The Disintegrating The Disintegrating Perimeter: Perimeter: Planning for the Shift Planning for the Shift
to Asset-based Securityto Asset-based Security
Adam Goldstein CCNP CISSPAdam Goldstein CCNP CISSP
IT Security OfficerIT Security Officer
Villanova UniversityVillanova University
Villanova University 2005Villanova University 2005 22
IntroductionIntroduction
Overview of Villanova and IT Overview of Villanova and IT Academic Strategic PlanAcademic Strategic Plan Evaluation of our environmentEvaluation of our environment Need for shift in our approachNeed for shift in our approach
Villanova University 2005Villanova University 2005 33
Discussion OutlineDiscussion Outline
Define Asset-based approachDefine Asset-based approach The Disintegrating Perimeter and The Disintegrating Perimeter and
other challengesother challenges The PlanThe Plan
• IT Security ModelIT Security Model• Strategic PlanStrategic Plan• IT ScorecardIT Scorecard
Villanova University 2005Villanova University 2005 44
Asset-based Security:Asset-based Security:
Focuses security efforts based on the Focuses security efforts based on the value of the information system and value of the information system and datadata
Villanova University 2005Villanova University 2005 55
Why Asset-based SecurityWhy Asset-based Security
Higher education institutions face Higher education institutions face different challenges in providing different challenges in providing information assuranceinformation assurance
Internal security incidents on the riseInternal security incidents on the rise Cannot secure every systemCannot secure every system
Villanova University 2005Villanova University 2005 66
The Disintegrating PerimeterThe Disintegrating Perimeter
Technological ChangesTechnological Changes Elevated RisksElevated Risks Obstacles for Higher Education Obstacles for Higher Education
InstitutionsInstitutions
Villanova University 2005Villanova University 2005 77
Disintegrating Perimeter-Disintegrating Perimeter-Technological ChangesTechnological Changes
Mobile Computing/Wireless NetworksMobile Computing/Wireless Networks Increased Remote Access NeedsIncreased Remote Access Needs Third-Party integrationThird-Party integration
• Business partnersBusiness partners• Research projectsResearch projects• Other institutionsOther institutions
Villanova University 2005Villanova University 2005 88
Disintegrating Perimeter-Disintegrating Perimeter-Elevated RisksElevated Risks
Improper Handling of University DataImproper Handling of University Data- Intent to commit fraud- Intent to commit fraud- Intent to commit espionage- Intent to commit espionage- Intent to harm an institution’s reputation- Intent to harm an institution’s reputation
Disruption of Critical ServicesDisruption of Critical Services- Unintentional disruption- Unintentional disruption- Malicious disruption- Malicious disruption
Unauthorized Access to University IT Unauthorized Access to University IT ResourcesResources
Villanova University 2005Villanova University 2005 99
The Disintegrating Perimeter-The Disintegrating Perimeter-Higher Ed ObstaclesHigher Ed Obstacles
Public Access RequirementsPublic Access Requirements
Diversity of SystemsDiversity of Systems
Diversity of User PopulationDiversity of User Population
Limited staff and resources for Limited staff and resources for information securityinformation security
Villanova University 2005Villanova University 2005 1010
Shifting Focus- Asset-based Shifting Focus- Asset-based SecuritySecurity
In this environment, Information In this environment, Information Assurance cannot be an all or Assurance cannot be an all or nothing propositionnothing proposition
The most important information The most important information “assets” must be protected first“assets” must be protected first
Villanova University 2005Villanova University 2005 1111
Strategic Approach- The PlanStrategic Approach- The Plan
Set goals by adopting a security Set goals by adopting a security modelmodel
Measure existing compliance with Measure existing compliance with modelmodel
Create initiatives to improve Create initiatives to improve compliancecompliance
Prioritize initiativesPrioritize initiatives Track progressTrack progress
Villanova University 2005Villanova University 2005 1212
Purpose of the Security ModelPurpose of the Security Model
The Model intends to:The Model intends to: Detail Villanova University’s overall Detail Villanova University’s overall
vision of information technology vision of information technology security security
Set security standards for University Set security standards for University IT systems and processesIT systems and processes
Villanova University 2005Villanova University 2005 1313
Format of Security ModelFormat of Security Model
The model uses a hierarchical architecture The model uses a hierarchical architecture All University systems and processes are All University systems and processes are
placed in a clearly defined security layerplaced in a clearly defined security layer Each layer sets standards for security Each layer sets standards for security
controls, administrative procedures, user controls, administrative procedures, user interaction, and acceptable risk. interaction, and acceptable risk.
