Events for all Levels and InterestsStay
Jump Start Your Career GrowthStay
Get on the Higher Ed IT MapStay
Uncommon Thinking for the Common Good™Stay
Security Architecture and Technology Tools
Security Architecture and Technology Tools
The Security Task Force's strategic goal associated with Security Architecture and Technology Tools is "to design, develop, and deploy infrastructures, systems, and services that incorporate security as a priority and to employ technology to monitor resources and minimize adverse consequences of security incidents." The term "security architecture" is the focus of an entire chapter written by Jack Suess (University of Maryland, Baltimore County), who is a co-chair of the Security Task Force, in the book "Computer and Network Security in Higher Education". A section on "Security Architecture Design" is also included in the Effective Security Practices Guide.
The Effective Security Practices Working Group of the Security Task Force is focused on identifying and promoting practices, tools, and procedures that higher education institutions have found to be practical solutions to preventing or responding to security problems with an emphasis on technology and process solutions. SALSA, an initiative of Internet2, is an oversight group consisting of technical representatives from the higher education community who will advise on leading edge technology issues. SALSA is future-oriented and state-of-the-art in nature, focusing on high performance and advanced networks. The Internet2 Security work is oriented towards improving our ability to integrate our advanced networking requirements with network security in an insecure world.
Another critical aspect of this goal is improving our relationships with IT vendors and the security of software products provided to educational institutions. Therefore, you will not be surprised that proposed solutions in this space include initiatives to "influence the development and delivery of "secure by default" vendor products (e.g. collective purchasing power, support from government), negotiation of higher education-wide site license for anti-virus and host firewall software, and work with government and industry to develop procurement guidelines that enforce secure software requirements." Accordingly, the Cyber Security Forum for Higher Education was established in the Fall of 2003 to "create a forum for the discussion of higher education computer and network security issues between the corporate community and the EDUCAUSE/Internet2 Computer and Network Security Task Force with the goal of improving higher education cyber security through mutual efforts." Additionally, the one-on-one relationships established between the Security Task Force and Microsoft, Symantec, McAfee, and others are in an effort to improve security and to make technology tools more affordable. A current effort that is part of Cong. Adam Putnam's (R-Fla.) Corporate Information Security Working Group is seeking ways to use the procurement power of government and industry to enforce security requirements between buyers and suppliers of IT products and services.
Authentication and authorization are also important ingredients to this goal. Therefore, the Security Task Force is working collaboratively with initiatives such as the NSF Middleware Initiative, NMI-EDIT, Higher Education Bridge Certification Authority, Internet2 Middleware Initiative, and Net@EDU PKI Working Group Additionally, SALSA has established a working group on NetAuth issues that is being chaired by Chris Misra (University of Massachusetts-Amherst).
Among the recommendations put forward to the Security Task Force are to encourage the "design and development of secure systems" that: 1) require authentication for all campus network connections, 2) are flexible and easy to use, 3) recognize range of user skills, 4) offer choices between degree of security responsibility and level of network access, 5) provide default security tools on the desktop, and 5) employ deterrent mechanisms: secure services, border filters, unit level filters, VPN's, and host based security. Additionally, recommendations to "maintain" secure computing environments include the following: 1) employ detective methods: self-assessment, vulnerability scans, process review, ITD, network monitoring and system audits, 2) take appropriate corrective actions, 3) conduct periodic assessments to determine present level of security and gap between current and desired state, 4) patch systems regularly, and 5) use EDUCAUSE as a body for certifying campus security compliance.
Although several of these recommendations are being pursued at the campus level and by the various working groups, no concrete steps have been taken or are planned for EDUCAUSE or the Security Task Force to become a certification body or compliance agency. Nonetheless, through the promotion of best practices and professional development opportunities, we are hoping that institutions will voluntarily elect to move in the direction of both developing and maintaining more secure environments. And we will continue to put pressure on the vendor community to make our jobs easier - not harder!