
When the Bits Hit the Fan: Managing Data Security and Privacy

Jim Dillon – University of Colorado

Jaime Galiano–Georgia Institute of Technology

Nancy Krogh – University of North Dakota

Copyright Dillon, Galiano & Krogh - 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

I. Birds-Eye View of the Issues and Challenges

Nancy Krogh

University Registrar

University of North Dakota

Nancy.Krogh@mail.und.nodak.edu

Copyright Nancy Krogh, 2004

Privacy and Security

• Prevention
• Detection
• Response
– Encompass all users
– Extend across campus and to agencies outside of the institution
– Include all formats
– Recognize this takes place in a climate of rising expectations for privacy and service and increasing regulation to ensure both.

Effective Strategies Must Include:

• Comprehensive solutions

• Communication

• Identifying Risks

• Establishing priorities

• Making choices

Prevention Strategies

• Control of access to information
• Education and training
• Policies for security and appropriate use
• Technical solutions
• Social solutions
• Effective communication among IT staff, data stewards, senior administrators, and users.

Detection Strategies

• Establish priorities

• Include key players in decisions

• Not strictly an IT issue

• Look across media for data storage

• Include all users
– And “shadow” users

Response

• Consider proactive response
– Understand the risks to the community
– Understand the concerns of the community
– Develop plans for response before an incident
– Respond to these concerns through prevention and detection.

Response

• Understand range of consequences and ramifications clearly:

– Trivial
– Consequential

Comprehensive Institutional Response

• Includes:
– Education
– Communication
– Teamwork
– Patience

• Leads to:
– Appropriate risk analysis
– Effective decision-making and response

II. Policies, Strategies & Approaches

A Proactive Preventative Framework

Jaime Galiano

Project Director – OIT Policy & Strategy

Georgia Institute of Technology

Jaime.Galiano@oit.gatech.edu

Copyright Jaime Galiano, 2004

Training – An ounce of prevention is worth a pound of cure!

• Address “low-hanging fruit”

• Protect the weakest link – the users!

• Communications, policy awareness, social issues, best practices

• Document security/harvesting

• “Shadow” data/systems

Document Security

• Another relatively “easy” target, by virtue of end-user unawareness

• Attacks can range from embedded “malware” to privacy breaches resulting from hidden document tags (comments, changes, etc.)

• Beware of unknown document attachments!

Data Classification & Protection

• Necessary to segment & safeguard information

• Striking a balance between security and usability/flexibility

• Consider data flow issues
• Take into account both legal and contractual requirements for data safeguards

Risk Assessment & Management

• Assess the level of risk posed by each identified issue

• Apply safeguards accordingly

• Proactive risk management
– Avoid
– Transfer
– Accept & mitigate

Information Security & Data Access Control Implementation

• Need to have a lowest-common-denominator (LCD) security baseline

• Layered safeguards definition and application

• Allow for “compensating controls” during implementation

• Standards-based (e.g. ISO17799)

Data & Metadata Stewardship

• Functional vs. technical focus

• Moving away from original “need-to-know for assigned duties” framework

• Metadata Imperative: improving the management and retrieval of information.

• Data Warehouse example

III. Control, Monitor, & Detect

Establishing a Basis for Sensitive Data Recognition and Control

Jim Dillon

IT Audit Manager

University of Colorado

jim.dillon@cusys.edu

Copyright Jim Dillon, 2004

Recognize the Data Resource

• Start with Data Classification & Risk Assessment
– Reliance: Data as an ASSET, not Commodity
– Regulations, Mandates
– Competitive Advantage, New Competitors
– Customer Satisfaction (Data Now, but Privately!)

• Speak the Same Language! Sensitive = ?

Identify (Detect) the Data

• Case Study – Audit of an Enterprise System
– Start with Enterprise Data Store
– Track Potentially Sensitive Data as it Leaves the System
– Now Follow Through The Next Level
– Don’t Stop, We’ve Just Begun …
– Estimate Data Distribution

Identify the Data – Tier 1: Official Record

• Custom I/Fs (APIs)
• Standard File Transfers (FTP)
• Batch Processes
• Web/4GL I/Fs
• Test Copies
• Development Copies
• Structured Queries, Reporting Tools
• Equipment Disposals
• Official Shadows – Data Warehouses
• Custom Applications (e.g. IDMS, SQL)
• Screen Scrapes, Snapshots
• Printed Output
• Integration to other Enterprise Systems
• Backup, Transfer Media
• Etc.

Identify the Data – Tier 2: Custodians and Approved Shadows

• Data Custodians, Owners, Key Depts.
– Admissions
– Bursars
– Registrars
– Financial Aid
– Controllers

• Administrative Depts.
– Institutional Relations

• Campus IT Organizations
– Academic
– Administrative or Central IT

• Regulatory Data Collection and Distribution
– Sally Mae
– SEVIS
– State Agencies

Identify the Data – Tier 3 to Tier n

• Flatfiles, Custom Applications (Shadows)
• Excel or Word Files
• Query or ODBC Connects
• Printed Output
• Access DBMS
• Periodic Departmental Files
• Rosters, Benefits, Grades, Award Lists
• Departments, Organizations, Individuals
• Mailing Lists, Class Lists, Eligibility, …

Identify the Data – Example, Page 1

[Diagram: “DRAFT: Logical ERP DATA Flow”. It traces the aging enterprise system (IDMS/SQL, plus a test copy) outward through user/developer terminal access, direct and programmed IDMS/SQL queries, approved end-user PC terminal/telnet and web interfaces, campus IT data processing (batch access via Easytrieve, SAS, SQL, FTP, 4GLs), production batch processing and batched FTP transfers into flat files, printed reports and output, the data warehouse, other ERP integration, FTP services, custom lookup/AuthN and query/web systems, student access, a government FTP interface to external agencies (Sally Mae, banking/finance) and ERP web servers; then on to custodian systems (6-7 servers, about 25 text/Excel files, a 6-user database plus admins, 200-N annual requests for text/Excel data through departmental custom programs) and numerous campus IT, departmental, vendor, lab and center/institute applications, with academic departments, continuing education, administrative services and housing continued on page 2. End-user lookup data, limited data sets and high access levels are marked “soon to be processed through FTP batch”; one source is marked “???”. Legend: green text = systems of record (Tier 1); blue text = owners/service providers, authorized sub-systems (Tier 2); red text = end-user organizations (Tier 3/n).]

Identify the Data – Example, Page 2

[Diagram, continued: end-user organizations (7 of 3000+ shown: Academic Dept. 1, Academic Dept. 2, Continuing Ed, Services, Housing, Administrative Support, Center/Institute) with their data sources (ERP application access via SQL or IDMS direct or programmed queries; the information warehouse; flat files and spreadsheets from an official custodian or recognized source, e.g. via FTP; flat files from other sources that are not Tier 1 or Tier 2, marked “?”) and their own systems: a services database (Oracle, 30-40 users), administrative programs and marketing data on an informal file share open to most department users, ERP aggregate data sets (10 dept. users), an academic system and Access DBs spanning multiple organizations and departments, two additional systems under development with a dynamic data link, admin/student services applications and database (5 or 6 staff), a reservation system (>100 users), a student admin database and vendor application databases. Example individual data-file requests: orientation (8000 records), dean’s office, scholarship selection, dean’s list, mailing lists and graduation invitations, program review, dept. graduation, newsletters and announcements, alumni. Legend: green = system of record (Tier 1); blue = authorized sub-system (Tier 2); red = end-user orgs (Tier 3/n).]

Identify the Data

• Case Conclusion
– 73-77% of Administrative Staff Have Sensitive Data or Can Obtain Sensitive Data
– Assuming Rosters for Academic Staff, 85% or More Have Data
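One way to carry out the “track it as it leaves the system, follow through the next level, estimate distribution” steps of the case study is to record each observed data flow as an edge and walk the graph from the system of record. This is an added example, not part of the presentation; the node names, edges and the APPROVED custodian set are constructed.

```python
# Added example, not from the presentation: the tiered data-flow map as a
# directed graph, walked outward from the Tier 1 system of record to
# estimate how far sensitive data has spread. All names/edges constructed.
from collections import deque

# (source, destination, channel) - channels mirror the Tier 1 interface list
FLOWS = [
    ("ERP System", "Data Warehouse", "batch"),
    ("ERP System", "Registrar", "IDMS/SQL query"),
    ("ERP System", "Financial Aid", "FTP"),
    ("ERP System", "State Agency", "FTP"),
    ("Registrar", "Academic Dept 1", "Excel roster"),
    ("Registrar", "Academic Dept 2", "Excel roster"),
    ("Data Warehouse", "Housing", "ODBC"),
    ("Academic Dept 1", "Dept 1 Access DB", "flat file"),
    ("Academic Dept 1", "Alumni Office", "mailing list"),
    ("Continuing Ed", "Marketing", "file share"),  # no traced path from the ERP
]
# Tier 2: custodians and approved shadows; anything else reached is Tier 3/n
APPROVED = {"Data Warehouse", "Registrar", "Financial Aid", "State Agency"}

def reach(flows, root):
    """BFS from root. Returns {node: (hops, channel it arrived by)}."""
    adj = {}
    for src, dst, ch in flows:
        adj.setdefault(src, []).append((dst, ch))
    seen = {root: (0, None)}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for dst, ch in adj.get(cur, []):
            if dst not in seen:
                seen[dst] = (seen[cur][0] + 1, ch)
                queue.append(dst)
    return seen

def distribution(flows, root, approved):
    """Holders per tier; 'unknown' = holders with no traced path from root."""
    reached = reach(flows, root)
    counts = {1: 0, 2: 0, 3: 0, "unknown": 0}
    for node in {n for flow in flows for n in flow[:2]}:
        if node not in reached:
            counts["unknown"] += 1  # a copy whose source was never traced
        elif reached[node][0] == 0:
            counts[1] += 1
        else:
            counts[2 if node in approved else 3] += 1
    return counts
```

Nodes in the "unknown" bucket are the shadow copies the audit has not yet followed back to a source, which is where the next round of tracing starts.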

Signs of Trouble (Sensitive Data Bloat)

• Significant Numbers/Types of Interfaces
• Increasing Shadow Systems
• Heavy Customization
• Web Mining/Hacking Results (GOOGLE “final grades site:YourU.edu filetype:xls”)
– Johnny (http://johnny.ihackstuff.com/)
– SiteDigger (FoundStone) and Athena
• False Data Seeds (Monitor Returns)
• Lack of Active Policy
• Traffic Analysis, Flowscan Reports, Variances
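The web-mining and false-data-seed signs above can be checked from the inside before a search engine indexes anything: sweep your own web document root for grade-sheet style files, SSN-shaped values and any planted seed records. This is an added example, not part of the presentation; the seed values, regexes, file names and sample contents are constructed.

```python
# Added example, not from the presentation: a defender-side sweep of your
# own web document root for the kind of files the slide's search query
# finds, plus planted "false data seed" records. Values are constructed.
import os, re, tempfile

SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
GRADE_HDR = re.compile(r"\b(final\s+grades?|student\s*id)\b", re.I)
# Seed -> which distributed copy it was planted in; a hit traces the leak
SEEDS = {"SEED-7731-Q": "registrar roster export", "Perkins, Zelda T.": "financial aid extract"}
# Text formats only; convert .xls/.doc to text before scanning them
SCAN_EXT = {".csv", ".txt", ".htm", ".html"}

def scan_text(text):
    """Return [(finding, detail)] for one file's contents."""
    hits = []
    ssns = SSN.findall(text)
    if ssns:
        hits.append(("ssn_pattern", len(ssns)))
    hdr = GRADE_HDR.search(text)
    if hdr:
        hits.append(("grade_sheet_header", hdr.group(0)))
    for seed, origin in SEEDS.items():
        if seed in text:
            hits.append(("seed_record", origin))
    return hits

def scan_tree(root):
    """Walk root; return {relative path: findings} for files with any hit."""
    report = {}
    for d, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(d, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report

def demo():
    # Writes constructed sample files into a temp dir and scans them
    root = tempfile.mkdtemp()
    samples = {"courses/final_grades_s04.csv": "Student ID,Name,Grade\n123-45-6789,Doe J,A\nSEED-7731-Q,Seed,B\n",
               "news/bulletin.txt": "Commencement is May 15. Tickets at the box office.\n"}
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)
```

Run the same sweep on file shares and FTP drop directories as well as the web root; a seed hit outside the system it was planted in is exactly the "monitor returns" signal the slide refers to.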

Control Environment

• Controls: Those Things You Do That Ensure Good Things Happen and Bad Things Don’t

• Environment: The Relative Cultural Strength or Weakness of Controls Throughout All Areas of Your Institution – “Institutional Will”

Control Environment

• Active Testing (Defined Roles, Audits, etc.)

• Clearly Assigned Data Responsibilities, Affirmation
– Owners, Custodians, Users

• Training, To What Staff Level?

• Standards, Policies, Expectations, Clearly Defined Job Responsibilities

Control Environment (continued)

• Robust AuthN/AuthZ Controls
• Active Monitoring (Evidence!)
– Ongoing Data Requirements Gathering
– Hot Lines, Feedback Channels
• Identifiable Compliance Effort, Observable Penalties
• Patching, Virus Control, Spyware Control

Control, Monitor, and Detect – Conclusions

• To Manage Your Sensitive Data and Minimize Unwanted, Unaffordable Data Problems
– You Must Know WHAT Data to Control
– You Must Identify and Assess Data Risks and Usage
– You Must Monitor for Signs of Trouble
– You Must Establish a Healthy Control Environment, or “Institutional Will”

Response – So what do you do IF, after all this, you’re still “hit”?

• Incident Response Procedures
• Multi-disciplinary, collaborative group on a “rapid response” team
• Educause ‘03 Presentation: “Damage Control: What to do when your security incident hits the 6 o’clock news” (http://www.educause.edu/LibraryDetailPage/666&ID=EDU0307)
• GIT Incident Response Collaborative Model (http://www.audit.gatech.edu/IAcollabrative2.pdf)
