Security Perimeters in Academia

1
Security Perimetersin Academia

• Keith A. Watson, CISSP
• Research Engineer
• Center for Education and Research in Information
  Assurance and Security

2
About CERIAS

• World Leader for Research Education in
  Information Security1st of Its Kind
• Multidisciplinary Approach Range from Highly
  Technical to Ethical, Legal, Educational,
  Communicational, Linguistic, and Economic Issues
• As a research and education center, CERIAS leads
  the nation in its understanding of computer,
  network, and communications security as well as
  information assurance.

3
Overview

• Challenges in Academia
• Perimeter definition
• Inside v. Outside
• Relevant regulation
• Changes over the years

4
Challenges in Academia Management

• The university (Purdue PRF) operates as a
• Large corporation (VPs, gt14k employees)
• Non-profit foundation (trusts, gift-acceptor,
  IP-holder)
• State agency (state funding, extension programs)
• Federally-funded research lab (DoE, DoD, NSF,
  NIH)
• Law enforcement agency (state police powers)
• Healthcare facility (patients and doctors)
• Landlord (mortgage-holder, property management)
• Financial services firm (admin financial aid and
  trusts)
• ISP (supplies network connections to departments)
• School (we have students too!)

5
Challenges in Academia Management

• University IT provides infrastructure
• WAN, campus network, WLAN
• Identity management and student services
• Shared, public instructional systems
• Optional security services
• Departments manage their own systems and internal
  infrastructure
• Internal, shared system administrators
• Aging equipment, unsupported software, updates?
• No internal separation of sensitive systems
• Viruses and Worms run rampant at times

6
Challenges in Academia Research

• Balance Openness and IP Protection
• Untrained IT Labor
• Undergrad/Grad student system admins
• Short-timers (average 1-2 semesters)
• Big insider threat problem
• Student hackers on the inside
• Workers chosen for technical skill rather ethics

7
Security Perimeters in Academia

• Perimeters are tough to define because they are
  not defined by policy
• Few universities have any security policies
• Policies on university operations and academics
  considered a necessity
• But, policies on research considered an
  impediment
• Openness is an asset to a research institution
• Very little coordination or cooperation

8
Security Perimeter Definition

• Network boundaries
• Anything past our router is outside.
• Firewall? Thatd be nice.
• Physical boundaries
• The research systems are kept behind that door,
  which we occasionally lock.
• The department servers sit in a nice office.
  They never get cold because its 93? in there.
• Buildings and labs open to all, most of the time
• No access control systems (just keys and open
  doors)

9
Inside v. Outside

• Inside the university network
• Only university IT-owned infrastructure trusted
• Residential networks not trusted
• Inside the department network
• Department-owned infrastructure trusted
• Client systems somewhat trusted
• Partnerships, Cooperative Agreements
• Interconnections somewhat trusted
• Everything else considered outside

10
Relevant Regulation

• Family Education Rights and Privacy Act
• Personally identifiable information student
  records must be protected
• Health Insurance Portability and Accountability
  Act
• University out-patient services (PUSH)
• Teaching hospitals (IUPUI)
• Computer Security Act
• Some research centers have Federal Interest
  systems

11
Changes Over the Years

• Moving to greater business participation
• From occasional interest in IP
• To big push for IP licensing and start-ups
• Moving to corporate style management
• From groups with multiple or unclear functions
• To clear definition of business function
• Moving to centralized management
• From department user accounts
• To campus identity management services and career
  accounts

12
Summary

• Academic security perimeters are
• Difficult to see
• Difficult to protect
• Not part of the usual security management