as a tie”– Unknown Author
• No forward movement until consensus is achieved
• This often means that forward movement depends upon everyone getting their second choice, which nobody loves, but nobody hates…..Often diluted solutions
Look at Our Technology Infrastructure
Multiple variants of Operating Systems means it is difficult to have a consistently applied security patch program
If You Thought Apple Was a Challenge
• How does one go about securing a Commodore 64, connected to proprietary research equipment, saving sensitive data to a network drive, through a cassette tape I/O port?
Funding Models
• Research grants provide a great deal of revenue to a large public university
• Grants cover everything form staff salaries to computer equipment
• The researchers buy what they like, and use it as they like
• Difficult for central IT to manage what they do not own
Private Sector Vs Higher Education
• Private sector typically has standard hardware and software builds, manages end user machines, has rigid equipment use guidelines, monitors usage, blocks access to “dangerous” websites
• Higher education always has freedom in the forefront of thoughts: Freedom from standards, freedom from restricted use
Well, How Difficult Can It Be?
• No overall managed endpoint environment• No centralized log collection• Ambiguous perimeters of network, firewalls,
intrusion detection, intrusion prevention• BYOD gone crazy!• Central equipment inventory not available• Equipment moving constantly• Massive amounts of data, being used in many
non-standard ways• Decentralized data management
Defining the Community
• Transient student population
• International students on campus
• American students overseas
• Visiting professors, not officially a university employee
• Research taking place all over the globe
• Making network available for visitors
It’s Simple, Just Do What I Say
• Diverse structure of university does not fit well with a top-down model
• My primary allegiance is to those who fund my research
• If I can’t do it my way, here, I may go someplace else where I have more freedom
From the Technical Side
• Decentralized firewall management makes network assets unreachable
• Decentralized management prohibits owning endpoints by a central authority
• Multiple types of OS and hardware makes it difficult to manage
• Specialized software means that patching is often not possible
The Secret Sauce
• We try to motivate rather than obligate• Give the people information, let them
decide• Authority and accountability• Make it easy for them, make it
inexpensive• Avoid client footprint whenever possible• Thanks to the cloud, it is getting easier to
manage in the jungle
Instead of Controlling Others, We Choose to Trust Them
• Centralized identity management is challenging in our amorphous customer base
• Instead of owning everything, we set standards of trust and we have confidence in others to manage their individual systems better than they could be managed centrally
• Mainstream is not the only way to achieve success
• Let’s look at one example
Eduroam – Trust Through Federation
• Eduroam (education roaming) is an international roaming service for users in research, and higher education.
• It provides researchers, teachers and students easy and secure network access when visiting an institution other than their own.
Eduroam Introduction
https://www.youtube.com/watch?feature=player_embedded&v=TVCmcMZS3uA
How Eduroam Works
• Authentication of users is performed by their home institution, using the same credentials as when they access the network locally, while authorization to access the Internet and possibly other resources is handled by the visited institution. Users do not have to pay for using eduroam.
Eduroam Has a Risk
• When placing trust in Eduroam, you are placing trust in others, who from time to time may not meet the standards which you were expecting
• The solution is to understand the level of authentication provided and that authentication should not be synonymous with authorization
Eduroam
• How does your business deal with visitors from other companies?
• How do other companies deal with granting you access when you are on-site?
• Generic logins? No logins? Who is on the network? Nobody knows!
• Have you ever seen a solution as elegant, safe, flexible and useful as Eduroam?
Eduroam
• Federation isn’t the industry standard, but it certainly recognizes the reality of the world we live in.
• The people in higher education might be on to something here
• When you can’t own everything, you need to be pragmatic
• Lack of rigidity, makes higher education very innovative
Eduroam Makes SenseFederation of Communities
It Is All About Trust
• Which do you trust more, Facebook, which gave an account to my stuffed cow –or a home institution, with more rigorous credential issuance policies and procedures, such as a university?
Federation Does Not Mean Loss of Control
• Federation with Eduroam handles authentication, at LOA2’ish levels
• Eduroam reports-----you decide!
• Logging in with Facebook is more LOA1’ish
A New World Order of Centralized Identity
Management Is Highly Unlikely• Not everyone in the world is going
to join Facebook• Even if they did, the LOA of
Facebook sets the bar low to the ground
• Do you really want Facebook to own your organization’s authentication?
• It is OK not to own everything, as long as you know who to trust
Outside Influence Never Hurts
• HIPAA, PCI, FERPA
• “Sorry, it isn’t me, it is an external requirement” is an extra ace in pocket!
• NIST 800-53 (federal government IT security controls)
• “If you want your grant money, you must first prove NIST 800-53 compliance”
Budget Constraints
• In the past, individual freedom was a top priority• In the current environment, campuses are
looking to save money wherever possible and become more efficient
• Redundancy in policy, process development and deployment is being sought out and removed wherever possible
Summary View
• IT Security in higher education is a greater challenge than in the private sector
• You often have to work without the benefit of the infrastructure and control which is taken for granted in the private sector
• Freedom of choice is held as a core value in academia
Jungles Are For Roaming
• Amazing things can happen in the jungle
• Obligation is a dying breed of animal in an interconnected world
• The IT security jungle should be appreciated, embraced and not approached as something which needs to be “controlled” at all costs.
Questions & Comments
Nicholas Davis, CISA, CISSP
Chief Information Security Officer
UW-System
facebook.com/nicholas.a.davis
https://www.linkedin.com/in/nicholascv