security domain educause security conf 4-11-06

8/8/2019 Security Domain EDUCAUSE Security Conf 4-11-06

1/30

Defining the SecurityDefining the Security

DomainDomainMarilu GoodyearMarilu Goodyear

John H. LouisJohn H. LouisUniversity of KansasUniversity of Kansas


2/30

Goals for the Security Policy?Goals for the Security Policy?

Protection of the networkProtection of the network

Physical assetsPhysical assets

Network functionality/reliabilityNetwork functionality/reliabilityProtect Institutional DataProtect Institutional Data

Protect Institutional SystemsProtect Institutional Systems


3/30

What is the SecurityWhat is the Security

DomainDomain??The people, data, systems, andThe people, data, systems, and

devices that must comply with yourdevices that must comply with yoursecurity policy, i.e. The scopesecurity policy, i.e. The scope

statement of your security policy.statement of your security policy.


4/30

The Complexity of the CampusThe Complexity of the Campus

EnvironmentEnvironmentCampuses are more than faculty, staff andCampuses are more than faculty, staff and

studentsstudents

Other organizations: institutes, affiliatesOther organizations: institutes, affiliates Related individuals to campus players:Related individuals to campus players:

parents, etc.parents, etc.

Network is complexNetwork is complex

Where does your network begin and end?Where does your network begin and end?

Where are the boundaries?Where are the boundaries?


5/30

Security Domain and PeopleSecurity Domain and People

Identity ManagementIdentity ManagementIdentity ManagementIdentity Management

Defines the people who are a part of yourDefines the people who are a part of your

institution (Identification and Authentication)institution (Identification and Authentication)

Authorizes access to systems on campusAuthorizes access to systems on campus

Passes credentials to other trusted institutionsPasses credentials to other trusted institutions

and systems (Shibboleth)and systems (Shibboleth)

Security DomainSecurity Domain Larger than Identity Management sinceLarger than Identity Management since

people are only one element of the domainpeople are only one element of the domain


6/30

The Security Domain isThe Security Domain is

Not just the campus networkNot just the campus network

Not just the campus administrativeNot just the campus administrative

structurestructureNot just campus dataNot just campus data

Not just campus peopleNot just campus people

But is a combination of allBut is a combination of all


7/30

Elements of Determining Who andElements of Determining Who and

What is in the Security DomainWhat is in the Security DomainWhy? andWhy? and

Who?Who?

What?What? How?How?

Whom to grantWhom to grant

access?access?

Why are youWhy are you

granting themgranting them

access?access?

DataData

OpenOpenRestrictedRestricted

SystemsSystems

OpenOpen

RestrictedRestricted

How do theyHow do they

get accessget access

(telecom path)?(telecom path)?


8/30

Why? and Who?Why? and Who?

Individuals authorized as a member of yourIndividuals authorized as a member of yourcommunitycommunity Employees (when acting within scope of employment)Employees (when acting within scope of employment)

StudentsStudents AffiliatesAffiliates

VisitorsVisitors

Means of authorizationMeans of authorization

Campus online ID/PKI/BiometricCampus online ID/PKI/Biometric Trusted Visitor authorizationTrusted Visitor authorization

No authorization (open/public wired or wirelessNo authorization (open/public wired or wirelessaccess)access)


9/30

The Security DomainThe Security Domain

and Policiesand PoliciesIn addition to the Security Policy yourIn addition to the Security Policy your

organization has other policies that includeorganization has other policies that include

scope statements (i.e. who the policyscope statements (i.e. who the policyapplies to) that relate to the security domainapplies to) that relate to the security domain


10/30

Policies that Relate to Who GetsPolicies that Relate to Who Gets

Access to Your SystemsAccess to Your Systems

EmployeesEmployees

StudentsStudents

AffiliatesAffiliatesVisitorsVisitors


11/30

What? DataWhat? Data

Freely available university dataFreely available university dataWeb site data (examples)Web site data (examples)

Basic institutional infoBasic institutional info

Research reportsResearch reports

Press releasesPress releases

Restricted or confidential dataRestricted or confidential dataFederal law confidential (examples)Federal law confidential (examples)

HIPPAHIPPA

FERPAFERPA

University policy restricted (examples)University policy restricted (examples) Email account contentEmail account content

University policy sensitive (examples)University policy sensitive (examples)

Financial dataFinancial data


12/30

What? SystemsWhat? Systems

Public systemsPublic systems Web pagesWeb pages

Library and Museum CatalogsLibrary and Museum Catalogs

Institutional repositoriesInstitutional repositorieswww.kuscholarworks.ku.eduwww.kuscholarworks.ku.edu

Institution systemsInstitution systems Administrative SystemsAdministrative Systems

Financial, Student Information, Human Resources, Parking,Financial, Student Information, Human Resources, Parking,etc.etc.

