SEPTEMBER 17, 1998-vol30n4: Title

VOLUME 30, NUMBER 4 THURSDAY, SEPTEMBER 17, 1998

UB makes critical investment in electronic security

By ELLEN GOLDBAUM
News Services Editor

The university just spent $1 million to make its campus computer network as secure as is technically possible. It was a big expense, paid in part by student technology fees, and one that only a few other universities have made. But, administrators note, it's a step that all universities will have to take eventually.

"We are providing the best security that current technology can provide," said Hinrich Martens, associate vice president for computing and information technology. He noted that the exponential growth in computer use by students for coursework, registration, payments and access to grades and other personal information has made increasing electronic security critical for universities. At the same time, the multiple platforms, applications and vendors in a university environment make the process of implementing a security policy extremely complex, particularly since different security applications cannot "talk" to one another.

The approach UB has chosen is called "distributed computing environment," or DCE. Widely used in the financial and high-tech sectors, it provides the best-known approach to date to facilitate access to information for a large community. DCE functions like a series of gates to various parts of the network. To open a particular gate, a user must go through two identification processes: authentication and authorization. The first allows the system to verify the user's identity, based on his or her password. The second allows the system to determine to which resources a user is privileged to have access. Both processes are instantaneous as soon as a user logs on.

Services at UB that rely on DCE for authentication include SOAR, dial-up Internet access, e-mail, public workstations and Usenet news and UNIX.

"In most universities, students, faculty and staff are burdened with remembering, and keeping secure, many different usernames and passwords to access their electronic resources," said Daniel D. Arrasjid, UNIX system administrator at UB. "While other institutions struggle to integrate disparate security and directory services, UB can concentrate on providing new and expanded services by building on a solid security infrastructure."

DCE protects an individual's information through a complicated encryption process. "We've gone to great lengths to ensure that private materials for our students are just that: private," said Rick Lesniak, director of academic services.

Whenever students, faculty or staff forget their password, they must obtain a new one, which requires an in-person visit to the computing center on campus. The DCE environment is only as secure as an individual's password. All members of the UB community are reminded to keep their passwords private and to change them periodically. To do so, log onto UNIX and use the "passwd" command or visit the CIT homepage at <http://www.cit.buffalo.edu>.

Cyberspace has rules of conduct

UB administrators note that problems with electronic mail and other online services are not limited to those resulting from deliberate attempts to misappropriate information. As more and more people become proficient online (450,000 mail messages are sent from and received by UB per day!), the chances for inappropriate use multiply.

Sometimes, it's a matter of not knowing the "rules" of conduct in cyberspace. To disseminate information on "responsible use" and to reprimand individuals who use electronic resources inappropriately, UB has assigned a full-time computer disciplinary officer. "Many universities don't have anyone enforcing the rules," said Harvey Axlerod, whose job it is to respond to complaints. "Our first approach is to educate people about how to be responsible in their use of the Internet."

Issues that typically come up run the gamut from off-topic contributions to specific newsgroups to complaints of "mail bombs" (where someone deliberately deluges a mailbox with incoming messages). Sometimes, Axlerod explained, people truly don't understand what's acceptable and what's not on the Net. "We try to get them to realize that when you go out to the Web, the whole world watches," he said.

When a complaint about an individual is substantiated, the reaction from UB is swift. "We immediately deactivate their account," said Axlerod. -E.G.