Educause Security Discussion mailing list archives

Re: "Porn-surfing hits taxpayer IDs"


From: Graham Toal <gtoal () UTPA EDU>
Date: Thu, 15 Jun 2006 08:33:10 -0500

One idea we're thinking about doing for this type of data is 
setting up a terminal server farm where we know what's on the 
systems.  Anyone gone down that route of emulating mainframe 
computing again?

That was phase 3 of a 4-step security plan I had for the
University here a couple of years ago.  The other three
steps have been implemented, but that one was more or less
forgotten.  It's both expensive, and didn't get any management
buy-in, which is a shame because I think it is the right
thing to do.  I just hadn't decided at the time if something
like a Citrix server was the way to go or whether we could
have gotten away with a cheaper separation of environments
by using VMware on the desktop.

Mind you, in the two years since I first suggested that, my
thinking has verged towards the more radical, on separation of
management services vs email, browsing etc... I'm beginning
to think we should air-gap all our systems that hold
sensitive data.  And I don't mean a virtual air-gap using
VLANs, I mean a whole second set of switches and wiring, and
no connections at all to the outside world, i.e. no dialup
servers, no VPNs, no application proxies, etc.

Fortunately for everyone else, I'm no longer the person who
makes those decisions ;-)

G
