Educause Security Discussion mailing list archives
Re: Policy around IP Phones, Skype, etc.
From: jkaftan <jkaftan () UTICA EDU>
Date: Mon, 27 Nov 2006 13:12:02 -0500
_____

From: Steve Schuster [mailto:sjs74 () CORNELL EDU]
Sent: Thursday, October 26, 2006 12:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Policy around IP Phones, Skype, etc.

It seems like we've been asked more and more questions about this. We are not taking any steps centrally to hunt down or restrict such usage but we are rather discussing our security concerns with the local units and helping them make or enforce local decisions. Below is a typical response:

____________________________________________

Dear XXX,

Thanks for the mail and for your very good question concerning using SKYPE at Cornell. Cornell currently has no university policy that prevents such applications or services from running on our computers or within our network. As a matter of fact, I wouldn't expect one to be developed as this seems to be a little too narrow in focus to constitute a university policy. I'd hate to see a situation where we would have to create a policy for every service we want or don't want on our campus. So local units are making these types of decisions individually after determining business needs and risk to the business and the data they are responsible for protecting.

With all that said, however, let me give you my security perspective on SKYPE. I'll break out my concerns into a few areas:

1. Because SKYPE is set up to be a peer-to-peer application and SKYPE's user agreement requires you to allow other calls to potentially be routed through your computer (calls that you're not making or a part of) this can be a large burden on our local networks and Cornell networks as a whole. Additionally, because we do local billing for our network use this might mean some very large monthly bills.

2. Because calls can potentially be routed through you and due to the increased visibility on the Internet this has a likelihood of exposing your computer to hacking attempts or other such things.

3. Risk of data loss. We have a responsibility to protect our community's personal data from unauthorized access and take steps to remove risk of such compromise. I think this is particularly true in a unit such as yours where you deal with sensitive information, {student, staff, alumni} data and other such information. I would hate to think about the situation we might find ourselves in if the data your department processes were exposed in an unauthorized manner. As a matter of fact, according to NYS law we must notify if we have such a computer break-in.

We need to set some sound practices on what applications are acceptable and unacceptable in our work environment. Due to the concerns that I've outlined above I support not using SKYPE within most places of our network. I think the ONLY places where SKYPE might be viable for use are areas where we can guarantee there are no risks to our sensitive data or risks to the availability of our computer resources that could lead to interference with business. The only area that comes to mind that meets this guideline is probably ResNet.

So while there might not be Cornell policy that restricts or forbids the use of SKYPE I do believe it is in our best interest to tightly limit its use.

There is a pretty good article that further discusses using SKYPE in a work environment at http://www.computerworld.co.nz/news.nsf/news/1C31DD62E610104ACC2570B40016C985

This probably isn't the answer that you wanted or maybe expected to hear so for that I'm sorry. If you would want to discuss this further I'd be happy to.

_________________________________________________________

sjs

Steve Schuster
Director, IT Security Office
Cornell University
sjs74 () cornell edu

On Oct 25, 2006, at 12:55 PM, Sadler, Connie wrote:

Does anyone have thoughts - or an actual policy - regarding the use of IP Phones or software such as Skype, etc. that they are willing to share?

Thanks!

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
IT Security Officer
Brown University
Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
Office: 401-863-7266
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB
PGP Fingerprint: DA5F ED84 06D7 1635 4BC7 560D 9A07 80BA 91E3 8EFB