Previous |
Next |
October 26, 2007, 01:35 PM ET
Educause 2007: Can You Have Too Much Network Security?
If you want a hint of how serious the U.S. Air Force is about security, just consider its requirements for passwords: They are 15 characters, with at least two uppercase, two lowercase, two numbers, and two special symbols, and they cannot form any recognizable words or follow any keyboard patterns. Oh, yeah — and computer users must change them every couple of months.
Two technologists at the U.S. Air Force Academy used the Air Force password as an example of how burdensome security can be. Larry Bryant, the academy’s director of academic computing, and Richard Mock, its chief information officer, discussed “academic freedom versus network security” at Educause 2007. The main question of the session was “Can you have too much security?” The answer, it seems, is yes.
Mr. Bryant and Mr. Mock detailed some of the struggles they have encountered in running computing for a military entity. The military network is very restrictive: There is always a long approval process for loading new software, commercial e-mail and instant messaging are prohibited, and traffic from “bad actor” countries is blocked. Those limitations have created headaches for academics and students at the academy.
Mr. Bryant and Mr. Mock discussed how they have tried to set up an academy network that is separate from the military network. Granted, the Air Force Academy, as part of the military, is in a different position than most colleges. But Mr. Bryant and Mr. Mock left the audience with some advice about security — and how to know when security is getting in the way of the academic mission.
When the user pain exceeds security gain, think twice. “If you tighten things down to the point where users start to work around what you are doing, you’ve got a problem,” Mr. Bryant said. Communicate with users about why there is a real threat. Tell them about the risks of insecure networks and bad behavior. Incremental changes are easier to sell to users. If you can’t sell it, then drop it.Categories: Educause-2007, Leadership
Add Your Comment
Commenting is closed.