[unisog] IDS vs. Privacy

Richard Gadsden gadsden at musc.edu
Tue Feb 3 15:12:10 GMT 2004

On Mon, 2 Feb 2004, E. Larry Lidz wrote:

> [snip]
> The new management believes that people having access to raw
> packets is an unacceptable risk. They felt that technologies that
> summarize information (Cisco Flows from a router/switch, mirroring
> traffic to an IDS system that has no ability to sniff, etc.) about the
> traffic are acceptable, however.

We addressed the privacy issue up front, in our institution's computer use
policy, before we implemented any network-level IDS functions at our
institution. Specifically, we got our faculty senate, student govt, and
finally our board of trustees, to approve the following terms in our
institution's computer use policy:

 "the University reserves the right to monitor user activities on all 
University computer systems, and to monitor communications utilizing the 
University network, to ensure compliance with University policy, and with 
federal, state and local law. Monitoring shall be performed only by 
individuals who are specifically authorized, and only the minimum data 
necessary to meet institutional requirements shall be collected. Data 
collected through monitoring shall be made accessible only to authorized 
individuals, who are responsible for maintaining its confidentiality."

This seems to be working for us. The "minimum necessary" clause makes it
clear to our IDS staffers that they are not authorized to collect data
willy-nilly, and the overall language provides assurances to our network
users that our IDS staffers will conduct themselves in a manner that is
respectful of the users' privacy concerns.

We do take the "minimum necessary" clause seriously. We avoid capturing
packet content in situations where flow data will suffice. At the same
time, our policy does authorize us to capture and inspect packet content
in our IDS, whenever and wherever we really need to.

> They would like to know: has anyone been in a similar situation? If so,
> were you able to bring back your IDS? What arguments were compelling to
> management? Are other institutions similarly concerned about the privacy
> issues involved? Why or why not?
> Any other advice?

The new management's concerns about privacy can't just be dismissed,
because they really are legitimate concerns. The privacy concerns must be
balanced against the risks of not operating a network-level IDS.

The right balance is going to be different from one institution to the
next. In terms of making a successful argument to management in favor of
running (or continuing to run) a network-level IDS, what we have done 
at our institution is:

(a) educate management on the threats that a network-level IDS can
address, i.e. make sure they understand the relevance of the IDS to the
institution's overall risk exposure; and

(b) incorporate language in a high level (and hard to change) policy that
authorizes network monitoring where needed, but reassures network users
that appropriate restrictions and safeguards to protect their privacy are
being followed.

 --- o ---
 Richard Gadsden
 Director of Computer and Network Security
 Medical University of South Carolina
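The "minimum necessary" practice described in the post (keep flow data, capture packet content only where it is really needed) can be made concrete in sensor code. The following Python is an added example and is not code from the post, from the unisog list or from any of the institutions mentioned; the frames, addresses and ports are constructed placeholders. It parses only the Ethernet/IPv4/TCP-or-UDP headers, truncates each frame at the end of its transport header (the software equivalent of a header-sized capture snaplen), and aggregates traffic into NetFlow-style 5-tuple records with packet and byte counts, so no application payload is ever retained.

```python
import struct
from collections import defaultdict

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def parse_headers(frame: bytes):
    """Parse Ethernet/IPv4/TCP-or-UDP headers.

    Returns (proto, src, dst, sport, dport, header_len) where header_len is the
    byte offset at which application payload begins, or None for frames this
    minimal parser does not understand (non-IPv4, other L4 protocols, truncated).
    """
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if proto == PROTO_TCP and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        l4_len = (l4[12] >> 4) * 4          # TCP data offset, in 32-bit words
    elif proto == PROTO_UDP and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        l4_len = 8
    else:
        return None
    return proto, src, dst, sport, dport, ETH_HDR_LEN + ihl + l4_len


def headers_only(frame: bytes) -> bytes:
    """Truncate a frame at the end of its transport header, dropping payload.

    Unparsable frames are cut back to the Ethernet header so that nothing
    beyond link-layer addressing is kept for traffic we cannot classify.
    """
    parsed = parse_headers(frame)
    cut = parsed[5] if parsed else ETH_HDR_LEN
    return frame[:cut]


def summarize_flows(frames):
    """Aggregate frames into flow records keyed by the 5-tuple.

    Only counts are retained; payload bytes are never copied anywhere.
    """
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for frame in frames:
        parsed = parse_headers(frame)
        if parsed is None:
            continue
        proto, src, dst, sport, dport, _ = parsed
        rec = flows[(proto, src, dst, sport, dport)]
        rec["packets"] += 1
        rec["bytes"] += len(frame)
    return dict(flows)


def build_frame(proto, src, dst, sport, dport, payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP frame for the sample data."""
    if proto == PROTO_TCP:
        # seq, ack, data offset 5 words (0x50), flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


# Constructed sample traffic (placeholder addresses, not captured data).
SAMPLE_FRAMES = [
    build_frame(PROTO_TCP, "10.0.0.5", "10.0.0.80", 40000, 80, b"GET / HTTP/1.0\r\n"),
    build_frame(PROTO_TCP, "10.0.0.5", "10.0.0.80", 40000, 80, b"Host: example.test\r\n\r\n"),
    build_frame(PROTO_UDP, "10.0.0.5", "10.0.0.53", 50000, 53, b"\x12\x34\x01\x00"),
]

if __name__ == "__main__":
    for key, rec in summarize_flows(SAMPLE_FRAMES).items():
        print(key, rec)
    print("header-only bytes kept:", len(headers_only(SAMPLE_FRAMES[0])))
```

The design point is that the decision about what to retain is made at parse time, not at storage time: `summarize_flows` never has a place where payload could leak into a record, and `headers_only` gives a sensor a mode that is auditable against the policy wording above (an authorized content-capture path would be a separate, explicitly enabled code path, not the default).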
