IT Security and Higher Education

December 3, 2009 — djgreer

I’ve been spending more time lately looking at information security. In Information Security Today – Has Anything Changed? I wrote about Stephen Northcutt, President of the SANS Technology Institute.  I pointed out that the SANS 20 Critical Security Controls has, in broad terms, been the same for the last twenty years.

My interview with Stephen Northcutt is now available on Mich Kabay’s Security Strategies Alert newsletter on Networking World. In that interview Stephen talked about evaluating the risks of information security. For example, as we move into Cloud Computing organizations are focusing on the cost savings without looking at the change in the risk profile. In some cases, the risk goes up dramatically in a Cloud environment, because one agressive attack that wipes out disc drives can wipe data for many organizations and not just one.

Recently, I’ve been helping Birket Foster CEO of MB Foster Associates with his initiatives to greatly simply the provisioning and deprovisioning of application data for higher education institutions. This is a challenging problem. At my alma mater, the University of British Columbia, there were over 5,000 new students this fall. Institutions like UBC face enormous challenges at the start and end of each term.

Higher education institutions have numerous applications that students must interact with. These include administrative systems that track registration, fees, and payments, timetable applications, learning management systems, and the library just to start. Behind the scenes each of these applications must be provisioned with the details of each new student. MB Foster is working with Denmark-based SystemTech to help higher education institutions fully automate the provisioning of the details of all applications that a student, faculty, or staff must deal with.

There are obvious benefits to automating the provisioning of new students, such as reduced human costs, lower duplication, and a vast reduction in errors, but that’s only the start of the process. The fall term is coming to a close at UBC. Soon, student records must be removed from many of the applications that were provisioned in September. Students will remain in the administrative system, but must be removed from all the learning management systems just for a start. At a place the size of UBC, the problem is even bigger. In addition to 5000 new first year students, there are 35,000 more full- and part-time students in undergraduate and graduate courses. Professors take sabaticals, visiting professors visit, and staff come and go. Accurately keeping all applications up-to-date with the identify and roles of each individual student, staff, or faculty member is an enormous challenge that is ripe for automation.

Getting it wrong exposes the unviersity to a wide variety of security risks that stephen Northcutt and the SANS Institute make clear.

How do you provision and decommission user identities and roles throughout your organization?

Related Posts

Posted in Business, Customer Service, Security. No Comments »

Information Security Today – Has Anything Changed?

September 23, 2009 — djgreer
Stephen Northcutt, President SANS Institute

Stephen Northcutt, President SANS Institute

I recently interviewed Stephen Northcutt, President of the SANS Technology Institute, about how the security problems have remained the same for the last twenty years. He reminded me of the SANS 20 Critical Security Controls:

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  5. Boundary Defense
  6. Maintenance, Monitoring, and Analysis of Audit Logs
  7. Application Software Security
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based on Need to Know
  10. Continuous Vulnerability Assessment and Remediation
  11. Account Monitoring and Control
  12. Malware Defenses
  13. Limitation and Control of Network Ports, Protocols, and Services
  14. Wireless Device Control
  15. Data Loss Prevention
  16. Secure Network Engineering
  17. Penetration Tests and Red Team Exercises
  18. Incident Response Capability
  19. Data Recovery Capability
  20. Security Skills Assessment and Appropriate Training to Fill Gaps

The majority of these controls existed twenty years ago. The specific details of how we provide security around each of the controls has changed, but the basic principles have not changed.

 As we move to Cloud Computing environments, consider these questions: 

  1. In a shared environment where your data is hosted by a third-party, what is to prevent someone at your supplier from using their administrator privileges from accessing your data and making it available to your competitors (#8)?
  2. How will you provide fine-grained control to your data and applications based on individual rights within your application (#9)?
  3. Does your vendor immediately inform you of any invalid use of your accounts (#11)?
  4. How does your vendor conduct pentration testing and if so do they report the results to you (#17)?

 The questions may be the same, but you might be surprised at the answers that you get.

Posted in Security. No Comments »
«
»