NSF and IT Security George O. Strawn NSF CIO
Outline • Confessions of a CIO • Otoh • NSF matters • IT security progress at NSF • IT security progress in the Community • The future of IT security
Confessions of a CIO • To a scientist, there are more interesting things in the world than IT security • Until I became a CIO, I also had little interest in the subject • I was surprised to find out how much can be done for IT security with today's tools (i.e., we are not using the tools we already have) • I worry about unfunded mandates, too
But … • It's not interesting doing no science on a facility that has been shut down for scrubbing • Attending to IT security requires a culture change for most people and organizations • You have to learn what the elements of an IT security program are • Full cost accounting would show that lost productivity and remediation after an incident can exceed the cost of a security program
NSF Matters • NSF makes $5B+ of assistance awards annually, many to faculty and students at US colleges and universities • Assistance awards are outside the Federal Acquisition Regulations (FAR); they used to be viewed as gifts to higher education (HE); now they are viewed as highly orchestrated purchases of research capability • NSF awardees are bound by terms and conditions, which tend to say what is required, but not how to do it
More NSF context • NSF support can be approximately divided into $3B for research, $1B for education, and $1B for research tools • Of the $1B support for research tools, 36 projects are designated as MREFC-class (Major Research Equipment and Facilities Construction) facilities, called large facilities below • Most of our large facilities look to the CIO like networked computers with strange I/O devices attached • We are focusing on large facility IT security
IT Security at NSF • Management committed to IT security as a strategic priority • The staff created and implemented a comprehensive IT security program • We have received sustained levels of investment (~10% of the IT budget) • We have performance goals and measures
Security Management at NSF • Roles and responsibilities (CIO and Senior Information Security Officer, SISO) • Policies and procedures (Security Working Group, SWG) • FISMA (Federal Information Security Management Act) compliance, including a system inventory and Certification & Accreditation (C&A) • Plan of action and milestones (POA&M) for tracking open findings • Security reviews and assessments (contingency planning, disaster recovery (DR), continuity of operations (COOP)) • Security awareness and training
Security Technology at NSF • Connectivity standards (and deconn) • External and internal networks • Laptop scanning • Firewall architecture • Vulnerability scans and penetration tests • Anti-virus protection • Patch management • Intrusion detection
Thinking about ITsec • Consider both risk (what damage an incident could do) and vulnerability (how an attacker could get in); a system with little of either needs less attention than one with a lot of both • Design security into systems rather than bolting it on • Keep hackers out: proactive security • Detect computer incidents when prevention fails • Report and remediate: reactive security
Keeping them out • Firewall(s): default-deny, i.e. block all ports and open only the necessary ones by explicit rules • Passwords: use strong passwords and change them; consider one-time passwords (OTP), which make a captured or reused password much less useful • Encrypt wireless network traffic • Keep anti-virus signatures current and scan continuously • Patch, patch, patch known vulnerabilities • Attack your own systems (vulnerability scans and penetration tests) before someone else does
Detection/Reaction • Intrusion detection services • Intrusion detection techniques • CIRT (computer incident response team) • Report to FedCIRC (Federal Computer Incident Response Center)
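The deck says "consider OTP" but shows no mechanism. The following is an added example, not code from the deck or from NSF: a standard-library implementation of the HOTP (RFC 4226) and TOTP (RFC 6238) one-time-password algorithms, with the server-side verification step that a practitioner actually has to get right (constant-time compare, a small clock-drift window, and refusal to accept a counter that has already been used, so a captured code cannot be replayed). The secret, times and codes are the RFCs' published test vectors; the `last_counter` bookkeeping is an assumed per-user value the caller would persist.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) one-time passwords, standard library only.
Added example: the deck says "consider OTP" and shows no code; this is not
NSF's own implementation. RFC_SECRET and the codes in the comments are the
RFCs' published test vectors."""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                   # low nibble of last byte selects a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since the epoch."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret, code, at, last_counter=-1, step=30, digits=6, window=1):
    """Server-side check. Returns the time-step counter that matched, or None.

    Accepts +/- `window` steps of client clock drift, compares in constant time,
    and refuses any counter at or below `last_counter` (assumed to be stored per
    user by the caller) so that a code seen by a keylogger or shoulder-surfer
    cannot be replayed inside its validity period."""
    if not (isinstance(code, str) and code.isdigit() and len(code) == digits):
        return None
    counter = at // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if c < 0 or c <= last_counter:        # never reuse an already-accepted counter
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for n in range(3):
        print("HOTP", n, hotp(RFC_SECRET, n))                  # 755224 287082 359152
    print("TOTP at t=59, 8 digits:", totp(RFC_SECRET, 59, digits=8))   # 94287082
    c = verify_totp(RFC_SECRET, "287082", at=59)
    print("accepted, counter", c)                                  # 1
    print("replay:", verify_totp(RFC_SECRET, "287082", at=59, last_counter=c))  # None
```

The replay check is the part most home-grown verifiers omit: without it a six-digit code stays valid for up to 90 seconds with a one-step window, which is plenty of time to reuse one that was observed in transit.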
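The deck lists intrusion detection as a technique without saying what a detection looks like. As an added example (not NSF's tooling, and not from the deck), here is the simplest useful host-based one: password-guessing detection over sshd authentication log lines, with a sliding time window per source address and a higher-severity alert when a success follows a burst of failures from the same source. The log lines are constructed for the example, using the RFC 5737 documentation address ranges and made-up hostnames and user names; the threshold and window values are assumptions a site would tune.

```python
"""Threshold-based detection of SSH password guessing over auth log lines.
Added example: the deck names intrusion detection but shows no rules; this is
a generic detector, not NSF's own. SAMPLE_LOG is constructed for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in ISO-timestamp sshd format. Addresses are from the
# RFC 5737 documentation ranges; host and user names are invented.
SAMPLE_LOG = """\
2004-03-14T10:00:01 facility-gw sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
2004-03-14T10:00:05 facility-gw sshd[4122]: Failed password for root from 203.0.113.7 port 50212 ssh2
2004-03-14T10:00:09 facility-gw sshd[4123]: Failed password for invalid user oracle from 203.0.113.7 port 50213 ssh2
2004-03-14T10:00:12 facility-gw sshd[4124]: Failed password for alice from 198.51.100.9 port 40001 ssh2
2004-03-14T10:00:14 facility-gw sshd[4125]: Failed password for root from 203.0.113.7 port 50214 ssh2
2004-03-14T10:00:20 facility-gw sshd[4126]: Accepted publickey for operator from 192.0.2.44 port 33001 ssh2
2004-03-14T10:00:21 facility-gw sshd[4127]: Failed password for invalid user test from 203.0.113.7 port 50215 ssh2
2004-03-14T10:00:30 facility-gw sshd[4128]: Failed password for alice from 198.51.100.9 port 40002 ssh2
2004-03-14T10:00:45 facility-gw sshd[4129]: Accepted password for root from 203.0.113.7 port 50216 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?P<method>password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port \d+ ssh2$")


def parse(line):
    """Return a dict for a recognised sshd auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, threshold=5, window_s=60):
    """Emit (alert_type, source_ip, time, detail) tuples.

    BRUTE_FORCE fires once per source when `threshold` failures land inside a
    sliding `window_s`-second window. SUCCESS_AFTER_FAILURES fires when a source
    that is currently over the threshold then authenticates successfully, which
    is the case that needs a human immediately."""
    failures = defaultdict(deque)   # ip -> timestamps of failures still in the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                # unrelated log line (or malformed); skip, do not crash
        q = failures[ev["ip"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()             # expire failures that fell out of the window
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in alerted:
                alerted.add(ev["ip"])
                alerts.append(("BRUTE_FORCE", ev["ip"], ev["ts"].isoformat(), len(q)))
        elif len(q) >= threshold:
            alerts.append(("SUCCESS_AFTER_FAILURES", ev["ip"], ev["ts"].isoformat(), ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
    # BRUTE_FORCE 203.0.113.7 2004-03-14T10:00:21 5
    # SUCCESS_AFTER_FAILURES 203.0.113.7 2004-03-14T10:00:45 root
```

The two alerts are deliberately different in weight: the first is routine noise on any Internet-facing host and is what a firewall or rate limiter answers; the second means the guessing worked and is what the CIRT should be paged for. The per-source window is also why this should run on a central log host rather than each machine, since a large facility's many nodes will each see only a slice of one scan.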
Progress in the Community • FacSec, the large-facility subgroup of the NSF Security Working Group (SWG) • Large Facility Security Workshop(s) • Educause Security Task Force and Internet2 • Higher education is moving towards: separating authentication from authorization; using stronger authentication; sharing and bridging authentication across institutions
The future of IT security • Culture changes slowly: management attention and/or incidents can speed it up • Investment is required • Next generation IT security products and services may be better • Next generation hackers will be worse • Good luck to us all!