Balancing Risk and Opportunity for an Institutional Groups Service
Michael Brogan, UW-IT, Identity & Access Management
[email protected]
4/19/2011


TRANSCRIPT

Page 1: Balancing Risk and Opportunity for an Institutional Groups Service

Michael Brogan
UW-IT, Identity & Access Management
[email protected]
4/19/2011

Page 2: Presentation Roadmap

• The problem
• UW Groups Service background
• Goals for data classification and access work
• Responsible parties
• Process and tools
• Examples and outcomes
• Reflections

2 4/19/2011

Page 3: The Problem

• UW Groups Service has been used to create many thousands of groups
• Groups sourced from institutional systems with varying levels of sensitivity
• Initial provisioning based on light interaction with data source owners
• How should groups data be classified?
• What access controls should be applied?

Page 4: Groups Service Architecture (diagram)

Page 5: Structure of a Group

Property | Value
Group ID | uw_major_amath_pathway-00_2010spr
Display name | APPLIED MATHEMATICS Majors, Spring 2010
Description | This group is updated nightly from the Student Database. It is available for appropriate business purposes …
Contact |
Administrators |
Member managers |
Subgroup creators |
Membership viewers | uw_employeeu_groups_major_read-access
Members | 67 UW NetIDs representing students in this major

Page 6: Uses of Groups

• Two primary uses
– Communications
– Access control
• Specific examples
– Email
– Calendaring
– Controlling access to file shares, web apps
– Asserting memberships to Shib service providers

Page 7: Groups Namespace

Groups that people and apps create and manage

• UW NetID-based home groups (u_netid)
• Organizational home groups (uw_org-name)

Page 8: Groups Namespace

Groups created and managed by Groups Service

• Budget-based org groups (uw_org_budget_*)
• Affiliation groups (uw_affiliation_*)
• eduPerson groups (uw_employee, uw_faculty, uw_staff, uw_student, uw_affiliate)
• Course groups (course_*)
• Major groups (uw_major_*)

Page 9: Institutional Groups

• Groups provisioned from institutional systems of record by UW-IT automated processes
• Managed with institutional standards for data quality in mind
• They have no administrators and can only be managed by Groups Service infrastructure
• The focus of our data classification and access control work

Page 10: Institutional Groups

UW currently has 53,420 of these

• 86% course groups
• 12% student major groups
• 2% everything else

Page 11: Security Tradeoffs

• Each group is an asset that needs to be classified and protected appropriately
• Selecting access controls involves tradeoffs between protection and usability
• Too permissive: security of data is at risk
• Too tight: unnecessary expense and interference with business process

Page 12: Goals

• Data classification for institutional groups
• Evaluate current access controls
• Update controls as needed to obtain an appropriate balance between minimizing risk and leveraging opportunities
• Publish tools and procedures for other UW group owners

Page 13: Who’s Responsible?

• Organizational security policy makes Data Custodians responsible for institutional data
• The Data Management Committee defined the UW Data Map with seven subject areas
• Subject areas have multiple business domains, each with a designated Data Custodian

Page 14: UW Data Map (diagram)

Page 15: Classification and Access Process

• Map institutional groups to Data Custodians
• Engage with Data Custodians and initiate collaboration
• Complete classification of their groups
• Evaluate current group access controls
• Update controls as appropriate

Page 16: Mapping to Data Custodians

Subject Area (Data Custodian) | Related Groups
Academic (University Registrar) | uw_student, uw_affiliation_undergraduate, uw_affiliation_graduate, uw_affiliation_extension-student, uw_affiliation_applicant, course_*, uw_major_*, uw_curriculum_*
Advancement (AVP Advancement Services, Development & Alumni Relations) | uw_affiliation_alumni, uw_affiliation_alumni-association-members, uw_affiliation_development-affiliate
Human Resources (AVP HR Administration, AVP Academic Personnel) | uw_employee, uw_faculty, uw_staff, uw_affiliation_student-employee, uw_affiliation_affiliate-employee; budget-based org groups for faculty, staff, student employees (pilot, n = 1063)

Page 17: Initial Engagement

• Documented our processes
• Created a draft mapping of groups to subject areas and business domains
• Created a draft classification of groups
• Created a Data Custodian presentation
• Invited Data Custodians to collaborate
• Gave presentation, reviewed process, listened, answered LOTS of questions

Page 18: Data Classification

• The UW has a documented data classification scheme (APS 2.10)
• The current classification is focused on confidentiality (no integrity or availability)
• Categories are Public, Restricted, Confidential
• APS 2.10 provides definitions and some examples to aid implementers

Page 19: Data Classification

• NIST 800-122 “Guide to Protecting the Confidentiality of Personally Identifiable Information” used as supplement
• Discusses factors that should be considered when classifying and protecting PII
– Identifiability
– Quantity of PII
– Data sensitivity
– Context of use
– Obligation to protect
– Access to, location of PII

Page 20: Example Classifications

Group | Factors | Impact (I/UW) | Classification
uw_affiliation_alumni | Direct identifier; large no. of records (160K); low data element sensitivity; UW graduates; no compliance obligation | Low/Low | Public
uw_major_* (n = 6166) | Direct identifier; low no. of records per group; low data element sensitivity; students in a major; FERPA - directory info | Low/Mod | Restricted
course_* (n = 46,171) | Direct identifier; low no. of records per group; low data element sensitivity; students in a course; FERPA - not directory info | Mod/Mod | Confidential
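As an added example, not a tool from the presentation, the custodian mapping and the example classifications above as a small Python lookup: a group ID is resolved to its Data Custodian subject area with the patterns from the mapping slide, and to the APS 2.10 category only where the example rows give one; the sample group IDs in the code are constructed, and anything not on the slides is left unclassified rather than guessed.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Subject areas (Data Custodians) from the "Mapping to Data Custodians" slide.
ACADEMIC = "Academic (University Registrar)"
ADVANCEMENT = "Advancement (AVP Advancement Services, Development & Alumni Relations)"
HR = "Human Resources (AVP HR Administration, AVP Academic Personnel)"

# Exact IDs come before wildcard patterns so that, for example,
# uw_affiliation_alumni-association-members is not swallowed by a broader rule.
# uw_org_budget_* stands for the pilot of budget-based org groups for employees.
CUSTODIAN_RULES = [
    ("uw_student", ACADEMIC),
    ("uw_affiliation_undergraduate", ACADEMIC),
    ("uw_affiliation_graduate", ACADEMIC),
    ("uw_affiliation_extension-student", ACADEMIC),
    ("uw_affiliation_applicant", ACADEMIC),
    ("course_*", ACADEMIC),
    ("uw_major_*", ACADEMIC),
    ("uw_curriculum_*", ACADEMIC),
    ("uw_affiliation_alumni", ADVANCEMENT),
    ("uw_affiliation_alumni-association-members", ADVANCEMENT),
    ("uw_affiliation_development-affiliate", ADVANCEMENT),
    ("uw_employee", HR),
    ("uw_faculty", HR),
    ("uw_staff", HR),
    ("uw_affiliation_student-employee", HR),
    ("uw_affiliation_affiliate-employee", HR),
    ("uw_org_budget_*", HR),
]

# Classifications from the "Example Classifications" slide (APS 2.10 categories).
# Groups not listed there stay unclassified (None) rather than being guessed.
CLASSIFICATION_RULES = [
    ("uw_affiliation_alumni", "Public"),
    ("uw_major_*", "Restricted"),
    ("course_*", "Confidential"),
]

def _lookup(rules, group_id):
    """Return the value of the first rule whose pattern matches group_id."""
    for pattern, value in rules:
        if fnmatchcase(group_id, pattern):
            return value
    return None

def custodian_for(group_id):
    """Data Custodian subject area for an institutional group, or None when the
    ID is not institutional (e.g. a u_netid or uw_org-name home group)."""
    return _lookup(CUSTODIAN_RULES, group_id)

def classification_for(group_id):
    """APS 2.10 classification from the example rows, or None if not yet classified."""
    return _lookup(CLASSIFICATION_RULES, group_id)

def inventory(group_ids):
    """Lump groups by (custodian, classification), as the engagement did before
    scoring, so each Data Custodian sees which of their groups share a profile."""
    return Counter((custodian_for(g), classification_for(g)) for g in group_ids)

if __name__ == "__main__":
    # Constructed sample IDs that follow the namespace conventions on the slides.
    print(inventory(["uw_major_amath_pathway-00_2010spr", "course_2010spr-cse142-a",
                     "uw_affiliation_alumni", "uw_employee", "u_mbrogan_test"]))
```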

Page 21: Access Control Evaluation

• Used a risk-based approach:
– Write risk statements (bad things to avoid)
– Write opportunity statements (benefits to accrue)
– Estimate likelihood and impacts under assumptions of no controls and current controls
– Evaluate current balance of risk vs. opportunity
• Propose new controls as appropriate, rescore likelihood and impact

Page 22: UW ERM Toolkit

• Describes a UW standard Enterprise Risk Management process
• Provides guidance on writing risk statements
• Provides definitions and scales for:
– Likelihood
– Positive impact
– Negative impact
• We adopted this for our Groups work

Page 23: Likelihood

Score | Meaning
0 – Does not apply | Risk or opportunity does not apply in current analysis
1 – Rare | Not expected to occur in the next 5 years
2 – Unlikely | Could occur at some time in the next five years
3 – Possible | Might occur in the next 1-5 years
4 – Likely | Will probably occur at least once per year
5 – Almost certain | Expected to occur more than once per year

Page 24: Positive Impact

Score | Meaning
0 – Does not apply | Impact does not apply in current analysis
1 – Insignificant | Little or no impact on the achievement of objectives or capability
2 – Minor | Low opportunity. May improve the achievement of some objectives or capability.
3 – Moderate | Moderate opportunity. Will improve the achievement of some objectives or capability.
4 – Major | Significant opportunity. Major improvement to the achievement of objectives or capability.
5 – Outstanding | Outstanding opportunity. Significantly enhance capability and achievement of objectives.

Page 25: Negative Impact

Score | Injury | Financial Loss | Asset Loss | Service Interruption | Reputation & Image | Performance Loss
0 – Doesn’t apply | n/a | n/a | n/a | n/a | n/a | n/a
1 – Insignificant | No injuries | < $5M or < 1% of GOF/DOF | Little or no impact on assets | < 1/2 day | Unsubstantiated, low impact, low profile or no news items | < 5% variation to KPI
2 – Minor | First aid | $5M-$20M or < 2% of GOF/DOF | Minor loss or damage to assets | 1/2 day - 1 day | Substantiated, low impact, low news profile | 5-10% variation to KPI
3 – Serious | Medical treatment | $20M-$50M or < 6% of GOF/DOF | Major damage to assets | 1 day - 1 wk | Substantiated, public embarrassment, moderate impact, moderate news profile | 10-25% variation to KPI
4 – Disastrous | Death or extensive injury | $50M-$150M or < 18% of GOF/DOF | Significant loss of assets | 1 wk - 1 month | Substantiated, public embarrassment, high impact, high news profile, 3rd party actions | 25-50% variation to KPI
5 – Catastrophic | Multiple deaths or severe permanent disabilities | > $150M or > 18% of GOF/DOF | Complete loss of assets | > 1 month | Substantiated, public embarrassment, very high multiple impacts, high widespread news profile, 3rd party actions | > 50% variation to KPI

Page 26: Writing Risk Statements

• Avoid getting into details of threat modeling and technical vulnerability assessment
• Focus on high-level statements of harm
• Use language Data Custodians will relate to
• Keep the list short
• Invite suggestions from Data Custodians

Page 27: Risk Statements

• Compliance fines, penalties, and settlements; increased oversight or audit burden
• Physical harassment, injury, or death; resulting lawsuits
• Loss of donor funds
• Loss of strategic partnerships
• Burdening faculty, staff, and students with unnecessary or inappropriate email
• Confidential UW information stolen via successful phishing attacks

Page 28: Opportunity Statements

• Reduce costs incurred from duplicative group creation and management processes across the institution
• Improve quality and reliability of groups by leveraging institutional systems of record for memberships
• Improve effectiveness of groups for access control through automated group membership management, including auto de-provisioning
• Enhance targeted electronic communication by email enabling group IDs
• Support UW cloud computing initiatives by provisioning UW groups to cloud service providers as needed
• Support federation with other institutions and business partners by providing group membership assertions to service providers as needed

Page 29: Scoring Process

• Ran meetings as a facilitated discussion with three IAM staff, Data Custodian and team
• As with classification, lumped groups with similar characteristics
• First scored under assumption of no controls
• Risks first, then opportunities
• Likelihood x Impact = Risk or Opportunity
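The scoring arithmetic of this slide, using the likelihood and impact scales from the ERM Toolkit slides, as an added Python example (not the presentation's own worksheet). The risk and opportunity statements are quoted from the slides, but the scores assigned to them, and the low/moderate/high bands used to summarise a heat chart, are constructed assumptions for illustration, not the scores the Data Custodians produced.

```python
from dataclasses import dataclass

# Scales from the UW ERM Toolkit slides; a score of 0 means "does not apply".
LIKELIHOOD = {0: "Does not apply", 1: "Rare", 2: "Unlikely", 3: "Possible",
              4: "Likely", 5: "Almost certain"}
POSITIVE_IMPACT = {0: "Does not apply", 1: "Insignificant", 2: "Minor",
                   3: "Moderate", 4: "Major", 5: "Outstanding"}
NEGATIVE_IMPACT = {0: "Doesn't apply", 1: "Insignificant", 2: "Minor",
                   3: "Serious", 4: "Disastrous", 5: "Catastrophic"}

def score(likelihood, impact, kind):
    """Likelihood x Impact = Risk or Opportunity, after checking that both values
    are on the 0-5 scale that applies to the statement kind ("risk"/"opportunity")."""
    scale = NEGATIVE_IMPACT if kind == "risk" else POSITIVE_IMPACT
    if likelihood not in LIKELIHOOD or impact not in scale:
        raise ValueError(f"scores must be 0-5: likelihood={likelihood}, impact={impact}")
    return likelihood * impact

def band(value):
    """Assumed heat-chart band for a 0-25 product. The slides show the scoring
    matrix only as an image, so these thresholds are an illustration, not UW's."""
    if value == 0:
        return "n/a"
    return "low" if value <= 4 else "moderate" if value <= 12 else "high"

@dataclass
class Statement:
    text: str
    kind: str                 # "risk" or "opportunity"
    no_controls: tuple        # (likelihood, impact) assuming no controls
    current_controls: tuple   # (likelihood, impact) with current controls

    def scores(self):
        return (score(*self.no_controls, self.kind),
                score(*self.current_controls, self.kind))

def assess(statements):
    """Total risk and opportunity under both assumptions, so the balance seen
    with current controls can be compared against the no-controls baseline."""
    totals = {"risk": [0, 0], "opportunity": [0, 0]}
    for s in statements:
        base, current = s.scores()
        totals[s.kind][0] += base
        totals[s.kind][1] += current
    return {k: tuple(v) for k, v in totals.items()}

# Constructed scoring for a course_* group: the statements are from the slides,
# the numbers are illustrative assumptions.
COURSE_GROUP = [
    Statement("Confidential UW information stolen via successful phishing attacks",
              "risk", no_controls=(4, 3), current_controls=(2, 3)),
    Statement("Burdening faculty, staff, and students with unnecessary or "
              "inappropriate email", "risk", no_controls=(5, 2), current_controls=(1, 2)),
    Statement("Improve effectiveness of groups for access control through "
              "automated group membership management", "opportunity",
              no_controls=(5, 4), current_controls=(5, 4)),
]

if __name__ == "__main__":
    for s in COURSE_GROUP:
        base, current = s.scores()
        print(f"{s.kind:11} {base:2} ({band(base)}) -> {current:2} ({band(current)})  {s.text}")
    print(assess(COURSE_GROUP))
```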

Page 30: Scoring Matrix (figure)

Page 31: Scoring with Current Controls

• Controls in scope are those under the decision-making authority of the Data Custodian
• Excluded physical security of servers, configuration of OS, encryption, etc.
• Defined 10 controls and mapped these to risk statements (covered in DC presentation)
• For each group, documented the state of each of these controls

Page 32: Access Controls

Control | Description
1. Membership viewer control (Groups Service) | Who can view the members of a group
2. UW Exchange integration | Will the group be email enabled in the UW Exchange system
3. Authorized senders (UW Exchange) | Who can send email to a UW Exchange enabled group
4. Application integration approval process | What app can connect to the groups service in a programmatic way
5. Cloud provisioning approval process | Will a group be provisioned (copied) to UW cloud partners
6. Membership viewer control (UW cloud partners) | Who can view the members of a group provisioned in the cloud
7. Authorized senders (UW cloud partners) | Who can send email to a group provisioned in the cloud partner
8. Approval for attribute release | Which Shibboleth SPs can receive group memberOf attributes
9. Online user consent | Requirement for Shibboleth SPs to obtain user consent for attribute release
10. 3rd party Data Security Addendum | Contractual controls on how a third party uses confidential group data; indemnification for breach

Page 33: Access Control Examples

Control | uw_employee | course_*
1. Membership viewer control (Groups Service) | None (1) | Group members, u_cac_internal_courses_read
2. UW Exchange integration | Disabled | Disabled
3. Authorized senders (UW Exchange) | n/a | n/a
4. Application integration approval process | n/a | Registrar approval required
5. Cloud provisioning approval process | Disabled | Registrar approval required
6. Membership viewer control (UW cloud partners) | n/a | None
7. Authorized senders (UW cloud partners) | n/a | Group members
8. Approval for attribute release | Not requested yet | Registrar approval required
9. Online user consent | n/a | Required by Registrar
10. 3rd party Data Security Addendum | n/a | In place for Google

(1) Logon to the service requires a UW member or a cert from the UW CA

Page 34: Risk Example (figure)

Page 35: Opportunity Example (figure)

Page 36: Heat Chart Example 1 (figure)

Page 37: Heat Chart Example 2 (figure)

Page 38: Outcomes

• Most groups were found to have a good balance between risk and opportunity
• Risk avoidance (group deletion) was used for a group with moderate risk and low benefit
• Risk mitigation (access restrictions) was applied to employee org groups and the alumni association group
• Opportunities were leveraged by relaxing controls on course groups*

Page 39: Reflections

• Exercise was facilitated by existence of:
– Data classification standard
– Enterprise risk management toolkit
– Data Management Committee and UW Data Map
• Data Custodians accepted responsibility but needed help to understand Groups Service
• Exchange of perspectives during collaboration was very beneficial

Page 40: Reflections

• Tools and process provided a reusable framework
• Risk assessment still as much art as science
• Better integration between classification and access control evaluation would be good
• Good risk and opportunity statements are key, but they aren’t easy to write

Page 41: References

• UW Data Map
– https://www.washington.edu/uwit/im/dmc/datamap.html
• UW Data Classification Standard
– http://www.washington.edu/admin/rules/policies/APS/02.10TOC.html
• UW Enterprise Risk Management Toolkit
– http://f2.washington.edu/treasury/riskmgmt/advice/ERM/
• NIST SP 800-122
– http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf