Security

Security Architecture Design Tips for Higher Education

Having a cohesive security architecture is vital to ensuring a holistic approach to cybersecurity.

Tom Jordan is a solutions architect at the University of Wisconsin–Madison.

There’s no doubt that higher education institutions face unique challenges in data security. Our IT environments often reflect the open and distributed nature of our institutions, demonstrating Conway’s Law that organizations tend to produce systems that reflect their own structure.

Even before the COVID-19 pandemic, the use of cloud computing and research collaboration presented myriad opportunities—and risks—for colleges and universities. When remote teaching and learning took hold, the threats expanded—all contributing to a complex IT environment that requires a strong and cohesive security architecture to protect.

Here are five key steps to designing your institution’s security architecture.

FIND OUT: The difference between security, privacy and confidentiality.

1. Understand Key Security Architecture Principles

Two key publications that have shaped our thinking around security architecture are 1975’s “Protection of information in computer systems” and ISO/IEC Technical Standard 19249:2017. These publications establish important design principles including:

Economy of mechanism: Security controls should be kept as simple and small as possible to limit complexity and resulting design and implementation errors.
Fail-safe defaults: Access decisions should be based on permission rather than exclusion. The default situation should result in a lack of access, and access control rules should be written to add access rather than block it.
Complete mediation: All objects within a system should be subject to access control rules in all phases of system operation, including initialization, recovery, shutdown and maintenance.
Open design: The architecture must not depend on the design being secret in order to maintain security.
Least privilege/separation of privilege: Permissions should be appropriately organized to allow only what’s necessary for a given situation, and to ensure that potentially dangerous sets of permissions can be isolated.

These design “guardrails” should be present in every technical control. Once these principles are well understood, you can approach the design in several steps.

Click the banner below for exclusive content about security in higher ed.

2. Classify and Categorize the University’s Systems

Next, classify and categorize the systems and data that your organization uses. This may be a broad analysis of all IT and data assets, or in the case of zero-trust architectures, it might be more narrowly focused on your institution’s “protect surface” of critical assets. In either case, the focus of this effort is to assign each system a classification (usually based on data sensitivity) and to categorize systems based on like attributes so you can assign common controls.

3. Conduct Comprehensive Threat Modeling

Threat modeling requires an organization to consider risks to data and IT assets in the context of its overall business and regulatory environment. In this phase, it helps to establish a repeatable process for assessing risk and identifying the highest-priority systems to review.

A repeatable risk assessment process such as the NIST Risk Management Framework, coupled with appropriate system classification and categorization, will help your institution identify and assign security controls consistently over time.

DISCOVER: Future-proofing higher education's infrastructure security strategy.

4. Select and Implement Security Controls

With your systems classified and risks assessed, you should have a good sense of your highest priorities for control selection. Security controls are safeguards that ensure that a particular security policy is enforced, or that violations are reported. Security controls may be technical, administrative or physical in nature and are often grouped into families. NIST Special Publication 800-53 identifies 18 discrete control families ranging from physical access to system and information integrity.

To successfully implement security controls, IT teams must translate those controls into technical configuration, administrative processes or physical controls. Thankfully, several resources can help with this. The U.S. Department of Defense publishes Security Technical Implementation Guides that provide step-by-step instructions for implementing control families on various platforms. Additionally, the Center for Internet Security offers baseline configurations for many systems. These benchmarks can be used both to configure a system initially and to monitor it over time for compliance with a given set of controls.

In this phase, it’s important to consider not just the controls but also the metrics needed to accurately assess the security architecture’s effectiveness. Measuring baseline compliance, patching cadence or vulnerability scan results over time can help you understand where your architecture is working effectively and where it needs attention.

EXPLORE: How to avoid security breaches within the IT department.

5. Monitor, Adapt and Continually Improve the Controls

Finally, an organization must monitor and evaluate the effectiveness of its security controls over time. NIST Special Publication 800-137 offers guidance that integrates security monitoring in the Risk Management Framework and provides technical, business and executive insight into security posture. It describes a family of information security continuous monitoring tools and their key requirements.

Integration both with help desk and inventory systems and with security information and event management and log aggregation tools is key. Tools that support the Security Content Automation Protocol can continually monitor SCAP-capable endpoints and alert if they deviate from an established baseline.

LuckyStep48/Getty Images