Data and Service Security

A.S.Trew, G. Poxon & S.McGeever


Mobile Data Security

  • In 2010 Records Management published a policy on sensitive data

    • necessary response to the Data Protection Act

  • the Colleges thought this inadequate because:

    • of the gap between policy and practice

    • Support and guidance were seen as piecemeal and un-coordinated

  • MVM and CSE surveyed staff and PG students to determine:

    • were sensitive data being transferred electronically?

      • here, “sensitive” does not simply refer to Personal Data, but exam papers, proposals etc.

    • if so, was this being done in a secure manner?

    • and what type of person was most at risk?

  • yes, we have problems

    • 79.5% use data outside the University network … of these, ~50% use sensitive data in this way

  • most sensitive data are not controlled under the Data Protection Act

  • exposure risk is strongly correlated with staff role

  • individuals have a responsibility to ensure that they take all reasonable precautions to secure sensitive data

  • … but this cannot be relied upon as the only defence

    • e.g. 38% use their smartphone for University business; 35% of these do not even use a PIN


the challenge

  • … is to address these in a way which is consistent with academic practice

    • though we all have to work within the law

      • do you routinely forward University email to, say, gmail? If so, you could be breaking the Data Protection Act

  • in a company it would be (relatively) easy to impose a common way of working to minimise the threat

  • but we require different ways of working in different areas and easy collaboration with externals

    • and have a mindset which prioritises this over all other considerations

    • the problem is probably worst within CSE

      • we combine technical demands with “self-will”

    • … leading to an attitude amongst many key staff which ignores the problem


the remedy?

  • MVM will alert staff with targeted emails

    • i.e. different emails for Professors, PGR …

  • we believe that this is not sufficient in CSE, we will:

    • have a co-ordinated, consistent roll-out of existing guidance to School IT teams, IS, School management …

    • encourage College to appoint a senior academic to lead compliance activity

    • report gaps and remedies to Records Management and ISG


[Diagram, recoverable labels only: School IT; RM; ISG; Use Cases & Recommendations; CCPAG; College; Monitor; General Help; Specific Help; Academic Staff]


Mobile Data Security - actions

  • actions:

    • CCPAG has created a basic set of guidelines and use cases appropriate for CSE

    • Email has gone out from HoC/HoS’s requiring staff to comply with guidelines

      • ICO increasingly looking at documented evidence of staff engagement should a breach occur

  • but, we must keep people’s attention, identify / support new use cases, report incidents and change mindset.

  • address these by:

    • Sending annual reminders to all staff

    • Incorporate security into induction process and provide (on-line) training

    • Work with IS, MVM, HSS and Data Practitioners to identify gaps in documentation, develop/identify further use cases, share best practice

    • Provide central mechanism for transparent feedback / reporting of incidents

  • success metrics:

    • Re-run questionnaire in a few years' time

    • CCPAG judgement (i.e. is it our impression that compliance is better? Has mindset changed?)

    • Records Management judgement

    • Have there been any incidents?


Services

  • focus to date has been on mobile data & clients (e.g., laptops, smartphones)

    • where active management and monitoring is least likely

  • … but recent compromises mainly concentrated on servers & services, also largely unmanaged

    • again, active management & monitoring rare

  • even expertly managed servers and services, however, can be compromised

    • combinations of old and new attacks make guaranteed prevention impossible

  • …also widespread use of third party services (e.g. Dropbox)

    • no management or monitoring available


… the problem

  • four known break-ins within CSE in the last 18 months (the slide overlay reads “five”; five cases are listed):

    • P&A: unpatched web services led to 34 unmanaged services compromised, machines used to relay spam

    • Informatics: weak password led to staff and student ssh services compromised, loss of service

    • Biology: unpatched web service attacked, servers used to sell Viagra; automated attack led to compromised service, usernames/passwords stolen => reputational damage

    • ICMS: unpatched, unmanaged web service compromised …

    • Engineering: main web server hacked to sell Viagra

  • … but it is embarrassing to acknowledge such events, so we do not know the extent of break-ins, nor learn from experience

  • also reluctance to acknowledge the problem because of its scale … do we have the time, skills, and resolution to fix?


… the response

  • the University decides to strengthen its 2009 ‘Information Security Policy’

    • the section describing the responsibilities of the Support Groups and Colleges/Schools updated to pass responsibility clearly to HoS’s

      • You are responsible for any loss of sensitive data from your School

      • You are responsible for the integrity of any services provided by your School

  • Brian Gilmore becomes Chief Information Technology Security Officer (CITSO)

    • the focal point for the provision of advice, and collector of security incidents across the institution

      • His stated approach is to provide policies, but not how they should be implemented

      • … this gives us the freedom to tailor approaches to meet local needs


what do we do?

  • three approaches to minimising risks:

    • Extend centrally managed services to cover more of the use cases that are clearly required for academic success (e.g., where external collaborations drive technical requirements)

    • ensure owners of centrally unmanaged services/machines are aware of the risks and adopt these

    • provide training and education for the (decreasing?) remainder of unmanaged usage

  • caveats:

    • even well-resourced Schools cannot guarantee protection (prevention, detection and recovery feedback loop essential)

    • price of world-class, research-focussed University = growing lag between individuals’ adoption and UoE-scale managed services

    • onus on academics to justify refusing extended managed services where these are proven fit for purpose.


Layered security (diagram tiers)

  • Highly sensitive data

  • Mildly sensitive data

  • (most) research data


immediate recommendations

  • identify a security representative per School

    • to provide technical support to HoS to enable them to meet their obligations under the Information Security Policy

  • inform all staff of their responsibilities to keep data and services secure

    • potential of disciplinary action in cases of gross misconduct

  • audit School IT activities to identify all services and key data sets

    • categorise risks

    • propose moving to managed (School or IS) services where possible

    • … where not possible take explicit steps to implement best practice

    • review, share, feedback … use CCPAG as clearing house


outstanding issues

  • How do we:

    • accommodate academic needs with limited effort

    • implement the security policy

      • cf. Informatics experience

    • identify Security Reps/Enforcers with the knowledge and seniority to fulfil their role

      • cf. ISG practices

