Defining the Security Domain Marilu Goodyear John H. Louis University of Kansas.
-
Upload
paola-dovell -
Category
Documents
-
view
214 -
download
0
Transcript of Defining the Security Domain Marilu Goodyear John H. Louis University of Kansas.
Defining the Security Defining the Security DomainDomain
Marilu GoodyearMarilu Goodyear
John H. LouisJohn H. Louis
University of KansasUniversity of Kansas
Goals for the Security Policy?Goals for the Security Policy?
Protection of the networkProtection of the network Physical assetsPhysical assets Network functionality/reliabilityNetwork functionality/reliability
Protect Institutional DataProtect Institutional Data
Protect Institutional SystemsProtect Institutional Systems
What is the Security What is the Security DomainDomain??
The people, data, systems, and The people, data, systems, and devices that must comply with your devices that must comply with your
security policy, i.e. The scope security policy, i.e. The scope statement of your security policy.statement of your security policy.
The Complexity of the Campus The Complexity of the Campus EnvironmentEnvironment
Campuses are more than faculty, staff and Campuses are more than faculty, staff and studentsstudents Other organizations: institutes, affiliatesOther organizations: institutes, affiliates Related individuals to campus players: Related individuals to campus players:
parents, etc.parents, etc.
Network is complexNetwork is complex Where does your network begin and end?Where does your network begin and end?
Where are the boundaries?Where are the boundaries?
Security Domain and People Security Domain and People Identity ManagementIdentity Management
Identity ManagementIdentity Management Defines the people who are a part of your Defines the people who are a part of your
institution (Identification and Authentication)institution (Identification and Authentication) Authorizes access to systems on campus Authorizes access to systems on campus Passes credentials to other trusted institutions Passes credentials to other trusted institutions
and systems (Shibboleth)and systems (Shibboleth)
Security DomainSecurity Domain Larger than Identity Management since Larger than Identity Management since
people are only one element of the domainpeople are only one element of the domain
The Security Domain is The Security Domain is
Not just the campus networkNot just the campus network
Not just the campus administrative Not just the campus administrative structurestructure
Not just campus dataNot just campus data
Not just campus peopleNot just campus people
But is a combination of all But is a combination of all
Elements of Determining Who and Elements of Determining Who and What is in the Security DomainWhat is in the Security Domain
Why? and Why? and Who?Who?
What?What? How?How?
Whom to grant Whom to grant access?access?
Why are you Why are you granting them granting them access?access?
DataData
OpenOpen
RestrictedRestricted
SystemsSystems
OpenOpen
RestrictedRestricted
How do they How do they get accessget access
(telecom path)?(telecom path)?
Why? and Who?Why? and Who?
Individuals authorized as a member of your Individuals authorized as a member of your communitycommunity Employees (when acting within scope of employment)Employees (when acting within scope of employment) StudentsStudents AffiliatesAffiliates VisitorsVisitors
Means of authorizationMeans of authorization Campus online ID/PKI/BiometricCampus online ID/PKI/Biometric Trusted Visitor authorizationTrusted Visitor authorization No authorization (open/public wired or wireless No authorization (open/public wired or wireless
access) access)
The Security Domain The Security Domain and Policiesand Policies
In addition to the Security Policy your In addition to the Security Policy your organization has other policies that include organization has other policies that include
“scope statements” (i.e. who the policy “scope statements” (i.e. who the policy applies to) that relate to the security domainapplies to) that relate to the security domain
Policies that Relate to Who Gets Policies that Relate to Who Gets Access to Your Systems Access to Your Systems
EmployeesEmployees
StudentsStudents
AffiliatesAffiliates
Visitors Visitors
What? DataWhat? Data
Freely available university data Freely available university data Web site data (examples)Web site data (examples)
Basic institutional infoBasic institutional info Research reportsResearch reports Press releasesPress releases
Restricted or confidential dataRestricted or confidential dataFederal law confidential (examples)Federal law confidential (examples)
HIPPAHIPPA FERPAFERPA
University policy restricted (examples)University policy restricted (examples) Email account content Email account content
University policy sensitive (examples)University policy sensitive (examples) Financial dataFinancial data
What? SystemsWhat? Systems
Public systems Public systems Web pagesWeb pages Library and Museum CatalogsLibrary and Museum Catalogs Institutional repositoriesInstitutional repositories
www.kuscholarworks.ku.eduwww.kuscholarworks.ku.edu
Institution systemsInstitution systems Administrative SystemsAdministrative Systems
Financial, Student Information, Human Resources, Parking, Financial, Student Information, Human Resources, Parking, etc.etc.
