Episode 131
Episode Transcript
Narrator 00:01
This is CyberSound. Your simplified and fundamentals focused source for all things cybersecurity.
Jason Pufahl 00:08
Welcome to CyberSound. I’m your host, Jason Pufahl, joined – I always like to say joined in studio when we’re doing these remote ones. But joined in studio by Steve Maresca.
Steve Maresca 00:18
Hey there.
Jason Pufahl 00:19
And Eric Baumgart from Columbia, the Director of IT, Columbia University. Eric, thanks for joining.
Eric Baumgart 00:24
Yep, so it’s actually Director of Cybersecurity.
Jason Pufahl 00:28
Well, that’s good because, you know, we’re talking about security related things and kind of leading off, because we know so Steve and I, we were, we both have higher ed backgrounds. We know that maybe the challenges and the benefits of shadow IT, but from a security standpoint, it definitely represents institutional risk. And wanted to dive in a little bit to kind of how, you know, frankly, how is, how is Columbia set up from an IT support standpoint, and then talking a little bit about, really, how that distribution, you know, potentially impacts some of the security decisions that you make.
Eric Baumgart 01:06
Yeah, so, I mean, you know, like a lot of other universities, we we have a large number of departments as well as affiliate schools. And you know, in some cases, they manage themselves. In some cases, we work with them and we help support them and their departments. So they have, you know, they might have an IT guy or a couple of people that kind of supports their IT. But from a cyber risk and cybersecurity perspective, we try to provide as much of that as we possibly can through, you know, our internal processes, you know, monitoring and all of that. And in some cases, you know, they have departments that have a security version that kind of monitors that. So, like you said, you’re you, you’ve been in the ed background. It’s, it’s an interesting space, and so, you know, it presents its own challenges. Just, you know, trying to, you know, address and deal and support, you know, the students and the faculty and the university to, you know, make sure that they have what they need. But we’re working in a secure space as best we can.
Steve Maresca 02:22
So out of curiosity, what would you articulate is more of a centralized service and what, what are the distribution of duties? And I know it’s very varied, but you know, if you could sort of summarize for a current picture,
Eric Baumgart 02:36
Yeah. So, you know, for some departments, you know, we, we cover everything. So we do the full SOC services. We do, you know, scanning for vulnerabilities. We provide all of that, 24/7, so it’s almost a short, it’s, it’s almost like we’re an MSSP for them, you know, some of them do their own stuff. But we also have tools that we we manage that, you know, we own, but we give them licenses for so they may not want to go out and purchase an EDR solution, so they might leverage what we have. So we, we do provide some of that, but we run it in a multi tenant environment, and then we allow them, they have access. Their IT folks have access. But if something does pop up, or we do get an alert, we will follow up with them and be like, Hey, did you see this? Are you addressing it?
Jason Pufahl 03:35
Do you centralize identity so active directory for the campus or something similar? Or is that distributed?
Eric Baumgart 03:42
No, all of the Active Directory stuff is mainly centralized. You know, each department kind of has their own stuff so it but it is just on top of what we already have. So the university does have a central managed identity system, but in some cases, like law or business, they might have additional for their own building. They might have because in some cases, we do have departments that are running on the Azure Stack, and so they have licenses, and they might be running stuff through intra they might have their own email, but a lot of that stuff is just additional on top of what we already have, on top of our own Lion Mail, on top of our own systems that we currently have.
Steve Maresca 04:33
So in an expanded kind of question down that road, where have you built deliberate enclaves like some of the higher ed that we work with, will do so for DOD contracts, sponsored program requirements, for grants, sometimes that’s a very intentional decision in order to comply. Where’s that boundary line for you?
Eric Baumgart 04:58
So we do have some enclaves that are managed because those enclaves, because of the contracts, whether we’re supporting local, state government, federal contracts, you know, whatever it might be, we do have enclaves that are within the environment, but they’re segregated into a higher tier area, and those have their own set of requirements that, you know, we we monitor and we manage those enclaves and access to those enclaves. So whether it’s like high performance computing environments or, you know, secure data areas, those areas are intentionally managed in a specific way, just to ensure that, you know, we’ve got the proper access as as well as the proper security controls to comply with those requirements as well.
Steve Maresca 05:52
Yeah, that makes sense in terms of the, let’s call it the softer side of it, the governance aspects of it, very much a shared responsibility model, very much a requirement to socialize those expectations. How are you achieving that type of balancing of roles, cross department?