The boundaries between the layers serve The boundaries between the layers serve to prevent unauthorized access from lower to prevent unauthorized access from lower security layers to higher security layers security layers to higher security layers
Villanova University 2005Villanova University 2005 1414
Security Model LayersSecurity Model LayersThere are three layers to the There are three layers to the
Security Model:Security Model:
University SystemsUniversity Systems – – Systems not directly Systems not directly administered by UNITadministered by UNIT
Core UNIT SystemsCore UNIT Systems – – Academic, Administrative and Academic, Administrative and IT systems administered by IT systems administered by UNITUNIT
Security DomainsSecurity Domains – Systems – Systems that contain sensitive data, that contain sensitive data, perform critical University perform critical University functions, and/or require high functions, and/or require high security environmentssecurity environments
SecurityDomain
SecurityDomain
UniversitySystems
Core UNITSystems
SecurityDomain
Internet RemoteAccess
Villanova University 2005Villanova University 2005 1515
Security Layer DefinitionSecurity Layer Definition
Each layer is defined by the following criteria:Each layer is defined by the following criteria:
Included SystemsIncluded Systems: The systems and resources : The systems and resources that fall under the specific layerthat fall under the specific layer
Security ControlsSecurity Controls: Specify the baseline security : Specify the baseline security standards required at the given level. Controls standards required at the given level. Controls include:include:• Technical Controls: Hardware and software security Technical Controls: Hardware and software security
requirementsrequirements• Administrative Controls: Required security measures for Administrative Controls: Required security measures for
system administrationsystem administration• User Interaction: Security requirements for system usersUser Interaction: Security requirements for system users
ExposuresExposures: Assumed risk at the given layer: Assumed risk at the given layer
Villanova University 2005Villanova University 2005 1616
Strategic Plan- InitiativesStrategic Plan- Initiatives
Assessment of our current state Assessment of our current state against the Security Model against the Security Model highlighted deficiencieshighlighted deficiencies
Determined initiatives to protect Determined initiatives to protect assetsassets
Prioritized initiatives and developed Prioritized initiatives and developed multi-year planmulti-year plan
Villanova University 2005Villanova University 2005 1717
Strategic Plan – Technical Strategic Plan – Technical InitiativesInitiatives
Firewalls/network segmentationFirewalls/network segmentation Network traffic scanningNetwork traffic scanning Integrity checkingIntegrity checking Enhanced monitoring toolsEnhanced monitoring tools Secure remote accessSecure remote access
Villanova University 2005Villanova University 2005 1818
Strategic Plan- Administrative Strategic Plan- Administrative InitiativesInitiatives
Change management procedureChange management procedure Incident Response PolicyIncident Response Policy Security StandardsSecurity Standards Internal information system audit Internal information system audit
processprocess Security Monitoring ProcedureSecurity Monitoring Procedure Data Handling ProcedureData Handling Procedure ““Focused” User Awareness CampaignFocused” User Awareness Campaign
Villanova University 2005Villanova University 2005 1919
Strategic Plan- IT Security Strategic Plan- IT Security ScorecardScorecard
Developed a scorecard that rated Developed a scorecard that rated compliance with the security modelcompliance with the security model
Updated quarterly to monitor Updated quarterly to monitor improvementsimprovements
Highlights weaknesses and aids in Highlights weaknesses and aids in setting prioritiessetting priorities
Villanova University 2005Villanova University 2005 2020
Benefits of Asset-based ApproachBenefits of Asset-based Approach
Critical systems better protected from Critical systems better protected from internal threatsinternal threats
Critical data is more secureCritical data is more secure Heightened awareness among end usersHeightened awareness among end users System owners more involved with System owners more involved with
security practicessecurity practices• Increased compliance with security standardsIncreased compliance with security standards• Lowered incident response timeLowered incident response time
Villanova University 2005Villanova University 2005 2121
Challenges to Asset-based Challenges to Asset-based ApproachApproach
Overcoming “higher ed” obstaclesOvercoming “higher ed” obstacles Legacy systemsLegacy systems Asset inventoryAsset inventory
Villanova University 2005Villanova University 2005 2222
Thanks!Thanks!
[email protected]@villanova.edu