Academic SystemsAcademic SystemsCourse management, library integrated systems, emailCourse management, library integrated systems, email
Research SystemsResearch Systems
Data and Systems PoliciesData and Systems Policies
University Data and Records PoliciesUniversity Data and Records Policies
Policies that relate to legally defined Policies that relate to legally defined confidential data (e.g. HIPPA, GLB, etc.) confidential data (e.g. HIPPA, GLB, etc.)
Policies that relate to access to Policies that relate to access to confidential dataconfidential data
Authorization policies and procedures as Authorization policies and procedures as they relate to defining access to campus they relate to defining access to campus systems (the why of the who)systems (the why of the who)
Public and Private Networks Public and Private Networks
Federal law provides definitions for public and Federal law provides definitions for public and private networks private networks
Our institutional networks are generally Our institutional networks are generally considered to be private networksconsidered to be private networks
Public networks or common carriers generallyPublic networks or common carriers generally Charge a fee to their usersCharge a fee to their users Are considered “public” networks because they Are considered “public” networks because they
provide(mostly sell) services to any individual provide(mostly sell) services to any individual
The Campus Network as a Private The Campus Network as a Private NetworkNetwork
It is important to higher education institutions It is important to higher education institutions that our networks be defined as private networks that our networks be defined as private networks in relation to federal law. This allows us to in relation to federal law. This allows us to manage the network and the privacy of the users manage the network and the privacy of the users and data. and data.
As federal government requires more of network As federal government requires more of network operators, it is important that we know and operators, it is important that we know and understand the boundaries of our networks, i.e. understand the boundaries of our networks, i.e. What exactly are we responsible for?What exactly are we responsible for?
What are the network boundaries?What are the network boundaries?
Institutional NetworkInstitutional Network Institutionally infrastructure owned and run by Institution, either by Institutionally infrastructure owned and run by Institution, either by
Central IT Central IT Departmental Unit Departmental Unit Cluster of Units in BuildingsCluster of Units in Buildings
Institutionally owned but run by other entity (outsourced)Institutionally owned but run by other entity (outsourced) Corporation owned infrastructure either:Corporation owned infrastructure either:
managed by the institutionmanaged by the institutionmanaged by the private entitymanaged by the private entityIn this case contract language would be important in delineating In this case contract language would be important in delineating responsibility responsibility
Public NetworkPublic Network Member of the University has an individual account on a network owned Member of the University has an individual account on a network owned
and managed by a corporate entity (i.e. faculty members home account and managed by a corporate entity (i.e. faculty members home account on local cable provider system)on local cable provider system)
Network Policies and the Security Network Policies and the Security DomainDomain
Institutional Network Policy Institutional Network Policy Domain sometimes is limited to centrally Domain sometimes is limited to centrally
managed network managed network Domain should include networks run by Domain should include networks run by
departmentsdepartments
A good Network Policy should define the A good Network Policy should define the network boundary which in turn affects the network boundary which in turn affects the definition of the security domaindefinition of the security domain
Inside or Outside of the Security Inside or Outside of the Security Domain ?Domain ?
When will a security breach affect the When will a security breach affect the institution in some way?institution in some way?
A function of three questions:A function of three questions: Who?Who? What? What?
DataData
SystemsSystems How?How?
