As the CISO of the largest research university in Virginia, I wrote in an earlier blog that EDUs aren’t that different from the corporate world. We have 3 main business processes: Administrative, Academic/Instructional, Research. Our network security strategy is a blend of commercial and ISP requirements. The Administrative process handles all of the IT functions that support the business of running the university – HR, Payroll, Purchasing, Legal, Controllers, Bursars, etc. Here, the traditional “corporate” style security model is used. The Academic/Instructional process supports the business of teaching classes and is heavily BYOD. The Research process is a hybrid of the previous two processes. A university campus is a small town with its own law enforcement, housing, dining, cultural and athletic facilities, and power plant, each of which uses the internet to do business.
The New Internet – Internet 3.0
Here’s the evolution of the client-server model:
• Internet 1.0 – static servers (mainframes); static endpoints such as hardwire terminal (IBM 3270) style connections to mainframe.
• Internet 2.0 – static servers (mainframe, minicomputers); mobile endpoints (desktops, laptops).
• Internet 3.0 – mobile servers (mainframe, desktop, containers, serverless applications); mobile clients (smartphones, tablets, IoT, laptops).
Current security architectures are stuck between Internet 1.0 and Internet 2.0. We must adapt and use newer security architectures to address Internet 3.0.
What do hackers do once they get inside your network? There are many variants but they collapse to three basic goals:
1. Data theft or disclosure aka data breaches
2. Data destruction aka deletion or ransomware
3. Attack other sites using your network assets. Maintain control of these assets.
A successful defense strategy must address these attack goals.
The Museum Security Architecture
Christian Schreiber gave me the best analogy for internet security architectures that I’ve heard so far. He said EDUs are like a museum with the following properties:
1. Museums have high value assets.
2. Key assets are highlighted to make them more accessible to the public.
3. Museums protect their interiors with a wide variety of tools, techniques and expertise.
4. Museums focus on detecting malicious operators who are already inside the building.
Christian went further and gave some examples of museum defense in depth:
1. Museums have few access points but they allow free flowing access to anyone.
2. Museums erect additional barriers around high value assets.
3. Museums have pervasive monitoring tools: video cameras, motion detectors, laser detection systems, visitor logs.
4. Museums have numerous active response capabilities such as: uniformed guards, on-demand barriers, fire suppression systems, moving doors.
5. Museums have recovery systems such as insurance and tracking devices embedded in high value assets.
6. Museums assume there are hostiles inside their buildings.
These characteristics describe how we should defend in the Internet 3.0 world. Continuous Monitoring, Zero Trust Network and network forensics components are embedded in the museum security model as shown in Table 1. IoT and BYOD are forcing organizations to replace the traditional border security model of “keep the bad guys out with firewalls”. This model fails in the Internet 3.0 environment because the “border” has disappeared. The new borders are:
1. User identity - users access their work/home assets from anywhere over the internet using their identity credentials from their home institutions. For example, EDUROAM allows visitors to connect to the internet at another institution using their home institution credentials. We see a similar trend with applications accepting Google or Facebook credentials for login and authorization purposes.
2. Data - Data becomes the new border and may not be inside the organization.
Zero Trust Network Characteristics
Network and user traffic patterns have changed dramatically in the past 20 years. Internet 3.0 dissolves the traditional network border and forces defenders to use a new set of assumptions. Gilman and Barth’s book “Zero Trust Networks” describes these new assumptions. I’ve added a few extra ones to their original list. The new assumptions are:
1. The network is always assumed to be hostile.
2. Treat all hosts as internet-facing devices.
3. Assume the hostiles are already inside your network.
4. Network segmentation is not sufficient for deciding trust in a network.
5. Every device, user and network flow is authenticated and authorized.
6. Policies must be dynamic and calculated from as many sources of data as possible.
7. Data and a user’s identity are the new borders. High-risk data must be secured regardless of location. User identities must be confirmed.
8. New technologies such as containers, serverless apps, cloud computing and storage are the new disruptors of traditional security architectures.
9. Mobile users, mobile devices, mobile data, mobile storage force this change.
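As an added illustration of assumptions 4 to 7 (my own example, not code from this post or from Gilman and Barth’s book): a small policy engine that evaluates every request from several signals and never lets the network zone decide trust. The field names, data classes and scoring weights are assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class AccessRequest:
    """Signals a policy engine would pull from several sources (hypothetical field names)."""
    user: str
    idp_assertion_valid: bool   # identity confirmed by the user's home institution (federated login)
    mfa_passed: bool
    device_managed: bool        # device is enrolled and its posture is known
    device_patched: bool
    network_zone: str           # "campus", "eduroam" or "internet": recorded for forensics, never trusted
    data_class: str             # "public", "internal" or "high-risk"
    anomaly_score: float        # 0.0-1.0 from continuous monitoring of this session

# Evidence a request must carry before data of that class is released (assumption 7).
REQUIRED_TRUST = {"public": 0, "internal": 2, "high-risk": 4}

def trust_score(req: AccessRequest) -> int:
    """Assumption 6: the policy is computed from many signals, not from a single check."""
    score = 0
    score += 2 if req.mfa_passed else 0
    score += 2 if req.device_managed else 0
    score += 1 if req.device_patched else 0
    score -= 3 if req.anomaly_score > 0.7 else 0   # monitoring can pull trust back mid-session
    return score

def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step-up' or 'deny'. network_zone is deliberately never consulted
    (assumptions 1-4): a campus address earns exactly what an internet address earns."""
    if not req.idp_assertion_valid:          # assumption 5: every flow is authenticated
        return "deny"
    if trust_score(req) >= REQUIRED_TRUST[req.data_class]:
        return "allow"
    if req.data_class != "public" and not req.mfa_passed and req.anomaly_score <= 0.7:
        return "step-up"                      # ask for MFA instead of a flat deny
    return "deny"

if __name__ == "__main__":
    # Constructed sample request: a user on an unmanaged laptop asking for high-risk data.
    on_campus = AccessRequest("jdoe", True, False, False, True, "campus", "high-risk", 0.1)
    from_home = replace(on_campus, network_zone="internet")
    # Both print "step-up": the border is identity plus data classification, not the wire.
    print(decide(on_campus), decide(from_home))
```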
Internet 3.0’s mobility and security requirements can be addressed by using the Museum model. Server and endpoint mobility fits this model: its core concepts provide access to high-risk assets under continuous monitoring and local protection mechanisms. This approach creates an architecture that can handle data, application, server and storage mobility.