Educause Security Discussion mailing list archives

Re: Policy around IP Phones, Skype, etc.


From: jkaftan <jkaftan () UTICA EDU>
Date: Mon, 27 Nov 2006 13:12:02 -0500





  _____

From: Steve Schuster [mailto:sjs74 () CORNELL EDU]
Sent: Thursday, October 26, 2006 12:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Policy around IP Phones, Skype, etc.



It seems like we've been asked more and more questions about this. We are
not taking any steps centrally to hunt down or restrict such usage but we
are rather discussing our security concerns with the local units and helping
them make or enforce local decisions. Below is a typical response:



____________________________________________

Dear XXX,



            Thanks for the mail and for your very good question concerning
using SKYPE at Cornell.



            Cornell currently has no university policy that prevents such
applications or services from running on our computers or within our
network. As a matter of fact, I wouldn't expect one to be developed as this
seems to be a little too narrow in focus to constitute a university policy.
I'd hate to see a situation where we would have to create a policy for every
service we want or don't want on our campus. So local units are making
these types of decisions individually after determining business needs and
risk to the business and the data they are responsible for protecting.



            With all that said, however, let me give you my security
perspective on SKYPE. I'll break out my concerns into a few areas:

            1. Because SKYPE is set up to be a peer-to-peer application and
SKYPE's user agreement requires you to allow other calls to potentially be
routed through your computer (calls that you're not making or a part of)
this can be a large burden on our local networks and Cornell networks as a
whole. Additionally, because we do local billing for our network use this
might mean some very large monthly bills.

            2. Because calls can potentially be routed through you and due
to the increased visibility on the Internet this has a likelihood of
exposing your computer to hacking attempts or other such things.

            3. Risk of data loss. We have a responsibility to protect our
community's personal data from unauthorized access and take steps to remove
risk of such compromise. I think this is particularly true in a unit such as
yours where you deal with sensitive information, {student, staff, alumni}
data and other such information. I would hate to think about the situation
we might find ourselves in if the data your department processes were
exposed in an unauthorized manner. As a matter of fact, according to NYS law
we must notify if we have such a computer break in. We need to set some
sound practices on what applications are acceptable and unacceptable in our
work environment.



            Due to the concerns that I've outlined above I support not using
SKYPE within most places of our network. I think the ONLY places where SKYPE
might be viable for use are areas where we can guarantee there are no risks
to our sensitive data or risks to the availability of our computer resources
that could lead to interference with business. The only area that comes to
mind that meets this guideline is probably ResNet. So while there might not
be Cornell policy that restricts or forbids the use of SKYPE I do believe it
is in our best interest to tightly limit its use.



            There is a pretty good article that further discusses using
SKYPE in a work environment at
http://www.computerworld.co.nz/news.nsf/news/1C31DD62E610104ACC2570B40016C985



            This probably isn't the answer that you wanted or maybe expected
to hear so for that I'm sorry. If you would want to discuss this further I'd
be happy to.



_________________________________________________________



sjs



Steve Schuster

Director, IT Security Office

Cornell University

sjs74 () cornell edu











On Oct 25, 2006, at 12:55 PM, Sadler, Connie wrote:







Does anyone have thoughts - or an actual policy - regarding the use of IP
Phones or software such as Skype, etc. that they are willing to share?

Thanks!

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
IT Security Officer
Brown University Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
Office: 401-863-7266
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB
PGP Fingerprint: DA5F ED84 06D7 1635 4BC7 560D 9A07 80BA 91E3 8EFB