Eric Baumgart 06:16
Not sure. I’m not sure you’d say it’s softer, but it does have its own nuances to it. So we do have an audit department, and we work with our audit department very, very closely. My background is not education. I spent 20 years in the military, and then I’ve been working DIB and other areas prior to coming here. So I’m used to more, heavier controlled environments. Here it’s, you know, just education in general. I don’t really see the same level of auditable compliances that you see other places where you have heavy PCI, heavy HIPAA, heavy, you know, CMC, you know, all the NIST stuff and HIPAA, high tech, high trust SOCs, all of them. It’s, it’s not, as you know, cut and dry in the education space. So, you know, we try to leverage what we have, but we’ve made our environment in a way that those areas are very segregated and separated from the rest of the common activity going on in the network. So if we’ve got HIPAA that is all secured in its own environment around the medical center. So they have their specific requirements, they have their specific tools. They are essentially on an island with a very tight rope bridge to us that is very heavily monitored because they are part of a ecosystem of not only our medical center, but other medical centers here in the New York area. So they work collaboratively for them now, even with PCI. Yes, we have PCI, but it actually never touches our network. So it in itself is another auditable area, but we don’t actually directly engage with it, so we try to work off of the CMMI model, and try to base a lot of our audits off of that. So our audit department, they do work hand in hand with the department heads every time you know it’s time for your audit. And so, you know, we provide services that we have outlined. And then, so when you know libraries or business school, they get audited. You know, they have what they are responsible for. We have what we’re responsible for. And then we go through that audit quite regularly. 
It’s almost a continuous thing. And then, even when we’re doing our own audit, the larger audit where we’re doing, you know, having a third party vendor pen test us, and doing all of that, and, you know, evaluate our controls, it’s it’s a lot of work, but, you know, we we try to set the expectation and work with these departments in a way that, you know, this is a lot of what we’re doing is a positive thing, because, you know, we’re responsible for ensuring, you know, the safety of the students, the faculty, the data, as best we can. And so when we’re working with these departments, you know, that’s a lot of the message that we’re trying to convey is, you know, we’re here to help as much as we can. And the audit gives us an idea of how controls are laid out. And if we’re missing an area or, you know, something that we can improve on, and then we try to work with those departments to say, “Hey guys, this is something, you know, this is a, you know, might be a heavier control than you’re used to, that your students are used to, your faculty is used to, but it has a positive benefit. And you know, we need to get your buy in in order to do this.”
Jason Pufahl 10:22
Right. And buy in, I think, is when you talk about the softer side, that’s part of it, right?
Eric Baumgart 10:28
Yeah, absolutely, yeah.
Jason Pufahl 10:30
And that’s, you know, that’s where in higher ed, often the challenge is, is establishing all the governance discussions and frameworks. But then, to your point, Eric, right, convincing people that what you’re doing is a good idea, not and frankly, not compelling them, which I think is probably more the background you’re used to.
Steve Maresca 10:47
Yeah, it’s the building of consensus and then sustainment of that activity that I mostly was into there.
Steve Maresca 10:50
But let’s spend a moment on the technical controls, if that’s okay, because candidly, Eric, a lot of most colleges and universities still struggle with what I perceive to hearing here you’ve already tackled, in some respects. Network segmentation, identity boundaries, basic monitoring, in some capacities, just having the fidelity to ensure you can say who did what and when. So from a practical sense, what have you found to be most effective in establishing those boundaries? In general.
Jason Pufahl 10:50
And frankly, that’s harder work than implementing a lot of the technical controls.
Eric Baumgart 11:30
Humanizing it, it’s the end of the day. You know, we’re, we’re here to help and, you know, to make sure that students aren’t getting scammed, professors and faculty aren’t getting they’re getting scammed, and that they’re, you know, the the endowments that they’re being given isn’t being stolen by a threat actor. And so a lot of people in this is the biggest thing I’ve found, is that they just don’t understand what cybersecurity is. We we live in it every day. We’re constantly working against these threat actors every day. But a lot of the people that these students, these faculty, they are technical experts in their field of whatever it may be, but they don’t understand that. You know, they think at the end of the day I’ve closed my laptop, I’ve turned off my phone. I don’t have to worry about it. I’m good to go. That’s not actually the case. It is a 24/7 365, battlefield that never stops, and trying to work with them, educate them in that so that they understand better, and that the community understands better. Not only what cybersecurity is, what and why we put these controls in place, but also what we’re here doing to try to help them. And a lot of times it’s, you know, being coming from military and dibs space, it is a completely different aspect, where I’m walking around with a big stick. Half the time here I’m walking around with a plate of cookies, trying to be like, Hey guys, and, you know, trying to have a conversation with them, understand what they’re at, trying to explain where we’re coming from, and work to try to come to a happy medium. Because we might be like, hey, we want to implement this, and they might push back and say no, and it’s like, okay, so how can we make a happy medium where we can try to get a majority of what we’re after, but also not be a hindrance to you guys and that, and that’s been the biggest thing is, is trying to build those bridges.
