Michael Corn, Deputy CIO & CISO, Brandeis University
University networks have long been viewed as poor models for information security. However in practice many of the challenges facing these networks (broad adoption of consumer-grade services and BYOD for example) are increasingly challenging corporate networks. Many of the strategies developed by the higher education community have been highly successful and are worthy of examination and adoption within the corporate and government IT ecosystems.
“The cornerstone for effective information security within the higher education community is a deep commitment to information sharing and collaboration”
Higher Education Models for Corporate and Government Security
It may be grass is greener syndrome, but those of us working in security at colleges and universities secretly envy our corporate brethren. We imagine an environment where compliance and policy drives behavior, hard boundaries still exist between the Internet and the inside of the network, and resources are plentiful and available on request.
Universities, on the other hand, are viewed as having ‘open’ networks where anything is permitted; that are burdened by a student population more concerned with Facebook and downloading music than their studies, and a faculty population who view policy as an infringement of academic freedom.
Obviously these are stereotypes; institutional maturity levels vary from business to business and from school to school. While each may have elements of truth to them, the nuanced differences are important.
Universities are often criticized for not operating more like businesses. But historically the business metaphor hasn’t mapped well to Universities. A University is more akin to a municipality. Universities have police departments, libraries, banking, housing, food service, large facility and infrastructure functions. They publish books and magazines, run athletic events, hotels, hospitals and farms as well as world-class research labs and HPC (High Performance Computing) facilities. And let’s not forget that 25-30 percent of our community changes every year as new students arrive and graduating students leave—all of whom bring their own personal computers and phones with them. To the network security vendor accustomed to securing two or three public facing ports, our network traffic looks more like white noise than data traffic. This level of variety brings an entirely new scope to the ‘open vs. closed’ network discussion.
Yet in many critical ways such as the adoption of consumer technologies within businesses, the speed of adoption of cloud services and the impact of these on the expectations of our communities suggests that our two environments are looking more and more alike.
What Higher Ed does Right: Transparency and Collaboration
The cornerstone for effective information security within the higher education community is a deep commitment to information sharing and collaboration. Under the auspices of the various professional and consortial bodies (Educause and Internet2 among others), a rich set of tools, standards, and partnerships have been forged allowing the diffusion of well honed effective practices throughout the community. Operationally many of us simply could not imagine achieving what success we have without the trust community of the REN-ISAC. Open communications and collaboration between institutions has proven essential for incident response while world-class tools such as the Bro intrusion detection system are essentially products of this larger ecosystem.
As an example, it is worth looking more closely at the REN-ISAC (RI). Within the RI there has developed a uniquely collaborative culture. One founded on the willingness to share experiences, techniques, and data on malicious actors and traffic in near real-time. The REN-ISAC is a closed trust community. Individuals are required to be vetted as both worthy of trust by the community as well as dedicated security professionals. Strict policies govern information sharing and deferred trusts can be created so that networking and systems staff who handle infrastructure can utilize intelligence collected by the community.
Curiously, the larger, better-resourced Universities do not dominate dialog within the RI. Sure, like any professional community, the REN-ISAC has thought leaders who tend to be heavier contributors, but expertise is recognized and eagerly embraced on its merits, not its personality. This not only benefits the entire membership but also has a normalizing influence on the community of practice.
More challenging for our practitioners is information sharing related to actual data breaches. Typically there are legal and policy constraints that bind operational staff from acknowledging or discussing details in breach scenarios. However even in these circumstances it is possible to utilize the expertise of the community. Brandeis University benefited directly from this: by implementing some of the recommendations of the RI community we were protected from a direct deposit redirection attack in 2014.
Community Response to Compliance and Risk for Cloud Services
As our sourcing portfolio changes to increasingly include cloud infrastructure and SAAS services, Universities have struggled with the challenge of managing the risk these services bring. Few operational security staff or our Legal Counsels have extensive experience addressing data security and privacy in cloud service agreements. By coming together as a community through consortial partnerships such as the Internet2 Netplus program, we have given ourselves a louder voice with cloud providers than even the largest single institution can muster (Internet2 member institutions represent over 6 million students).
Despite our differences as institutions—from large to small, public and private, whether focused on the liberal arts, sciences, or the professional schools—we have found it possible to leverage our combined expertise and are steadily developing master agreements for services that address data security and privacy (as well as risk more generally), including the unique requirements of student records.
In essence the higher education community is slowly coalescing around a common standard of practice for contract language for cloud services. I don’t want to undersell the difficulty of this or the work remaining; the public institutions in particular live under a patchwork of State procurement codes, which make taking advantage of consortial agreements challenging. We have a long way to go but when enough of us point to common control instruments (such as the Cloud Security Alliance), vendors do take notice.
The importance of information sharing was highlighted in the December Cybersecurity Legislative Proposal from the Whitehouse. The higher education experience has shown that operational collaboration and information sharing can act proactively to better position universities and the corporate sector to prevent cyberattacks. The higher education ecosystem is built around the premise of increasing the flow of information. The information security culture and practice of higher education reflects this attitude and because of it has thrived in one of the most challenging to secure environments.