NET+ SECURITY AND IDENTITY PORTFOLIO DEVELOPMENT WORKSHOP
Nick Lewis Internet2 NET+ Program Manager, Security and Identity
© 2015 Internet2
Outline for this portion
• Future information security improvement to NET+ program
  – Communications
  – Documentation
  – How-to guide – Do we need a how-to guide for the information security aspects of service validation?
  – Incident Response
  – Data security matrix
  – How to handle privacy, IT compliance, PCI, etc.
• Campus value
• NET+ Security and Identity portfolio
• Service providers
Future information security improvement to NET+ program
Communications
• Standard updates on service portfolio
• Changes at service providers
• Changes in overall NET+ program around security
• Other activities underway or in discussion as part of NET+ SI portfolio
• Marketing on the portfolio and services
• Presentation at other forums?
• Outreach to other groups or regional groups
Documentation
• What needs to be documented? Who should create it?
• Formalness of documentation
• Retention
• Provided by Internet2 or service provider? Under NDA?
• Available for early adopter or general availability subscribers?
Documentation for campus on NET+
• How-to guide
  – Do we need a how-to guide for the information security aspects of service validation?
Incident Response
• What is Internet2’s role in a service provider incident? How to include REN-ISAC?
  – Or, a critical vulnerability?
• Template contract says we need to be contacted, but with minimal details
• What is currently done
• What can/should we do?
• Examples
  – Heartbleed
  – LastPass
• Small group discussion – How should it work?
NET+ and Privacy
• Core data owned by campus
• Data stored by service providers about campuses or campus usage of the service
• How to handle data de-identification
• What data can be shared with Internet2 about campuses’ usage of NET+ services
• Should we do transparency reports on the types of legal requests SPs are getting? Or, more added to template contract?
NET+ and Logging
• What kind of standards should service providers use for sharing log data – RFC, syslog, other?
• Must be able to be integrated into campus SIEM/logging systems
• Extracting logs vs. logs being pushed
• Cloud services, locally hosted, hybrid, others all need to be included in the campus systems
Data security matrix
• Do campuses want a service provider to be labeled as “campuses have approved for HIPAA data” or something like that (with appropriate disclaimers)?
• Would a sensitive data matrix be helpful? Maybe based on laws, regulations, etc.?
How to handle compliance?
• IT compliance – Is this more than what is being done for FERPA, HIPAA, and GLBA?
• PCI – It’s not addressed in current templates. Not sure how it would be incorporated.
  – Is this something you’re interested in?
• Other?
Campus value
Campus Value
• How to define the value to the campuses?
• Benchmarking with other campuses
• How does this fit into an institution’s information security program?
• Part of building IT risk management and cloud services security assessments
• Assurance to exec management and boards that the appropriate steps are being taken to manage risk.
• Current NET+ formula
• Can reducing IT security risk be included in this?
NET+ Security and Identity portfolio
Security and Identity Portfolio
• Bring NET+ Principles to Security and Identity community
• Engage with the broadly defined higher education information security community in the portfolio development and adoption.
• Disrupt the status quo of how information security is integrated and executed at a campus to better manage information security risk and improve privacy and compliance on campuses.
• Make tools and services quickly available to campuses that aren’t currently available because of cost, resources, or technical resources required.
NET+ Security and Identity portfolio
– What should be in this portfolio?
– Program advisory group and CISO oversight group (or is this just HEISC?)
– What do campuses want?
  • IDM-as-a-service, forensics, etc. as a service?
  • Security-as-a-service
– HEISC top infosec priorities
– Categories – suggestions for service providers in each category
– Small group discussion – How should it work?
Service providers
Service providers
• In the works
• Other NET+ portfolios with services of interest to information security
• Details on individual service providers?
• NET+ can help raise a service provider’s awareness in HE and help them engage with HE
• What services are not unique to your campus that could be beneficial to the community to adopt?
• What is an HE-unique challenge that we could work with a service provider to meet?
Example service providers
• Webapp security – WhiteHat Security
• Anti-phishing
• Mobile Device Management
• Enterprise Risk Management / IT Security Risk Management
• Security awareness and training
• Threat intelligence / SIEM
• DDoS
• Cloud security training?
• Non-traditional NET+ providers (i.e., locally installed and managed software)
Other Service Providers
We have also talked with several potential service providers:
• Qualys
• Tenable
• HP Fortify on Demand
• Akamai for DDoS service
• Black Lotus (acquired by Level 3) for DDoS service
• AlienVault for SIEM service
Any interest in these types of tools?