Steve Maresca 13:48
So, so how are you doing so beyond the plate of cookies approach, which I think is a great way of describing it, are you establishing procurement boundaries to funnel it back towards you, I imagine, to some degree, Right? But how are you soliciting in a more outreach oriented manner?
Eric Baumgart 14:06
So some cases, it’s easy when something happens and it has the direct impact, those are the easy cases. When when you’ve got the cases where it’s not so direct and they’re not being impacted, that’s where you know we’re we’re looking at the control, but before we even go engage with the department or anybody, we’re sitting down as a team and talking about the control. We’re talking about how to implement the control, as well as the impact that control would have. And so before we even go in and have a conversation, we try to sit through every scenario. And trust me, we’ve got guys that have been here for 50 years that have implemented stuff. Stuff that has been long deprecated. So their mindset is a little bit different. They, you know, their their peace, love and happiness, and everybody’s got going around the flower attitude sometimes. And so when we go and have these conversations, a lot of times, it’s like, yeah, it’s great. We would love to do that. Sometimes it’s about budget. The department’s not budgeted for it. They did, it was an unplanned and many of these departments might have less than 1000 machines. They might have just a couple 100. So a lot of times we have tools that, you know, we as a department, purchase and so we, you know, we purchase 13,000 licenses. Well, I don’t have 13,000 devices that I need to put it on. So when we do that, we’re taking into consideration there’s other departments that we’re going to assist with. So there is that chargeback. When we go to them and like, okay, guys, yeah, I get it. It’s January. Fiscal Year doesn’t start till July for the education system. So it’s an unplanned capital so what we’ll do is we’ll, we’ll give you guys six months worth of license, because we’re already paying for it.
Jason Pufahl 16:19
Front load it.
Eric Baumgart 16:20
And then, you know, when it comes time for next year, you add it to your budget, we can tell you that we’re going to charge you with $30 for the EDR solution, and that’s at cost. So where it’s not like we’re making anything off of it, we’re just trying to cover the the licenses, they’re happy, because they’re getting better coverage, they can plan ahead for the cost, and we can tell them upfront exactly what it’s going to cost. So it does help to have a lot of information ahead of time when we go in and talk to these guys.
Jason Pufahl 16:54
So you just talked about purchasing software. How about the issue with those freemium services, or in some cases, I guess, what appear to be really free people going out, acquiring their own licenses, citing their own privacy statements, EULAs, all of that budgets have an influence over those decisions. For sure, good marketing sometimes, you know, entices people to get take advantage of these services. How do you manage that? I mean, it’s a growing problem.
Eric Baumgart 17:28
So, yeah, we kind of had one of those here recently. And no particular, it just happened to be that Dell and CrowdStrike had come up with a deal where a company buys a Dell laptop it comes loaded with CrowdStrike. Well, that’s great for Dell and CrowdStrike, yep. But at the end of the day, they’re like, Oh, well, yeah, you know, we’re gonna give you that first year. You gotta. It’s gonna be free, it’s gonna be part of the bundle. But by the time you get to the end, it’s like, okay, yeah, but when that first year is over, what is that going to cost me? Because now I have to think about that, because by the time the user gets again, they’re going to be, Oh, I love it. It was great. It really protected me all this kinds of stuff. It’s like, Who’s going to pay for it? And we actually had to go round and round with Dell and CrowdStrike, because different departments were buying these laptops, and it’s like no, no when, when that time is up, it’s dead. There is no if ands or but, so we actually have to sit down with the vendor and says, no, no matter what happens, I don’t care if you know department x, if engineering department or art department, or whoever purchased these, we are not responsible for this. We are not responsible for it. You will terminate them. And it’s a great thing that Dell is doing this with CrowdStrike. The problem is, is it puts central IT into a position where now these departments are going, “Oh, but I have this,” and Dell, or CrowdStrike’s coming to us saying, “well, here, here, you now have to pay this PO.” It’s like no.
Jason Pufahl 19:20
And for that year, you may not have integrated into your SOC, so you don’t actually have visibility. You know, there’s downstream impact beyond just the 30 bucks it might cost to renew that.
Steve Maresca 19:29
Yeah, yep. So aside from the purely budgetary and systems integration side of it, as well as keeping people away from surprises, data governance, data management in general with services of that variety is sort of the Wild West in most of academia. Back to your humanizing and socializing aspect of it. Have you been able to redirect people to awareness of what they need to do when they’re using a free service? Do you have detection in place to find such things?
Eric Baumgart 20:02
A little bit. It’s, it’s, it’s, it’s gonna be a problem that’s never gonna go away.
Steve Maresca 20:07
And it’s eternal.
