When the Bits Hit the Fan: Managing Data Security and Privacy Jim Dillon – University of Colorado Jaime Galiano–Georgia Institute of Technology Nancy Krogh – University of North Dakota Copyright Dillon, Galiano & Krogh - 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

Dec 22, 2015

Page 1

When the Bits Hit the Fan: Managing Data Security and Privacy

Jim Dillon – University of Colorado

Jaime Galiano–Georgia Institute of Technology

Nancy Krogh – University of North Dakota

Copyright Dillon, Galiano & Krogh - 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

Page 2

I. Birds-Eye View of the Issues and Challenges

Nancy Krogh

University Registrar

University of North Dakota

[email protected]

Copyright Nancy Krogh, 2004

Page 3

Privacy and Security

• Prevention
• Detection
• Response

– Encompass all users
– Extend across campus and to agencies outside of the institution
– Include all formats
– Recognize this takes place in a climate of rising expectations for privacy and service and increasing regulation to ensure both.

Page 4

Effective Strategies Must Include:

• Comprehensive solutions

• Communication

• Identifying Risks

• Establishing priorities

• Making choices

Page 5

Prevention Strategies

• Control of access to information
• Education and training
• Policies for security and appropriate use
• Technical solutions
• Social solutions
• Effective communication among IT staff, data stewards, senior administrators, and users.

Page 6

Detection Strategies

• Establish priorities

• Include key players in decisions

• Not strictly an IT issue

• Look across media for data storage

• Include all users
– And “shadow” users

Page 7

Response

• Consider proactive response
– Understand the risks to the community
– Understand the concerns of the community
– Develop plans for response before an incident
– Respond to these concerns through prevention and detection.

Page 8

Response

• Understand range of consequences and ramifications clearly:

– Trivial
– Consequential

Page 9

Comprehensive Institutional Response

• Includes:
– Education
– Communication
– Teamwork
– Patience

• Leads to:
– Appropriate risk analysis
– Effective decision-making and response

Page 10

II. Policies, Strategies & Approaches

A Proactive Preventative Framework

Jaime Galiano

Project Director – OIT Policy & Strategy

Georgia Institute of Technology

[email protected]

Copyright Jaime Galiano, 2004

Page 11

Training – An ounce of prevention is worth a pound of cure!

• Address “low-hanging fruit”

• Protect the weakest link – the users!

• Communications, policy awareness, social issues, best practices

• Document security/harvesting

• “Shadow” data/systems

Page 12

Document Security

• Another relatively “easy” target, by virtue of end-user unawareness

• Attacks can range from embedded “malware” to privacy breaches resulting from hidden document tags (comments, changes, etc.)

• Beware of unknown document attachments!
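The hidden document tags this slide warns about (author properties, reviewer comments, tracked changes) are plain XML inside the .docx zip container and can be checked before a file is sent outside. The following is an added example, not code from the presentation; the sample document, the account names and the text in it are constructed in memory for illustration.

```python
"""Added example: surface the hidden content a Word document carries before it
leaves the institution. A .docx is a zip of XML parts, so the checks below need
only the standard library. The sample document is constructed in memory; the
author names and text in it are made up."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W = "{%s}" % NS["w"]


def inspect_docx(data: bytes) -> dict:
    """Report document properties, reviewer comments and tracked changes in a .docx blob."""
    report = {"author": None, "last_modified_by": None, "revision": None,
              "comments": [], "tracked_insertions": 0, "tracked_deletions": 0,
              "deleted_text": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = set(z.namelist())
        if "docProps/core.xml" in parts:  # who wrote and last touched the file
            core = ET.fromstring(z.read("docProps/core.xml"))
            report["author"] = core.findtext("dc:creator", namespaces=NS)
            report["last_modified_by"] = core.findtext("cp:lastModifiedBy", namespaces=NS)
            report["revision"] = core.findtext("cp:revision", namespaces=NS)
        if "word/comments.xml" in parts:  # reviewer comments travel with the file
            for c in ET.fromstring(z.read("word/comments.xml")).findall("w:comment", NS):
                text = "".join(t.text or "" for t in c.iter(W + "t"))
                report["comments"].append((c.get(W + "author"), text))
        if "word/document.xml" in parts:  # tracked changes keep the "deleted" text
            doc = ET.fromstring(z.read("word/document.xml"))
            report["tracked_insertions"] = len(doc.findall(".//w:ins", NS))
            report["tracked_deletions"] = len(doc.findall(".//w:del", NS))
            report["deleted_text"] = [t.text or "" for t in doc.iter(W + "delText")]
    return report


def has_hidden_content(report: dict) -> bool:
    """True if the document would disclose more than its visible text."""
    return bool(report["comments"] or report["tracked_insertions"]
                or report["tracked_deletions"] or report["author"])


def build_sample_docx() -> bytes:
    """Constructed sample: minimal .docx with properties, one comment and one tracked deletion."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
            '<dc:creator>registrar.staff</dc:creator>'
            '<cp:lastModifiedBy>dean.office</cp:lastModifiedBy>'
            '<cp:revision>14</cp:revision></cp:coreProperties>' % (NS["cp"], NS["dc"]))
    document = ('<w:document xmlns:w="%s"><w:body><w:p>'
                '<w:r><w:t>Scholarship award list, spring 2004</w:t></w:r>'
                '<w:del w:id="1" w:author="dean.office">'
                '<w:r><w:delText>Student 900123456 removed: GPA below 2.0</w:delText></w:r>'
                '</w:del></w:p></w:body></w:document>' % NS["w"])
    comments = ('<w:comments xmlns:w="%s"><w:comment w:id="0" w:author="dean.office">'
                '<w:p><w:r><w:t>Cross-check against the financial aid file</w:t></w:r></w:p>'
                '</w:comment></w:comments>' % NS["w"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", document)
        z.writestr("word/comments.xml", comments)
    return buf.getvalue()


if __name__ == "__main__":
    r = inspect_docx(build_sample_docx())
    for key, value in r.items():
        print(f"{key}: {value}")
    print("hidden content present:", has_hidden_content(r))
```

The visible text of the sample is one line about an award list; the report shows that the file also carries who edited it, a reviewer comment and the full text of a "deleted" passage about a named student. The same unpack-and-inspect approach applies to other Office zip formats, and a document that trips the check should be cleaned (accept all changes, delete comments, strip properties) before release.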

Page 13

Data Classification & Protection

• Necessary to segment & safeguard information

• Striking a balance between security and usability/flexibility

• Consider data flow issues
• Take into account both legal and contractual requirements for data safeguards

Page 14

Risk Assessment & Management

• Assess the level of risk posed by each identified issue

• Apply safeguards accordingly

• Proactive risk management
– Avoid
– Transfer
– Accept & mitigate

Page 15

Information Security & Data Access Control Implementation

• Need to have a lowest-common-denominator (LCD) security baseline

• Layered safeguards definition and application

• Allow for “compensating controls” during implementation

• Standards-based (e.g. ISO17799)

Page 16

Data & Metadata Stewardship

• Functional vs. technical focus

• Moving away from original “need-to-know for assigned duties” framework

• Metadata Imperative: improving the management and retrieval of information.

• Data Warehouse example

Page 17

III. Control, Monitor, & Detect

Establishing a Basis for Sensitive Data Recognition and Control

Jim Dillon

IT Audit Manager

University of Colorado

[email protected]

Copyright Jim Dillon, 2004

Page 18

Recognize the Data Resource

• Start with Data Classification & Risk Assessment
– Reliance: Data as an ASSET, not Commodity
– Regulations, Mandates
– Competitive Advantage, New Competitors
– Customer Satisfaction (Data Now, but Privately!)

• Speak the Same Language! Sensitive = ?

Page 19

Identify (Detect) the Data

• Case Study – Audit of an Enterprise System
– Start with Enterprise Data Store
– Track Potentially Sensitive Data as it Leaves the System
– Now Follow Through The Next Level – Don’t Stop, We’ve Just Begun …
– Estimate Data Distribution

Page 20

Identify the Data: Tier 1 – Official Record

• Custom I/Fs (APIs)
• Standard File Transfers (FTP)
• Batch Processes
• Web/4GL I/Fs
• Test Copies
• Development Copies
• Structured Queries, Reporting Tools
• Equipment Disposals
• Official Shadows – Data Warehouses
• Custom Applications (e.g. IDMS, SQL)
• Screen Scrapes, Snapshots
• Printed Output
• Integration to other Enterprise Systems
• Backup, Transfer Media
• Etc.

Page 21

Identify the Data: Tier 2 – Custodians and Approved Shadows

• Data Custodians, Owners, Key Depts.
– Admissions
– Bursars
– Registrars
– Financial Aid
– Controllers

• Administrative Depts.
– Institutional Relations

• Campus IT Organizations
– Academic
– Administrative or Central IT

• Regulatory Data Collection and Distribution
– Sallie Mae
– SEVIS
– State Agencies

Page 22

Identify the Data: Tier 3 – Tier n

• Flatfiles, Custom Applications (Shadows)
• Excel or Word Files
• Query or ODBC Connects
• Printed Output
• Access DBMS
• Periodic Departmental Files
• Rosters, Benefits, Grades, Award Lists
• Departments, Organizations, Individuals
• Mailing Lists, Class Lists, Eligibility, …

Page 23

Identify the Data – Example, Pg. 1

[Figure: DRAFT Logical ERP Data Flow, page 1 of 2. The system of record is an aging enterprise system (IDMS/SQL). Data leaves it through user/developer terminal access (screen/direct access, programmed IDMS/SQL queries); approved end-user PC-based terminal, Telnet and web interfaces; Campus IT data processing batch access (Easytrieve, SAS, SQL, Sunset FTP, 4GLs, etc.); printed reports; developers and DBAs; production batch processing with batched FTP file transfers producing Flatfile 1, Flatfile 2, Flatfile 3 and printed output; data custodian departments and services; the data warehouse; other ERP integration; FTP services; custom systems (lookup, AuthN; query, web I/F); student access; ERP web servers; a test copy; and a government FTP interface to various external agencies (Sallie Mae, banking/finance, etc.). Annotations on the diagram: 6-7 servers, +/- 25 text/Excel files on custodian systems; a DB with 6 users plus admins; 3-4 servers; custodian systems serving data requests and exports through department custom programs, 200-N requests annually for text/Excel data; one flow marked “???” (source/destination unknown); campus IT applications (directory creation and update, mailing services for mailings and bulletins, lookup services, student services), departmental applications, vendor application support and its DB, student support applications, ticketing/sales and other outward-facing applications, lab support applications, center/institute support applications and DBs; academic departments 1 through N, continuing education, administrative services, housing, etc. (continued on page 2). End-user lookup data: limited data sets, high access levels; some flows “soon to be processed through FTP batch”.]

Legend: GREEN = System of Record (Tier 1); BLUE = Authorized Sub-System, Owners/Service Providers (Tier 2); RED = End-User Organizations (Tier 3/n).

Page 24

Identify the Data – Example, Pg. 2

[Figure: DRAFT Logical ERP Data Flow, page 2 of 2: user organizations (7 of 3000+ shown), their systems, and example individual data file requests. Data sources: ERP application access (SQL, IDMS/query, direct or programmed); Information Warehouse; flat files and spreadsheets from an official custodian or recognized source (FTP, etc.); other flat files not from a Tier 1 or Tier 2 source; one source marked “?” (unknown). User organizations: Academic Dept. 1, Academic Dept. 2, Continuing Ed, Services, Housing, Administrative Support, Center/Institute. User systems: Services DB (Oracle, 30-40 users); a database plus Administrative Program and Administrative Program 2, with marketing data on a file share reachable by most department users, informal; ERP data sets and aggregate data (10 dept. users); an academic system (dept. users) and an Access DB spanning multiple organizations and departments; a system under development, 2 additional systems, dynamic data link; admin/student services apps and DB (5 or 6 staff); a reservation system (>100 users in all), student admin database, vendor application database, student service database. Example individual file requests: User 1 – Orientation (8000 records); User 2 – Dean’s Office; User 3 – Scholarship Selection; User 4 – Dean’s List; User 5 – Mailing Lists, Graduation Invitations; User 6 – Program Review and Invitations; User 7 – Dept. Graduation; User 8 – Newsletter, Announcements; User 9 – Alumni.]

Legend: GREEN = System of Record (Tier 1); BLUE = Authorized Sub-System, Owners/Service Providers (Tier 2); RED = End-User Organizations (Tier 3/n).

Page 25

Identify the Data

• Case Conclusion
– 73-77% of Administrative Staff Have Sensitive Data or Can Obtain Sensitive Data
– Assuming Rosters for Academic Staff, 85% or More Have Data
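The method behind pages 19 to 25 (start at the enterprise data store, follow each interface to the next tier, keep going, then estimate distribution) is a reachability walk over a data-flow graph. The following is an added example of that walk, not the audit's own tooling or figures: the systems, interfaces and headcounts are constructed, and the node marked unregistered stands in for the “???” boxes on the diagram.

```python
"""Added example: follow sensitive data from the system of record through the
tiers the audit describes (Tier 1 official record and official shadows, Tier 2
custodians and approved shadows, Tier 3..n end-user files) and estimate how much
of the staff can obtain it. The flow graph and headcounts are constructed for
illustration; they are not the audit's figures."""
from collections import deque

# Constructed inventory: node -> (tier, staff with access). A node that appears
# in a flow but not here is an unregistered "???" box on the data-flow diagram.
NODES = {
    "sis_of_record": (1, 8),            # developers, DBAs
    "data_warehouse": (1, 4),           # official shadow
    "registrar_custom_app": (2, 12),
    "financial_aid_system": (2, 10),
    "dean_office_access_db": (3, 6),
    "institutional_relations_mailing_list": (3, 5),
    "dept_a_roster_xls": (3, 3),
    "scholarship_selection_xls": (3, 2),
    "dept_a_newsletter_list": (3, 4),
    "library_catalog": (2, 9),          # not fed from the system of record
    "library_reports": (3, 7),
}

# Constructed flows: (source, destination, interface the data crosses)
FLOWS = [
    ("sis_of_record", "data_warehouse", "batch FTP"),
    ("sis_of_record", "registrar_custom_app", "IDMS/SQL query"),
    ("sis_of_record", "financial_aid_system", "custom API"),
    ("data_warehouse", "dean_office_access_db", "ODBC"),
    ("data_warehouse", "institutional_relations_mailing_list", "report export"),
    ("registrar_custom_app", "dept_a_roster_xls", "screen scrape"),
    ("financial_aid_system", "scholarship_selection_xls", "flat file"),
    ("dept_a_roster_xls", "dept_a_newsletter_list", "copy"),
    ("dean_office_access_db", "unknown_share", "file copy"),
    ("library_catalog", "library_reports", "report"),
]


def trace(source, flows):
    """Breadth-first walk from `source`; returns {node: [(from, interface, to), ...]}
    giving the first path by which each reachable node receives the data."""
    succ = {}
    for src, dst, iface in flows:
        succ.setdefault(src, []).append((dst, iface))
    paths = {source: []}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for dst, iface in succ.get(node, []):
            if dst not in paths:
                paths[dst] = paths[node] + [(node, iface, dst)]
                queue.append(dst)
    return paths


def estimate_distribution(source, flows, nodes):
    """Who can obtain the data: reachable nodes, staff per tier, overall share,
    and any reachable node missing from the inventory."""
    paths = trace(source, flows)
    total = sum(staff for _, staff in nodes.values())
    by_tier = {}
    with_data = 0
    for name in paths:
        if name in nodes:
            tier, staff = nodes[name]
            by_tier[tier] = by_tier.get(tier, 0) + staff
            with_data += staff
    return {
        "paths": paths,
        "reachable": len(paths),
        "staff_with_data": with_data,
        "total_staff": total,
        "share": with_data / total,
        "by_tier": dict(sorted(by_tier.items())),
        "unregistered": sorted(n for n in paths if n not in nodes),
    }


if __name__ == "__main__":
    r = estimate_distribution("sis_of_record", FLOWS, NODES)
    print(f"{r['staff_with_data']} of {r['total_staff']} staff ({r['share']:.0%}) can obtain the data")
    print("by tier:", r["by_tier"], "unregistered:", r["unregistered"])
    for hop in r["paths"]["dept_a_newsletter_list"]:
        print("  %s --%s--> %s" % hop)
```

Two things the walk makes visible that a per-system inventory does not: the path by which a department newsletter list ends up holding system-of-record data (query, then screen scrape, then copy), and the reachable node nobody has registered, which is exactly where a control review should go next. The share it reports is only as good as the flow list, so the list has to be rebuilt as interfaces are added.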

Page 26

Signs of Trouble (Sensitive Data Bloat)

• Significant Numbers/Types of Interfaces
• Increasing Shadow Systems
• Heavy Customization
• Web Mining/Hacking Results (GOOGLE “final grades site:YourU.edu filetype:xls”)
– Johnny (http://johnny.ihackstuff.com/)
– SiteDigger (Foundstone) and Athena
• False Data Seeds (Monitor Returns)
• Lack of Active Policy
• Traffic Analysis, Flowscan Reports, Variances
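Two of these signs can be checked mechanically over the Tier 3 to Tier n files listed on page 22: sensitive identifiers sitting in departmental flat files, and the return of “false data seeds”, records planted in the system of record so that finding them anywhere else proves the data was copied out. The following is an added example of such a scan, not a tool from the presentation; the file contents, seed values, paths and names are all constructed.

```python
"""Added example: scan the flat files, spreadsheets-as-CSV and notes that make up
Tier 3..n shadow data for two signs of trouble the slides name: sensitive
identifiers (here, US SSN-shaped values) and "false data seeds", fake records
planted in the system of record so that their reappearance elsewhere proves the
data was copied out. The files and seeds below are constructed; the paths,
names and numbers are made up."""
import re

# SSN shape with the structural exclusions SSA never issues: area 000, 666 or
# 9xx, group 00, serial 0000. A format check only; it cannot prove a number is real.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed seeds: values that exist only because the audit planted them.
CANARIES = {
    "Zelda Q. Seedling": "SEED-0001",   # a person who does not exist
    "333-22-4444": "SEED-0002",         # the SSN assigned to that person
}

# Constructed shadow files (path -> text content) standing in for a file share crawl.
SAMPLE_FILES = {
    "registrar/export_2004.csv": "id,name,ssn\n1,Ann Able,123-45-6789\n2,Zelda Q. Seedling,333-22-4444\n",
    "dept_a/dean_list.txt": "Dean's list, fall 2004: Ann Able, Bob Baker\n",
    "dept_b/mailing.csv": "name,ssn\nCarl Cole,078-05-1120\nDee Dash,000-12-3456\nEve East,987-65-4321\n",
    "shared/notes.txt": "call Zelda Q. Seedling re: scholarship\n",
}


def is_valid_ssn(value: str) -> bool:
    """Structural SSN check used by the scanner."""
    return SSN_RE.fullmatch(value) is not None


def scan_text(text: str) -> dict:
    """Count SSN-shaped values and list which seeds appear in one file's text."""
    return {
        "ssn_count": sum(1 for _ in SSN_RE.finditer(text)),
        "seeds": sorted(tag for needle, tag in CANARIES.items() if needle in text),
    }


def scan_files(files: dict) -> list:
    """Scan every file; return findings for files holding sensitive data or seeds,
    seeds first because they prove an uncontrolled copy rather than suggest one."""
    findings = []
    for path in sorted(files):
        result = scan_text(files[path])
        if result["ssn_count"] or result["seeds"]:
            findings.append({"path": path, **result})
    findings.sort(key=lambda f: (not f["seeds"], -f["ssn_count"], f["path"]))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        flag = "SEED RETURNED" if f["seeds"] else "sensitive"
        print(f"{flag:14} {f['path']}: {f['ssn_count']} SSN-shaped value(s), seeds {f['seeds']}")
```

The seed hit in a shared notes file is the important one: a pattern match on a real-looking number may be a false positive, but a fabricated name can only have got there by being copied from the seeded source. Real Excel and Word files are zip containers and have to be unpacked to text before a scan like this sees their contents, and the Google query on the slide is the outward-facing counterpart of the same search, run against what the institution has already published.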

Page 27

Control Environment

• Controls: Those Things You Do That Ensure Good Things Happen and Bad Things Don’t

• Environment: The Relative Cultural Strength or Weakness of Controls Throughout All Areas of Your Institution – “Institutional Will”

Page 28

Control Environment

• Active Testing (Defined Roles, Audits, etc.)

• Clearly Assigned Data Responsibilities, Affirmation– Owners, Custodians, Users

• Training, To What Staff Level?

• Standards, Policies, Expectations, Clearly Defined Job Responsibilities

Page 29

Control Environment – Cont…

• Robust AuthN/AuthZ Controls
• Active Monitoring (Evidence!)
– Ongoing Data Requirements Gathering
– Hot Lines, Feedback Channels
• Identifiable Compliance Effort, Observable Penalties
• Patching, Virus Control, Spyware Control

Page 30

Control, Monitor, and Detect: Conclusions

• To Manage Your Sensitive Data and Minimize Unwanted, Unaffordable Data Problems
– You Must Know WHAT Data to Control
– You Must Identify and Assess Data Risks and Usage
– You Must Monitor for Signs of Trouble
– You Must Establish a Healthy Control Environment, or “Institutional Will”

Page 31

Response – So what do you do IF, after all this, you’re still “hit”?

• Incident Response Procedures
• Multi-disciplinary, collaborative group on a “rapid response” team
• Educause ’03 Presentation: “Damage Control: What to do when your security incident hits the 6 o’clock news” (http://www.educause.edu/LibraryDetailPage/666&ID=EDU0307)
• GIT Incident Response Collaborative Model (http://www.audit.gatech.edu/IAcollabrative2.pdf)