Academic SystemsAcademic SystemsCourse management, library integrated systems, emailCourse management, library integrated systems, email

Research SystemsResearch Systems


13/30

Data and Systems PoliciesData and Systems Policies

University Data and Records PoliciesUniversity Data and Records Policies

Policies that relate to legally definedPolicies that relate to legally defined

confidential data (e.g. HIPPA, GLB, etc.)confidential data (e.g. HIPPA, GLB, etc.)Policies that relate to access toPolicies that relate to access to

confidential dataconfidential data

Authorization policies and procedures asAuthorization policies and procedures asthey relate to defining access to campusthey relate to defining access to campus

systems (the why of the who)systems (the why of the who)


14/30

Public and Private NetworksPublic and Private Networks

Federal law provides definitions for public andFederal law provides definitions for public and

private networksprivate networks

Our institutional networks are generallyOur institutional networks are generally

considered to be private networksconsidered to be private networks

Public networks or common carriers generallyPublic networks or common carriers generally

Charge a fee to their usersCharge a fee to their users

Are considered public networks because theyAre considered public networks because theyprovide(mostly sell) services to any individualprovide(mostly sell) services to any individual


15/30

The Campus Network as a PrivateThe Campus Network as a Private

NetworkNetworkIt is important to higher education institutionsIt is important to higher education institutions

that our networks be defined as private networksthat our networks be defined as private networks

in relation to federal law. This allows us toin relation to federal law. This allows us to

manage the network and the privacy of the usersmanage the network and the privacy of the usersand data.and data.

As federal government requires more of networkAs federal government requires more of network

operators, it is important that we know andoperators, it is important that we know and

understand the boundaries of our networks, i.e.understand the boundaries of our networks, i.e.

What exactly are we responsible for?What exactly are we responsible for?


16/30

What are the network boundaries?What are the network boundaries?

Institutional NetworkInstitutional Network Institutionally infrastructure owned and run by Institution, either byInstitutionally infrastructure owned and run by Institution, either by

Central ITCentral IT

Departmental UnitDepartmental Unit

Cluster of Units in BuildingsCluster of Units in Buildings

Institutionally owned but run by other entity (outsourced)Institutionally owned but run by other entity (outsourced) Corporation owned infrastructure either:Corporation owned infrastructure either:

managed by the institutionmanaged by the institution

managed by the private entitymanaged by the private entity

In this case contract language would be important in delineatingIn this case contract language would be important in delineatingresponsibilityresponsibility

Public NetworkPublic Network Member of the University has an individual account on a network ownedMember of the University has an individual account on a network owned

and managed by a corporate entity (i.e. faculty members home accountand managed by a corporate entity (i.e. faculty members home accounton local cable provider system)on local cable provider system)


17/30

Network Policies and the SecurityNetwork Policies and the Security

DomainDomainInstitutional Network PolicyInstitutional Network Policy

Domain sometimes is limited to centrallyDomain sometimes is limited to centrally

managed networkmanaged network

Domain should include networks run byDomain should include networks run by

departmentsdepartments

A good Network Policy should define theA good Network Policy should define the

network boundary which in turn affects thenetwork boundary which in turn affects thedefinition of the security domaindefinition of the security domain


18/30

Inside or Outside of the SecurityInside or Outside of the Security

Domain ?Domain ?When will a security breach affect theWhen will a security breach affect the

institution in some way?institution in some way?

A function of three questions:A function of three questions: Who?Who?

What?What?

DataData

SystemsSystems

How?How?


19/30

Example #1Example #1

Employee of institution is at their privateEmployee of institution is at their private

residence on a local cable networkresidence on a local cable network

searching the institution library catalogsearching the institution library catalog

Are they in the Security Domain?Are they in the Security Domain?