Eric Baumgart 20:09
Right, and some of it is because some of these departments manage themselves. So sometimes we detect stuff on the network just through our our monitoring, and then we follow up with the departments and, but sometimes not and so, but that’s a problem inherent in the system. It’s, you know, when you’re getting into that shadow IT, whether it’s shadow IT as a software, whether it’s a hardware, or whether it’s even an entire department that was supposed to go away, it was still existed five years later. It’s an ongoing problem, and you could do network monitoring, asset management, if you have the overhead of the budget for it, most universities don’t just because head count, just because of budget constraints. You know, despite what the world might think, we don’t have endless amounts of money, and our budgets are actually very, very thin. We do everything we can to make it work and build alerting and in and around it. But sometimes stuff gets reported to us, and more often than not, that’s how we find stuff, you know, especially when the especially the shadow stuff.
Steve Maresca 21:36
So in sort of a using your statement about ongoing realities and eternal problems of that sort. What are the largest challenges on the horizon that are not currently solved for you?
Eric Baumgart 21:49
Largest challenges. I think, just the overall complexity of the university, just in the fact that we have many, many, many departments, and and working with those departments, and there’s no singular tool set across the board, and you know, when we we don’t essentially manage the entire University, and there are some departments that, for good reasons, we don’t because we don’t want to get into that, but there’s other departments that, you know, we we absolutely could work with them and provide services and stuff, but, you know, they’ve chosen to do it on their own. But I think this is a problem within the education system. I’ve talked to some that kind of have this siloing of departments across the board that is a big challenge as well as, you know, Shadow IT. You know, we we discover servers and we discover Exchange servers and file servers and NAS all the time, or lab devices that get added that, you know, the IT guy goes and puts it in, but he might not go through central IT to make sure that it gets, you know, noted on there that this belongs to them and all of that. So, you know, the shadow IT itself is is a big problem, just because, you know, we’re trying to make it as easy as possible for students and faculty to be able to do what they need to do. And so we rely on those workflows, and you know, in some cases, those control methods to try to have people, you know, go and let us know that this is being done. But that’s not always the case, but we do what we can to, you know, really try to keep an eye out for it and then go and address it when it does pop up.
Steve Maresca 23:59
Sure.
Jason Pufahl 24:00
Steve and I know we could talk University, it all of the, all the great things and challenges for a long time. But, you know, I think for me, it’s been a handful of years now since I’ve since I’ve been out. So it’s interesting to hear that, you know, many of those same challenges are the same. I mean, I think your approach, though, to securing at least, certainly your regulated data sounds great, and, you know, obviously that’s got to be a priority, and then you’re addressing all the others in a collaborative manner is, is kind of, you know, kind of the way I think most, most colleges and universities approach you.
Steve Maresca 24:40
Typically, yeah for your point earlier, it brings everything back to people.
Jason Pufahl 24:44
It does.
Jason Pufahl 24:45
Yeah, and cookies.
Steve Maresca 24:45
Everything technology changes. It’s people in process.
Steve Maresca 24:45
And cookies.
Eric Baumgart 24:48
Yeah, and cookies.
Jason Pufahl 24:49
And cookies.
Eric Baumgart 24:51
I mean, it’s like, you know, like one of the big, other big areas is IP, when you have intellectual property that people are creating on a day to day. Is this, they don’t always necessarily think about ensuring it’s secure, because we find stuff on GitHub all the time, and, you know, it gets reported to us, and we go investigate it, and most of the time it’s student projects that are up on GitHub. It’s got all sorts of information, and it’s like, for them, this stuff is very important, so ensuring that you know you’re managing your intellectual property, and I think students aren’t always thinking about that, just because they’re not in that mindset yet where, like, business people are and companies are so that is that, you know, even for faculty, it’s like IP is a huge, huge component. And I think that’s a challenge that we constantly face in the, you know, educational spaces. How, you know, how do we convey that in a way that students who are focused on education, and then, you know, focus on the next step of their life, which is getting out and grinding. It’s always a big challenge.
Jason Pufahl 26:08
Yeah, well, we have a lot of we do a lot of work with colleges and universities. We’ve got a lot a lot of higher ed listeners, so they’ll either be relieved that you struggle with some of the same things that they do, maybe disheartened to know that it’s probably everywhere, but regardless, I’m sure they’ll find the conversation interesting, and if we get any questions, which we often do, we’ll forward them your way, and maybe we’ll have some ongoing questions and conversations around this stuff. So.
Eric Baumgart 26:38
Absolutely cool.
Jason Pufahl 26:39
Well, hey, Eric, I appreciate you joining, sharing a little bit about kind of how you’re how you’re built, and how you’re tackling some of these problems.
Eric Baumgart 26:46
Thank you guys. I appreciate it.
Jason Pufahl 26:47
All right.
Steve Maresca 26:48
Likewise.
Narrator 26:49
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn, and remember, stay vigilant, stay resilient. This has been CyberSound.