Reducing the Surface Area of Cyber Risk: IU's IT-28 Initiative
A Q&A with Brad Wheeler and Paul Howell
How can higher education institutions reduce their exposure to cyber risks? Speaking with CT from the Internet2 Global Summit in Washington, DC, Brad Wheeler, VP for IT and CIO at Indiana University, and Paul Howell, Internet2's Chief Cyber Infrastructure Security Officer, examine IU's cyber risk mitigation policy.
"What we needed was a policy framework that balanced the creative, individual activities that make universities remarkable places, while mitigating against the risks of a changed and increasingly dangerous world." — Brad Wheeler
Mary Grush: What is IU's Cyber Risk Mitigation Policy?
Brad Wheeler: Universities long ago put policies in place so that individual actions wouldn't create financial risks. Financial controls mitigate those risks, yet, for many years, just about anyone could take an individual action to connect a server to the campus network and create very substantial institutional risks — cyber risks. IU's Cyber Risk Mitigation Policy created an actionable framework for the entire university to address the very real institutional risks in an increasingly connected world.
Grush: What prompted IU to begin work on this policy?
Wheeler: I think the trigger event for us at Indiana University was back in January of 2013. We saw the New York Times was hacked, plus the Wall Street Journal, and the Washington Post — that range of outlets. And pretty shortly after that, it was made public what a lot of people had known more privately — that a good bit of this was highly organized criminal action, and fundamentally the game had changed, from what we had all been doing for a number of years. At IU, we took it that we had to start dealing with cyber risk the same way we deal with financial risk.
The university, like most universities, had a mature set of policies and an approach to manage individual actions and institutional risks around finance. For example, you just wouldn't let any particular departmental assistant decide to start taking credit cards using an iPad swipe, in the name of the university. We wouldn't allow that to happen. But, because of the nature of universities, we had long enabled just about anyone to plug a server into the wall. And individual actions manufacture pretty substantial institutional cyber risk.
What we needed was a policy framework that balanced the creative, individual activities that make universities remarkable places, while mitigating against the risks of a changed and increasingly dangerous world. That's how we set out in creating IT-28, by looking at what we had learned worked well for mitigating financial risks, and putting policies in place that could work across the university for mitigating cyber risk.
I think that it is important to note that this wasn't any "give the order to consolidate all the servers" or some such thing… but the policy did assert that part of the fundamental approach was to reduce the surface area of risk to the university.
Grush: What is the surface area of risk to the university, and how does the policy work to reduce it?
Wheeler: I've illustrated that sometimes by holding up a basketball, and holding up a tennis ball. What we'd like to do is reduce the number of things that create risk. The principal means of doing that are (1) using shared services, and (2) using secure facilities.
But beyond that, departments and schools can assert other ways. For example, if a department needed to have a lab that has lots of servers, or a physicist needed to have some big equipment locally in the lab, these things are entirely permissible and consistent with the policy. The department just has to demonstrate that they are mitigating the very real risks that equipment can create.
Grush: Is it true that this summer, IU will have more than 88 percent of known servers in secure data centers? Is that margin — the remaining 12 percent or so — really small enough to close off the security risk adequately? What percent would be?
Wheeler: Well, it's a dramatic change. And with this first round of IT-28 implementation we'll hit almost 90 percent. It's not possible to get to 100 percent, because you have some lab equipment that the server must be co-located with, or for some specialty reasons you just can't get to 100 percent. But 90 percent is a pretty high degree of making use of secure facilities.
What's also quite interesting is that most institutions have no idea of what the real surface area of the risk is. We thought we knew, a couple of years ago. But through the IT-28 self review process, we identified 1,578 more servers than we thought were out there. [The overall total of servers in secure facilities has reached 4,572 so far.]
Grush: Especially given all those servers out there, how does central IT work with the schools and departments? And is there any degree of enforcement or compelling reasons for them to comply or take this really seriously?
Wheeler: A school does a self-review, working with our team, and then ultimately the dean and I jointly sign off on a cyber risk mitigation plan for that school. All the units will have been signed off (by deans, directors of admissions, and so forth) by this summer. And it's not just a policy that people can ignore; it has real teeth in it.
It also creates a couple of very healthy dialogues at the university. First, as one of the school IT leaders said, it's created a common vocabulary amongst school-level and department-level IT directors, about how to think about managing and mitigating risk, helping them to be able to have that conversation with the university.
Second, there is a really healthy tradeoff that actually puts a cost on the risk that's being created. For many schools and departments, it was often difficult to express to senior management that they needed more effort around cyber security. For example, let's say I was a professor of computer science, and I say that I have to run all my own servers for reasons that have merit. The dean can say "okay, but we have to put security professionals around that — this can't be done with graduate students or post docs." So, we may have to cut a graduate assistant or some other funding to pay for it, or alternatively, maybe consider using virtualized servers instead. Because this kind of dialogue puts a real cost on the risk, the professor and the dean can have a rational discussion about it.
Those kinds of conversations have been very, very important to evolving a culture across the university to take cyber risks as seriously as we take financial risks.
Grush: Paul, I'd like to know what's needed to help the broader higher education community become more involved in these kinds of conversations. Does Internet2 have a role to encourage the community generally to come together on cyber risk mitigation?
Paul Howell: I think the short answer is "yes". But I don't mean to suggest that Internet2 alone has a role to play in an isolated fashion. Security is a team sport. There may be people who play different roles, but at the end of the day, it's a team sport.
Leadership at universities has to be engaged in this discussion, otherwise there really won't be the kind of progress made that Brad is discussing here. For example, Brad's presentation this week at the Internet2 Global Summit, in front of university presidents and CIOs, vice presidents of research and others — really the best thinkers in higher education — goes a long way to describing a path. It's not necessarily the same path for every university, but nevertheless it says there is a path. You can adjust it to how it can fit your culture or institution, but there is a path forward.
Managing risk is something that every institution has to do. It really boils down to this: If you don't do it, you're just going to end up on the front pages of the newspapers. So, there are very compelling reasons to take the steps toward managing cyber risk.
[Editor's note: Brad Wheeler and Kim Milford presented IU's cyber risk mitigation policy, IT-28, this week at the Internet2 Global Summit. A recording will be available in a few days on the Internet2 Web site.]