Well, Christian was working on a talk and he said EDUs are like a museum. At first, I thought he was going to tease us about being quaint, staid and stuffy. Rather than state the obvious :-), he pointed out the following:
- Museums allow all sorts of individuals into their buildings.
- Museums have high value assets and protect them with a variety of tools and technical expertise.
- Key assets are highlighted to make them more accessible to the public.
- Museums cover their interiors with a wide variety of tools.
- Museums focus on detecting malicious operators who may already be inside the building.
- Museums have few access points, but they allow free-flowing access to anyone.
- Museums erect additional barriers around high value assets.
- Museums have pervasive monitoring tools: video cameras, motion detectors, laser detection systems, visitor logs.
- Museums have numerous active response capabilities such as: uniformed guards, on-demand barriers, fire suppression systems, moving doors.
- Museums have recovery systems such as insurance and tracking devices embedded in high value assets.
- Museums assume there are hostiles inside their buildings.

IoT and BYOD have been forcing orgs to reconsider how their network security should be implemented. The traditional border security model will fail in the new technology model unless they adapt to a mobile user environment. I used to say the device was the border. Nowadays, I believe there are 2 new borders that need to be considered:
- User identity - users access their work/home assets from all over the internet. For example, EDUROAM allows members of one EDU to connect to the internet using another EDU's net and the member's home institution credentials.
- Data - If data becomes the new border then does it matter where it's stored? If its protection schemes focus on the data element itself, then I don't believe it matters.