Data and service security
1 / 13

Data and Service Security - PowerPoint PPT Presentation

  • Uploaded on

Data and Service Security. A.S.Trew , G. Poxon & S.McGeever. Mobile Data Security. In 2010 Records Management published a policy on sensitive data necessary response to the Data Protection Act the Colleges thought this inadequate because: of the gap between policy and practice

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Data and Service Security' - nita

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Data and service security

Data and Service Security

A.S.Trew, G. Poxon & S.McGeever

Mobile data security
Mobile Data Security

  • In 2010 Records Management published a policy on sensitive data

    • necessary response to the Data Protection Act

  • the Colleges thought this inadequate because:

    • of the gap between policy and practice

    • Support and guidance were seen as piecemeal and un-coordinated

  • MVM and CSE surveyed staff and PG students to determine:

    • were sensitive data being transferred electronically?

      • here, “sensitive” does not simply refer to Personal Data, but exam papers, proposals etc.

    • if so, was this being done in a secure manner?

    • and what type of person was most at risk?

  • yes, we have problems

    • 79.5% use data outside the University network … of these, ~50% use sensitive data in this way

  • most sensitive data are not controlled under the Data Protection Act

  • exposure risk is strongly correlated with staff role

  • individuals have a responsibility to ensure that they take all reasonable precautions to secure sensitive data

  • … but this cannot be relied upon as the only defence

    • eg. 38% use their smartphone for University business, 35% of these do not even use a PIN

The challenge
the challenge

  • … is to address these in a way which is consistent with academic practice

    • though we all have to work within the law

      • do you routinely forward University email to, say, gmail? If so, you could be breaking the Data Protection Act

  • in a company it would be (relatively) easy to impose a common way of working to minimise the threat

  • but we require different ways of working in different areas and easy collaboration with externals

    • and have a mindset which prioritises this over all other considerations

    • the problem is probably worst within CSE

      • we combine technical demands with “self-will”

    • … leading to an attitude amongst many key staff which ignores the problem

The remedy
the remedy?

  • MVM will alert staff with targetted emails

    • ie different emails for Professors, PGR …

  • we believe that this is not sufficient in CSE, we will:

    • have a co-ordinated, consistent roll-out of existing guidance to School IT teams, IS, School management …

    • encourage College to appoint a senior academic to lead compliance activity

    • report gaps and remedies to Records Management and ISG

Data and service security







Use Cases &
















Mobile data security actions
Mobile Data Security - actions

  • actions:

    • CCPAG has created a basic set of guidelines and use cases appropriate for CSE

    • Email has gone out from HoC/HoS’s requiring staff to comply with guidelines

      • ICO increasingly looking at documented evidence of staff engagement should a breach occur

  • but, we must keep people’s attention, identify / support new use cases, report incidents and change mindset.

  • address these by :

    • Sending annual reminders to all staff

    • Incorporate security into induction process and provide (on-line) training

    • Work with IS, MVM, HSS and Data Practitioners to identify gaps in documentation, develop/identify further use cases, share best practice

    • Provide central mechanism for transparent feedback / reporting of incidents

  • success metrics:

    • Re-run questionnaire in a few years time

    • CCPAG judgement (i.e. is it our impression that compliance is better? Has mindset changed?)

    • Records Management judgement

    • Have there been any incidents?


  • focus to date has been on mobile data & clients (e.g., laptops, smartphones)

    • where active management and monitoring is least likely

  • … but recent compromises mainly concentrated on servers & services, also largely unmanaged

    • again, active management & monitoring rare

  • even expertly managed servers and services, however, can be compromised

    • combinations of old and new attacks make guaranteed prevention impossible

  • …also widespread use of third party services (e.g. Dropbox)

    • no management or monitoring available

The problem
… the problem


  • four known break-ins within CSE in the last 18 months:

    • P&A: unpatched web services led to 34 unmanaged services compromised, machines used to relay spam

    • Informatics: weak password led to staff and student ssh services compromised, loss of service

    • Biology: unpatched web service attacked, servers used to sell Viagra; automated attack led to compromised service, usernames/passwords stolen => reputational damage

    • ICMS: unpatched, unmanaged web service compromised …

    • Engineering: main web server hacked to sell Viagra

  • … but it is embarrassing to acknowledge such events, so we do not know the extent of break-ins, nor learn from experience

  • also reluctance to acknowledge the problem because of its scale … do we have the time, skills, and resolution to fix?

The response
… the response

  • the University decides to strengthen its 2009 ‘Information Security Policy’

    • the section describing the responsibilities of the Support Groups and Colleges/Schools updated to pass responsibility clearly to Hos’s

      • You are response for any loss of sensitive data from your School

      • You are responsible for the integrity of any services provided by your School

  • Brian Gilmore becomes Chief Information Technology Security Officer (CITSO)

    • the focal point for the provision of advice, and collector of security incidents across the institution

      • His stated approach is to provide policies, but not how they should be implemented

      • … this gives us the freedom to tailor approaches to meet local needs

What do we do
what do we do?

  • three approaches to minimising risks:

    • Extend centrally managed services to cover more of the use cases that are clearly required for academic success (e.g., where external collaborations drive technical requirements)

    • ensure owners of centrally unmanaged services/machines are aware of the risks and adopt these

    • provide training and education for the (decreasing?) remainder of unmanaged usage

  • caveats:

    • even well-resourced Schools cannot guarantee protection (prevention, detection and recovery feedback loop essential)

    • price of world-class, research-focussed University = growing lag between individuals’ adoption and UoE-scale managed services

    • onus on academics to justify refusing extended managed services where these are proven fit for purpose.

Layered security
Layered security

Highly sensitive data

Mildly sensitive data

(most) research data

Immediate recommendations
immediate recommendations

  • identify a security representative per School

    • to provide technical support to HoS to enable them to meet their obligations under the Information Security Policy

  • inform all staff of their responsibilities to keep data and services secure

    • potential of disciplinary action in cases of gross misconduct

  • audit School IT activities to identify all services and key data sets

    • categorise risks

    • propose moving to managed (School or IS) services where possible

    • … where not possible take explicit steps to implement best practice

    • review, share, feedback … use CCPAG as clearing house

O utstanding issues
outstanding issues

  • How do we:

    • accommodate academic needs with limited effort

    • implement the security policy

      • cf. Informatics experience

    • identify Security Reps/Enforcers with the knowledge and seniority to fulfil their role

      • cf. ISG practices