This blog post is one of a series of posts designed to "continue the conversation" after the 2016 EDUCAUSE Security Professionals Conference, held April 18–20 in Seattle, Washington.
This year's conference, "Data, Intelligence, Risk, and Value: Security and Privacy in Higher Ed," included a number of formal and informal networking events, from organized birds-of-a-feather sessions to the famous "hallway track," where members can chat informally with their peers about information security issues.
A traditional networking event at the conference is lunchtime roundtable discussions. At the roundtable, participants can network with those who share similar interests or responsibilities and discuss topics of particular interest. One conference attendee hosts each roundtable and facilitates the discussion. Roundtable topics are preannounced in the conference program and this year included items such as attracting and retaining staff, using endpoint security, protecting research data, and learning about IT risk registers. This blog post summarizes the "Internet2 NET+ Program" roundtable discussion.
The Internet2 NET+ program offers a different approach to creating solutions at scale, providing a portfolio of cloud offerings tailored to research and education. It helps institutions accelerate the adoption of cloud solutions, equipping and mobilizing more quickly the very users who are advancing scholarship and science.
Six people joined me for the lunchtime conversation; professional roles represented included CISOs and other information security professionals. The conversation centered on the following themes:
- Campuses are rapidly changing in the area of IT funding. Cloud usage has benefited from campuses trying to identify efficiencies for consolidating locally run systems into cloud services.
- Campuses are experiencing significant pressures regarding saving money and cutting budgets to meet funding constraints, which is very difficult to do in a decentralized environment.
- It is also difficult for campuses to identify cloud and IT spend.
We transitioned into discussing how the NET+ program works, including campuses performing the NET+ security assessments. How NET+ handles security assessments, coordinating the service validation on campuses, seems reasonable, but many campus cloud services are not going through NET+. Departmental applications are solving niche needs and are not going to go through NET+. We're trying to address this issue with updates to the NET+ program, but we will not be able to address all of campuses' cloud needs. I mentioned the shared assessments working group effort starting up.
We then discussed how to integrate cloud services into campus infrastructures, including how to get the logging data from a cloud system into a campus SIEM. One person at the table was working on an RFP for SIEM tools and said it was difficult to get providers to understand that one institution comprises multiple schools, colleges, and health care. We discussed how the NET+ Splunk program could help, but it doesn't have all of the required functionality (i.e., the Splunk Enterprise Security app). The NET+ Splunk program is working on updates to address the requirements and adding in premium apps including Enterprise Security.
There was a request to add more service providers to the NET+ program. I noted that we are always looking for additional security and identity service providers and asked for suggestions. An attendee asked about vulnerability management tools for the whole life cycle and coverage of the campus, to which I replied that we have spoken with Qualys and Tenable. Tenable has a campus sponsor, but it has been difficult to engage Tenable.
The conversation was active and engaging, and I hope you will join us next year!
To continue the conversation on the cloud and cloud security, join the EDUCAUSE Cloud Computing Constituent Group discussion list.
The 2017 EDUCAUSE Security Professionals conference will be held May 1–3, 2017, in Denver, Colorado. The call for proposals for the 2017 conference will be released this fall. If you have ideas for lunchtime roundtable topics at the 2017 conference, please e-mail firstname.lastname@example.org.
Nick Lewis is the NET+ program manager for security and identity at Internet2.
© 2016 Nick Lewis. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.