Educause Security Discussion mailing list archives

Re: Policy around IP Phones, Skype, etc.


From: Steve Schuster <sjs74 () CORNELL EDU>
Date: Thu, 26 Oct 2006 12:49:33 -0400

It seems like we've been asked more and more questions about this.
We are not taking any steps centrally to hunt down or restrict such
usage but we are rather discussing our security concerns with the
local units and helping them make or enforce local decisions.  Below
is a typical response:

____________________________________________
Dear XXX,

        Thanks for the mail and for your very good question concerning using
SKYPE at Cornell.

        Cornell currently has no university policy that prevents such
applications or services from running on our computers or within our
network.  As a matter of fact, I wouldn't expect one to be developed
as this seems to be a little too narrow in focus to constitute a
university policy.  I'd hate to see a situation where we would have
to create a policy for every service we want or don't want on our
campus.  So local units are making these types of decisions
individually after determining business needs and risk to the
business and the data they are responsible for protecting.

        With all that said, however, let me give you my security perspective
on SKYPE.  I'll break out my concerns into a few areas:
        1.  Because SKYPE is set up to be a peer-to-peer application and
SKYPE's user agreement requires you to allow other calls to
potentially be routed through your computer (calls that you're not
making or a part of) this can be a large burden on our local networks
and Cornell networks as a whole.  Additionally, because we do local
billing for our network use this might mean some very large monthly
bills.
        2.  Because calls can potentially be routed through you and due to
the increased visibility on the Internet this has a likelihood of
exposing your computer to hacking attempts or other such things.
        3.  Risk of data loss.  We have a responsibility to protect our
community's personal data from unauthorized access and take steps to
remove risk of such compromise.  I think this is particularly true in
a unit such as yours where you deal with sensitive information,
{student, staff, alumni} data and other such information.  I would
hate to think about the situation we might find ourselves in if the
data your department processes were exposed in an unauthorized
manner.  As a matter of fact, according to NYS law we must notify if
we have such a computer break-in.  We need to set some sound
practices on what applications are acceptable and unacceptable in our
work environment.

        Due to the concerns that I've outlined above I support not using
SKYPE within most places of our network.  I think the ONLY places
where SKYPE might be viable for use are areas where we can guarantee
there are no risks to our sensitive data or risks to the availability
of our computer resources that could lead to interference with
business.  The only area that comes to mind that meets this guideline
is probably ResNet.  So while there might not be Cornell policy that
restricts or forbids the use of SKYPE I do believe it is in our best
interest to tightly limit its use.

        There is a pretty good article that further discusses using SKYPE in
a work environment at http://www.computerworld.co.nz/news.nsf/news/1C31DD62E610104ACC2570B40016C985

        This probably isn't the answer that you wanted or maybe expected to
hear so for that I'm sorry.  If you would want to discuss this
further I'd be happy to.

_________________________________________________________

sjs

Steve Schuster
Director, IT Security Office
Cornell University
sjs74 () cornell edu
On Oct 25, 2006, at 12:55 PM, Sadler, Connie wrote:


Does anyone have thoughts - or an actual policy - regarding the use
of IP Phones or software such as Skype, etc. that they are willing
to share?

Thanks!

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
IT Security Officer
Brown University Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
Office: 401-863-7266
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB
PGP Fingerprint: DA5F ED84 06D7 1635 4BC7 560D 9A07 80BA 91E3 8EFB