Salsa meeting 22-Apr-08
Spring Internet2 Member Meeting
**Attending**
Chris Misra, U. Mass (chair)
Rodney Petersen, Educause
Joe St. Sauver, Internet2/U. Oregon
Deke Kassabian, U. Penn
Jim Pepin, Clemson
Doug Pearson, REN-ISAC/Indiana U.
Mark Poepping, CMU
Kevin Miller, Duke
Ken Klingenstein, Internet2
Renee Frost, Internet2
Steve Olshansky, Internet2 (scribe)
**Discussion**
- CyberSecurity Summit
How to sustain the effort between meetings?
Suggestions and thoughts to Rodney…
- REN-ISAC update
Making progress on work with ANL - federated data sharing
- Salsa-DR
Energy gathering around national-scale testing of emergency plans and procedures. Planning to organize an effort in September 08 - testing emergency notification systems. There was discussion about partnering with Educause on this, to sponsor the effort and increase visibility.
Plan is to write an article in the Chronicle about this prior to the event (authors TBD).
- Joe gave a preview of his CyberSecurity presentation upcoming at the I2MM
- Deke discussed security tools which compromise the privacy of the users they are supposed to be protecting. Examples include "LoJack for laptops", which is branching into asset inventory, including software asset reporting. These also have keylogger functionality built-in… Another example is certain agent-based approaches to NAC which install their agent on every host attempting to access the network, including guests. The agent is able to report start/stop of processes, file open/close, and which applications are running…
Spyware legislation runs up against the issue of clearly defining spyware so as to exclude software which is actually useful in managing networks.
Is there a role Salsa could/should take in this area - in helping to better inform the discussion? Where is the line between an organization's rights and obligations to protect the network, and the users' rights to privacy and freedom? Would a white paper defining the taxonomy and scope of the problem be a useful contribution?
Are solutions being proposed to protect sensitive data similar to those being proposed for managing networks - e.g. NAC?
- ISOC Trust and Identity in the Internet
Related to the 2-port Internet discussions, and opening firewall ports based upon users authenticating…
The higher-ed community is particularly unable to live within the restrictions posed by only 2 ports.
ISOC is spinning up an effort in this area, and vendors will be participating.
Is this an issue that should rise to the level of a thematic purpose for Salsa? A single security approach does not fit all in the current architecture and use profiles of academic networking. In particular, perimeter defense is not viable…
Default-deny for the entire perimeter is not the right way to go, as it inhibits the core mission of R&E. Firewalls should be positioned as close as possible to the assets in need of protection, rather than at the border. Using trust and identity to negotiate security posture seems to be a viable approach.
What form ought our efforts take? A workshop? Identify and include key vendors? Coordinate with ISOC - in what ways?
Reducing friction encountered by your users is the ultimate benefit of this effort. Many of them are using various levels of work-arounds, and in some cases these may not be apparent to central IT, but this can have significant effects on their productivity.
An architectural approach is a likely short-term theme; a protocol approach would be a likely longer-term theme…