NET+ Security and Identity Portfolio: Trends, New Services, and a Preview of 2016
This has been an exciting and productive year for me at Internet2. I have had the opportunity to speak with numerous campuses infosec staff, IT staff, and CISOs to hear how they are using NET+ services and to better understand their potential concerns about cloud security. There were several aspects of how NET+ handled security that campuses seem pleased with, and also, areas of improvement that have been identified. Here is an update about the NET+ Security and Identity Portfolio, community trends, new services added in 2015, and what to expect next year.
Trends in the community
Over the last year, my colleagues and I have talked to more than a few campuses about their cloud plans. In the past, the discussions were about how to plan and when the “cloud” would be coming for their campus. We seem to have surpassed that tipping point of when the “cloud” would get to a campus, but are now more concerned about managing, awareness, and securing cloud services on campuses. More campuses are connecting with me about the security aspects and about meeting higher security standards with cloud services.
Activities and new services added this year
In the last year, the community finished service validation and added two key services, DocuSign and LastPass to the NET+ catalog. So far in the NET+ Early Adopter phase over 5 campuses have signed up for NET+ DocuSign and 2 campuses for NET+ LastPass. We also added a whopping 45 new campus subscribers to the InCommon Duo Security agreement. We’ve talked with many potential service providers suggested by the community and that have shown interest in the NET+ program. I’ve presented at several different events about NET+ security and the Security and Identity portfolio along with a development workshop at the Internet2 Technical Exchange.
What to expect in the next year
In 2016, campuses can expect more in NET+ security regarding documentation on how security is handled in the NET+ program, as well as information security procedures for campuses to use during NET+ service validation, and communications regarding the security provisions of existing NET+ service providers. Adobe Esign, CloudLock, Skyhigh, and Akamai are all slated to be added to the NET+ Security and Identity portfolio early in 2016 with active service validations underway. A NET+ agreement with Duo Security will be completed and ready for campus sign-ups shooting for 1 million deployed users of Duo in higher education.
One thing that I am excited to work on next year is understanding and detailing how NET+ services can be used to meet higher security requirements on campuses. Many campuses have high security requirements in some areas and are spending significant resources on implementing solutions to meet the various requirements including security requirements. Something I’ve become aware of is that many campuses do not know that AWS or Azure, or other potential NET+ services, can be used as part of their high security environments and save them significant resources over doing it by themselves. We’ll blog more about that in the near future, but this is somewhere a campus can potentially get better security at lower cost.
Another campus time saving activity I’m going to continue to explore is to see if there is enough interest in shared information security assessments. Jon Allen, CISO at Baylor, suggested this idea we’ve been gauging interest with other community members about it. Few cloud services will make it to be a NET+ service, but campuses still have the same security requirements for cloud services on their campuses. Shared campus information security assessments have the opportunity to save campuses some time allowing them to evaluate the security of cloud services more efficiently.
Information security is only gaining in importance for campuses and executive management on campuses. Internet2 and NET+ are well positioned to facilitate this with the community with others like Educause and REN-ISAC.
I look forward to a busy 2016 and want to thank the community for embracing this portfolio and working together to ensuring cloud services meet campus information security requirements. As a community, we can share effective practices, collaborate with potential service providers on information security, and improve the state of information security on campuses.