Presentation on theme: "Data and Service Security A.S.Trew, G. Poxon & S.McGeever."— Presentation transcript:
Data and Service Security A.S.Trew, G. Poxon & S.McGeever
Mobile Data Security In 2010 Records Management published a policy on sensitive data – necessary response to the Data Protection Act the Colleges thought this inadequate because: – of the gap between policy and practice – Support and guidance were seen as piecemeal and un-coordinated MVM and CSE surveyed staff and PG students to determine: – were sensitive data being transferred electronically? here, sensitive does not simply refer to Personal Data, but exam papers, proposals etc. – if so, was this being done in a secure manner? – and what type of person was most at risk? yes, we have problems – 79.5% use data outside the University network … of these, ~50% use sensitive data in this way most sensitive data are not controlled under the Data Protection Act exposure risk is strongly correlated with staff role individuals have a responsibility to ensure that they take all reasonable precautions to secure sensitive data … but this cannot be relied upon as the only defence – eg. 38% use their smartphone for University business, 35% of these do not even use a PIN
the challenge … is to address these in a way which is consistent with academic practice – though we all have to work within the law do you routinely forward University to, say, gmail? If so, you could be breaking the Data Protection Act in a company it would be (relatively) easy to impose a common way of working to minimise the threat but we require different ways of working in different areas and easy collaboration with externals – and have a mindset which prioritises this over all other considerations – the problem is probably worst within CSE we combine technical demands with self-will – … leading to an attitude amongst many key staff which ignores the problem
the remedy? MVM will alert staff with targetted s – ie different s for Professors, PGR … we believe that this is not sufficient in CSE, we will: – have a co-ordinated, consistent roll-out of existing guidance to School IT teams, IS, School management … – encourage College to appoint a senior academic to lead compliance activity – report gaps and remedies to Records Management and ISG
RMISG CCPAG Schoo l IT School IT College ISG Academic Staff Use Cases & Recommendations Monitor Specific Help General Help Schoo l IT School IT
Mobile Data Security - actions actions: CCPAG has created a basic set of guidelines and use cases appropriate for CSE has gone out from HoC/HoSs requiring staff to comply with guidelines ICO increasingly looking at documented evidence of staff engagement should a breach occur but, we must keep peoples attention, identify / support new use cases, report incidents and change mindset. address these by : - Sending annual reminders to all staff - Incorporate security into induction process and provide (on-line) training - Work with IS, MVM, HSS and Data Practitioners to identify gaps in documentation, develop/identify further use cases, share best practice - Provide central mechanism for transparent feedback / reporting of incidents success metrics: - Re-run questionnaire in a few years time - CCPAG judgement (i.e. is it our impression that compliance is better? Has mindset changed?) - Records Management judgement - Have there been any incidents?
Services focus to date has been on mobile data & clients (e.g., laptops, smartphones) – where active management and monitoring is least likely … but recent compromises mainly concentrated on servers & services, also largely unmanaged – again, active management & monitoring rare even expertly managed servers and services, however, can be compromised – combinations of old and new attacks make guaranteed prevention impossible …also widespread use of third party services (e.g. Dropbox) – no management or monitoring available
… the problem four known break-ins within CSE in the last 18 months: – P&A: unpatched web services led to 34 unmanaged services compromised, machines used to relay spam – Informatics: weak password led to staff and student ssh services compromised, loss of service – Biology: unpatched web service attacked, servers used to sell Viagra; automated attack led to compromised service, usernames/passwords stolen => reputational damage – ICMS: unpatched, unmanaged web service compromised … – Engineering: main web server hacked to sell Viagra … but it is embarrassing to acknowledge such events, so we do not know the extent of break-ins, nor learn from experience also reluctance to acknowledge the problem because of its scale … do we have the time, skills, and resolution to fix? five
… the response the University decides to strengthen its 2009 Information Security Policy – the section describing the responsibilities of the Support Groups and Colleges/Schools updated to pass responsibility clearly to Hoss You are response for any loss of sensitive data from your School You are responsible for the integrity of any services provided by your School Brian Gilmore becomes Chief Information Technology Security Officer (CITSO) – the focal point for the provision of advice, and collector of security incidents across the institution His stated approach is to provide policies, but not how they should be implemented … this gives us the freedom to tailor approaches to meet local needs
what do we do? three approaches to minimising risks: – Extend centrally managed services to cover more of the use cases that are clearly required for academic success (e.g., where external collaborations drive technical requirements) – ensure owners of centrally unmanaged services/machines are aware of the risks and adopt these – provide training and education for the (decreasing?) remainder of unmanaged usage caveats: – even well-resourced Schools cannot guarantee protection (prevention, detection and recovery feedback loop essential) – price of world-class, research-focussed University = growing lag between individuals adoption and UoE-scale managed services – onus on academics to justify refusing extended managed services where these are proven fit for purpose.
Layered security (most) research data Mildly sensitive data Highly sensitive data
immediate recommendations identify a security representative per School – to provide technical support to HoS to enable them to meet their obligations under the Information Security Policy inform all staff of their responsibilities to keep data and services secure – potential of disciplinary action in cases of gross misconduct audit School IT activities to identify all services and key data sets – categorise risks – propose moving to managed (School or IS) services where possible – … where not possible take explicit steps to implement best practice – review, share, feedback … use CCPAG as clearing house
outstanding issues How do we: – accommodate academic needs with limited effort – implement the security policy cf. Informatics experience – identify Security Reps/Enforcers with the knowledge and seniority to fulfil their role cf. ISG practices – …