Example #1Example #1
Employee of institution is at their private Employee of institution is at their private residence on a local cable network residence on a local cable network searching the institution library catalogsearching the institution library catalog
Are they in the Security Domain?Are they in the Security Domain? Who? Yes (employee)Who? Yes (employee) What? No (public system and data)What? No (public system and data) How? No (private network)How? No (private network)
NONO
Example #2Example #2
A student is in their private apartment on a cable A student is in their private apartment on a cable network accessing their grades through the network accessing their grades through the portal and student information systemportal and student information system
Are they in the Security Domain?Are they in the Security Domain? Who? Yes (student)Who? Yes (student) What? Yes (Confidential data and private system)What? Yes (Confidential data and private system) How? No (private network)How? No (private network)
YesYes
Example #3Example #3
A affiliated corporation employee is in their A affiliated corporation employee is in their office on the institution owned and run office on the institution owned and run network searching the CNN Web sitenetwork searching the CNN Web siteAre they in the Security Domain?Are they in the Security Domain? Who? Yes (affiliate employee)Who? Yes (affiliate employee) What? No (assessing public system and What? No (assessing public system and
data)data) How? Yes (institution network)How? Yes (institution network)
YesYes
Example #4Example #4
Institutional employee at an off campus location Institutional employee at an off campus location on a cable network is searching the Student on a cable network is searching the Student Information System for information about a Information System for information about a studentstudent
Are they in the Security Domain?Are they in the Security Domain? Who? Yes (employee)Who? Yes (employee) What? Yes (confidential data and private system)What? Yes (confidential data and private system) How? No (private network)How? No (private network)
Yes Yes
Example #5Example #5
Institutional employee at an off campus Institutional employee at an off campus location on a cable network is searching location on a cable network is searching the institution web site for information on the institution web site for information on an academic programan academic programAre they in the Security Domain?Are they in the Security Domain? Who? Yes (employee)Who? Yes (employee) What? No (public data and system)What? No (public data and system) How? No (private network)How? No (private network)
Yes or No Yes or No
Example #6Example #6
University IT employee at an EDUCAUSE University IT employee at an EDUCAUSE Security Conference in Denver through the Security Conference in Denver through the EDUCAUSEAir Wireless service reading an EDUCAUSEAir Wireless service reading an email about an employee discipline problem.email about an employee discipline problem.Are they in the Security Domain?Are they in the Security Domain? Who? Yes (employee)Who? Yes (employee) What? Yes (confidential data and institutional What? Yes (confidential data and institutional
system)system) How? No (EDUCAUSE and hotel network) or Yes (if How? No (EDUCAUSE and hotel network) or Yes (if
on VPN)on VPN)
Yes Yes
Most of the time you are in the Most of the time you are in the Security Domain, if Security Domain, if
If you are on the (or an) institutional If you are on the (or an) institutional network network
If you are accessing confidential data or If you are accessing confidential data or systems, systems, Unless data as moved beyond the institution Unless data as moved beyond the institution
If you are acting in your role as a If you are acting in your role as a university employee or student employee university employee or student employee
But not if you are a student But not if you are a student
Thinking about Control and Thinking about Control and ResponsibilityResponsibility
When do we want control?When do we want control? When behavior can affect us we need sanctionsWhen behavior can affect us we need sanctions
Who do we want to be responsible for?Who do we want to be responsible for? As few people as possibleAs few people as possible Particularly interested in NOT being responsible for Particularly interested in NOT being responsible for
students.students.
If inside the security domain the institution is If inside the security domain the institution is affected by the behavior and affected by the behavior and maybemaybe responsible responsible for the behavior. for the behavior.
ConclusionConclusion
Defining a Security Domain for your Defining a Security Domain for your institution is a critical step in implementing institution is a critical step in implementing your Security Policy and the scope of your Security Policy and the scope of other policiesother policies
Boundaries can be fuzzy, but need Boundaries can be fuzzy, but need definition so that accountability is as clear definition so that accountability is as clear as it can be.as it can be.
Questions?Questions?
Marilu GoodyearMarilu GoodyearJohn LouisJohn Louis
University of KansasUniversity of Kansas
[email protected]@ku.edu
[email protected]@ku.edu
KU Network DefinitionsKU Network Definitions
The University network begins at the point where an The University network begins at the point where an end-user device (located on University-owned or leased end-user device (located on University-owned or leased property, or on KU Endowment property utilized by the property, or on KU Endowment property utilized by the University’s Lawrence or Edwards campuses) gains University’s Lawrence or Edwards campuses) gains access to this infrastructure and ends at the point where access to this infrastructure and ends at the point where the University network attaches to external non-KU the University network attaches to external non-KU networks. networks. End-user devices that indirectly connect via a third-party End-user devices that indirectly connect via a third-party telecommunications provider (a connection made to the telecommunications provider (a connection made to the KU network via a home broadband or dial up connection KU network via a home broadband or dial up connection for example) are not considered part of the University for example) are not considered part of the University network. network.