Data centers of universities and IT departments of smaller higher education institutions provide dozens of IT services such as email, web hosting, e-learning, and file storage. The number of server machines and appliances that need to be operated often reaches three digits, depending on the number of services, users, and high-availability setups. Many services can be used via the Internet to improve usability. As one of the consequences, many servers are subject to Internet-based attacks. Typically, security mechanisms such as firewalls and intrusion prevention systems are used to counter these attacks. However, in practice many server machines still get compromised, e.g., due to vulnerabilities in server software that is not patched fast enough, or due to improper configuration of the software running on these machines. In an ideal world, there would be enough IT personnel to operate all these IT services, and each IT administrator would also be an IT security specialist who knows exactly how to make his or her own servers almost perfectly secure. In reality, however, a very small IT staff often needs to run more servers than can easily be handled, and IT services such as groupware or e-learning systems have become extremely complex regarding their core functionality. Consequently, administrators have diminishing resources, i.e., time and know-how, to properly secure their IT services. Specialization then typically leads to the foundation of dedicated security teams, such as CERTs (computer emergency response teams) and CSIRTs (computer security incident response teams). While those security teams consist of security experts, their primary problem is a lack of in-depth knowledge about all those IT services and their specific configuration.
In order to facilitate the security team's efficient handling of, for example, security incidents in an e-learning service, knowledge transfer from the e-learning administrator to the security team about the specific setup must be fostered, and accurate knowledge must be available on demand, for example, if a security incident happens while the service administrator is on holiday. In theory, each IT service should be properly documented along with all of its operational and security-specific properties, and this documentation should always be kept up to date. In reality, most IT administrators have no time to write documentation, dislike this task, and often do not even know what should be documented in a service-specific "IT security concept". Therefore, many security incidents are handled in a patch-on-demand manner: once a service has been compromised by an attacker, it is set up again, e.g., from a clean backup, and minimal configuration changes are applied to prevent the same type of attack from succeeding again. While this approach is somewhat pragmatic, it obviously cannot be considered a good and sustainable solution. We present a template-based approach to the documentation and management of IT security concepts tailored to the demands of real-world IT service operation in higher education institutions. Our documentation template is intended to be filled in easily, provides a uniform document structure across many types of IT services, encourages IT administrators to think about IT security in a target-oriented way, and supplies security teams with the information they require for security incident handling. Its contents are based on security standards and good practices, such as ISO/IEC 27001, ITIL v3, and the "IT base protection catalogues" (IT-Grundschutz) by the German Federal Office for Information Security (BSI).
We are working on a web-based management frontend that makes it easy to initially write, update, access, and utilize the security concept documents, which are stored in a repository that also serves as a foundation for an inter-organizational exchange of IT security concepts.