UVM's Information Security Operations Team answers "Why?" Why?security


“To the Cloud!” Or not?

The Clouds are not all created equal. Be sure to research the terms of service, license agreement, usage agreement, copyright content ownership and everything else before signing up for a cloud service. Check to see if the University offers a service that will be of use before looking into an outside service. If you intend to use the cloud for University purposes, it is especially important to check with the appropriate data steward for prior approval and be sure it isn’t a use prohibited by University Policy(ies). Remember also that any cloud service that requires a purchase needs to be reviewed through Procurement. And all cloud services with “Information classified as critical or nonpublic (confidential, departmental, or internal) must not be stored on external services without a contract protecting the University’s interests, approved by the ISO.”

For free services, remember that nothing is free – there is a reason a company is offering a cloud service. Whether for personal or business use, look carefully at what the host provider may be getting in return for its monetary investment in this infrastructure. Is the business selling advertising, selling/using/sharing your information (UVM information?)  for other purposes, giving you a small portion of its feature set in the hopes that you will purchase the enhanced version? Be sure to do your research and reach out to the appropriate people if you have questions.

Data Stewards: Members of the University community who have the operational responsibility for particular collections of information such as student, employee, or alumni records (collection(s)).
Information Security Policy = http://www.uvm.edu/policies/cit/infosecurity.pdf
Information Security Procedures = http://www.uvm.edu/policies/cit/infosecurityprocedures.pdf
Procurement Policy = http://www.uvm.edu/policies/procure/procurement.pdf
Information Security Office = iso@uvm.edu

Using URL Shorteners

We’ve all seen URLs shortened by bit.ly and its cousins: Unwieldy juggernauts like http://www.megaconference.us/register.qxv?event=megacon%20xxviii&wonderment=true%20enough%20for%20mom&prepop=1&campaign=225817558&api_key=3e7a67b1f9c00d601dbe reduced to tidy morsels like http://blag.foo/5Vf2.

Who doesn’t enjoy that? It’s cleaner! Efficient! More user-friendly!

Information security pros, that’s who. Why? Because it’s opaque.

How did you know that clicking http://go.uvm.edu/9utlr (if that’s how you got here) was going to bring you someplace that’s safe to visit?

In our efforts to improve users’ online safety through education, we often preach “Know Where You’re Going” — in other words, find out where that link’s going to take you before clicking it. Use of these URL shorteners necessarily defeats this simple technique. Because of this, it’s hard to know whether http://blag.foo/5Vf2 points to the conference registration link you wanted or some scammer site claiming that you can log into the conference reg site with your UVM Webmail credentials. And even if the user is savvy enough to spot the fraud based upon the Address bar contents when their browser finally comes to rest (“Hey — that says megaconference.premline.ru…”), how many drive-by malware sites did they visit to get there?

It’s impossible to know from http://blag.foo/5Vf2.

Still: Cleaner! Efficient! More user-friendly!

Fortunately, the fantastic folks of ETS SAA have come up with an answer that reduces the risks somewhat: http://go.uvm.edu will happily shorten your links for you, and your users can breathe easier (especially once the information security people have made them hyperventilate over URL shorteners) because every http://go.uvm.edu URL can be traced back to a UVM NetID.

(Astute readers will, no doubt, point out that this doesn’t prevent a UVMmer from defrauding Internet users through a http://go.uvm.edu URL. And that’s a fair assessment. But information security is a game of reducing exposure to risks rather than eliminating them altogether. Sad, but true.)

THIS JUST IN (2 October, 2013): Adding a tilde (~) to the end of your shortened URL will cause the user to make a quick stop by a small page on go.uvm.edu which explains where they’ll be taken. This nicely addresses the apparent hypocrisy inherent in this article. Try it for yourself by visiting UVM’s IT security site using these two links:

So please feel free to Shorten the Internet! Just use http://go.uvm.edu when you do it! And if you have questions, please let us know.


Sam Hooker, for the Information Security Operations Team

“Why security?”

It’s the eleventh hour. You’ve been working on a project for months. Maybe it’s a grant application. It’s all coming together: people; facilities; legal; technology. Suddenly, someone steps in and says, “Wait a minute: Have you considered information security?”

Or maybe you have a favorite online service you’d really like to use to manage some aspect of your UVM life. You already know how to use it; you’ve already arranged your workflow around it; you need a little technical help to make it work just right. Then your tech-savvy helper says, “I think we should ask the information security people about this…”

UVM’s Information Security Office and Operations Team are charged with helping all university units protect the institution’s information. It’s our job to enable all our constituents to make informed decisions about technology products, services, and techniques by helping decision makers understand real risks to UVM. We’re not here to say, “No.” We’re here to ask, “How?” and then assist you in finding answers.

On this site, we hope to share our answers to the “whys”, and we’ll probably start with the ones we’re asked most often. There will almost certainly be other answers, some of them contrary, in many cases. We invite you to engage us directly by sending your comments to iso@uvm.edu.

Additionally, if there is a question you would like to see answered here, please email it to  iso@uvm.edu.



Sam Hooker, for the Information Security Operations Team

Skip to toolbar