The document discusses the challenges of IT security in higher education, highlighting the decentralized structure and culture that often lead to security breaches. It emphasizes the importance of motivation over obligation and presents eduroam as a successful example of trust-based federation in network access. The author argues that the unique environment of academia requires innovative approaches to security that differ significantly from private sector practices.

1. The IT Security Jungle of
Higher Education
Presented by Nicholas Davis, CISA, CISSP
WTA Conference, May, 2015

2. Overview
• Question: Why are security breaches in higher education
on the rise?
• How the environment in a university setting differs from
the private sector
• What happens when you try to do it like everyone else
• The approach of motivating rather than obligating, and
federating rather than centralizing
• Eduroam as an example of how higher education does
things differently (and in this case—better)
• Using outside influence, embracing differences
• Summary, question and answer session

3. Why Us?
Question: Why have there been security
breaches in the higher education
community?
Let’s take a look at the culture of academia

4. Academic Environment
• Highly decentralized in many cases, from
authority to funding to infrastructure
• Many smart people, who want to have
their say and who want to their research
freedom ensured
• Unique situations are the norm
• Funding is always a huge concern

5. Imagine This
• “Higher education is the only institution in
which a vote of 15 to 1 is defined as a tie”
– Unknown Author
• No forward movement until consensus is
achieved
• This often means that forward movement
depends upon everyone getting their
second choice, which nobody loves, but
nobody hates…..Often diluted solutions

6. Look at Our Technology
Infrastructure
Multiple variants
of Operating
Systems means
it is difficult to
have a
consistently
applied security
patch program

7. If You Thought Apple Was a
Challenge
• How does one go about securing
a Commodore 64, connected to
proprietary research equipment,
saving sensitive data to a network
drive, through a cassette tape I/O
port?

8. Funding Models
• Research grants provide a great deal of
revenue to a large public university
• Grants cover everything form staff salaries
to computer equipment
• The researchers buy what they like, and
use it as they like
• Difficult for central IT to manage what they
do not own

9. Private Sector Vs Higher
Education
• Private sector typically has standard
hardware and software builds, manages
end user machines, has rigid equipment
use guidelines, monitors usage, blocks
access to “dangerous” websites
• Higher education always has freedom in
the forefront of thoughts: Freedom from
standards, freedom from restricted use

10. Well, How Difficult Can It Be?
• No overall managed endpoint environment
• No centralized log collection
• Ambiguous perimeters of network, firewalls,
intrusion detection, intrusion prevention
• BYOD gone crazy!
• Central equipment inventory not available
• Equipment moving constantly
• Massive amounts of data, being used in many
non-standard ways
• Decentralized data management

11. Defining the Community
• Transient student population
• International students on campus
• American students overseas
• Visiting professors, not officially a
university employee
• Research taking place all over the globe
• Making network available for visitors

12. It’s Simple, Just Do What I Say
• Diverse structure of university
does not fit well with a top-down
model
• My primary allegiance is to those
who fund my research
• If I can’t do it my way, here, I
may go someplace else where I
have more freedom

13. From the Technical Side
• Decentralized firewall management makes
network assets unreachable
• Decentralized management prohibits
owning endpoints by a central authority
• Multiple types of OS and hardware makes
it difficult to manage
• Specialized software means that patching
is often not possible

14. The Secret Sauce
• We try to motivate rather than obligate
• Give the people information, let them
decide
• Authority and accountability
• Make it easy for them, make it
inexpensive
• Avoid client footprint whenever possible
• Thanks to the cloud, it is getting easier to
manage in the jungle

15. Instead of Controlling Others,
We Choose to Trust Them
• Centralized identity management is challenging
in our amorphous customer base
• Instead of owning everything, we set standards
of trust and we have confidence in others to
manage their individual systems better than they
could be managed centrally
• Mainstream is not the only way to achieve
success
• Let’s look at one example

16. Eduroam – Trust Through
Federation
• Eduroam (education roaming) is
an international roaming service
for users in research, and higher
education.
• It provides researchers,
teachers and students easy and
secure network access when
visiting an institution other than
their own.

17. Eduroam Introduction
https://www.youtube.com/watch?feature=player_embedded&v=TVCmcMZS3uA

18. How Eduroam Works
• Authentication of users is performed by
their home institution, using the same
credentials as when they access the
network locally, while authorization to
access the Internet and possibly other
resources is handled by the visited
institution. Users do not have to pay for
using eduroam.

19. Eduroam Has a Risk
• When placing trust in Eduroam,
you are placing trust in others,
who from time to time may not
meet the standards which you
were expecting
• The solution is to understand the
level of authentication provided
and that authentication should
not be synonymous with
authorization

20. Eduroam
• How does your business deal with
visitors from other companies?
• How do other companies deal with
granting you access when you are
on-site?
• Generic logins? No logins? Who is
on the network? Nobody knows!
• Have you ever seen a solution as
elegant, safe, flexible and useful as
Eduroam?

21. Eduroam
• Federation isn’t the industry standard, but it
certainly recognizes the reality of the world we
live in.
• The people in higher education might be on to
something here
• When you can’t own everything, you need to be
pragmatic
• Lack of rigidity, makes higher education very
innovative

22. Eduroam Makes Sense
Federation of Communities

23. It Is All About Trust
• Which do you trust more, Facebook, which gave an
account to my stuffed cow –or a home institution, with
more rigorous credential issuance policies and
procedures, such as a university?

24. Federation Does Not Mean
Loss of Control
• Federation with Eduroam handles
authentication, at LOA2’ish levels
• Eduroam reports-----you decide!
• Logging in with Facebook is more
LOA1’ish

25. A New World Order of
Centralized Identity
Management Is Highly Unlikely
• Not everyone in the world is going
to join Facebook
• Even if they did, the LOA of
Facebook sets the bar low to the
ground
• Do you really want Facebook to
own your organization’s
authentication?
• It is OK not to own everything, as
long as you know who to trust

26. Outside Influence Never Hurts
• HIPAA, PCI, FERPA
• “Sorry, it isn’t me, it is an external
requirement” is an extra ace in pocket!
• NIST 800-53 (federal government IT
security controls)
• “If you want your grant money, you must
first prove NIST 800-53 compliance”

27. Budget Constraints
• In the past, individual freedom was a top priority
• In the current environment, campuses are
looking to save money wherever possible and
become more efficient
• Redundancy in policy, process development and
deployment is being sought out and removed
wherever possible

28. Summary View
• IT Security in higher education is a greater
challenge than in the private sector
• You often have to work without the benefit
of the infrastructure and control which is
taken for granted in the private sector
• Freedom of choice is held as a core value
in academia

29. Jungles Are For Roaming
• Amazing things can happen in
the jungle
• Obligation is a dying breed of
animal in an interconnected
world
• The IT security jungle should be
appreciated, embraced and not
approached as something
which needs to be “controlled”
at all costs.

30. Questions & Comments
Nicholas Davis, CISA, CISSP
Chief Information Security Officer
UW-System
ndavis@uwsa.edu
facebook.com/nicholas.a.davis
https://www.linkedin.com/in/nicholascv