Defining the Security Domain
Marilu Goodyear, John H. Louis
University of Kansas
Goals for the Security Policy?
• Protection of the network
  • Physical assets
  • Network functionality/reliability
• Protect Institutional Data
• Protect Institutional Systems
What is the Security Domain?
The people, data, systems, and devices that must comply with your security policy, i.e., the scope statement of your security policy.
The Complexity of the Campus Environment
• Campuses are more than faculty, staff and students
  • Other organizations: institutes, affiliates
  • Individuals related to campus players: parents, etc.
• Network is complex
  • Where does your network begin and end?
  • Where are the boundaries?
Security Domain and People Identity Management
• Identity Management
  • Defines the people who are a part of your institution (Identification and Authentication)
  • Authorizes access to systems on campus
  • Passes credentials to other trusted institutions and systems (Shibboleth)
• Security Domain
  • Larger than Identity Management since people are only one element of the domain
The Security Domain is
• Not just the campus network
• Not just the campus administrative structure
• Not just campus data
• Not just campus people
• But is a combination of all
Elements of Determining Who and What is in the Security Domain
Why? and Who?
• Individuals authorized as a member of your community
  • Employees (when acting within scope of employment)
  • Students
  • Affiliates
  • Visitors
• Means of authorization
  • Campus online ID/PKI/Biometric
  • Trusted Visitor authorization
  • No authorization (open/public wired or wireless access)
The Security Domain and Policies
In addition to the Security Policy, your organization has other policies that include “scope statements” (i.e., who the policy applies to) that relate to the security domain.
Policies that Relate to Who Gets Access to Your Systems
• Employees
• Students
• Affiliates
• Visitors
What? Data
• Freely available university data
  • Web site data (examples)
    • Basic institutional info
    • Research reports
    • Press releases
• Restricted or confidential data
  • Federal law confidential (examples)
    • HIPAA
    • FERPA
  • University policy restricted (examples)
    • Email account content
  • University policy sensitive (examples)
    • Financial data
What? Systems
• Public systems
  • Web pages
  • Library and Museum Catalogs
  • Institutional repositories
    • www.kuscholarworks.ku.edu
• Institution systems
  • Administrative Systems
    • Financial, Student Information, Human Resources, Parking, etc.
  • Academic Systems
    • Course management, library integrated systems, email
  • Research Systems
Data and Systems Policies
• University Data and Records Policies
• Policies that relate to legally defined confidential data (e.g. HIPAA, GLB, etc.)
• Policies that relate to access to confidential data
• Authorization policies and procedures as they relate to defining access to campus systems (the why of the who)
Public and Private Networks
• Federal law provides definitions for public and private networks
• Our institutional networks are generally considered to be private networks
• Public networks or common carriers generally
  • Charge a fee to their users
  • Are considered “public” networks because they provide (mostly sell) services to any individual
The Campus Network as a Private Network
• It is important to higher education institutions that our networks be defined as private networks in relation to federal law. This allows us to manage the network and the privacy of the users and data.
• As the federal government requires more of network operators, it is important that we know and understand the boundaries of our networks, i.e. What exactly are we responsible for?
What are the network boundaries?
• Institutional Network
  • Institutional infrastructure owned and run by Institution, either by
    • Central IT
    • Departmental Unit
    • Cluster of Units in Buildings
  • Institutionally owned but run by other entity (outsourced)
  • Corporation-owned infrastructure, either:
    • managed by the institution
    • managed by the private entity
    • In this case contract language would be important in delineating responsibility
• Public Network
  • Member of the University has an individual account on a network owned and managed by a corporate entity (i.e. faculty member's home account on local cable provider system)
Network Policies and the Security Domain
• Institutional Network Policy
  • Domain sometimes is limited to centrally managed network
  • Domain should include networks run by departments
• A good Network Policy should define the network boundary which in turn affects the definition of the security domain
Inside or Outside of the Security Domain?
• When will a security breach affect the institution in some way?
• A function of three questions:
  • Who?
  • What?
    • Data
    • Systems
  • How?
Example #1
• Employee of institution is at their private residence on a local cable network searching the institution library catalog
• Are they in the Security Domain?
  • Who? Yes (employee)
  • What? No (public system and data)
  • How? No (private network)
• NO
Example #2
• A student is in their private apartment on a cable network accessing their grades through the portal and student information system
• Are they in the Security Domain?
  • Who? Yes (student)
  • What? Yes (Confidential data and private system)
  • How? No (private network)
• Yes
Example #3
• An affiliated corporation employee is in their office on the institution owned and run network searching the CNN Web site
• Are they in the Security Domain?
  • Who? Yes (affiliate employee)
  • What? No (accessing public system and data)
  • How? Yes (institution network)
• Yes
Example #4
• Institutional employee at an off campus location on a cable network is searching the Student Information System for information about a student
• Are they in the Security Domain?
  • Who? Yes (employee)
  • What? Yes (confidential data and private system)
  • How? No (private network)
• Yes
Example #5
• Institutional employee at an off campus location on a cable network is searching the institution web site for information on an academic program
• Are they in the Security Domain?
  • Who? Yes (employee)
  • What? No (public data and system)
  • How? No (private network)
• Yes or No
Example #6
• University IT employee at an EDUCAUSE Security Conference in Denver through the EDUCAUSEAir Wireless service reading an email about an employee discipline problem.
• Are they in the Security Domain?
  • Who? Yes (employee)
  • What? Yes (confidential data and institutional system)
  • How? No (EDUCAUSE and hotel network) or Yes (if on VPN)
• Yes
Most of the time you are in the Security Domain
• If you are on the (or an) institutional network
• If you are accessing confidential data or systems,
  • Unless data has moved beyond the institution
• If you are acting in your role as a university employee or student employee
  • But not if you are a student
Thinking about Control and Responsibility
• When do we want control?
  • When behavior can affect us we need sanctions
• Who do we want to be responsible for?
  • As few people as possible
  • Particularly interested in NOT being responsible for students.
• If inside the security domain the institution is affected by the behavior and may be responsible for the behavior.
Conclusion
• Defining a Security Domain for your institution is a critical step in implementing your Security Policy and the scope of other policies
• Boundaries can be fuzzy, but need definition so that accountability is as clear as it can be.
Marilu Goodyear, John Louis
University of Kansas
goodyear@ku.edu, jlouis@ku.edu
KU Network Definitions
• The University network begins at the point where an end-user device (located on University-owned or leased property, or on KU Endowment property utilized by the University’s Lawrence or Edwards campuses) gains access to this infrastructure and ends at the point where the University network attaches to external non-KU networks.
• End-user devices that indirectly connect via a third-party telecommunications provider (a connection made to the KU network via a home broadband or dial-up connection, for example) are not considered part of the University network.