Main Nav

EDUCAUSE Security Conference: Herding cats and campuses: addressing distributed security and compliance issues

Herding cats and campuses: addressing distributed security and compliance issues
Kathleen Kimball, Senior Director, ITS Security Operations and Services, PennState
David Lindstrom, Chief Privacy Office, PennState
2007 EDUCAUSE Security Professionals Conference
Thursday, April 12, 2007
Denver, CO
Kimball and Lindstrom began their presentation with a quick overview of their statewide environment which serves 83,721 students plus more than 60K staff and faculty at 24 campuses, a medical school, agriculture extensions, and their World Campus online learning program. They have one backbone network statewide and push terabits of data.
Their distributed governance and other issues make the security problem more difficult. Many users aren’t doing the “traditional” things like teaching and many are “home users” and that’s the level of their skills as well. In addition, culturally there is a tradition of independence among the campuses and the emphasis on process by committee and consensus makes for a slow process.
They see their major security threats coming from constant hostile probes in a situation where security is often dependent on non-technical users.
What’s happening in the security arena?
Watching trends they note that there is
  • growing sophistication of network attacks (bots, bots, and more bots)
  • increasing complexity of detecting and removing residual malicious software
  • growing number of vendor security updates to be handled
  • Increasingly mobile population of Internet capable devices connecting to unmanaged networks and then returning to PennState nets.
At the same time they see
  • decreasing amount of time for global spread of worms and other malware
  • less ability to stop intruders at the network border
  • less time available to keep up with vendor security updates
  • Decreasing window of time to detect and deter network based attacks.
Legal and regulatory landscape
Lindstrom suggested that when in doubt, laws are passed, or policy is written, in an attempt to control what is increasingly becoming uncontrollable. He pointed out the 9 or so policies that PennState has produced relating to security and privacy. 
Lindstrom and Kimball represent the two sides of the house:  administrative and academic and find that they work together well in their respective institutional duties to reasonably secure sensitive data in their care.
At PennState, the network is distributed and so is the responsibility for data security. Each Dean or Administrative Officer is responsible for the data security policies and security implementations in their respective units. These local policies have the force of overall university policy and are intended to be guidelines for systems administrators.
In order for any unit to connect to the university network they must have a network administrative, technical, and security contact. These folks are key in incident notifications. There are financial officers in each unit and they help with compliance issues. Currently the biggest problem is that only a network address is generally knows for university systems when an incident response begins.
Lindstrom noted that units handing administrative data have additional requirements that are outlined in their “Trusted Network Specifications” and access to the net is not given unless they sign in ink that they’ll be responsible. Units with an exception to hold SSNs have even more requirements. In spite of these policies and security precautions--there is a perceived gap between policy and performance for a number of reasons. Those reasons are primarily the plethora of compliance issues such as FERPA, HIPPA, Graham Leach Bliley, Pennsylvania’s Breach of Personal Information Notification, PCI-DSS (credit card industry standards) and undoubtedly more coming.
PennState feels that they must do better.
  • Improving the state of privacy and network security practices is essential and it is a distributed problem that needs a distributed solution
  • Raising the bar with regard to security practices and policies, ability to comply with existing policies and laws, and increase their agility for responding to new laws that come along. 
--and all of this across the 24+ fiefdoms that comprise PennState.
From this the PennState Information Privacy and Security (IPAS) project was born.
It developed from a joint effort between ITS and the Corporate Controller who sold university leadership on the gap between policy and practice. It is sponsored jointly by the Provost and CFO and the responsibility for oversight rests on the CIO and University Controller. Similarly, Kimball and Lindstrom represent the two sides of the house in their roles. It is a big enough central project that it was split 3 ways between budgets/budget executives. Audit, finance, corporate controller and firewall audit (small piece of the overall) was something they could all get their arms around.
This is a multi-year, multi-phase, university-wide project with some overlap in the timing of the phases.
Phase 1 – evaluate and remediate if necessary PCI-DSS systems and networks
Phase 2 – take lessons learned and apply to systems and networks handling sensitive university information
Three project team members were drafted from existing staff for two year assignments to the project: Project Manager, Senior Network Analyst, and Project Technical Coordinator. Copies of the brochure for IPAS were distributed to the session attendees and it was noted that it includes these three staff members, their responsibilities, and their contact information. Leadership from distributed units provided the staff resources.
Lindstrom and Kimball listed the specifics of the two phases.
Phase 1 included detailed requirements, payment card industry data security standards (also covered in their brochure), and a qualified data security company was engaged.   Incident response involving credit card data is now centralized. If someone is compromised it’s a compromise for the unit. Detail for a sample requirement of Phase 1 was covered for “build and maintain a secure network” during the session and full details for all 12 key requirements are available at
Phase 2 included overall privacy and networking security improvement and review and improvement of associated policy. Lindstrom and Kimball also covered 12 selected tasks in Phase 2 which basically outline a thorough and detailed review of the entire security infrastructure at PennState including people, policy, and technology – and physical safety is also being examined.   Two specifics: Distributed risk assessment process refined and Improve security role in the software development lifecycle.
They noted that they are moving quite fast and architecture changes will be very sensitive because they are so fine tuned at the moment. In addition, there is the question of funding to do the necessary steps. No one knows for sure where the money will come from to do all of this.
Additional points:
Support is crucial from the President and Provost to the Budget Executive and other unit IT and financial personnel must be involved as designated by the Budget Executive
Technical contacts, financial contacts, administrative contacts must all be assigned and there will be mandatory training for everyone in the project. At the moment 78 of the possible 90 are registered for training
IPAS will continue to define and implement cost effective solutions towards the objectives in the two phases.
In Phase 2 Faculty will be involved in the evaluation. 
For training the curriculum covers security awareness and compliance.
They noted that many units don’t want to believe the documentation so it has been necessary to obtain outside consultants on regulatory issues.
Common issues
Slow vendor responses
Getting right language in the contracts and oversight (we don’t want to get in the way of business process, for example, the idea of wireless vending in the field house)
Storage of paper records is not good
They may now be compliant but didn’t get rid of the old stuff that isn’t
Skill level at the local level isn’t in place yet
Shadow systems cause many problems.
Some questions:
Measurement to date? Will be easier in Phase 1 than in Phase 2?
What happens after the 2 years – Phase 3? What will it be? Perhaps ongoing issues that will not go away.
The presentation slides for “Herding cats and campuses: addressing distributed security and compliance issues” is available on the conference website at

Tags from the EDUCAUSE Library

Tags from the Community