The IT Security Jungle of Higher Education

Presented by Nicholas Davis, CISA, CISSPWTA Conference, May, 2015

Overview

• Question: Why are security breaches in higher education on the rise?

• How the environment in a university setting differs from the private sector

• What happens when you try to do it like everyone else• The approach of motivating rather than obligating, and

federating rather than centralizing

• Eduroam as an example of how higher education does things differently (and in this case—better)

• Using outside influence, embracing differences

• Summary, question and answer session

Why Us?

Question: Why have there been security breaches in the higher education community?

Let’s take a look at the culture of academia

Academic Environment

• Highly decentralized in many cases, from authority to funding to infrastructure

• Many smart people, who want to have their say and who want to their research freedom ensured

• Unique situations are the norm

• Funding is always a huge concern

Imagine This

• “Higher education is the only institution in which a vote of 15 to 1 is defined as a tie”– Unknown Author

• No forward movement until consensus is achieved

• This often means that forward movement depends upon everyone getting their second choice, which nobody loves, but nobody hates…..Often diluted solutions

Look at Our Technology Infrastructure

Multiple variants of Operating Systems means it is difficult to have a consistently applied security patch program

If You Thought Apple Was a Challenge

• How does one go about securing a Commodore 64, connected to proprietary research equipment, saving sensitive data to a network drive, through a cassette tape I/O port?

Funding Models

• Research grants provide a great deal of revenue to a large public university

• Grants cover everything form staff salaries to computer equipment

• The researchers buy what they like, and use it as they like

• Difficult for central IT to manage what they do not own

Private Sector Vs Higher Education

• Private sector typically has standard hardware and software builds, manages end user machines, has rigid equipment use guidelines, monitors usage, blocks access to “dangerous” websites

• Higher education always has freedom in the forefront of thoughts: Freedom from standards, freedom from restricted use

Well, How Difficult Can It Be?

• No overall managed endpoint environment• No centralized log collection• Ambiguous perimeters of network, firewalls,

intrusion detection, intrusion prevention• BYOD gone crazy!• Central equipment inventory not available• Equipment moving constantly• Massive amounts of data, being used in many

non-standard ways• Decentralized data management

Defining the Community

• Transient student population

• International students on campus

• American students overseas

• Visiting professors, not officially a university employee

• Research taking place all over the globe

• Making network available for visitors

It’s Simple, Just Do What I Say

• Diverse structure of university does not fit well with a top-down model

• My primary allegiance is to those who fund my research

• If I can’t do it my way, here, I may go someplace else where I have more freedom

From the Technical Side

• Decentralized firewall management makes network assets unreachable

• Decentralized management prohibits owning endpoints by a central authority

• Multiple types of OS and hardware makes it difficult to manage

• Specialized software means that patching is often not possible

The Secret Sauce

• We try to motivate rather than obligate• Give the people information, let them

decide• Authority and accountability• Make it easy for them, make it

inexpensive• Avoid client footprint whenever possible• Thanks to the cloud, it is getting easier to

manage in the jungle

Instead of Controlling Others, We Choose to Trust Them

• Centralized identity management is challenging in our amorphous customer base

• Instead of owning everything, we set standards of trust and we have confidence in others to manage their individual systems better than they could be managed centrally

• Mainstream is not the only way to achieve success

• Let’s look at one example

Eduroam – Trust Through Federation

• Eduroam (education roaming) is an international roaming service for users in research, and higher education.

• It provides researchers, teachers and students easy and secure network access when visiting an institution other than their own.

Eduroam Introduction

https://www.youtube.com/watch?feature=player_embedded&v=TVCmcMZS3uA

How Eduroam Works

• Authentication of users is performed by their home institution, using the same credentials as when they access the network locally, while authorization to access the Internet and possibly other resources is handled by the visited institution. Users do not have to pay for using eduroam.

Eduroam Has a Risk

• When placing trust in Eduroam, you are placing trust in others, who from time to time may not meet the standards which you were expecting

• The solution is to understand the level of authentication provided and that authentication should not be synonymous with authorization

Eduroam

• How does your business deal with visitors from other companies?

• How do other companies deal with granting you access when you are on-site?

• Generic logins? No logins? Who is on the network? Nobody knows!

• Have you ever seen a solution as elegant, safe, flexible and useful as Eduroam?

Eduroam

• Federation isn’t the industry standard, but it certainly recognizes the reality of the world we live in.

• The people in higher education might be on to something here

• When you can’t own everything, you need to be pragmatic

• Lack of rigidity, makes higher education very innovative

Eduroam Makes SenseFederation of Communities

It Is All About Trust

• Which do you trust more, Facebook, which gave an account to my stuffed cow –or a home institution, with more rigorous credential issuance policies and procedures, such as a university?

Federation Does Not Mean Loss of Control

• Federation with Eduroam handles authentication, at LOA2’ish levels

• Eduroam reports-----you decide!

• Logging in with Facebook is more LOA1’ish

A New World Order of Centralized Identity

Management Is Highly Unlikely• Not everyone in the world is going

to join Facebook• Even if they did, the LOA of

Facebook sets the bar low to the ground

• Do you really want Facebook to own your organization’s authentication?

• It is OK not to own everything, as long as you know who to trust

Outside Influence Never Hurts

• HIPAA, PCI, FERPA

• “Sorry, it isn’t me, it is an external requirement” is an extra ace in pocket!

• NIST 800-53 (federal government IT security controls)

• “If you want your grant money, you must first prove NIST 800-53 compliance”

Budget Constraints

• In the past, individual freedom was a top priority• In the current environment, campuses are

looking to save money wherever possible and become more efficient

• Redundancy in policy, process development and deployment is being sought out and removed wherever possible

Summary View

• IT Security in higher education is a greater challenge than in the private sector

• You often have to work without the benefit of the infrastructure and control which is taken for granted in the private sector

• Freedom of choice is held as a core value in academia

Jungles Are For Roaming

• Amazing things can happen in the jungle

• Obligation is a dying breed of animal in an interconnected world

• The IT security jungle should be appreciated, embraced and not approached as something which needs to be “controlled” at all costs.

Questions & Comments

Nicholas Davis, CISA, CISSP

Chief Information Security Officer

UW-System

ndavis@uwsa.edu

facebook.com/nicholas.a.davis

https://www.linkedin.com/in/nicholascv