The information security models at higher education verge from those at corporations, says Dennis Devlin.The Jericho Forum promotes migration from a closed security model that uses hardened perimeters at the borders of an enterprise to a more open security model that promotes interoperability and free exchange of information.
A more open security model has always been a requirement for higher education.
I was working at Harvard University in 1988 when the Morris worm was released into the ARPANET. At that time, there were approximately 88,000 internetworked computers in the entire world, and there were no real security demarcations that separated them. Internetworking changed that day. Many of the security technologies and architectures we use today were developed as a result, as well as computer emergency response protocols and teams like CERT at Carnegie Mellon University.
One year later, in 1989, the ARPANET became the internet, and throughout the 1990s the business community began to truly realize its potential for expanding markets and cutting out the middleman. Information security evolved in the direction of “deny by default and allow by exception,” which has also been sometimes described as “what is not required is forbidden.”
This model worked very well until the World Wide Web and B2B came along. Suddenly there were new requirements for ports and services which could no longer be blocked at the borders. Suddenly every workstation, application, process and employee in the enterprise became potentially exposed to hostility. Suddenly anything that could once be blocked could be tunneled through a port that could not be blocked. The model changed. Jericho is an acknowledgement of that new reality.
Colleges and universities on the other hand, have always had to favor openness and interoperability. It is very difficult, if not impossible, to both promote exploration and deny by default at the same time.
Many, if not most colleges and universities, therefore, took a different approach to information security. Their primary focus is on hardening endpoints and protecting information, not on restricting networks.
Every intelligent device that connects to the network needs to be current with patches, malicious code protected, firewalled, registered and strongly authenticated. And every piece of sensitive or regulated information needs to be recognized and managed with appropriate standards of care during its entire lifecycle. Multiple, uncontrolled copies of sensitive information for convenience is no longer acceptable.
The challenge of this approach is that it requires a combination of technical solutions, policy, education and the active participation of every member of the academic community. However, the benefit of this approach is that it acknowledges reality, does not assume protection from any particular context, and is thus transferable to all situations.
Internet-based learning, teaching and scholarship is not limited to classrooms and laboratories anymore. It also occurs in wireless hotspots, internet cafés, hotels and hostels, off-campus residences, and any other places where creative or critical thinking can occur. We would do the academic community a real disservice to believe otherwise. Protection needs to be as proximal to the digital assets being protected as much as possible. Information security has thus become a critical literacy for anyone who uses the internet as an educational resource.
Interestingly, this approach closely parallels many of the guiding principles that the Jericho Forum promotes for business. Higher education has just been doing it this way a bit longer.
Dennis Devlin is chief information security officer at Brandeis University.
For web-exclusive features related to the education vertical, please visit our website: www.scmagazineus.com.