ICYMI: Recap of Recent NET+ Security and Identity Portfolio Development Workshop
One of the best parts of the Internet2 Technology Exchange in Cleveland was the robust discussions and spirited interactions with fellow speakers and attendees during presentations and in the hallways. Attendees were enthusiastic about the opportunity to connect with their peers and focused on improving the state of higher education IT. This engagement and dedication was clear in the security related sessions I attended.
At the end of a busy week, the community held a post-conference workshop to focus on the NET+ Security and Identity Portfolio, which was well attended with 10-15 campuses represented. If you were unable to attend the workshop, here is a recap of discussions.
Top Campus Cloud Security Concerns
As an opening icebreaker, participants were grouped and asked to list their top cloud security concerns. As we continued though the workshop, I referenced and helped to address these main concerns and how the community has either addressed them already or could consider developing certain NET+ program resources and activities in order to do so. The top concerns noted (in alphabetical order):
- Availability of cloud services
- Data breach / incident / liability
- Data classification for data being stored in cloud services
- Federation integration
- Privacy of user data and usage of service
- Transparency of operations and security
There were a few common themes that reappeared throughout the workshop and continued to come up in discussions with attendees: documentation, communication, and enhance coordination with partners (EDUCAUSE and REN-ISAC).
As part of the community NET+ service validation process, a cloud security assessment is included. Campuses expressed interest in understanding the process that was undertaken during service validation so they can use that as part of their due diligence to assess the risk for a potential cloud service. This documentation could then be communicated with campuses interested in a particular service.
There were minimal security improvements suggested around setting the standard for security controls that are required for service providers, but additional clarification around incident response, privacy, and logging was discussed.
What I did hear loud and clear during the workshop and other discussions at the event is that additional documentation and communications are needed in order to ensure clear and consistent understanding of cloud service security and avoid duplicating effort across campuses.
We had a jam-packed session and the discussion regarding how NET+ incorporates security and the Security and Identity Portfolio could have continued into another day. Stay tuned for future blog posts, documentation, and communications further addressing the issues discussed at the workshop.
Access presentations from the workshop.
If you have any questions about the workshop, NET+ security, or the NET+ Security and Identity portfolio, please contact Nick Lewis.