Balancing Risk and Opportunity for an Institutional Groups Service
Michael Brogan, UW-IT, Identity & Access Management
4/19/2011
Presentation Roadmap
• The problem
• UW Groups Service background
• Goals for data classification and access work
• Responsible parties
• Process and tools
• Examples and outcomes
• Reflections
The Problem
• UW Groups Service has been used to create many thousands of groups
• Groups sourced from institutional systems with varying levels of sensitivity
• Initial provisioning based on light interaction with data source owners
• How should groups data be classified?
• What access controls should be applied?
Groups Service Architecture
Structure of a Group
• Group ID: uw_major_amath_pathway-00_2010spr
• Display name: APPLIED MATHEMATICS Majors, Spring 2010
• Description: This group is updated nightly from the Student Database. It is available for appropriate business purposes …
• Contact: (blank)
• Administrators: (blank)
• Member managers: (blank)
• Subgroup creators: (blank)
• Membership viewers: uw_employeeu_groups_major_read-access
• Members: 67 UW NetIDs representing students in this major
Uses of Groups
• Two primary uses
– Communications
– Access control
• Specific examples
– Calendaring
– Controlling access to file shares, web apps
– Asserting memberships to Shib service providers
Groups Namespace
Groups that people and apps create and manage
• UW NetID-based home groups (u_netid)
• Organizational home groups (uw_org-name)
Groups Namespace
Groups created and managed by Groups Service
• Budget-based org groups (uw_org_budget_*)
• Affiliation groups (uw_affiliation_*)
• eduPerson groups (uw_employee, uw_faculty, uw_staff, uw_student, uw_affiliate)
• Course groups (course_*)
• Major groups (uw_major_*)
Institutional Groups
• Groups provisioned from institutional systems of record by UW-IT automated processes
• Managed with institutional standards for data quality in mind
• They have no administrators and can only be managed by Groups Service infrastructure
• The focus of our data classification and access control work
Institutional Groups
UW currently has 53,420 of these
• 86% course groups
• 12% student major groups
• 2% everything else
Security Tradeoffs
• Each group is an asset that needs to be classified and protected appropriately
• Selecting access controls involves tradeoffs between protection and usability
• Too permissive, security of data is at risk
• Too tight, unnecessary expense and interference with business process
Goals
• Data classification for institutional groups
• Evaluate current access controls
• Update controls as needed to obtain an appropriate balance between minimizing risk and leveraging opportunities
• Publish tools and procedures for other UW group owners
Who’s Responsible?
• Organizational security policy makes Data Custodians responsible for institutional data
• The Data Management Committee defined the UW Data Map with seven subject areas
• Subject areas have multiple business domains, each with a designated Data Custodian
UW Data Map
Classification and Access Process
• Map institutional groups to Data Custodians
• Engage with Data Custodians and initiate collaboration
• Complete classification of their groups
• Evaluate current group access controls
• Update controls as appropriate
Mapping to Data Custodians
Subject Area (Data Custodian) and related groups:
• Academic (University Registrar)
– uw_student, uw_affiliation_undergraduate, uw_affiliation_graduate, uw_affiliation_extension-student, uw_affiliation_applicant, course_*, uw_major_*, uw_curriculum_*
• Advancement (AVP Advancement Services, Development & Alumni Relations)
– uw_affiliation_alumni, uw_affiliation_alumni-association-members, uw_affiliation_development-affiliate
• Human Resources (AVP HR Administration, AVP Academic Personnel)
– uw_employee, uw_faculty, uw_staff, uw_affiliation_student-employee, uw_affiliation_affiliate-employee
– Budget-based org groups for faculty, staff, student employees (pilot, n = 1063)
Initial Engagement
• Documented our processes
• Created a draft mapping of groups to subject areas and business domains
• Created a draft classification of groups
• Created a Data Custodian presentation
• Invited Data Custodians to collaborate
• Gave presentation, reviewed process, listened, answered LOTS of questions
Data Classification
• The UW has a data classification scheme documented (APS 2.10)
• The current classification is focused on confidentiality (no integrity or availability)
• Categories are Public, Restricted, Confidential
• APS 2.10 provides definitions and some examples to aid implementers
Data Classification
• NIST 800-122 “Guide to Protecting the Confidentiality of Personally Identifiable Information” used as supplement
• Discusses factors that should be considered when classifying and protecting PII
– Identifiability
– Quantity of PII
– Data sensitivity
– Context of use
– Obligation to protect
– Access to, location of PII
Example Classifications
• uw_affiliation_alumni
– Factors: direct identifier; large no. of records (160K); low data element sensitivity; UW graduates; no compliance obligation
– Impact (I/UW): Low/Low
– Classification: Public
• uw_major_* (n = 6166)
– Factors: direct identifier; low no. of records per group; low data element sensitivity; students in a major; FERPA – directory info
– Impact (I/UW): Low/Mod
– Classification: Restricted
• course_* (n = 46,171)
– Factors: direct identifier; low no. of records per group; low data element sensitivity; students in a course; FERPA – not directory info
– Impact (I/UW): Mod/Mod
– Classification: Confidential
Access Control Evaluation
• Used a risk-based approach:
– Write risk statements (bad things to avoid)
– Write opportunity statements (benefits to accrue)
– Estimate likelihood and impacts under assumptions of no controls and current controls
– Evaluate current balance of risk vs. opportunity
• Propose new controls as appropriate, rescore likelihood and impact
UW ERM Toolkit
• Describes a UW standard Enterprise Risk Management process
• Provides guidance on writing risk statements
• Provides definitions and scales for:
– Likelihood
– Positive impact
– Negative impact
• We adopted this for our Groups work
Likelihood (score and meaning)
• 0 – Does not apply: Risk or opportunity does not apply in current analysis
• 1 – Rare: Not expected to occur in the next 5 years
• 2 – Unlikely: Could occur at some time in the next five years
• 3 – Possible: Might occur in the next 1-5 years
• 4 – Likely: Will probably occur at least once per year
• 5 – Almost certain: Expected to occur more than once per year
Positive Impact (score and meaning)
• 0 – Does not apply: Impact does not apply in current analysis
• 1 – Insignificant: Little or no impact on the achievement of objectives or capability
• 2 – Minor: Low opportunity. May improve the achievement of some objectives or capability.
• 3 – Moderate: Moderate opportunity. Will improve the achievement of some objectives or capability.
• 4 – Major: Significant opportunity. Major improvement to the achievement of objectives or capability.
• 5 – Outstanding: Outstanding opportunity. Significantly enhance capability and achievement of objectives.
Negative Impact (score, with criteria for injury, financial loss, asset loss, service interruption, reputation & image, and performance loss)
• 0 – Doesn’t apply: n/a for every criterion
• 1 – Insignificant
– Injury: No injuries
– Financial loss: < $5M or < 1% of GOF/DOF
– Asset loss: Little or no impact on assets
– Service interruption: < 1/2 day
– Reputation & image: Unsubstantiated, low impact, low profile or no news items
– Performance loss: < 5% variation to KPI
• 2 – Minor
– Injury: First aid
– Financial loss: $5M–$20M or < 2% of GOF/DOF
– Asset loss: Minor loss or damage to assets
– Service interruption: 1/2 day – 1 day
– Reputation & image: Substantiated, low impact, low news profile
– Performance loss: 5–10% variation to KPI
• 3 – Serious
– Injury: Medical treatment
– Financial loss: $20M–$50M or < 6% of GOF/DOF
– Asset loss: Major damage to assets
– Service interruption: 1 day – 1 wk
– Reputation & image: Substantiated, public embarrassment, moderate impact, moderate news profile
– Performance loss: 10–25% variation to KPI
• 4 – Disastrous
– Injury: Death or extensive injury
– Financial loss: $50M–$150M or < 18% of GOF/DOF
– Asset loss: Significant loss of assets
– Service interruption: 1 wk – 1 month
– Reputation & image: Substantiated, public embarrassment, high impact, high news profile, 3rd party actions
– Performance loss: 25–50% variation to KPI
• 5 – Catastrophic
– Injury: Multiple deaths or severe permanent disabilities
– Financial loss: > $150M or > 18% of GOF/DOF
– Asset loss: Complete loss of assets
– Service interruption: > 1 month
– Reputation & image: Substantiated, public embarrassment, very high multiple impacts, high widespread news profile, 3rd party actions
– Performance loss: > 50% variation to KPI
Writing Risk Statements
• Avoid getting into details of threat modeling and technical vulnerability assessment
• Focus on high-level statements of harm
• Use language Data Custodians will relate to
• Keep the list short
• Invite suggestions from Data Custodians
Risk Statements
• Compliance fines, penalties, and settlements; increased oversight or audit burden
• Physical harassment, injury, or death; resulting lawsuits
• Loss of donor funds
• Loss of strategic partnerships
• Burdening faculty, staff, and students with unnecessary or inappropriate email
• Confidential UW information stolen via successful phishing attacks
Opportunity Statements
• Reduce costs incurred from duplicative group creation and management processes across the institution
• Improve quality and reliability of groups by leveraging institutional systems of record for memberships
• Improve effectiveness of groups for access control through automated group membership management, including auto de-provisioning
• Enhance targeted electronic communication by email enabling group IDs
• Support UW cloud computing initiatives by provisioning UW groups to cloud service providers as needed
• Support federation with other institutions and business partners by providing group membership assertions to service providers as needed
Scoring Process
• Ran meetings as a facilitated discussion with three IAM staff, Data Custodian and team
• As with classification, lumped groups with similar characteristics
• First scored under assumption of no controls
• Risks first, then opportunities
• Likelihood x Impact = Risk or Opportunity
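The scoring procedure above (Likelihood x Impact, scored first under the assumption of no controls and then with current controls, on the ERM scales from the Likelihood, Positive Impact and Negative Impact slides) can be carried out mechanically. The following is an added Python example, not the presenters' own tooling: it encodes the scale labels quoted on the slides, rejects scores outside the 0-5 range, and scores a constructed set of statements for one lump of similar groups. The risk and opportunity statements are quoted from the slides, but every likelihood and impact score assigned here is a constructed illustration, not a score the UW team reported.

```python
"""Risk and opportunity scoring on the UW ERM toolkit scales.

Added example, not the presenters' own tooling. The scale labels and the
risk/opportunity statements are quoted from the slides; every likelihood and
impact score assigned below is a CONSTRUCTED illustration, not a score the
UW team reported.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LIKELIHOOD = {0: "Does not apply", 1: "Rare", 2: "Unlikely",
              3: "Possible", 4: "Likely", 5: "Almost certain"}
NEGATIVE_IMPACT = {0: "Doesn't apply", 1: "Insignificant", 2: "Minor",
                   3: "Serious", 4: "Disastrous", 5: "Catastrophic"}
POSITIVE_IMPACT = {0: "Does not apply", 1: "Insignificant", 2: "Minor",
                   3: "Moderate", 4: "Major", 5: "Outstanding"}


def score(likelihood: int, impact: int) -> int:
    """Likelihood x Impact, as the Scoring Process slide defines it.

    Inputs outside the 0-5 scale are data-entry errors, not scores, so they
    are rejected rather than silently multiplied.
    """
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 0 <= value <= 5:
            raise ValueError(f"{name} must be an integer 0-5, got {value!r}")
    return likelihood * impact


@dataclass(frozen=True)
class Statement:
    text: str
    kind: str                     # "risk" or "opportunity"
    no_controls: Tuple[int, int]  # (likelihood, impact) assuming no controls
    current: Tuple[int, int]      # (likelihood, impact) with current controls

    def scores(self) -> Dict[str, int]:
        return {"no_controls": score(*self.no_controls),
                "current": score(*self.current)}

    def impact_label(self, impact: int) -> str:
        table = NEGATIVE_IMPACT if self.kind == "risk" else POSITIVE_IMPACT
        return table[impact]


def assess(statements: List[Statement]) -> Dict[str, int]:
    """Sum scores per kind under both assumptions and report the balance.

    risk_reduction is what the current controls buy; balance_current is
    opportunity minus risk with those controls in place, the quantity the
    Data Custodian is asked to judge as acceptable or not.
    """
    totals = {"risk_no_controls": 0, "risk_current": 0,
              "opportunity_no_controls": 0, "opportunity_current": 0}
    for s in statements:
        if s.kind not in ("risk", "opportunity"):
            raise ValueError(f"unknown statement kind {s.kind!r}")
        sc = s.scores()
        totals[f"{s.kind}_no_controls"] += sc["no_controls"]
        totals[f"{s.kind}_current"] += sc["current"]
    totals["risk_reduction"] = totals["risk_no_controls"] - totals["risk_current"]
    totals["balance_current"] = totals["opportunity_current"] - totals["risk_current"]
    return totals


# Constructed scores for one lump of similar groups (the course_* family).
COURSE_GROUPS = [
    Statement("Compliance fines, penalties, and settlements; increased "
              "oversight or audit burden", "risk",
              no_controls=(4, 3), current=(2, 3)),
    Statement("Confidential UW information stolen via successful phishing "
              "attacks", "risk", no_controls=(3, 2), current=(1, 2)),
    Statement("Improve effectiveness of groups for access control through "
              "automated group membership management, including auto "
              "de-provisioning", "opportunity",
              no_controls=(5, 4), current=(4, 4)),
]

if __name__ == "__main__":
    for s in COURSE_GROUPS:
        sc = s.scores()
        lik, imp = s.current
        print(f"{s.kind:<11} no controls {sc['no_controls']:>2}, current "
              f"{sc['current']:>2} ({LIKELIHOOD[lik]} / {s.impact_label(imp)})")
    print(assess(COURSE_GROUPS))
```

Scoring the same statements twice, once with no controls and once with the controls actually in place, is what makes the output useful to a Data Custodian: the difference shows what the existing controls buy, and the current balance is what a proposed control change would be rescored against.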
Scoring Matrix
Scoring with Current Controls
• Controls in scope are those under the decision-making authority of the Data Custodian
• Excluded physical security of servers, configuration of OS, encryption, etc.
• Defined 10 controls and mapped these to risk statements (covered in DC presentation)
• For each group documented state for each of these controls
Access Controls (control and description)
1. Membership viewer control (Groups Service): Who can view the members of a group
2. UW Exchange integration: Will the group be email enabled in the UW Exchange system
3. Authorized senders (UW Exchange): Who can send email to a UW Exchange enabled group
4. Application integration approval process: Which apps can connect to the Groups Service programmatically
5. Cloud provisioning approval process: Will a group be provisioned (copied) to UW cloud partners
6. Membership viewer control (UW cloud partners): Who can view the members of a group provisioned in the cloud
7. Authorized senders (UW cloud partners): Who can send email to a group provisioned in the cloud partner
8. Approval for attribute release: Which Shibboleth SPs can receive group memberOf attributes
9. Online user consent: Requirement for Shibboleth SPs to obtain user consent for attribute release
10. 3rd party Data Security Addendum: Contractual controls on how a third party uses confidential group data; indemnification for breach
Access Control Examples (control state for uw_employee and for course_*)
1. Membership viewer control (Groups Service)
– uw_employee: None (1)
– course_*: Group members, u_cac_internal_courses_read
2. UW Exchange integration
– uw_employee: Disabled
– course_*: Disabled
3. Authorized senders (UW Exchange)
– uw_employee: n/a
– course_*: n/a
4. Application integration approval process
– uw_employee: n/a
– course_*: Registrar approval required
5. Cloud provisioning approval process
– uw_employee: Disabled
– course_*: Registrar approval required
6. Membership viewer control (UW cloud partners)
– uw_employee: n/a
– course_*: None
7. Authorized senders (UW cloud partners)
– uw_employee: n/a
– course_*: Group members
8. Approval for attribute release
– uw_employee: Not requested yet
– course_*: Registrar approval required
9. Online user consent
– uw_employee: n/a
– course_*: Required by Registrar
10. 3rd party Data Security Addendum
– uw_employee: n/a
– course_*: In place for Google
(1) Logon to service requires UW member or cert from UW CA
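Control 1 above takes one of three kinds of state: None (no restriction beyond the UW logon noted in footnote 1), Group members, or one or more named viewer groups, and the course_* row combines two of them. The following is an added Python example, not Groups Service code, showing how such a control is evaluated deny-by-default, including the case where the viewer group itself contains nested groups. The control states and the group IDs uw_employee and u_cac_internal_courses_read are from the slides; the NetIDs, the memberships, the nesting, the course group ID course_example_2010spr and the API are constructed for illustration.

```python
"""Evaluating the Groups Service 'membership viewer' control (control 1).

Added example, not Groups Service code. The control states ('None', 'Group
members', or a viewer group ID) and the group IDs uw_employee and
u_cac_internal_courses_read are from the slides; the memberships, the
nesting, the course group ID and this API are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

VIEWERS_NONE = "None"             # no restriction beyond logon (footnote 1)
VIEWERS_MEMBERS = "Group members"


@dataclass(frozen=True)
class Group:
    group_id: str
    members: FrozenSet[str]  # UW NetIDs and/or nested group IDs
    # control 1: any listed setting that is satisfied grants viewing
    membership_viewers: Tuple[str, ...] = (VIEWERS_NONE,)


@dataclass(frozen=True)
class Principal:
    netid: Optional[str]        # None when not logged on
    is_uw_member: bool = False  # UW member or cert from UW CA (footnote 1)


def effective_members(groups: Dict[str, Group], group_id: str,
                      _seen: Optional[Set[str]] = None) -> FrozenSet[str]:
    """Flatten nested memberships: a member that names another group is expanded.

    _seen guards against cycles (a group nested, directly or not, inside
    itself), which would otherwise recurse forever.
    """
    seen = _seen if _seen is not None else set()
    if group_id in seen or group_id not in groups:
        return frozenset()
    seen.add(group_id)
    out: Set[str] = set()
    for member in groups[group_id].members:
        if member in groups:
            out |= effective_members(groups, member, seen)
        else:
            out.add(member)
    return frozenset(out)


def may_view_members(groups: Dict[str, Group], group_id: str,
                     who: Principal) -> bool:
    """Deny by default; grant only when one of the group's viewer settings is met."""
    group = groups.get(group_id)
    if group is None or who.netid is None or not who.is_uw_member:
        return False  # unknown group, or not logged on as a UW member
    for setting in group.membership_viewers:
        if setting == VIEWERS_NONE:
            return True
        if setting == VIEWERS_MEMBERS:
            if who.netid in effective_members(groups, group_id):
                return True
        elif who.netid in effective_members(groups, setting):
            return True  # setting names a viewer group; nesting is honoured
    return False


# Constructed sample data; course_example_2010spr is a placeholder group ID.
SAMPLE: Dict[str, Group] = {
    "uw_employee": Group("uw_employee", frozenset({"alice", "bob"}),
                         (VIEWERS_NONE,)),
    "u_cac_staff": Group("u_cac_staff", frozenset({"carol"}),
                         (VIEWERS_MEMBERS,)),
    "u_cac_internal_courses_read": Group(
        "u_cac_internal_courses_read", frozenset({"u_cac_staff"}),
        (VIEWERS_MEMBERS,)),
    "course_example_2010spr": Group(
        "course_example_2010spr", frozenset({"dave", "erin"}),
        (VIEWERS_MEMBERS, "u_cac_internal_courses_read")),
}

if __name__ == "__main__":
    for netid in ("alice", "carol", "dave"):
        p = Principal(netid, is_uw_member=True)
        print(netid, "-> course_example_2010spr:",
              may_view_members(SAMPLE, "course_example_2010spr", p))
```

Two details matter for a control like this: a viewer setting that names a group not present in the directory must deny rather than grant (here the expansion simply yields no members), and membership expansion must tolerate cycles, since an institutional group can end up nested inside a group that a person manages.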
Risk Example
Opportunity Example
Heat Chart Example 1
Heat Chart Example 2
Outcomes
• Most groups were found to have a good balance between risk and opportunity
• Risk avoidance (group deletion) was used for a group with moderate risk and low benefit
• Risk mitigation (access restrictions) was applied to employee org groups and the alumni association group
• Opportunities were leveraged by relaxing controls on course groups*
Reflections
• Exercise was facilitated by existence of:
– Data classification standard
– Enterprise risk management toolkit
– Data Management Committee and UW Data Map
• Data Custodians accepted responsibility but needed help to understand Groups Service
• Exchange of perspectives during collaboration was very beneficial
Reflections
• Tools and process provided a reusable framework
• Risk assessment still as much art as science
• Better integration between classification and access control evaluation would be good
• Good risk and opportunity statements are key, but they aren’t easy to write
References
• UW Data Map – https://www.washington.edu/uwit/im/dmc/datamap.html
• UW Data Classification Standard (APS 2.10) – http://www.washington.edu/admin/rules/policies/APS/02.10TOC.html
• UW Enterprise Risk Management Toolkit – http://f2.washington.edu/treasury/riskmgmt/advice/ERM/
• NIST SP 800-122 – http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf