Published in the Proceedings of the Tenth IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WET ICE 2001), IEEE Computer Society.

Issues in Securing Web-accessible Information Systems

Janet Lavery and Cornelia Boldyreff
Department of Computer Science, University of Durham
Science Laboratories, South Road, Durham, DH1 3LE, U.K.
Janet.Lavery@durham.ac.uk, Cornelia.Boldyreff@durham.ac.uk

Abstract

Within Higher Education, concerns are growing with regard to the gap between what university central services traditionally provide and what the academic departments within the institution need. The Institutionally Secure Integrated Data Environment (INSIDE) project is a JCIEL (JISC Committee for Integrated Environments for Learners) funded collaborative project between the Universities of St Andrews and Durham that proposes to address the above concerns by investigating the issues surrounding the development and delivery of “joined up systems for institutions”. The INSIDE project intends to work with both universities’ existing information bases to develop a model of distributed functionality. The intention is to solve the problems at a high enough level of abstraction to provide a generic solution applicable to other Higher Education institutions. The model must address the security implications of “joined up systems for institutions”, balancing an institution’s need for effective data security with universities’ culture of open access to information. An effective security strategy should address both the technical and social issues raised by web-accessible information systems. It must give recognition to the human and organisational aspects of security and the need to educate users in secure working practices.

1. Background: INSIDE Project Domain

Within Higher Education (HE), concerns are growing with regard to the gap between what university central services traditionally provide and what the academic departments currently need.

Members of the administrative staff and academic community (staff and students) of institutions are finding the performance of routine tasks difficult due to the nature of their institution’s current systems. These systems, usually comprised of multiple unconnected data repositories, require a user to expend extensive effort to accomplish what should be simple tasks. Users are often prevented from carrying out work by inappropriate access control mechanisms and the lack of appropriate client software. Additional difficulties occur as a result of the numerous ad hoc record systems developed at the departmental level that replicate processing being done centrally, but that are not co-ordinated with each other or with central services.

For example, at the University of Durham, the centralised Admissions department controls student records on a Unix system known as Banner2000¹. However, some departments keep their own version of student records, stored locally and manipulated using local software such as Administration and Running Continuous Assessment with Deadlines and Extensions (Arcade), software that records attendance and awarded marks [6]. While student records from Banner2000 are used initially to populate Arcade, corrections to the student records made in Arcade are not automatically reflected in Banner2000. Instead, discrepancy reports are generated by the academic department and sent to the centralised Admissions department. Central services then use the discrepancy reports to update the student records in Banner2000. Two uncoordinated copies of the same records therefore diverge between reports, and a correction made on one side can be silently overwritten or contradicted by a change made on the other.

The Institutionally Secure Integrated Data Environment (INSIDE) project is a JISC² Committee for Integrated Environments for Learners (JCIEL) funded collaborative project between the Universities of St Andrews and Durham that is currently addressing the above problems. The project specifically addresses the issues surrounding the development and delivery of “joined up systems for institutions”.
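The discrepancy-report step described above is the only channel by which departmental corrections reach the central records, and the text does not say how such a report is produced. The following is an added example written for this page, not code from the INSIDE project, Arcade or Banner2000. It assumes a simplified record format (a dictionary of student id to field/value pairs) and performs a three-way comparison between the central export used to populate the local copy, the current central records and the current local copy. That goes beyond the two-way report the text describes: it also exposes the cases in which the local copy is stale or both sides have changed the same field, which a plain local-versus-central diff cannot distinguish. All sample records are constructed for the example.

```python
from typing import Dict, List, Tuple

Record = Dict[str, str]       # field name -> value
Records = Dict[str, Record]   # student id -> record
Entry = Tuple[str, str, str, str, str]  # (student id, field, kind, central, local)

# Kinds of discrepancy the report can contain.
LOCAL_CORRECTION = "local_correction"   # changed locally only: candidate update for central
STALE_LOCAL = "stale_local"             # changed centrally only: local copy is out of date
CONFLICT = "conflict"                   # changed on both sides to different values: needs a person
ADDED_LOCALLY = "added_locally"         # record exists only in the local copy
MISSING_LOCALLY = "missing_locally"     # record created centrally after the local copy was populated
DELETED_LOCALLY = "deleted_locally"     # record dropped locally but still held centrally
DELETED_CENTRALLY = "deleted_centrally" # record dropped centrally but still held locally


def discrepancy_report(snapshot: Records, central: Records, local: Records) -> List[Entry]:
    """Three-way comparison of student records.

    snapshot: the central records as exported when the local copy was populated.
    central:  the central records now.
    local:    the local (departmental) copy now.

    Returns one entry per differing field (or per whole record when a record is
    present on one side only), sorted so that output is reproducible. A field
    value is "" when the field is absent. Fields on which central and local
    already agree are not reported, whatever the snapshot said.
    """
    report: List[Entry] = []
    for sid in sorted(set(snapshot) | set(central) | set(local)):
        base, cen, loc = snapshot.get(sid), central.get(sid), local.get(sid)
        if loc is None and cen is None:
            continue  # both sides have dropped the record; nothing to reconcile
        if loc is None:
            kind = DELETED_LOCALLY if base is not None else MISSING_LOCALLY
            report.append((sid, "*", kind, "", ""))
            continue
        if cen is None:
            kind = ADDED_LOCALLY if base is None else DELETED_CENTRALLY
            report.append((sid, "*", kind, "", ""))
            continue
        base = base or {}
        for fld in sorted(set(base) | set(cen) | set(loc)):
            b, c, l = base.get(fld, ""), cen.get(fld, ""), loc.get(fld, "")
            if c == l:
                continue
            if l != b and c == b:
                kind = LOCAL_CORRECTION
            elif l == b and c != b:
                kind = STALE_LOCAL
            else:
                kind = CONFLICT
            report.append((sid, fld, kind, c, l))
    return report


def safe_to_apply(report: List[Entry]) -> List[Entry]:
    """Only local-side corrections can be applied to central without review."""
    return [e for e in report if e[2] == LOCAL_CORRECTION]


# Constructed sample data (not real student records).
SNAPSHOT: Records = {
    "s001": {"surname": "Smith", "module": "CS101", "mark": ""},
    "s002": {"surname": "Jonse", "module": "CS101", "mark": ""},
    "s003": {"surname": "Patel", "module": "CS102", "mark": ""},
}
CENTRAL: Records = {
    "s001": {"surname": "Smith", "module": "CS101", "mark": ""},
    "s002": {"surname": "Jones", "module": "CS101", "mark": ""},   # spelling fixed centrally
    "s003": {"surname": "Patel", "module": "CS103", "mark": ""},   # module changed centrally
    "s004": {"surname": "Young", "module": "CS101", "mark": ""},   # admitted after population
}
LOCAL: Records = {
    "s001": {"surname": "Smith", "module": "CS101", "mark": "68"},     # mark awarded locally
    "s002": {"surname": "Jones-Lee", "module": "CS101", "mark": ""},   # different local fix
    "s003": {"surname": "Patel", "module": "CS102", "mark": ""},       # never saw the central change
}


def sample_report() -> List[Entry]:
    return discrepancy_report(SNAPSHOT, CENTRAL, LOCAL)


if __name__ == "__main__":
    for sid, fld, kind, c, l in sample_report():
        print(f"{sid:5} {fld:8} {kind:18} central={c!r:10} local={l!r}")
```

Only the `local_correction` entries can be fed back to the central system mechanically; a `conflict` or `stale_local` entry shows that the report alone is not a sufficient integration mechanism, because the departmental copy has no way to know which side is authoritative for that field.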
The Universities of Durham and St Andrews are presently responding to the need for user-centric information systems, accessible campus-wide. The INSIDE project is part of that response. It is intended that the project will not “throw technology” at the problem. Instead the project is working with the existing information base to develop a model of distributed functionality that delivers securely the information services that users in HE need.

¹ Banner2000 © Copyright Unisys, 1999
² Joint Information Systems Committee