Educause Security Discussion mailing list archives

Re: How to Protect Campus Sensitive Servers


From: "Sarazen, Daniel" <dsarazen () UMASSP EDU>
Date: Thu, 4 Feb 2010 09:42:37 -0500

The first question I always have is, how do you know which data you
should be protecting? Have you completed a formal inventory? If you
have, you should have accurate lists of everything that's been
categorized as "Confidential." 

Without the inventory you could spend a lot of money protecting servers
that don't pose high risks, and also leave unprotected confidential data
that you are unaware of.

There are now automated tools available that search for confidential
data (i.e. SSNs, credit cards). The other method would be manual
inventories, but that requires that you review every file on every
server/desktop manually (actually open and read each document), and who
has time for that?
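As an added example (not part of Mr. Sarazen's message or any particular product), the core of the kind of automated search he refers to: regex matching for SSN- and card-shaped strings, with validation so that obviously unissued SSNs and numbers that fail the Luhn check are not reported. The file names and their contents below are constructed to show one true hit of each kind and several lookalikes that a naive pattern-only tool would flag.

```python
"""Scan text for candidate SSNs and payment card numbers, validating each
candidate to cut false positives. Added example; file names and contents
are constructed, not real campus data."""
import os
import re
from typing import Dict, List, Tuple

# Constructed sample "files" standing in for documents on a server share.
SAMPLE_FILES: Dict[str, str] = {
    "hr/benefits_2009.txt": "Employee J. Doe, SSN 123-45-6789, enrolled 2009-08-01.",
    "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,4111111111111112\n",
    # Lookalikes: area 000 and 666 are never issued; the 16-digit string fails Luhn.
    "it/inventory.txt": "Asset tag 000-12-3456 and serial 666-01-0001; build 9876-5432-1098-7654.",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings the SSA never issues."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) for each validated candidate in text."""
    findings: List[Tuple[str, str]] = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            findings.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", m.group(0)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Scan an in-memory name -> content mapping; returns (name, kind, match)."""
    return [(name, kind, hit) for name, text in files.items()
            for kind, hit in scan_text(text)]


def scan_path(root: str) -> List[Tuple[str, str, str]]:
    """Walk a directory on disk and scan every file as text (non-UTF-8 bytes ignored)."""
    found: List[Tuple[str, str, str]] = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            with open(p, "r", encoding="utf-8", errors="ignore") as fh:
                found.extend((p, kind, hit) for kind, hit in scan_text(fh.read()))
    return found


if __name__ == "__main__":
    for name, kind, hit in scan_files(SAMPLE_FILES):
        print(f"{name}: {kind} {hit}")
```

Run against the constructed sample it reports only the SSN in the HR file and the first card number in the refunds file; the asset tag, the serial number and the Luhn-failing build string are all dropped. Real tools add context rules (keywords such as "SSN" or "card" nearby, document type, hit density) on top of this, because a single nine-digit string in an inventory sheet is far more often a part number than a person.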

 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of schilling
Sent: Thursday, February 04, 2010 9:01 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] How to Protect Campus Sensitive Servers

Hi All,

Our university is trying to protect some sensitive servers like
database, financial, admission etc. The rising number of requests for
access to these servers is from people who use laptops. In order to give
people the access, we create a VPN group for this special interest group
and give access to only certain people who need the access, then put the
VPN address pool range in the iptables/ipf of the corresponding servers.
Now people are complaining that there are too many VPN groups and it's
hard to remember which one to use; meanwhile, each small server group is
trying to ask for a VPN group. It looks like we might have one VPN group
for each server.

We propose one central Information Technology Services (ITS) VPN
profile which could have access to all the resources; all employees in
ITS will have access to this VPN group. Then on all the servers, host
based user/group authentication/authorization will decide whether a
user can log in or what to do.

We thought about the per user/group ACL from the VPN servers, but we are
not sure about the management nightmare of maintaining the per user/group ACL.

I would like to know what alternatives we have for this kind of
situation.

Thanks.

Shiling Ding
850-645-6810
Information Technology Services
Florida State University
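As an added example (not from either message in this thread, and not FSU's actual configuration), a small model of the two-layer design the original post proposes: the server's packet filter admits only the central ITS VPN pool, and the host's own group check decides which of those ITS users may actually log in. Pool addresses, server names, ports and group names are all made up; the rule text rendered is ordinary iptables and sshd_config syntax, but the script only renders it, it does not apply it.

```python
"""Model of the proposed access model: server-side packet filter keyed to
the VPN address pool, then host-based group authorization. Added example
with constructed pools, servers and groups; nothing here touches a real
firewall or sshd."""
import ipaddress
from typing import Dict, List

# Constructed: one central ITS pool (the proposal) next to a legacy per-group pool.
VPN_POOLS: Dict[str, str] = {
    "its-all": "10.20.0.0/24",
    "finance-dba": "10.20.1.0/24",
}

# Constructed per-server policy. "pools" is the network layer (iptables -s),
# "groups" the host layer (sshd AllowGroups or a PAM group check).
SERVERS = {
    "finance-db": {"port": 22, "pools": ["its-all"], "groups": ["finance-dba"]},
    "admissions": {"port": 22, "pools": ["its-all"], "groups": ["admissions-admins"]},
}


def iptables_rules(server: str) -> List[str]:
    """Render the server's rules: accept each allowed pool, then drop the rest of the port."""
    policy = SERVERS[server]
    port = policy["port"]
    rules = []
    for name in policy["pools"]:
        net = ipaddress.ip_network(VPN_POOLS[name])   # also validates the CIDR
        rules.append(f"-A INPUT -p tcp --dport {port} -s {net} -j ACCEPT")
    rules.append(f"-A INPUT -p tcp --dport {port} -j DROP")   # must come after the ACCEPTs
    return rules


def sshd_allow_groups(server: str) -> str:
    """The host-layer counterpart: an sshd_config AllowGroups line for this server."""
    return "AllowGroups " + " ".join(SERVERS[server]["groups"])


def network_allows(server: str, src_ip: str) -> bool:
    """Layer 1: is the connection coming from an address in an allowed VPN pool?"""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(VPN_POOLS[p]) for p in SERVERS[server]["pools"])


def host_allows(server: str, user_groups: List[str]) -> bool:
    """Layer 2: does the authenticated user hold one of the server's groups?"""
    return bool(set(user_groups) & set(SERVERS[server]["groups"]))


def access_decision(server: str, src_ip: str, user_groups: List[str]) -> str:
    """Apply both layers in the order the packet would meet them."""
    if not network_allows(server, src_ip):
        return "drop:network"
    if not host_allows(server, user_groups):
        return "deny:host"
    return "allow"


if __name__ == "__main__":
    for line in iptables_rules("finance-db"):
        print(line)
    print(sshd_allow_groups("finance-db"))
    print(access_decision("finance-db", "10.20.0.15", ["its-staff"]))
```

The point the model makes concrete: once everyone in ITS shares one pool, the source address only proves "some ITS VPN user", so the distinction between a DBA and a desktop technician has to live on the host (the `deny:host` case). That is also the caveat against relying on the pool range alone: the iptables rule never identifies the person, only the tunnel they came in through.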
