Security Architecture

Session Details, Presentations and Notes

Indiana University

From Jim Phelps' blog...

Completed a 10 year Strategic Plan which worked because they connected money to it.  You couldn't get funding unless you showed how your project connected to one of the 71 strategic initiatives.  Completed a 10 year tactical Telecom Plan.  Instead of replacing 1/4 of the switches every year for four years, they want to replace all switches in one year so they can take advantage of new features.

802.11X access solution based on MAC addresses or logins.  Getting to automated, policy-based network access.  What is the value of this and what have people done in this area?  What are the policy zones?  This can flip it over so that we are both protecting our network from devices as well as protecting devices from our network.

This group could develop some design templates that schools could use in discussions with vendors.

UW-Madison - Stefan Wahe

Should there even be a Security Architecture?  Shouldn't security be embedded in all of the groups and users?  When Stefan started in 2001, he always was asked, "Why" about security items.  Why do I need to use a firewall?  Why should I have logging turned on?  Set a set of principles:
• Security is Everyone's Responsibility
• Security is Part of the Development Life Cycle
• Security is Asset Management (classifying the information)
• Security is a Common Understanding
We have a five step process for doing a risk assessment.  First we agree to the assessment scope, then conduct the assessment, develop a draft report, communicate the findings then re-assess as needed.

Risk = (Impact X Likelihood) / (Mitigation Controls)

Impact is related to costs.  How do you monetize reputation?  You can ask how would you spend to prevent this from happening.  This is a Risk Prioritization process.

How do you balance the security principles against the development principles (scalability et al).

Penn State - Steve Kellogg