
Security Scene: Implementing an Internet2 Network Security Program

Posted on May 17, 2017 by Paul Howell
Tags: End-to-End Trust and Security, Frontpage News, Internet2 Network, Recent Posts, Security

Security Scene: Part 1


Introduction

This is the first in a series of articles that will explore the experiences and benefits of implementing a security program for the Internet2 Network. The creation of the Chief Cyberinfrastructure Security Officer role at Internet2 grew out of an increasing concern on the part of leadership that research and education (R&E) networks may become more attractive to potential attackers. My first assignment as CCSO was to determine the security posture of the network (i.e., Advanced Layer 1, Layer 2 and Layer 3 Services) by identifying significant risks and proposing solutions to mitigate each risk. The findings were then presented to Internet2 leadership so that risk management decisions could be made and next steps planned. In the nearly twenty years that the Internet2 Network has been in operation, this was the first time a baseline security risk assessment had been performed. It was clear that a proactive security program was needed that would appropriately protect the network from attack.

Inaugural Security Program

Traditionally, information security programs have emphasized “layers of security,” where no single risk mitigation strategy is trusted to mitigate all risk. Instead, a series of planned, inter-related, and stacked programs provide layers of security that, in total, lower the risk to an enterprise.

Over the past 15 years, leading campuses have invested heavily in security programs to reduce their “attack surfaces” by building layered programs that strengthen their security perimeters. In the best instances, they have effectively moved the points of “easiest attack” outside campus enterprises to other entities. In contrast, R&E networks historically have stated that they present a low security risk to the data they carry, and that their role in moving data instead of storing data presents reduced risk. However, as the strength of campus security programs continually increases, R&E networks such as the Internet2 Network may come to be viewed by potential attackers as an easier target.

In recognition of the importance of our R&E ecosystem and the associated role of the Internet2 Network, we initiated a security risk assessment to factually determine the current security posture of the network and, where necessary, begin the process of layering additional security controls on top of existing practices. In theory, adding formality to the existing security controls, building a deliberate set of controls and layers to the security perimeter, and becoming more proactive in monitoring for potential attacks will increase the overall security of not only Internet2 but also the community it serves.

Like most initial benchmarking efforts, the Internet2 security assessment identified several informal practices that could be formalized, areas where additional layers of security could be added, and areas where proactive investment could benefit the community at large. A risk assessment treatment plan was completed that guided our efforts in implementing improved security solutions within the network. To date, Internet2 has added more layers of security with deliberate controls and, with proactive support from the community, reduced its overall risk profile and improved the security of our R&E ecosystem.

Future articles will dive deeper into the various layers of security and discuss their benefits to the security posture of the Internet2 Network.