The 12th Annual EDUCAUSE Security Professionals Conference 2014 drew from two audiences this week in St. Louis. Over 400 security staff, IT staff, privacy officers, and others from the higher education community with an interest in security and privacy were there in force—and a multitude of security personnel who participated online in the virtual conference. The conference theme “Mind Tricks and Other Strategies For Information Security” was catchy although I must admit that I never really understood the reference. What was abundantly clear, however, was a nod to George Lucas and his classic “Star Wars”—definitely a suitable analogy considering the Evil Empire of cyber criminals keeps growing every year.
Broken into the six “good” episodes of Star Wars—unlike the prequel episode VII that is currently being panned—they looked like this:
- Episode One: Use the Force (Awareness and Training)
- Episode Two: These Are Not the Data You Are Looking For (Privacy)
- Episode Three: Jedi Training (Career Development)
- Episode Four: Imperial Directives (Governance, Risk and Compliance)
- Episode Five: Republic Technologies (Technical)
- Episode Six: Empire Technologies (Technical)
Despite the humorous titles, the sessions themselves were quite serious and educational.
EDUCAUSE Security and Privacy
Harriett Pearson, a partner with law firm Hogan Lovells’ global Privacy, Information Management & Data Security practice group, spoke at the first General Session on “Building the Team to Tackle Data Privacy, Cybersecurity and the Law”. She has two decades worth of global business and legal experience, including twelve years as the first Chief Privacy Officer for IBM Corporation. She focused on the balancing act needed to weigh the significant legal and reputational risks associated with the loss or misuse of data and the equally important need to avoid overzealous security practices that can trample reasonable privacy interests.
Her overview of the risks out there was familiar but it was the legal aspects of privacy risks that were fascinating.
EDUCAUSE InfoSec Failures
The second General Session featured Charlie Miller who spoke on “Failures of the InfoSec Community”. This got my attention if only because there have been so many failures in the face of a tidal wave of security issues that I was interested in which ones he would focus on. Charlie is an engineer on the platform services team at Twitter who appeared unfazed by the fact that 465 million shares of the social media company were unlocked on Tuesday. Perhaps that is because he is still uncertain as to where he can bank his money safely given the growth in cybercrime.
Mr. Miller also spent five years as a Global Network Exploitation Analyst for the NSA (National Security Agency for those of us who have been living under a rock). My first reaction was that he has a lot of explaining to do…but evidently during this time, he not only identified weaknesses and vulnerabilities in their computer networks but executed numerous successful computer network exploitations against foreign targets. And, no, he did not meet Edward Snowden while he was there.
He began the talk by contrasting the different kinds of attacks and targets, from typical enterprise to nation/state-level attackers and targets. Then he got into how the difficulty in measuring the security of products leads to the current state of software security woes—specifically that there isn’t a uniform, all-encompassing measurement. He got into how the information security industry has largely failed by permitting zero-day sales and stunt hacking, and selling ineffective boxed solutions.
EDUCAUSE Security Roundtable
There were numerous roundtables that provided fascinating insights into everything from data-loss prevention, ubiquitous “Big Data”, how your university can be a “target” in the making, to some great advice on networking and finding IT security jobs (always a big attraction). My only issue with so many concurrent sessions is they are concurrent. So I wasn’t able to hear nearly everything I would have liked. “Who Knows More, Lord Vader or the NSA?” sounded particularly intriguing, but I suspected that it had to be at least a tie so I was too disappointed to have missed it.
If you are still at the EDUCAUSE Security Professionals Conference, we can meet privately at the Corporate Display of LANDESK, our latest ITSM partner, during the exhibit hours on Wednesday May 7th from 2:30 to 3:15 PM. We can provide private demonstrations of AIMS 9.5’s identity management, user provisioning, password management, and service catalog—as well as our newly released Single Sign-On (SSO) solution.
For those of you who missed the event and worried about the Darkside, schedule a private demonstration and may the force be with you.