Who? Yes (employee)Who? Yes (employee)

What? No (public system and data)What? No (public system and data)

How? No (private network)How? No (private network)

NONO


20/30


A student is in their private apartment on a cableA student is in their private apartment on a cable

network accessing their grades through thenetwork accessing their grades through the

portal and student information systemportal and student information system

Are they in the Security Domain?Are they in the Security Domain? Who? Yes (student)Who? Yes (student)

What? Yes (Confidential data and private system)What? Yes (Confidential data and private system)


YesYes


21/30


A affiliated corporation employee is in theirA affiliated corporation employee is in theiroffice on the institution owned and runoffice on the institution owned and runnetwork searching the CNN Web sitenetwork searching the CNN Web site

Are they in the Security Domain?Are they in the Security Domain? Who? Yes (affiliate employee)Who? Yes (affiliate employee)

What? No (assessing public system andWhat? No (assessing public system and

data)data) How? Yes (institution network)How? Yes (institution network)

YesYes


22/30


Institutional employee at an off campus locationInstitutional employee at an off campus location

on a cable network is searching the Studenton a cable network is searching the Student

Information System for information about aInformation System for information about a

studentstudentAre they in the Security Domain?Are they in the Security Domain?


What? Yes (confidential data and private system)What? Yes (confidential data and private system)


YesYes


23/30


Institutional employee at an off campusInstitutional employee at an off campuslocation on a cable network is searchinglocation on a cable network is searchingthe institution web site for information onthe institution web site for information on

an academic programan academic programAre they in the Security Domain?Are they in the Security Domain?


What? No (public data and system)What? No (public data and system) How? No (private network)How? No (private network)

Yes or NoYes or No


24/30


University IT employee at an EDUCAUSEUniversity IT employee at an EDUCAUSESecurity Conference in Denver through theSecurity Conference in Denver through theEDUCAUSEAir Wireless service reading anEDUCAUSEAir Wireless service reading an

email about an employee discipline problem.email about an employee discipline problem.Are they in the Security Domain?Are they in the Security Domain? Who? Yes (employee)Who? Yes (employee)

What? Yes (confidential data and institutionalWhat? Yes (confidential data and institutionalsystem)system)

How? No (EDUCAUSE and hotel network) or Yes (ifHow? No (EDUCAUSE and hotel network) or Yes (ifon VPN)on VPN)

YesYes


25/30

Most of the time you are in theMost of the time you are in the

Security Domain, ifSecurity Domain, if

If you are on the (or an) institutionalIf you are on the (or an) institutional

networknetwork

If you are accessing confidential data orIf you are accessing confidential data orsystems,systems,

Unless data as moved beyond the institutionUnless data as moved beyond the institution

If you are acting in your role as aIf you are acting in your role as a

university employee or student employeeuniversity employee or student employee

But not if you are a studentBut not if you are a student


26/30

Thinking about Control andThinking about Control and

ResponsibilityResponsibility

When do we want control?When do we want control?

When behavior can affect us we need sanctionsWhen behavior can affect us we need sanctions

Who do we want to be responsible for?Who do we want to be responsible for?

As few people as possibleAs few people as possible

Particularly interested in NOT being responsible forParticularly interested in NOT being responsible for

students.students.

If inside the security domain the institution isIf inside the security domain the institution is

affected by the behavior andaffected by the behavior and maybemaybe responsibleresponsible

for the behavior.for the behavior.


27/30

ConclusionConclusion

Defining a Security Domain for yourDefining a Security Domain for your

institution is a critical step in implementinginstitution is a critical step in implementing

your Security Policy and the scope ofyour Security Policy and the scope of

other policiesother policies

Boundaries can be fuzzy, but needBoundaries can be fuzzy, but need

definition so that accountability is as cleardefinition so that accountability is as clear

as it can be.as it can be.


28/30

Questions?Questions?


29/30

Marilu GoodyearMarilu Goodyear

John LouisJohn LouisUniversity of KansasUniversity of Kansas

[email protected]@[email protected]@ku.edu


30/30

KU Network DefinitionsKU Network Definitions

The University network begins at the point where anThe University network begins at the point where anendend--user device (located on Universityuser device (located on University--owned or leasedowned or leasedproperty, or on KU Endowment property utilized by theproperty, or on KU Endowment property utilized by theUniversitys Lawrence or Edwards campuses) gainsUniversitys Lawrence or Edwards campuses) gains

access to this infrastructure and ends at the point whereaccess to this infrastructure and ends at the point wherethe University network attaches to external nonthe University network attaches to external non--KUKUnetworks.networks.

EndEnd--user devices that indirectly connect via a thirduser devices that indirectly connect via a third--partypartytelecommunications provider (a connection made to thetelecommunications provider (a connection made to the

KU network via a home broadband or dial up connectionKU network via a home broadband or dial up connectionfor example) are not considered part of the Universityfor example) are not considered part of the Universitynetwork.network.

security domain educause security conf 4-11-06

Documents