Presentation is loading. Please wait.

Presentation is loading. Please wait.

Defining the Security Domain Marilu Goodyear John H. Louis University of Kansas.

Similar presentations


Presentation on theme: "Defining the Security Domain Marilu Goodyear John H. Louis University of Kansas."— Presentation transcript:

1 Defining the Security Domain Marilu Goodyear John H. Louis University of Kansas

2 Goals for the Security Policy? Protection of the network Physical assets Physical assets Network functionality/reliability Network functionality/reliability Protect Institutional Data Protect Institutional Systems

3 What is the Security Domain? The people, data, systems, and devices that must comply with your security policy, i.e. The scope statement of your security policy.

4 The Complexity of the Campus Environment Campuses are more than faculty, staff and students Other organizations: institutes, affiliates Other organizations: institutes, affiliates Related individuals to campus players: parents, etc. Related individuals to campus players: parents, etc. Network is complex Where does your network begin and end? Where does your network begin and end? Where are the boundaries?

5 Security Domain and People Identity Management Identity Management Defines the people who are a part of your institution (Identification and Authentication) Defines the people who are a part of your institution (Identification and Authentication) Authorizes access to systems on campus Authorizes access to systems on campus Passes credentials to other trusted institutions and systems (Shibboleth) Passes credentials to other trusted institutions and systems (Shibboleth) Security Domain Larger than Identity Management since people are only one element of the domain Larger than Identity Management since people are only one element of the domain

6 The Security Domain is Not just the campus network Not just the campus administrative structure Not just campus data Not just campus people But is a combination of all

7 Elements of Determining Who and What is in the Security Domain Why? and Who? What?How? Whom to grant access? Why are you granting them access? Data Open Open Restricted RestrictedSystems Open Open Restricted Restricted How do they get access (telecom path)?

8 Why? and Who? Individuals authorized as a member of your community Employees (when acting within scope of employment) Employees (when acting within scope of employment) Students Students Affiliates Affiliates Visitors Visitors Means of authorization Campus online ID/PKI/Biometric Campus online ID/PKI/Biometric Trusted Visitor authorization Trusted Visitor authorization No authorization (open/public wired or wireless access) No authorization (open/public wired or wireless access)

9 The Security Domain and Policies In addition to the Security Policy your organization has other policies that include “scope statements” (i.e. who the policy applies to) that relate to the security domain

10 Policies that Relate to Who Gets Access to Your Systems EmployeesStudentsAffiliatesVisitors

11 What? Data Freely available university data Web site data (examples) Basic institutional info Basic institutional info Research reports Research reports Press releases Press releases Restricted or confidential data Federal law confidential (examples) HIPPA HIPPA FERPA FERPA University policy restricted (examples) account content account content University policy sensitive (examples) Financial data Financial data

12 What? Systems Public systems Web pages Web pages Library and Museum Catalogs Library and Museum Catalogs Institutional repositories Institutional repositorieswww.kuscholarworks.ku.edu Institution systems Administrative Systems Administrative Systems Financial, Student Information, Human Resources, Parking, etc. Academic Systems Academic Systems Course management, library integrated systems, Research Systems Research Systems

13 Data and Systems Policies University Data and Records Policies Policies that relate to legally defined confidential data (e.g. HIPPA, GLB, etc.) Policies that relate to access to confidential data Authorization policies and procedures as they relate to defining access to campus systems (the why of the who)

14 Public and Private Networks Federal law provides definitions for public and private networks Our institutional networks are generally considered to be private networks Public networks or common carriers generally Charge a fee to their users Charge a fee to their users Are considered “public” networks because they provide(mostly sell) services to any individual Are considered “public” networks because they provide(mostly sell) services to any individual

15 The Campus Network as a Private Network It is important to higher education institutions that our networks be defined as private networks in relation to federal law. This allows us to manage the network and the privacy of the users and data. As federal government requires more of network operators, it is important that we know and understand the boundaries of our networks, i.e. What exactly are we responsible for?

