Report of JTAP security Workshop 21-22 June 1999

Tom Franklin

Executive Summary

This report describes the work required within the higher education community in the areas of information security. There have been a number of prior reports which have looked at the technologies available and the user requirements. The function of the workshop was to identify the priorities for action by both the JISC and by higher education institutions (and further education colleges when the FEFCs become funding partners of JISC).

The workshop included representatives from higher education institutions, UCISA, JISC and industry.

The workshop highlighted the need for institutions to understand the business case for security before implementing any measures, and in particular using BS7799: Information Security Management as a means of determining the risks and measures needed.

The key recommendations are:

1.The most important single recommendation was that senior management need to understand how appropriate use of information security can aid the business processes within their institutions.

2.Senior management need to understand the responsibilities associated with ownership of information. These include privacy, accuracy and availability.

3.HEIs should use BS7799 as a means of understanding the security risks and threats in their business and the costs and benefits associated with addressing the main risks.

4.JISC should undertake a review of the key legislative and regulatory frameworks and provide advice to institutions on the measures that they need to have in place to meet them. This will include the Data Protection Act, the e-commerce bill.

5.JISC should undertake a study of the current situation prevailing within HEIs and over JANET so that the scale of the problem can be understood and to ensure that any solutions will meet the needs of institutions.

6.There is a need for JISC working with the institutions to determine the minimum levels of security which institutions must have in place order to be part of the community. This could form a baseline service level agreement.

7.There is a shortage of experience and expertise within the community which JISC can address by commissioning the production of guidelines, templates, examples best practice and training materials.

Attendees:

Brian Collins (BC)facilitator

Peter Birch (PB)Microsoftsecond day only

Andrew Cormack (AC)UKERNA (CERT)

David De Roure (DDR)University of Southamptonsecond day only

Tom Franklin (TF)JTAP Programme Manager

John Langman (JLa)microszience

John Leach (JL)Network Associates

Tish Roberts (TR)JTAP Programme Manager

Chris Rusbridge (CR)eLib Director

John Slater (JS)JISC and University of Kentfirst day only

John Smith (JSm)DTI

David Vinograd (DV)USICA and City University

Jane Williams (JW)JISC assist

Norman Wiseman (NW)JISC Head of Programmes

Ed Zedlewski (EZ)Athens

Working method

The first day consisted of a set of wide ranging discussions to air all the issues. Covering both business and technological issues. The second day reviewed the ground covered on the first and then considered the needs of the HE community and the work that institutions and the JISC need to be taking.

It looked at the business case around security, noting the costs both of implementing security and the potential costs of not doing so. It was noted that the latter includes, potentially, all of the following:

  • Financial loss
  • Loss of reputation
  • Denial of access to resource
  • Regulatory actions

Presentations

Institutional Context

The workshop started with John Slater setting the context in which JISC works, looking at the business which HEIs run, the environment and influences on it.

University are a mixture of business each with associated problem and security issues:-

  • Hotel and long term let, problem collecting debt/bills/rent
  • Research and consultancy , with some issues of Intellectual Property Rights (IPR), forthcoming legislation from EU will exacerbate problem (notably around the issue of "fair use")
  • Teaching, which will increasingly be selling a service with demand for pay-as–you-go systems perhaps relying on ecommerce
  • Employer, staff development and HRM
  • Medical Schools (and associated Teaching Hospitals), confidential information patient data
  • Charging for access to resources, possibly on a pay-as-you go basis.
  • Managing physical resources.

There have been changes in the type of traffic travelling over JANET with more financial data,

Commercial and confidential data and personal data (including medical data). This is not always recognised as confidential by those using it.

Other issues raised included:

  • Increase in incidents and seriousness of hacking
  • There are cultural problems, as there is seen to be a conflict between improved security and the still strong belief in free exchange of information ideas etc
  • HE is a peer based community, loyal to dept or faculty not necessarily the University as a whole, notions of company loyalty not applicable
  • Increase emphasis on accountability from funding bodies and government

Background of JISC and HE

Norman Wiseman then presented the Background relating to JISC and HE community

HE is a very large and varied user group with 1.5 million students and 200,000 and with FE joining this will increase numbers to 4.5 million

There are a variety of drivers for security. These include collaboration across sector, distance learning and remote access, sharing of information within an environment of trust.

With the size and variety of the community there are issues of scalability, Interoperability, appropriateness of any solution selected.

HE has some special requirements including mobility, the multiple role many individuals occupy (eg some staff are also students), non-monetary economics, small market niches, link to student support.

JISC will be implementing work in this field through a new committee on authentication and security with a budget of £2 million, rising to £5 million. Work of this committee will include Internet2, Athens, parts of the JISC development programme, including work with commercial partners. HE has potential as a pre-market test bed.

Other points/issued by group about nature of the HEI community

DV:

There is a wide range of groups/needs to support therefore any solutions cannot be too prescriptive.

Student Personal computers will become increasingly common. They have from the institutions point-of-view an uncontrollable software set-up. There are also legal issue related to HEIs monitoring or controlling access to the hard disc (eg. to ensure that software is licensed or content is legal or that systems do not contain viruses).

