Security is a word that brings up many different images depending on your experience, profession or industry.  At a University, not only is the context different than at a bank, but it is different depending on what you are trying to secure.  I do not believe that providing security for an organization is a cookbook operation; you will need to understand the needs of the department, the sensitivity of the data, the rules covering the entity and the risks that they are willing to assume.  I also do not believe that perfect security is possible in the real world (unless the computer is in the box, with a wiped hard drive and no BIOS installed).

Often when you look at the security model that a corporation uses, it resembles the banking model for money storage before the ATM – big thick walls (firewalls) with guards with guns and dogs trying to keep the money (data) from getting out.  The perimeter was well defined and secured.

The problem with using this model to secure data in an open environment is that most data at a University is meant to be shared, and unstructured collaboration is not an option; it is a requirement.

This does not mean that there is not some data that needs to be protected, but those requirements apply to specific applications and not to everything.  We have adopted what I refer to as the ISP model of security.  We have a very robust network and the assumption is that any machines on that network can be hostile.  Our security software (non-commercial) is designed to look for compromised machines using network behavior analysis and remove them from the network.  Detection takes about five minutes from the time bad behavior starts.  All of our “crown jewels” are in an Enterprise Zone, which has additional security, including thick walls.  This zone contains less than 1000 machines of the approximately 60,000 to 80,000 machines on campus.

This program has been in use for almost ten years now, and from my observations, the concept of a strong perimeter is fading from the security model.  Move security as close to the data as possible, since the bad guys may be operating from the machine on the desk next to yours.  One size does not fit all!
