I attended the fourth meeting of the JANET Stakeholder Panel last week. This meeting looked at security issues but also reported back on the impact of the two previous meetings. It is pleasing to see that the Panel is delivering results and influencing JANET’s direction and credit must be given to Tim Marshall, CEO of JANET (UK) for setting it up.
The first meeting set the terms of reference for the Panel. The second was on business and community engagement and, as I blogged at the time, highlighted the lack of clarity in the sector about the sort of activities that are permitted under JANET’s connection policies. JANET have re-examined their Acceptable Use and Connection Policies and will be formally consulting on them later this year. A number of institutions have already picked up on the likely changes and are looking to see whether they can stop paying for a commercial network connection and route traffic generated by BCE activities through JANET. Hopefully a clarification of the policies will lead to savings in some institutions. The third meeting was on JANET’s Service Level Agreement and there have been a number of changes made to the SLA as a result (reflecting the higher level of service JANET was already delivering in several areas).
So what are the challenges around network security for JANET? Well certainly the need to provide a service to a broad range of customers with different security needs is one. Further education colleges and schools have to consider more security aspects as they have a responsibility for child protection. But these institutions often do not have the resources to manage their networks effectively and securely. The JANET CSIRT (Computer Security Incident Response Team) delivers a sterling service to all of JANET’s customers and to the smaller colleges and schools in particular but there was a concern that they were perpetually fighting fires and were unable to take more of a proactive role in educating those responsible for networks in the smaller institutions. There was a consensus that a more proactive role for CSIRT would have benefits across the sector and the meeting sought to identify ways to lighten CSIRT’s load in order to allow them to be more proactive.
The JANET network carries a vast range of traffic. One of the requirements discussed was the need to protect traffic with higher level of confidentiality. Such traffic could include that destined for shared or outsources administrative computing services but could also include the transfer of patient data between institutions and their teaching hospitals. This is something that the Public Sector Network is looking to address and it is hoped that JANET’s work with the PSN will identify an effective solution.
At an institutional level it is a difficult balancing act: too much security and users will find ways to bypass it, too little places your institution at risk. At a national level, the challenge is that much greater. JANET clearly has a challenge in meeting a wide range of needs. However, the meeting was constructive and I hope that it will provide JANET with a number of ideas to meet those challenges.