By Urpo Kaila
Information security is, by definition, or at least by my definition, about protecting our assets against risks.
In order to do this, we must know our assets. For National Research and Education Networks (NREN), this is often quite straightforward. NREN assets are the network, the network infrastructure with its configurations, the above-the-network services, the flow of network traffic, and the trust we need to earn from our stakeholders each day.
There are numerous frameworks for information security to help us protect the confidentiality, integrity and availability of our assets. We have defined a lightweight security framework called SCI (Security for Collaborating Infrastructures) which has been endorsed by GÉANT. For operational and technical security controls there are also many valuable and well-known security measures, such as access controls, encryption, vulnerability management, system hardenings, incident management and intrusion prevention, just to mention a few.
But based on my long professional experience in information security, I do see a gap in the third fundamental cornerstone for information security, especially regarding NRENs as well as their constituents. When I visit my colleagues at home and abroad, I typically recognise a solid pattern of operational and technical security, a comprehensive set of security policies and guidelines, and a reassuring momentum of skills and experience. But when it comes to risk management it is quite common to hear comments such as ‘It is on our to-do list, but…’.
My purpose for this blog is to identify why it seems to be so difficult to implement proper risk management at NRENs and suggest how we could fill this gap.
The basic principles of risk management are in theory very simple. According to the ISO standard 3100:2018 risk management is ‘coordinated activities to direct and control an organisation with regard to risk’ which, by the definition of the same standard is ‘effect of uncertainty on objectives’. Sounds good, doesn’t it? But how to do it in practice? I think that the most common reason why it feels overwhelming to start a risk assessment is the misunderstanding that one must create an all-inclusive list of all possible risk sources, events, outcomes and likelihoods. That is not true, that would be unrealistic!
Instead of trying to identify all possible and impossible risks, we should focus on the risks which might prevent our NREN from achieving its objectives. I also advise to have a realistic scope and to use down-to-earth risk management templates with examples, such as we created in WISE. For a practical and realistic scope, I suggest to start by identifying the ten biggest risks. Finally, the biggest issue in the risk management at NRENs, as far I am aware of, is over-focusing on technical threats and forgetting our real business risks.
At the 8th GÉANT SIG- ISM meeting in Zagreb, kindly hosted by CARNet, we had a very good discussion about risk management, where I claimed that all NRENs should at least identify their ten most important business risks. My colleagues concurred that most NRENs face the very same kind of risks.
People often have unrealistic expectations on how risk management works. An education in engineering might teach us to value objective facts and sneer at subjective judgements – which is indeed a very sound approach in this field! The problem is that we are living in a world with incomplete and unreliable information on business risks as we have limited resources and time to sort all the facts. This can lead to confusion, frustration and inaction. For strategic business decision-making we must unfortunately manage with limited and unreliable information, although most NRENs would prefer to rely on facts only. That doesn’t mean that we are in a zero-knowledge situation, as we do have considerable experience and are knowledgeable of our recurring risk scenarios. We must make educated guesses, but we can learn and improve our assessments over the years.
At NRENs we also have extensive experience and an intuitive understanding about the definition of normal circumstances and a risk event. Availability metrics and follow up on “your number nines“ is for example a very sound and widely used approach for risk management at NRENs. For NRENs the business risks can be even more indirect and hard to define in comparison to the risks faced by commercial ISPs and carriers, as it is less feasible for the NREN’s to use cash flow and churn rate as metrics.
The primary task for any NREN is to provide reliable connectivity to its constituents, any direct anomalies on availability related to this fundamental service should be identified as the major business risk. We also face a set of indirect threats to providing expected connectivity, such as issues with funding, possible delays caused by problems in provisioning. Another type of profound business risks can be caused by integrity and confidentiality issues in our capability to provide a service. Such risks could be a compromise of our network infrastructure through cyber-attacks or data leaks from our above-the-network services. The latter one could trigger hefty fines according to GDPR (EU General Data Protection Regulation). As a third major category of business risks for NREN I see a combination of business, political and technology (at macro-level) risks which might threaten the very essence of our NREN and making us superfluous in one way or another.
Using this semi-fuzzy method based on all the facts, all the experience and understanding I currently have at hand, here’s my very first tentative outline of the NREN top ten business risks categories:
- Unannounced or recurring service breaks lasting over 5 minutes
- Lack of funding for a major network upgrade project
- Serious legal issues related to provisioning
- Compromise of network infrastructure
- Serious leak of personal or confidential data caused by insecure services provided by the NREN
- Other major unexpected financial liabilities
- Inability to provide required services and technologies
- Political risk to undermining the role of the NREN
- Information warfare related risks
- Superseded by commercial ISPs
This is an initial list. I think we should try to elaborate it further by collecting and analysing relevant metrics and by carrying out some fact-based research. This could perhaps be a future activity and deliverable for the GÉANT SIG-ISM, which perhaps could produce and share a more mature version of the top ten NREN risks and related risk assessment tool/ template adapted for NRENs? Perhaps we could also write a more fact-based article about the topic. I am inviting anybody with a background in NRENs and security research to write such an article with me. Acknowledgments: I would like to thank my colleagues in European NRENs for the excellent comments on the NREN Top 10 Business risks. Special thanks to James Davis from Jisc, Alf Moens from SURFnet and Rolf Sture Normann from Uninett
Urpo is a seasoned Head of Security at CSC – IT Center for Science Ltd., which operates Funet, the Finnish NREN. Urpo is also the Security Officer for EUDAT, the Information Security Risk Manager for EOSC and steering committee member of GÉANT SIG- ISM and WISE
This article was originally published on GÉANT’s CONNECT ONLINE blog.