Ongoing projects

IT Security is en vogue and the net is vast and infinite. For further reading on the topic we recommend the following websites:

A Public Key Infrastructure (PKI) is a platform for the central administration of digital certificates.

Personal digital certificates will be used at ETH Zurich for the following purposes:

  • Digitally signed emails
  • Encryption of emails
  • 2-factor authentication

Other possible applications, such as digitally signing documents or transactions, are also conceivable.

Following a needs analysis on the use of digital certificates at ETH Zurich, this initiative will evaluate and introduce a suitable management solution.

At the moment, ITS manages digital identities and access rights with a self-developed solution that has grown over the years. This solution no longer meets all legal conditions and operational requirements, however.

In 2014, ITS was commissioned to introduce an IAM system. The project is currently being implemented and will significantly increase maturity in relation to the management of digital identities and access rights.

Logging in exclusively with user ID and password does not provide sufficient security when it comes to accessing sensitive information or performing sensitive transactions.

Good practice for such cases is the use of 2-factor authentication, which requires the entry of a further attribute in addition to user ID and password, such as a random number generated by a smartphone app.

At the moment, ITS has no comprehensive solution for 2-factor authentication. The aim of this initiative is to create a platform for 2-factor authentication that is available for all applications, services and systems.

Systems of all kinds are integrated into ETH Zurich's network. These include desktops, laptops and tablets, smartphones, IoT components and servers.

Some are managed by ITS or other IT support groups, while others are the direct responsibility of the user; some of the devices are privately owned.

Many of these systems are professionally managed and well secured. Others are not up to date with regard to security patches or virus protection or are not sufficiently secured technically.

Inadequately secured systems pose a risk, as attackers could use them to enter the ETH Zurich network and use different hacking techniques to obtain the necessary information and access for their attack.

The aim of this initiative is to evaluate and implement a solution that can check the security status of systems and provide protection mechanisms that mitigate risks due to inadequate security.
 

Links

Blog by Bruce Schneier

Bruce Schneier is a widely respected security expert; he discusses high-level security issues in his blog.
Schneier on Security

Cybercrime

The department of the Zurich Cantonal Police provides additional security in virtual space through prevention and suppression.
Cybercrime Portal of the Cantonal Police Zurich

European Union Agency for Network and Information Security

The European Union Agency for Network and Information Security (ENISA) is a centre of expertise for cyber security in Europe.

Reporting and Analysis Centre for Information Assurance (MELANI)

The MELANI website is aimed at private computer and Internet users as well as small and medium-sized enterprises (SMEs) in Switzerland.

"Security, Moore's law, and the anomaly of cheap complexity"

Thomas Dullien about the causes of IT security issues