CR: Increasingly franchised HE courses are being delivered to student abroad

JS: Funding bodies expecting more accountability, which JISC can use for leverage on HEIs.

Overview of the Leach Reports

John Leach: gave an overview of his reports.

He said that he thought what he had written at the end of 1997 was still applicable today, and that the methodology based on analysing business requirements was the correct approach.

The study covered the user requirements for information security.

The task for JISC

  • promote a strategic approach
  • maintain business focus (i.e. not technology led)
  • institutions must identify their key business goals
  • Security must be seen to bring value/benefit to those business goals if it is to be accorded any priority.

Business Goals

  • financial accountability
  • reduce operating cost
  • prevent unlawful use of resources
  • good standards of control

Recommendations

  • adopt business risk management
  • produce a baseline security for devolved IT
  • develop a structured approach to network access
  • harmonise local access
  • harmonise national access
  • use secure internet protocols

Way Forward

  • The way forward is NOT Public Key Infrastructure / Certificate Authorities, smartcards etc. until these meet business goals.
  • revisit business goals
  • identify how information strategy can benefit the HEI
  • Link key security goals to business goals

ATHENS

Ed Zedlewski gave a presentation on ATHENS: How it functions, advantages over previous methods, user group profile, current level of usage throughout HEI, the current levels of security provided etc.

  • The independent consultants believed the levels of security on ATHENS was very low .
  • The administrators of the ATHENS (i.e. help desk, librarians etc) good target audience for awareness raising around issues of security
  • Some of the JISC representatives felt good starting point that was already regarded as beneficial by HEI community. Slow change culture need to work with/develop recognised system/solution.
  • Questionnaire to community of perceived benefit/advantages of using ATHENS
  • Banks will insist/impose a minimum level of network security before it will support any e-commerce system

Discussion

DV:

  • There is a need to prevent duplication of effort in HEIs in the area of security.
  • UKERNA should produce national solution with individual HEI's able to opt out

CR:

  • HEIs are very long lived institutions. While there is a rapid turnover in current information there is also a need for long term access by others - who need to know the authenticity of the material they are studying.
  • Originality of documents is an issue, there is a need for time stamp type system
  • Need to do some research into e-commerce in HE. One barrier to use of e-commerce in HE is the nature of budgets/accounts as these are often held by others on behave of people (eg interlibrary loans).

JSm:

  • need a minimum set of security requirement in a business format
  • BS7799 like methodologies
  • HE may want to link to the Government Secure Internet (GSI), but will need to meet the minimum requirement to do this.

JLa:

  • vital to maintain trustworthiness
  • there a need to manage Authenticity – access tokens may be a solution
  • the security system employed will need to invisible/transparent to the end user
  • Interoperability and scalability are vital feature of any system developed

BC:

  • Identify key business processes then fit security around them.
  • There is needed for a Administrative Efficiency Exercise that would include security and reward/penalise institution on a similar basis to the RAE
  • There is already considerable amounts of information/guidelines/how to books (i.e. DTI guide line for Information Security) which can be used and pointed to (see eg

NW:

  • Security should be transparent to the user.

CR:

  • HE need methods of securely accessing third party information eg. from rights holder who make their content available
  • Resource will be available via low (per transaction) cost and/or e-commerce based solutions.
  • Athens could be regarded as a prototype – a better specification can be drawn up using the experience gained from Athens once the business needs have been identified

JLa:

  • Baseline missing, what are the current legal and regulatory issues and what will be impacting on JANET/JISC in the near future.

JSm

  • legislation coming down from DTI regarding electronic cash will be reflecting the current paper based regulations.

DV:

  • Wanted the security of his network tested (i.e. attack teams)
  • base lining of current levels of security on all of the HEI's internal networks

Other reflections raised in the group:

  • There are wide differences in technical maturity within HE community (and the community will be even more diverse when FE joins), so which level should a technical solution be aimed at top 25% or middle 50%?
  • One of the prime benefits of security would be to maintain HEI trustworthiness; and thus have information providers continuing to work with us.
  • Trust service can be brought in from eg. post office, BT etc, but a minimum level of security would be demanded, which is currently unachievable on JANET.
  • The extent of leakage is currently unknown.

Areas identified for action

Area

/

Identified as a Priority

Management

  • Configuration management / change control

  • Promote the use of BS7799 as a means of determining the business risks and threats and the appropriate actions to be taken.
/ JS, BC
  • Promote an understanding of the responsibilities consequent on the ownership of information
/ JLa, JS, AC, EZ
  • Introduce contracts and service level agreements for institutions as part of their responsibilities to allow access to JANET

  • Help define the duties and rights associated with access to electronic information

  • Develop codes of conduct

  • Institutions need to develop policies and procedures for content management. This would include issues such as privacy, access to information not related to the users work, authority to put data on web sites etc.
/ BC
  • Ensuring that management allocate sufficient priority to resourcing staff to develop and meet the institutions security policy

  • Having policies and procedures to ensure that users know in what capacity they are accessing data. This is particularly important for people who have multiple roles within an institution (eg staff who are also students or academics with administrative responsibilities).

