Defining the Security Domain

Objectives for the Security Policy? Security of the network; physical assets; network usefulness/reliability; protect institutional data; protect institutional systems. What is the Security Domain? The people, data, systems, and devices that must comply with your security policy, i.e. the scope statement of your security policy.

Presentation Transcript

Slide 1

Defining the Security Domain
Marilu Goodyear, John H. Louis, University of Kansas

Slide 2

Goals for the Security Policy?
Protection of the network
Physical assets
Network functionality/reliability
Protect institutional data
Protect institutional systems

Slide 3

What is the Security Domain? The people, data, systems, and devices that must comply with your security policy, i.e. the scope statement of your security policy.

Slide 4

The Complexity of the Campus Environment
Campuses are more than faculty, staff and students.
Other organizations: foundations, affiliates.
People related to campus players: parents, etc.
The network is complex. Where does your network begin and end? Where are the boundaries?

Slide 5

Security Domain and People: Identity Management
Identity Management defines the people who are part of your institution (identification and authentication), authorizes access to systems on campus, and passes credentials to other trusted institutions and systems (Shibboleth).
The Security Domain is larger than Identity Management, since people are only one element of the domain.

Slide 6

The Security Domain is
Not just the campus network
Not just the campus administrative structure
Not just campus data
Not just campus people
But is a combination of all

Slide 7

Elements of Determining Who and What is in the Security Domain

Slide 8

Why? and Who?
People authorized as a member of your community: employees (when acting within the scope of employment), students, affiliates, visitors.
Means of authorization: campus online ID/PKI/biometric; trusted visitor authorization; no authorization (open/public wired or wireless access).

Slide 9

The Security Domain and Policies
In addition to the Security Policy, your organization has other policies that include "scope statements" (i.e. who the policy applies to) that relate to the security domain.

Slide 10

Policies that Relate to Who Gets Access to Your Systems
Employees
Students
Affiliates
Visitors

Slide 11

What? Data
Freely available university data, e.g. web site data (examples): basic institutional information, research reports, press releases.
Restricted or confidential data:
Confidential under federal law (examples): HIPAA, FERPA
Restricted by university policy (examples): email account content
Sensitive under university policy (examples): financial data

Slide 12

What? Systems
Public systems: web pages; library and museum catalogs; institutional repositories (www.kuscholarworks.ku.edu).
Institution systems:
Administrative systems: financial, student information, human resources, parking, etc.
Academic systems: course management, library integrated systems, email.
Research systems.

Slide 13

Data and Systems Policies
University data and records policies that relate to legally defined confidential data (e.g. HIPAA, GLB, etc.)
Policies that relate to access to confidential data
Authorization policies and procedures as they relate to defining access to campus systems (the why of the who)

Slide 14

Public and Private Networks
Federal law provides definitions for public and private networks. Our institutional networks are generally considered to be private networks. Public networks or common carriers generally charge a fee to their customers and are considered "public" networks since they provide (mostly sell) services to anyone.

Slide 15

The Campus Network as a Private Network
It is important to higher education institutions that our networks be defined as private networks in relation to federal law. This allows us to manage the network and the privacy of the users and data. As government requires more of network operators, it is important that we know and understand the boundaries of our networks, i.e. what exactly are we responsible for?

Slide 16

What are the network boundaries?
Institutional Network:
Institutionally owned infrastructure and run by the institution, either by central IT, a departmental unit, or a cluster of units in buildings.
Institutionally owned but run by another entity (outsourced).
Corporation-owned infrastructure, either managed by the institution or managed by the private entity. In this case contract language would be essential in describing responsibility.
Public Network: a member of the university has a personal account on a network owned and managed by a corporate entity (e.g. an employee's home account on a local cable provider's system).

Slide 17

Network Policies and the Security Domain
Institutional Network Policy: the domain is sometimes limited to the centrally managed network; the domain should include networks run by departments.
A good Network Policy should define the network boundary, which in turn affects the definition of the security domain.

Slide 18

Inside or Outside of the Security Domain? When will a security breach affect the institution in some way? A function of three questions: Who? What? (data, systems) How?

Slide 19

Example #1: An employee of the institution is at their private residence on a local cable network searching the institution's library catalog. Are they in the Security Domain?
Who? Yes (employee)
What? No (public system and data)
How? No (private network)
NO

Slide 20

Example #2: A student is in their private apartment on a cable network accessing their grades through the portal and student information system. Are they in the Security Domain?
Who? Yes (student)
What? Yes (confidential data and private system)
How? No (private network)
Yes

Slide 21

Example #3: An affiliated organization's employee is in their office on the institution-owned and -run network browsing the CNN web site. Are they in the Security Domain?
Who? Yes (affiliate employee)
What? No (viewing a public system and data)
How? Yes (institution network)
Yes

Slide 22

Example #4: An institutional employee at an off-campus location on a cable network is searching the Student Information System for information about a student. Are they in the Security Domain?
Who? Yes (employee)
What? Yes (confidential data and private system)
How? No (private network)
Yes

Slide 23

Example #5: An institutional employee at an off-campus location on a cable network is searching the institution's web site for information on an academic program. Are they in the Security Domain?
Who? Yes (employee)
What? No (public data and system)
How? No (private network)
Yes or No

Slide 24

Example #6: A university IT employee at an EDUCAUSE Security Conference in Denver, using the EDUCAUSE-Air wireless service, is reading an email about an employee discipline issue. Are they in the Security Domain?
Who? Yes (employee)
What? Yes (private data and institutional system)
How? No (EDUCAUSE and hotel network) or Yes (if on VPN)
Yes

Slide 25

Most of the time you are in the Security Domain:
If you are on the (or an) institutional network
If you are accessing private data or systems, unless the data has moved beyond the institution
If you are acting in your role as a university employee or student employee, but not if you are a student

Slide 26

Thinking about Control and Responsibility
When do we need control? When behavior can affect us, we need sanctions.
Who do we want to be responsible for? As few people as possible; we are particularly interested in NOT being responsible for students.
If within the security domain, the institution is affected by the behavior and is potentially responsible for the behavior.

Slide 27

Conclusion
Defining a Security Domain for your institution is a critical step in implementing your Security Policy and the scope of other policies. Boundaries can be fuzzy, but they require definition so that responsibility is as clear as it can be.

Slide 28

Questions?

Slide 29

Marilu Goodyear, John Louis, University of Kansas
goodyear@ku.edu, jlouis@ku.edu

Slide 30

KU Network Definitions
The University network begins at the point where an end-user device (located on University-owned or leased property, or on KU Endowment property used by the University's Lawrence or Edwards campuses) accesses this infrastructure, and ends at the point where the University network connects to external non-KU networks. End-user devices that connect indirectly via a third-party telecommunications provider (for example, a connection made to the KU network through a home broadband or dial-up connection) are not considered part of the University network.
