Educause Annual 2007
1. Chaos to Clarity: Consolidate Your Security Information into a Knowledge Base
   - Joshua Drummond, Security Architect
   - Neil Matatall, Security Programmer/Analyst
   - Marina Arseniev, Associate Director of Enterprise Architecture
   - University of California, Irvine

2. About us...
   - Located in Southern California
   - Year founded: 1965
   - Enrollment: over 24K students
   - 1,400 faculty (Academic Senate)
   - 8,300 staff
   - 6,000 degrees awarded annually
   - Carnegie Classification: Doctoral/Research – Extensive
   - Extramural funding: 311M in 2005-2006
   - Undergoing significant enrollment growth

3. Security Status Across Higher Ed?
   - 800,000 (November 2006): hacker(s) gained access to a database containing personal information on current and former students, current and former faculty and staff, parents of financial aid applicants, and student applicants.
   - 5,800 (August 2007): a computer holding the SSNs of students was discarded before its hard drive was erased, forcing the school to warn students about potential identity theft.
   - 4,375 (September 2007): former students at risk of identity fraud after an instructor's laptop computer was stolen.
   - 3,100 (September 2007): a technical problem in the way student bills are printed possibly allowed student SSNs to be sent to another student's address.

4. Security is Multi-layer

5. We do a lot... SDLC and Change Management
   - Security requirements and design reviews from the get-go
   - Code reviews
   - Developers reuse security components
   - Automated nightly code and application security scanning
   - Scheduled network and configuration vulnerability scanning
   - Consolidated storage of sensitive data; database model reviews of personal identity data
   - Concurrency and stress testing to detect thread-safety problems

6. Still had problems
   - Urgent call from our director:
     - Have you patched server X?
     - Is server Y behind a firewall?
     - Did server Y have any credit card information stored?
     - Is the database encrypted?
     - When was the last time a security review of application X was done?
   - Peter the Anteater is on vacation!
   - Peter is now at Google!
   - Different answers from different people
   - Little confidence that the information is current

7. Not enough...
   - Many security layers meant many documents owned by many people
   - Scattered checklists, spreadsheets, and diagrams that were not accessible
   - Host IP change = document update nightmare
   - New server? Update how many firewalls?
   - Missing information, such as whom to contact
   - Proprietary knowledge departed with staff turnover
   - Spreadsheet hell!

8. What we learned...
   - Maintaining separate spreadsheets on server configurations, firewalls, and personal identity data, each with redundant and inconsistent information, is inappropriate in today's security climate.
   - Explored different approaches and tools, both vendor and open source.
   - Merged with the Enterprise Architecture approach to use Stanford's Protégé knowledge base.
     - Open source ontology and knowledge-base tool, used to capture and maintain comprehensive enterprise security information in a single repository.

9. Objectives
   - Quickly respond to threats.
   - Organize, consolidate, and centralize security procedures and facts about the layers of security.
     - Facts about data, architectures, components, applications, encryption, auditing/logging, firewalls/rules, backup procedures, etc.
     - Track security checklists
     - Track code, database, and security reviews, their results and follow-up
     - Track oversight functions for secure development, acquisition, maintenance, operations and decommissioning.

10. Agenda
   - Background on ontologies and Protégé
   - Realized value: demonstration of our knowledge base and reports
   - How to implement this in your organization
   - Summary
   - Useful URLs and Q&A

11. Background
   - What is an ontology?
     - "An ontology describes the concepts and relationships that are important in a particular domain, providing a vocabulary for that domain as well as a computerized specification of the meaning of terms used in the vocabulary. In recent years, ontologies have been adopted in many business and scientific communities as a way to share, reuse and process domain knowledge. Ontologies are now central to many applications such as scientific knowledge portals, information management systems, and electronic commerce."
     - Supports inheritable properties (is-a)
     - Attributes of an object can be complex objects themselves (rich); nestable.
   [Diagram: Book Ontology example with classes Writing, Short Story, Historical, Novel, Classic, Medieval, Modern]

12. Stanford University's Protégé
   - Allows easy modeling and creation of an ontology
   - Auto-generates forms for collecting and capturing information based on the ontology and class definitions.
   - "Reverse slots" allow rich linking and automatic updates of changing relationships.
     - Remember the removal of the server and the associated updates of firewall rules?

13. Stanford University's Protégé
   - Generates an HTML view of the knowledge and ontology.
   - Can be exported in XML format
     - Generate reports in other formats and for specific audiences without storing redundant data.
   - Multi-user capable
   - Highly scalable
     - Simulations have handled over 5 million objects
   - Open source at
     - Java API to program against
     - Under active development (last release Aug 24, 2007)
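As an added example (not code from the presentation or from Protégé itself), a small Python model of the reverse-slot idea from the slides above: a host's firewall rules and a rule's hosts are two ends of one link that every update writes together, so decommissioning a server immediately reveals which firewall entries lost their last host. The class, slot and sample host names are constructed assumptions, not the presenters' ontology.

```python
class SecurityKB:
    """Hosts and firewall rules linked in both directions. Protégé calls the
    back-reference a reverse slot; here both ends are written by one method."""

    def __init__(self):
        self.hosts = {}  # host name -> {"ip": str, "rules": set of rule ids}
        self.rules = {}  # rule id -> {"firewall": str, "port": int, "hosts": set}

    def add_host(self, name, ip):
        self.hosts[name] = {"ip": ip, "rules": set()}

    def add_rule(self, rule_id, firewall, port, host_names):
        self.rules[rule_id] = {"firewall": firewall, "port": port, "hosts": set()}
        for name in host_names:
            self.link(rule_id, name)

    def link(self, rule_id, host_name):
        # forward slot (rule -> hosts) and reverse slot (host -> rules) in one step
        self.rules[rule_id]["hosts"].add(host_name)
        self.hosts[host_name]["rules"].add(rule_id)

    def remove_host(self, name):
        """Decommission a server. Returns the rule ids left with no host,
        i.e. the firewall entries the admins should retire."""
        orphaned = []
        for rule_id in self.hosts.pop(name)["rules"]:
            rule = self.rules[rule_id]
            rule["hosts"].discard(name)
            if not rule["hosts"]:
                orphaned.append(rule_id)
        return sorted(orphaned)

    def firewall_by_host(self):
        """The 'Firewall by Host' view is derived from the links, so an IP is
        stored once and every report agrees with it."""
        return {
            name: {"ip": h["ip"],
                   "firewalls": sorted((self.rules[r]["firewall"], self.rules[r]["port"])
                                       for r in h["rules"])}
            for name, h in self.hosts.items()
        }


def build_sample_kb():
    """Constructed sample data, not the presenters' inventory."""
    kb = SecurityKB()
    kb.add_host("web1", "10.0.0.10")
    kb.add_host("db1", "10.0.0.20")
    kb.add_rule("border-443", "Campus Border", 443, ["web1"])
    kb.add_rule("dept-443", "Department", 443, ["web1"])
    kb.add_rule("dept-1433", "Department", 1433, ["db1"])
    return kb
```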
14. Protégé GUI

15. Protégé – Knowledge Capture

17. HIPAA?

18. Protégé – Application Instances

19. Protégé – Authentication Instances

20. Protégé – Authorization Instances

21. Protégé – Patching Procedures

22. Protégé – Backup Procedures

23. Protégé – Query Capability

24. Agenda
   - Background on ontologies and Protégé
   - Realized value: demonstration of our knowledge base and reports
   - How to implement it in your organization
   - Summary
   - Useful URLs and Q&A

25. Using Protégé to Capture Reviews

26. Using Protégé to Capture Reviews
28. Realized Value: Auto-generated Reports from Protégé
   - Network Inventory Report
     - By host name
     - By IP address
   - Firewall Rules Report
     - By firewall
     - By host name
     - By IP address
   - Personal Identity Database Report
     - By server
     - By database
   - Personal Identity Datafile Report
     - By server
   - Application Report
     - Includes developed and vendor applications

29. Before and After – Firewalls
   [Diagram: roles involved – Unix Sys Admin, Windows Sys Admin, Department Firewall Admin, Campus Border Firewall Admin, Database Admin]

31. Report: Firewall by Host

32. Reports: Personal Identity Database by Server

33. Reports: Personal Identity Datafile by Server

34. Agenda
   - Background on ontologies and Protégé
   - Realized value: demonstration of our knowledge base and reports
   - How to implement it in your organization
   - Summary
   - Useful URLs and Q&A

35. How to Implement in Your Organization...
   - Step 1: Inventory existing spreadsheets and documents
   - Step 2: Identify the information you want to track centrally
   - Step 3: Design your ontology (or copy ours)
   - Step 4: Assign roles: who updates, who views
   - Step 5: Capture information
   - Step 6: Add any customizations to Protégé
   - Step 7: Create secured reports for various audiences

36. Our Ontology

37. Updates
   - 3 ways to update your knowledge base
   - Desktop client / local project
     - Only one person can update at a time
     - Must have access to the project file
   - Web server
     - Multi-user, access from anywhere
     - Interface has its weaknesses
   - Client / server
     - Best of both worlds
     - Must have the desktop client installed
38. Updates – Client / Server
   - Use the built-in client-server mode for multi-user updates
   - Grant access to individual users
     - Support for role-based permissions
   - Updates are propagated in near real time
   - BE CAREFUL!
     - Everything is stored in plain text

39. Customizations
   - Modified the existing HTML Export plug-in to change the structure of the output HTML
     - Encrypt sensitive values
     - List instances before slots on class pages
     - Made string attributes that are URLs into actual hyperlinks
     - Add line breaks between multiple slot values

40. Using Protégé to Capture Reviews

41. Automation
   - Although editing of the knowledge base is done centrally through the desktop client, we wanted to automate the generation of reports
   - Wrote two Java classes that use the Protégé API to emulate actions usually done through the GUI
     - edu.uci.adcom.protege.ProjectXmlExport
     - edu.uci.adcom.protege.ProjectHtmlExport

42. Using XSLT for Reports
   - Replicate exactly and replace the former spreadsheets with the same functionality
   - Created canned reports for specific views of the knowledge
   - XSLT is used to transform the XML export of the entire knowledge base into report-specific "simple" XML
   - Then again from the "simple" XML to multiple HTML views for each report
   - XSL and CSS are flexible and can be modified to customize the presentation of the data

43. Report Generation Process Outline
   Protégé -> Java (edu.uci.adcom.ProjectXMLExport) -> XSLT: massage to domain-specific data -> XSLT: generate individual reports (for web reports) -> CSS: customize the display

44. Reports: Personal Identity Datafile by Server

45. Putting it all together
   - An Ant script is used to tie everything together
   - Can be easily scheduled to generate reports

46. Metrics – Firewall Management
   - Before
     - Border, Police, Financial Services, Windows OS, and Server firewalls
     - Each firewall had its own spreadsheet maintained by a different person (5 spreadsheets total)
     - 30+ servers behind multiple firewalls; servers duplicated across spreadsheets
   - After
     - Centralized inventory of knowledge about firewall rules
     - Zero spreadsheets
     - 3 custom reports (HTML and Excel)
     - Centralized maintenance of a single repository across organizational units
     - No redundancy

47. Metrics – Network and Data Inventory
   - Before
     - White boards and documents
       - Partial network inventory
       - Unpatched servers on a whiteboard
     - 4 units keeping redundant or out-of-sync information in private locations
     - Limited access (personal computers)
     - Sensitive data locations unclear
     - Servers with no virus protection or backups
   - After
     - New information that didn't exist before
       - Integrated database, network, and application information
     - Zero spreadsheets
     - 9 custom reports (HTML and Excel)
     - Centralized maintenance of the repository across organizational units
     - Access to the repository extended to 60 individuals based on privileges
     - Clearer view of potential holes in security for analysis and proactive planning
     - Sensitive data tracked
       - 40 data files
       - 50 database fields
     - Added 40 hosts to the backup and anti-virus scanning procedure

48. Future Plans
   - Continue to evolve the ontology to include more attributes and relationships
   - Continue capturing and updating new information
     - Automate capture of information with tools
   - Create a plugin for encrypting sensitive information
   - Create a slot-based authorization plugin
   - Generate checklists intelligently based on attributes
     - Example: if reviewing an application running on IIS and MS SQL Server, the checklist would be customized to that environment.
   - Create notifications about potential trouble spots
     - A personal identity database field that has not been encrypted.
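As an added example (not the presenters' Java classes or XSLT), the two-stage report pipeline from the Automation and XSLT slides and the "unencrypted personal identity field" notification from Future Plans, written in Python over a constructed export: stage 1 flattens the generic instance/slot export into "simple" records, stage 2 builds the "Personal Identity Database by Server" view and the trouble-spot list. The element names, slot names and sample data are assumptions modelled loosely on a Protégé frames XML export, not its real schema.

```python
import xml.etree.ElementTree as ET

# Constructed export in the style of a Protégé frames XML dump: one
# simple_instance per object with its name, type and slot/value pairs.
SAMPLE_EXPORT = """<knowledge_base>
 <simple_instance><name>db1</name><type>Host</type>
  <own_slot_value><slot_reference>ip</slot_reference><value>10.0.0.20</value></own_slot_value>
 </simple_instance>
 <simple_instance><name>students.ssn</name><type>PIIField</type>
  <own_slot_value><slot_reference>host</slot_reference><value>db1</value></own_slot_value>
  <own_slot_value><slot_reference>encrypted</slot_reference><value>false</value></own_slot_value>
 </simple_instance>
 <simple_instance><name>payroll.bank_acct</name><type>PIIField</type>
  <own_slot_value><slot_reference>host</slot_reference><value>db1</value></own_slot_value>
  <own_slot_value><slot_reference>encrypted</slot_reference><value>true</value></own_slot_value>
 </simple_instance>
</knowledge_base>"""


def flatten(export_xml):
    """Stage 1 ("massage to domain-specific data"): reduce the generic export
    to one dict per instance, with its slots as keys."""
    records = []
    for inst in ET.fromstring(export_xml).iter("simple_instance"):
        rec = {"name": inst.findtext("name"), "type": inst.findtext("type")}
        for osv in inst.iter("own_slot_value"):
            rec[osv.findtext("slot_reference")] = osv.findtext("value")
        records.append(rec)
    return records


def pii_by_server(records):
    """Stage 2: the 'Personal Identity Database by Server' view, joining the
    PII fields to the host record so the IP is taken from one place."""
    hosts = {r["name"]: r.get("ip") for r in records if r["type"] == "Host"}
    fields = {}
    for r in records:
        if r["type"] == "PIIField":
            fields.setdefault(r.get("host", "unknown"), []).append(r["name"])
    return {h: {"ip": hosts.get(h), "fields": sorted(f)} for h, f in fields.items()}


def trouble_spots(records):
    """Notification check: PII fields whose encrypted slot is not 'true'
    (a missing slot counts as a trouble spot, not as encrypted)."""
    return sorted(r["name"] for r in records
                  if r["type"] == "PIIField" and r.get("encrypted") != "true")
```

In the presenters' setup the same two stages are XSLT stylesheets chained by an Ant script; the output dicts here correspond to their "simple" XML before the final HTML view.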
49. Q&A
   - AdCom's application security checklist -
   - Stanford's Protégé knowledge base and ontology tool (Java, open source) -
   - XML/XSLT processing -
   - Ant -