• Web app security scanners – WhiteHat Security
• Endpoint security – Bit9 + Carbon Black?
• Mobile Device Management – AirWatch?
• IT GRC – ServiceNow (in SV), RSAM, etc.?
• Threat intelligence – Fidelis Cybersecurity?
What other service providers?
Service Provider Status
Area: Security and Identity Solution: Certificates Provider: InCommon Sponsor: InCommon
InCommon Certificate Service
Status
• Provides unlimited SSL, extended validation, client (personal), and code-signing certificates for one fixed annual fee, including all domains that you own or control.
Next Steps: Collaborate with InCommon
Area: Security and Identity Solution: Multifactor Authentication Provider: Duo Security Sponsor: InCommon
Duo Security
Status
• Through its program with Internet2's InCommon, Duo Security offers affordable pricing models for phone-based second-factor authentication: a site license for faculty/staff, faculty/staff/students, and campus associates.
Next Steps: Bring into NET+ Program. Forming Service Advisory Board.
Area: Infrastructure and Platform Services; Identity and Security
Solution: Machine data analysis Provider: Splunk Sponsor: Multiple Universities
Splunk
Status
• 3-year subscription term license at discounted rates
• 2nd Waterfall pricing threshold reached
• Community-developed software license agreement
Next Steps: Summer Advisory Board meeting. Discussing Splunk Cloud.
Area: Security and Identity Solution: Automated network access Provider: Internet2
eduroam
Status
• Mature service (260+ participating institutions)
• Available to non-members
• About to enter General Availability
Next Steps: Complete service agreement, begin invoicing non-member institutions
Area: Security and Identity Solution: Digital Signatures Provider: DocuSign Sponsors: Temple University
DocuSign
Status
• DocuSign creates secure methods to capture electronic signatures and leverage paperless workflow
• Details on ordering and sign-up being worked out in early adopter
Next Steps: Sign up service validation and early adopters. Form service advisory board.
Area: Security and Identity Solution: Password Management Provider: LastPass Sponsors: Duke University
LastPass
Status
• Online/offline password manager
• Ready for Early Adopters
Next Steps: Webinar announcing service, start campus sign-ups, and set up service advisory board
Area: Security and Identity Solution: Digital Signatures Provider: Adobe Sponsors: Clemson University
Adobe Document Cloud eSign
Status
• Quickstart service validation
• Starting Service Validation
Next Steps: SV calls underway and sign business agreement.
Area: Security and Identity Solution: Umbrella Provider: OpenDNS (announced acquired by Cisco) Sponsors: Clemson
OpenDNS
Status
• OpenDNS is a leader
Next Steps: Working through quick start to get into NET+ program to complete SV within 2 years.
CloudDLP Service Providers
• We are currently talking or actively engaged with 9 different CloudDLP providers
• Started with the Box DLP Webinar series
• Adallom, CipherCloud, CloudLock, Code Green, Global Velocity, Netskope, Skyhigh, Symantec, and Websense
• All have the basics of scanning for sensitive data
• Forming working group to evaluate features, functionality, etc.
• Address privacy issues up front
• How does a campus actually address the privacy aspects?
Area: Security and Identity Solution: Cloud DLP Provider: CloudLock Sponsors: Arizona State University
CloudLock
Status
• Quickstart service validation
• Working with CloudLock on service validation and identifying additional campuses
Next Steps
– Start SV calls, define use cases, and get campuses involved. Start working on privacy discussions.
– Trying to get legal calls set up with campuses
Area: Security and Identity Solution: Cloud DLP Provider: Skyhigh Sponsors: Brandeis University
Skyhigh
Status
• Quickstart service validation
• Starting Service Validation
Next Steps: Start SV calls and sign business agreement. Start working through privacy discussions.
Area: Security and Identity Solution: Cloud DLP Provider: Netskope Sponsors: Open for sponsors
Netskope
Status
• Netskope is a leader in cloud app analytics and policy enforcement. Netskope helps people safely use their favorite cloud apps so the business can move fast, with confidence.
Next Steps: Start SV calls and sign business agreement. Start working through privacy discussions.
Area: Security and Identity Solution: Threat Intelligence Provider: General Dynamics Fidelis Cybersecurity Solutions Sponsor: N/A
Fidelis Cybersecurity Solutions
Status
• Working to understand NET+ model
• Seeking sponsor/service validators
Next Steps: Identify sponsor campus