NET+ SECURITY AND IDENTITY PORTFOLIO DEVELOPMENT WORKSHOP · Security and Identity Portfolio

Transcript of NET+ SECURITY AND IDENTITY PORTFOLIO DEVELOPMENT WORKSHOP

Page 1:

NET+ SECURITY AND IDENTITY PORTFOLIO DEVELOPMENT WORKSHOP

Nick Lewis, Internet2 NET+ Program Manager, Security and Identity

© 2015 Internet2

Page 2:

Outline for this portion

•  Future information security improvement to NET+ program
–  Communications
–  Documentation
–  How-to guide – Do we need a how-to guide for the information security aspects of service validation?
–  Incident Response
–  Data security matrix
–  How to handle privacy, IT compliance, PCI, etc.
•  Campus value
•  NET+ Security and Identity portfolio
•  Service providers

Page 3:

Future information security improvement to NET+ program

Page 4:

Communications

•  Standard updates on service portfolio
•  Changes at service providers
•  Changes in overall NET+ program around security
•  Other activities underway or in discussion as part of NET+ SI portfolio
•  Marketing on the portfolio and services
•  Presentation at other forums?
•  Outreach to other groups or regional groups

Page 5:

Documentation

•  What needs to be documented? Who should create it?
•  Formality of documentation
•  Retention
•  Provided by Internet2 or service provider? Under NDA?
•  Available for early adopter or general availability subscribers?

Page 6:

Documentation for campus on NET+

•  How-to guide – Do we need a how-to guide for the information security aspects of service validation?

Page 7:

Incident Response

•  What is Internet2's role in a service provider incident? How to include REN-ISAC?
–  Or, in a critical vulnerability?
•  Template contract says we need to be contacted, but with minimal details
•  What is currently done
•  What can/should we do?
•  Examples
–  Heartbleed
–  LastPass
•  Small group discussion – How should it work?

Page 8:

NET+ and Privacy

•  Core data owned by campus
•  Data stored by service providers about campuses or campus usage of the service
•  How to handle data de-identification
•  What data can be shared with Internet2 about campuses' usage of NET+ services
•  Should we do transparency reports on the types of legal requests SPs are getting? Or, more added to template contract?

Page 9:

NET+ and Logging

•  What kind of standards should service providers use for sharing log data – RFC, syslog, other?
•  Must be able to be integrated into campus SIEM/logging systems
•  Extracting logs vs logs being pushed
•  Cloud services, locally hosted, hybrid, others all need to be included in the campus systems
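Added example, not part of the Internet2 deck and not code from any NET+ service provider: what "RFC syslog, pushed into the campus SIEM" looks like once a provider actually sends it. The parser takes RFC 5424 messages as a provider would push them, rejects anything that is not RFC 5424 (a legacy-format line is returned as None so it can be quarantined rather than silently mis-parsed as a format change goes unnoticed), and flattens the structured-data parameters into the key=value fields a SIEM indexes. The sample lines, the vendor hostname, the SD-ID `auth@32473` and its parameter names are constructed for the example.

```python
import re
from typing import Optional

# Added example, not code from the Internet2 deck or from any NET+ service provider.
# Normalises RFC 5424 syslog as a service provider would push it, into flat fields a
# campus SIEM can index. Sample lines, hostname, SD-ID and parameter names are constructed.

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
# followed by STRUCTURED-DATA (or "-") and the free-text MSG.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2})\s+"
    r"(?P<timestamp>\S+)\s+(?P<hostname>\S+)\s+(?P<appname>\S+)\s+"
    r"(?P<procid>\S+)\s+(?P<msgid>\S+)\s+(?P<rest>.*)$",
    re.DOTALL,
)
# One SD-ELEMENT: [SD-ID PARAM-NAME="PARAM-VALUE" ...]; values may escape " ] and \
_SD_ELEMENT = re.compile(r'\[(?P<id>[^\s\]="]+)(?P<params>(?:\s+[^\s=\]"]+="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM = re.compile(r'(?P<key>[^\s=\]"]+)="(?P<value>(?:[^"\\]|\\.)*)"')

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def _unescape(value: str) -> str:
    # RFC 5424 section 6.3.3: only '"', '\' and ']' are escaped inside a PARAM-VALUE
    return value.replace('\\"', '"').replace("\\]", "]").replace("\\\\", "\\")


def parse_syslog_5424(line: str) -> Optional[dict]:
    """Return a normalised event dict, or None if the line is not well-formed RFC 5424.

    A None should be quarantined for review, not dropped: a provider silently changing
    its log format is itself something the campus wants to notice.
    """
    m = _HEADER.match(line.strip())
    if not m or m.group("version") != "1":
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # PRI is facility*8 + severity, so 191 is the maximum
        return None
    event = {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("timestamp"),
        "host": m.group("hostname"),
        "app": m.group("appname"),
        "procid": m.group("procid"),
        "msgid": m.group("msgid"),
        "sd": {},
        "msg": "",
    }
    rest = m.group("rest")
    if rest.startswith("-"):  # NILVALUE: no structured data
        event["msg"] = rest[1:].strip()
        return event
    pos = 0
    while pos < len(rest) and rest[pos] == "[":
        sd = _SD_ELEMENT.match(rest, pos)
        if not sd:
            return None  # malformed structured data
        params = {k: _unescape(v) for k, v in _SD_PARAM.findall(sd.group("params"))}
        event["sd"][sd.group("id")] = params
        pos = sd.end()
    event["msg"] = rest[pos:].strip()
    return event


def to_siem_fields(event: dict) -> dict:
    """Flatten for a key=value index: each SD param becomes '<SD-ID>.<PARAM-NAME>'."""
    flat = {k: v for k, v in event.items() if k != "sd"}
    flat["severity_name"] = SEVERITY[event["severity"]]
    for sd_id, params in event["sd"].items():
        for key, value in params.items():
            flat[f"{sd_id}.{key}"] = value
    return flat


# Constructed sample: two RFC 5424 lines as a hypothetical provider might push them,
# plus one legacy RFC 3164-style line that must be rejected, not mis-parsed.
SAMPLE_PUSHED_LINES = [
    '<134>1 2015-06-10T14:22:01.123Z sp-gw01.example-vendor.net authsvc 4711 LOGIN '
    '[auth@32473 user="jdoe" result="failure" reason="bad \\"otp\\""] Login denied for jdoe',
    "<13>1 2015-06-10T14:22:05Z sp-gw01.example-vendor.net authsvc - - - Heartbeat",
    "Jun 10 14:22:07 legacy-box su: pam_unix(su:auth): authentication failure",
]

if __name__ == "__main__":
    for line in SAMPLE_PUSHED_LINES:
        event = parse_syslog_5424(line)
        if event is None:
            print("QUARANTINE:", line)
        else:
            print(to_siem_fields(event))
```

The push-versus-extract question on the slide changes only where `parse_syslog_5424` is fed from (a listening syslog receiver versus a scheduled API pull); the normalisation and the quarantine path stay the same, which is the property a campus wants from whatever format it writes into the template contract.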

Page 10:

Data security matrix

•  Do campuses want a service provider to be labeled as “campuses have approved for HIPAA data” or something like that (with appropriate disclaimers)

•  Would a sensitive data matrix be helpful? Maybe based on laws, reg, etc?

Page 11:

How to handle compliance?

•  IT compliance
–  Is this more than what is being done for FERPA, HIPAA, and GLBA?
•  PCI
–  It's not addressed in current templates. Not sure how it would be incorporated.
–  Is this something you're interested in?
•  Other?

Page 12:

Campus value

Page 13:

Campus Value

•  How to define the value to the campuses?
•  Benchmarking with other campuses
•  How does this fit into an institution's information security program?
•  Part of building IT risk management and cloud services security assessments
•  Assurance to exec management and boards that the appropriate steps are being taken to manage risk.
•  Current NET+ formula
•  Can reducing IT security risk be included in this?

Page 14:

NET+ Security and Identity portfolio

Page 15:

Security and Identity Portfolio

•  Bring NET+ Principles to Security and Identity community

•  Engage with the broadly defined higher education information security community in the portfolio development and adoption.

•  Disrupt the status quo of how information security is integrated and executed at a campus, to better manage information security risk and improve privacy and compliance on campuses.

•  Make tools and services quickly available to campuses that aren't currently available because of the cost, staff, or technical resources required.

Page 16:

NET+ Security and Identity portfolio

–  What should be in this portfolio?
–  Program advisory group and CISO oversight group (or is this just HEISC?)
–  What do campuses want?
•  IDM-as-a-service, forensics, etc. as a service?
•  Security-as-a-service
–  HEISC top infosec priorities
–  Categories – suggestions for service providers in each category
–  Small group discussion – How should it work?

Page 17:

Service providers

Page 18:

Service providers

•  In the works
•  Other NET+ portfolios with services of interest to information security
•  Details on individual service providers?
•  NET+ can help raise a service provider's awareness in HE and help them engage with HE
•  What services are not unique to your campus that could be beneficial to the community to adopt?
•  What is an HE-unique challenge that we could work with a service provider to meet?

Page 19:

Example service providers

•  Webapp security – Whitehat Security
•  Anti-phishing
•  Mobile Device Management
•  Enterprise Risk Management / IT Security Risk Management
•  Security awareness and training
•  Threat intelligence / SIEM
•  DDoS
•  Cloud Security training?
•  Non-traditional NET+ providers (i.e., locally installed and managed software)

Page 20:

Other Service Providers

We have also talked with several potential service providers

•  Qualys
•  Tenable
•  HP Fortify on Demand
•  Akamai for DDoS service
•  Black Lotus (acquired by Level 3) for DDoS service
•  AlienVault for SIEM service

Page 21:

Any interest in these types of tools

•  Web app security scanners – Whitehat Security
•  Endpoint security – Bit9+Carbon Black?
•  Mobile Device Management – Airwatch?
•  ITGRC – ServiceNow (in SV), RSAM, etc.?
•  Threat intelligence – Fidelis Cybersecurity?

Page 22:

What other service providers?

Page 23:

Service Provider Status

Page 24:

Page 25:

Area: Security and Identity Solution: Certificates Provider: InCommon Sponsor: InCommon

InCommon Certificate Service

Status
•  Provides unlimited SSL, extended validation, client (personal), and code-signing certificates for one fixed annual fee, including all domains that you own or control.

Next Steps
Collaborate with InCommon

Page 26:

Area: Security and Identity Solution: Multifactor Authentication Provider: Duo Security Sponsor: InCommon

Duo Security

Status
•  Through its program with Internet2's InCommon, Duo Security offers affordable pricing models for phone-based second-factor authentication: a site license for faculty/staff, faculty/staff/students, and campus associates.

Next Steps
Bring into NET+ Program. Forming Service Advisory Board.

Page 27:

Area: Infrastructure and Platform Services; Identity and Security

Solution: Machine data analysis Provider: Splunk Sponsor: Multiple Universities

Splunk

Status
•  3-year subscription term license at discounted rates
•  2nd waterfall pricing threshold reached
•  Community-developed software license agreement

Next Steps
Summer Advisory Board meeting. Discussing Splunk Cloud.

Page 28:

Area: Security and Identity Solution: Automated network access Provider: Internet2

eduroam

Status
•  Mature service (260+ participating institutions)
•  Available to non-members
•  About to enter General Availability

Next Steps
Complete service agreement, begin invoicing non-member institutions

Page 29:

Area: Security and Identity Solution: Digital Signatures Provider: DocuSign Sponsors: Temple University

DocuSign

Status
•  DocuSign creates secure methods to capture electronic signatures and leverage paperless workflow
•  Details on ordering and sign-up being worked out in early adopter

Next Steps
Sign up service validation and early adopters. Form service advisory board.

Page 30:

Area: Security and Identity Solution: Password Management Provider: LastPass Sponsors: Duke University

LastPass

Status
•  Online/offline password manager
•  Ready for Early Adopters

Next Steps
Webinar announcing service, start campus sign-ups and set up service advisory board

Page 31:

Area: Security and Identity Solution: Digital Signatures Provider: Adobe Sponsors: Clemson University

Adobe Document Cloud eSign

Status
•  Quickstart service validation
•  Starting Service Validation

Next Steps
SV calls underway; sign business agreement.

Page 32:

Area: Security and Identity Solution: Umbrella Provider: OpenDNS (announced acquired by Cisco) Sponsors: Clemson

OpenDNS

Status
•  OpenDNS is a leader

Next Steps
Working through quick start to get into NET+ program to complete SV within 2 years.

Page 33:

CloudDLP Service Providers

•  We are currently talking or actively engaged with 9 different CloudDLP providers
•  Started with the Box DLP Webinar series
•  Adallom, CipherCloud, CloudLock, Code Green, Global Velocity, Netskope, Skyhigh, Symantec, and Websense
•  All have the basics of scanning for sensitive data
•  Forming working group to evaluate features, functionality, etc.
•  Address privacy issues up front
•  How does a campus actually address the privacy aspects?
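Added example, not from the deck and not code from any CloudDLP vendor named above: the "basics of scanning for sensitive data" that the slide attributes to every provider, written so that the privacy question on the same slide is answered in the output rather than deferred. A finding carries the match type, its offset, a masked form and a keyed fingerprint for correlating repeat hits across files; it never carries the raw number, so the DLP report itself cannot become a second copy of the card numbers or SSNs it found. Detection is a Luhn-checked PAN pattern and a US SSN pattern; the sample text and the HMAC key are constructed.

```python
import hashlib
import hmac
import re

# Added example, not code from the Internet2 deck or from any CloudDLP vendor named above.
# The "basics of scanning for sensitive data" with the privacy aspect handled in the
# output: a finding never carries the raw value, only its type, position, a masked form
# and a keyed fingerprint. Sample text and HMAC key are constructed for the example.

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded in a longer run
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in AAA-GG-SSSS form, excluding the area/group/serial values SSA never issues
_SSN = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit (ISO/IEC 7812); cuts most 16-digit false positives such as order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def _fingerprint(value: str, key: bytes) -> str:
    # Keyed, so repeat findings of the same value can be correlated across files and
    # campuses without the DLP report itself becoming a store of card numbers or SSNs.
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def scan(text: str, key: bytes) -> list:
    """Return privacy-preserving findings, sorted by offset in the text."""
    findings = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append({"type": "pan", "offset": m.start(),
                             "masked": _mask(digits), "fp": _fingerprint(digits, key)})
    for m in _SSN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        findings.append({"type": "ssn", "offset": m.start(),
                         "masked": _mask(digits), "fp": _fingerprint(digits, key)})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample document and key (the key would come from the campus's secret store)
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_TEXT = (
    "Invoice paid with card 4111 1111 1111 1111 (exp 09/19). "
    "Student SSN 123-45-6789 on file. "
    "Order ref 4111111111111112 is a tracking number, not a card."
)

if __name__ == "__main__":
    for finding in scan(SAMPLE_TEXT, SAMPLE_KEY):
        print(finding)
```

The third sentence of the sample is the check a campus would want to run against any vendor in the working group: a 16-digit number that fails Luhn must not be reported, and whatever is reported must be reviewable by campus counsel without exposing the value it was reported for.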

Page 34:

Area: Security and Identity Solution: Cloud DLP Provider: CloudLock Sponsors: Arizona State University

CloudLock

Status
•  Quickstart service validation
•  Working with CloudLock on service validation and identifying additional campuses

Next Steps
–  Start SV calls, define use cases, and get campuses involved. Start working on privacy discussions.
–  Trying to get legal calls set up with campuses

Page 35:

Area: Security and Identity Solution: Cloud DLP Provider: Skyhigh Sponsors: Brandeis University

Skyhigh

Status
•  Quickstart service validation
•  Starting Service Validation

Next Steps
Start SV calls and sign business agreement. Start working through privacy discussions.

Page 36:

Area: Security and Identity Solution: Cloud DLP Provider: Netskope Sponsors: Open for sponsors

Netskope

Status
•  Netskope is a leader in cloud app analytics and policy enforcement. Netskope helps people safely use their favorite cloud apps so the business can move fast, with confidence.

Next Steps
Start SV calls and sign business agreement. Start working through privacy discussions.

Page 37:

Area: Security and Identity Solution: Threat Intelligence Provider: General Dynamics Fidelis Cybersecurity Solutions Sponsor: N/A

Fidelis Cybersecurity Solutions

Status
•  Working to understand NET+ model
•  Seeking sponsor/service validators

Next Steps
Identify sponsor campus

Page 38:

NET+ SECURITY AND IDENTITY PORTFOLIO DEVELOPMENT WORKSHOP

Nick Lewis, Internet2 NET+ Program Manager, Security and Identity

© 2015 Internet2