As the CISO of the most important research university in Virginia, I wrote in an earlier blog that EDUs aren’t that different from the corporate world. We have 3 main business processes: Administrative, Academic/Instructional, and Research. Our network security strategy may be a blend of economic and ISP requirements. The Administrative process handles all of the IT functions that support the business of running the university – HR, Payroll, Purchasing, Legal, Controllers, Bursars, etc. Here, the normal “corporate” style security model is employed. The Academic/Instructional process supports the business of teaching classes and is heavily BYOD. The Research process may be a hybrid of the previous two processes. A university campus may be a village with its own enforcement, housing, dining, cultural and athletic services, and a power station, with each of those services using the web to do business.
The New Internet – Internet 3.0
Here’s the evolution of the client-server model:
• Internet 1.0 – static servers (mainframes); static endpoints, such as hardwired terminal-style (IBM 3270) connections to the mainframe
• Internet 2.0 – static servers (mainframes, minicomputers); mobile endpoints (desktops, laptops)
• Internet 3.0 – mobile servers (mainframe, desktop, containers, serverless applications); mobile clients (smartphones, tablets, IoT, laptops)
Current security architectures are stuck between Internet 1.0 and Internet 2.0. We must adapt and use newer security architectures to deal with Internet 3.0.
What do hackers do once they get inside your network? There are many variants but they collapse to 3 basic goals:
1. Data theft or disclosure aka data breaches
2. Data destruction aka deletion or ransomware
3. Attack other sites using your network assets. Maintain control of those assets.
A successful defense strategy must address these attack goals.
The Museum Security Architecture
Christian Schreiber gave me the simplest analogy for internet security architectures that I’ve heard thus far. He said an EDU is sort of like a museum, with the following properties:
1. Museums have high-value assets.
2. Key assets are highlighted to make them more accessible to the general public.
3. Museums protect their interiors with a wide variety of tools, techniques, and expertise.
4. Museums specialize in detecting malicious operators who are already inside the building.
Christian went further and provided some examples of museum defense in depth:
1. Museums have few access points but they permit free-flowing access to anyone.