  • Monitoring and auditing the practice within institution to determine how well practice accords with the policies.
/ DDR
  • data protection

  • purchasing

Technology

  • Provide a national resource to undertake mail filtering, and assist HEIs with implementing their own. This would scan emails for viruses, illegal content etc.
/ DV
  • Implement a national hierarchy of Public Key Infrastructure (PKI) and Certificate Authorities (CA ) for the academic community

  • extending Athens to improve the security it offers and make it address other areas where authentication is needed.

  • e-commerce and micropayments

  • Implement a national firewall on JANET, and assist institutions in the development of their own firewalls; both at the "front door" of the institution and on secure areas within it.

  • Provide an infrastructure for encryption within and beyond HE

  • Assist institutions with the detection of intruders

  • authentication tokens such as smart cards which can be used as part of an authentication (and payment) system

  • Determine a common method for electronic signatures recognised nationally and internationally

  • JISC should work with HEIs and commercial bodies to ensure that solutions are work together in order to minimise the number of systems required.

  • JISC should evaluate security technologies and systems for the benefit of HE

Needs

  • Educate senior management in how security helps business processes
/ BC, CR, JL, DDR, JS, AC, JW, EZ, NW
  • Determine the benefits of the current Athens authentication system and build on these to make it more secure and address other forms of security; and in particular aim to enable Athens to be used as single sign-on system within HE
/ NW, CR
  • Security in the continuity audit

  • get security on the senior management agenda

  • review legislative and regulatory framework. There are a number of areas which institutions need to know about. This include the e-commerce bill, Data protection act, regulations covering monitoring of students PCs when connected to the network, email scanning for viruses or illegal material, abuse of the AUP etc.
/ PB, DV, JW, JLa
  • Investigate the current situation to form a baseline for any further activity
/ JL, TR, JLa, EZ
  • change the culture and behaviour of users throughout HE, to take security issues more seriously

Awareness and guidance

  • Report on best practice both within and beyond UK HE
/ NW, JW
  • Support change management within HEIs

  • Provide pump priming money for institutions to develop or implement security strategies and deploy technologies to demonstrate the need and potential to the community.

  • Develop templates and profiles which can be used by HEIs when developing their own policies and procedures, to simplify the process.
/ TR, JL, AC, PB, DDR
  • interim solutions as starter evolutionary development

  • Make CVCP aware of the issue

  • There is currently a skills shortage in the area of information security and therefore JISC should fund the development of courses in the field (cf. Netskills)
/ DDR TR
  • Provide sign posts to information already available, eg a bibliography on the JISC web pages.

Policies and procedures

  • Use BS7799 as a means of determining the business risks and threats and the appropriate actions to be taken. (see management)

  • Data protection

  • framework for HEI (HEFCs)
/ CR
  • Review the JANET Acceptable Usage Policy (AUP) to ensure that it meets information security needs.

  • creation of a minimum standard for HEIs connected to JANET. To ensure that HEIs cannot endanger the information at other sites, all sites will need to achieve a basic standard.

  • Ensure that there are mechanisms available which all for the identification of the end user

  • information strategies should include information security needs.

  • information security strategies need to be developed by the JISC, funding councils and the HEIs

  • review legislative etc. framework (see needs)

  • Any security strategy needs to take account of international delivery; both in terms of access to resources overseas and enabling access (and payment) by students and others overseas.

  • Develop a national services to support HEIs in the development and implementation of information security strategies and policies.

References

British Standards Institution (1998). BS7799: Part 2:1998 Information Security Management: Specification for Information Security Management Systems ISBN 0 580 28995 8

Working Paper on: Secure Internet issues for the HE Community, Tim Chown, David De Roure, Julian Field, Mark ThompsonEdited by: Jon Read, University of Southampton, June 1999, JTAP-032,

Experience with the Use of a Multi-purpose Smart Card, Dr. Laurie Burbridge, University of Exeter, March 1998, JTAP-019,

Findings from the first stage of the Study into the Requirements for Authentication, Authorisation and Privacy in Higher Education, John Leach, Trusted Information Systems, February 1998, JTAP-015,

Recommended Security Solutions Results of the Study into the Requirements for Authentication, Authorisation and Privacy in Higher Education, John Leach, Trusted Information Systems, February 1998, JTAP-016,

Recommended Actions for JISC Results of the Study into the Requirements for Authentication, Authorisation and Privacy in Higher Education, John Leach, Trusted Information Systems, February 1998, JTAP-017,

Technologies to Support Authentication in Higher Education, Andrew Young* Peter Kirstein+ Alan Ibbetson‡, * University of Salford + University College London ‡ University of Kent at Canterbury, August 1996, JTAP-011,

Implementation of JANET Authentication and Encryption Services, Andrew Young, University of Salford, January 1997, JTAP-07,

Web Security, Andrew Cormack, University of Wales, Cardiff, January 1997, JTAP-06,