16 What are the network boundaries? Institutional Network Institutionally infrastructure owned and run by Institution, either by Institutionally infrastructure owned and run by Institution, either by Central IT Departmental Unit Cluster of Units in Buildings Institutionally owned but run by other entity (outsourced) Institutionally owned but run by other entity (outsourced) Corporation owned infrastructure either: Corporation owned infrastructure either: managed by the institution managed by the private entity In this case contract language would be important in delineating responsibility Public Network Member of the University has an individual account on a network owned and managed by a corporate entity (i.e. faculty members home account on local cable provider system) Member of the University has an individual account on a network owned and managed by a corporate entity (i.e. faculty members home account on local cable provider system)

17 Network Policies and the Security Domain Institutional Network Policy Domain sometimes is limited to centrally managed network Domain sometimes is limited to centrally managed network Domain should include networks run by departments Domain should include networks run by departments A good Network Policy should define the network boundary which in turn affects the definition of the security domain

18 Inside or Outside of the Security Domain ? When will a security breach affect the institution in some way? A function of three questions: Who? Who? What? What?DataSystems How? How?

19 Example #1 Employee of institution is at their private residence on a local cable network searching the institution library catalog Are they in the Security Domain? Who? Yes (employee) Who? Yes (employee) What? No (public system and data) What? No (public system and data) How? No (private network) How? No (private network)NO

20 Example #2 A student is in their private apartment on a cable network accessing their grades through the portal and student information system Are they in the Security Domain? Who? Yes (student) Who? Yes (student) What? Yes (Confidential data and private system) What? Yes (Confidential data and private system) How? No (private network) How? No (private network)Yes

21 Example #3 A affiliated corporation employee is in their office on the institution owned and run network searching the CNN Web site Are they in the Security Domain? Who? Yes (affiliate employee) Who? Yes (affiliate employee) What? No (assessing public system and data) What? No (assessing public system and data) How? Yes (institution network) How? Yes (institution network)Yes

22 Example #4 Institutional employee at an off campus location on a cable network is searching the Student Information System for information about a student Are they in the Security Domain? Who? Yes (employee) Who? Yes (employee) What? Yes (confidential data and private system) What? Yes (confidential data and private system) How? No (private network) How? No (private network)Yes

23 Example #5 Institutional employee at an off campus location on a cable network is searching the institution web site for information on an academic program Are they in the Security Domain? Who? Yes (employee) Who? Yes (employee) What? No (public data and system) What? No (public data and system) How? No (private network) How? No (private network) Yes or No

24 Example #6 University IT employee at an EDUCAUSE Security Conference in Denver through the EDUCAUSEAir Wireless service reading an about an employee discipline problem. Are they in the Security Domain? Who? Yes (employee) Who? Yes (employee) What? Yes (confidential data and institutional system) What? Yes (confidential data and institutional system) How? No (EDUCAUSE and hotel network) or Yes (if on VPN) How? No (EDUCAUSE and hotel network) or Yes (if on VPN)Yes

25 Most of the time you are in the Security Domain, if If you are on the (or an) institutional network If you are accessing confidential data or systems, Unless data as moved beyond the institution Unless data as moved beyond the institution If you are acting in your role as a university employee or student employee But not if you are a student

26 Thinking about Control and Responsibility When do we want control? When behavior can affect us we need sanctions When behavior can affect us we need sanctions Who do we want to be responsible for? As few people as possible As few people as possible Particularly interested in NOT being responsible for students. Particularly interested in NOT being responsible for students. If inside the security domain the institution is affected by the behavior and maybe responsible for the behavior.

27 Conclusion Defining a Security Domain for your institution is a critical step in implementing your Security Policy and the scope of other policies Boundaries can be fuzzy, but need definition so that accountability is as clear as it can be.

28 Questions?

29 Marilu Goodyear John Louis University of Kansas

30 KU Network Definitions The University network begins at the point where an end-user device (located on University-owned or leased property, or on KU Endowment property utilized by the University’s Lawrence or Edwards campuses) gains access to this infrastructure and ends at the point where the University network attaches to external non-KU networks. End-user devices that indirectly connect via a third-party telecommunications provider (a connection made to the KU network via a home broadband or dial up connection for example) are not considered part of the University network.


Download ppt "Defining the Security Domain Marilu Goodyear John H. Louis University of Kansas."

Similar presentations


Ads by Google