Monday, April 16, 2018

Why Corporate Security Should Be Like Museums? EDUs Are.

I was preparing a talk for the 2018 Educause Security Professionals Conference and was trying to think of ways to show how EDU networks are really microcosms of society. I wrote in an earlier blog post that EDUs are small cities. I've said that our network security strategy is a blend of commercial and ISP requirements. It wasn't until I ran into my friend, Christian Schreiber, that I got the best analogy so far. As a CISO, I have to give a presentation to our Board of Visitors, our version of the corporate board of directors, every now and then. I like to use real world examples to explain our security strategy. Most board members come from the corporate world and want to know why we don't follow a corporate IT security strategy.

Well, Christian was working on a talk and he said EDUs are like a museum. At first, I thought he was going to tease us about being quaint, staid and stuffy. Rather than state the obvious :-), he pointed out the following:
  1. Museums allow all sorts of individuals into their building.
  2. Museums have high value assets and protect them with a variety of tools and technical expertise.
  3. Key assets are highlighted to make them more accessible to the public.
  4. Museums instrument their interiors with a wide variety of tools.
  5. Museums focus on detecting malicious operators who may be already inside the building.
Christian went further and gave some examples of museum defense in depth:
  1. Museums have few access points but they allow free flowing access to anyone.
  2. Museums erect additional barriers around high value assets.
  3. Museums have pervasive monitoring tools: video cameras, motion detectors, laser detection systems, visitor logs.
  4. Museums have numerous active response capabilities such as uniformed guards, on-demand barriers, fire suppression systems and moving doors.
  5. Museums have recovery systems such as insurance and tracking devices embedded in high value assets.
  6. Museums assume there are hostiles inside their buildings.
As you can see, continuous monitoring, zero trust networking and network forensics components are embedded in the bullet items above. Museums allow visitors to bring their own devices, take pictures, buy souvenirs and wander freely within public spaces. They also have restricted areas that require additional authentication and authorization.

IoT and BYOD have been forcing organizations to reconsider how their network security should be implemented. The traditional border security model will fail in the new technology model unless it adapts to a mobile user environment. I used to say the device was the border. Nowadays, I believe there are 2 new borders that need to be considered:
  1. User identity - users access their work/home assets from all over the internet. For example, eduroam allows members of one EDU to connect to the internet using another EDU's network and the member's home institution credentials.
  2. Data - If data becomes the new border then does it matter where it's stored? If its protection schemes focus on the data element itself, then I don't believe it matters.
Given these 2 new borders, the museum defense model makes a lot of sense. This doesn't mean that you should discard the older perimeter style defenses, but it does mean the combination of these layers forms the basis of a reasonable, successful museum defense.