• 280 likes • 655 Views
IT Security and Privacy in Educational Environments. Terry Roebuck University of Saskatchewan. IT Security Issues in an Educational Environment. Understanding Security and Technology Differing Drivers and Resource Conflicts Administrative Requirement / Academic Need
E N D
IT Security and Privacy in Educational Environments Terry Roebuck University of Saskatchewan
IT Security Issues in anEducational Environment • Understanding Security and Technology • Differing Drivers and Resource Conflicts • Administrative Requirement / Academic Need • Achieving Balance in Privacy and Security • Strategies for Success • Common Goals and Community
The Technology of Security • Security and privacy are not media dependent • Protection techniques are media dependent • Security and privacy rely on trust: • Trust in policy (to provide rules and guidance) • Trust in process (to ensure compliance) • Trust in technology (to deliver anticipated results) • Trust in people (to act responsibly)
C - Confidentiality C “Keep secrets”
C - Confidentiality I - Integrity C I “Keep data intact”
C - Confidentiality I - Integrity C I A - Accessibility A - “Allow availability on demand”
C - Confidentiality I - Integrity C I ? A - Accessibility A Security: somewhere around the intersection in The CIA Model
C - Confidentiality * granularity & data mining I - Integrity C I • Network • Hardware • Software • Procedures • People A A - Accessibility * Timeliness & Scope Complexities within the CIA Model
Drivers Opposing Balance in Privacy and Security • IT security & privacy: addition or integration? • Separating security from technology • Technology (h/w, s/w, network) life cycles • Knowledge and the transience of community • Changing requirements and standards • Scalability in problems and solutions • The internal perception of responsibility • The public perception of blame
Administrative Requirementsand Academic Needs • Administration: Security, Stability & Consistency • Commercial (production) s/w may not be well designed for security within an open environment (assume an ‘Intranet’) • Academia: Flexibility, Capacity & Capability • Academic applications may be more robust but expects user management & control (ex: wireless devices, web browsing) • ‘Permit unless Denied’ or ‘Deny unless Permitted’?
So How Much is Too Much? IT Security verses Productivity in Educational Environments
Too Little Security Net ‘Background Noise’ Affects Operations Technology becomes unstable Increased Risk of Critical Information Loss High Risk of System Compromise Through Attack
Too Much Security Device & network capability curtailed Divergence of user & support resources Diminished information accessibility Increase risk of compromise through workarounds
How to Strike a Balance - Understand our Community - Understand our unique Risks - Provide Education and Training - Embrace ‘Security Best Practices’ - Target Defense Resources to Risk - Use a Structured Methodology - Be BOTH Reactive and Proactive - Use Metrics, Records & Statistics
How to Strike a Balance - Understand our Community - Understand our unique Risks - Provide Education and Training - Embrace ‘Security Best Practices’ - Target Defense Resources to Risk - Use a Structured Methodology - Be BOTH Reactive and Proactive - Use Metrics, Records & Statistics
Will All of This Work? No Guarantees! - No Site is ‘fully secured” - No Attack Detected is not ‘secured’ - Maintaining 100% Effort - Conflicting Resource Demands
Common Goals and Community • Community members share a duty to security • Compromise will be required • There are no ‘sides’ - just advocates • Students advocate for open communication • Administration advocates for stable platforms • Faculty advocates for flexible functionality
IT securityis a community problem ... Any solution will require community involvementand commitment Terry.Roebuck@usask.ca
Academic - Administrative Paradigm • Limited Resources Force Tough Choices • Communication Barriers • Critical Senior Management Involvement • Metrics and Reporting - “Fixing the Problems I See” - The perceived value of measurement and structure
Tolerance For Risk • Academic & Administrative see different risks • Risk can not be eliminated in either view • Risk can be mitigated and managed if known • Level of risk tolerance is a management issue • Risk education and awareness lacking
How to Strike a Balance Understanding Security - Security is NOT full defense - All Systems have ‘holes’ - Tied to Defense & Attack Effort - Security: Risk Management - Security: Due Diligence - Security: A Management Function - Security: Based on Policy
How to Strike a Balance Understanding Risk - Determine Site Risk Tolerance - Know What Could Be a Target - Know Where Target is Located - Know Who Seeks The Target - Know Why They Seek The Target - Know When Target is Vulnerable
How to Strike a Balance General ‘Security Best Practices’ - Assign Security as a Responsibility - Awareness Training for Users - Security Training for IT Staff - Maintain Virus Detection Systems - Patch Systems and Applications - Limit Access & Capability by Need - Log & Investigate Incidences
How to Strike a Balance Target Defense to Attack & Risk - Focus Defense On Target Weakness - Vary Security by Risk of Loss - Make Security Application Oriented - Provide Flexibility for Change - Base Security in Unit Policy
How to Strike a Balance Use Structured Methodology - Information Inventory - Risk Assessment - Mitigation Analysis & Planning - Periodic Review - Set Management Oversight
How to Strike a Balance Metrics, Records and Statistics - Log Critical Events - Maintain Site Records - Investigate Anomalies - Set & Maintain Site Standards - Follow Security Trends