An IT Architecture for Emory University
Adopted by CIRT
Security Domain Architecture
February 20, 2002
ITA Version 1.9.8
© 2000 Emory University
Page 1-1
1.
Executive Summary
Security involves a balance between protection and access. Emory needs to provide members
of its community with access to the resources that they need to perform their roles and
responsibilities. Emory also needs to allow access to certain resources by outside participants in
Emory projects and programs and by consumers of Emory-supplied systems, services, or data.
At the same time, Emory needs to protect its assets and restrict access to them according to its
policies, license agreements, and the requirements of granting and regulatory agencies.
The security architecture is intended to establish an environment that addresses Emory’s
security needs for the good of all of Emory. Based on Emory’s IT requirements and principles
that have been already established in previous architectural documents, the security
architecture seeks to be flexible enough to adapt to future requirements as needed, yet be able
to keep down support costs by taking advantage of standardization and economies of scale.
The principles, technologies, standards and configurations that it provides to do this seek to
foster harmony with other IT architecture decision areas (called “domains”).
Having an Emory-wide security architecture will provide a number of benefits to Emory as a
whole. It can promote information sharing, foster enhanced decision making and collaboration,
support the building of both internal and external relationships, and contribute to system and
service reliability, by:
·
Giving those responsible for data confidence that the data will only be accessible as
intended;
·
Allowing selected Emory, departmental, and school information resources to safely be made
available to the Emory community and the world;
·
Ensuring that changes are only made by those people and processes authorized to do so;
·
Supporting an environment where work flow and process automation can be implemented in
a manner that is reasonably free from abuse;
·
Allowing systems to be shared by the University and Healthcare.
In spite of these features, no environment can be risk free or perfectly secure, because people
can thwart security no matter how much money has been spent or how much technology has
been put in place. Thus organizations that are leading edge in security focus first on making
decisions needed to establish security policy before focusing on security technology.
One of the first policy decisions is to identify the resources that need protection (called “assets”)
and classify them to indicate how much protection they need. Once assets are identified and
classified, it is easier to develop policies and procedures and apply technology to protect them.
Then implementing security involves assessing risks and threats, addressing vulnerabilities of
assets as soon as they are discovered, and responding quickly to security violations.
The architecture envisions security services for the whole of Emory, such as common access
control and notification of the latest threats, vulnerabilities, and countermeasures. Since IT
resources are generally attached to a network, and attacks often come through the network, the
architecture also includes campus services to assess vulnerability of systems to network attack
and to detect and react to the onset of such attacks. Since attacks can come from both outside
and inside Emory, the architecture includes a layered scheme that can provide more restrictive
network access and stronger protection to portions of the campus network as needed.
 |
 |
 |