University of Edinburgh
(v4.0)
January 2019
Encryption of data at rest
www.pwc.co.uk
Scoping exercise
PwC
Overview
The purpose of this report is to help the University of Edinburgh consider possible
approaches to encrypting data at rest, with the intention of reducing the likelihood
of data loss.
Specifically, this report looks at the protection of student data at rest. The report
describes where we believe that encryption will deliver the greatest control benefit
for cost and effort against core systems, identified by the University, involved in the
management of student data. It also sets out key considerations to help the
University decide on the approach to take to encryption.
This focus on protecting sensitive data in the University comes against a backdrop
of increased threats to the Higher and Further Education sectors. At the same time,
the University continues to invest in digital systems and assets to provide services
to students and staff alike. Recognising the need to protect sensitive data from
cyber attack, there is an aspiration from the University to drive a strong security
culture across the organisation and its people.
Introduction: Slides 2 – 4
1 Executive Summary: Slides 5 – 10
2.1 Protecting student data in the EDW: Slides 11 – 16
2.2 Protecting student data in EUCLID and related business services: Slides 17 – 22
3 Appendices: Slides 23 – 27
Introduction 2 – Approach
Agreed in advance with the Information Services Group (ISG), this is the approach that we have taken to this report against the objective of helping to inform the University’s decision making regarding the future use of data encryption.

1. Threats to student data (phishing, malware, accidental loss / email, USB download, physical theft)
1.1 What are the key threats to student data?
1.2 How could these threats lead to the loss of data from the system?

2. Systems in scope
2.1 EDW: still in development, we have reviewed how student data will flow into and across the stages of this system.
2.2 EUCLID & central business services: we have reviewed how student data in each layer could be protected.

3. Protecting student data
3.1 Encryption: how could you apply encryption to these systems?
3.2 Controls: are there alternative or additional controls to consider?
Executive Summary
Executive Summary 1: Threats to student data
This report is based on the premise that encryption achieves a control benefit: it helps to protect data from misuse (e.g. fraud) where a data file has been obtained in an unauthorised manner. If that data file is encrypted then the party holding it cannot read it unless they also hold the key that unlocks the encryption. Two caveats follow from this premise and recur throughout the report: the benefit depends on the key being kept out of the attacker’s reach, and encryption that is transparent to authorised sessions (such as database TDE) does not protect data that is read through an account which is itself authorised to see it, whether that account belongs to a DBA or to a compromised user.

To help identify the control benefit, we have set out below 5 common threat scenarios. These scenarios could feasibly lead to the loss of student data, depending upon a motivation behind the attack, an ability to circumvent existing controls and an opportunity. We would stress that these threats are not unique to the University but are common to other sectors too. These 5 scenarios reflect recent industry reporting¹; where we refer later in the report to threats, it is based on these scenarios:

1. Phishing
Attack scenario: Believing a fake email to be genuine, a user in the University clicks on a link that leads to a fake webpage and/or malware; this results in their user log-in being compromised, and a sensitive data file is obtained. Via email or web channel the file is then sent outside the University’s environment.
Control benefit of encryption (threats 1 and 2): If a data file obtained by an unauthorised party is encrypted, and the key has not also been obtained, the file is unreadable and has no value to the attacker. Risk to the University, for example non-compliance with privacy regulations, is significantly reduced.

2. Malware
Attack scenario: Via phishing, exploitation of a vulnerability or other means, malicious software infects a user’s workstation, and a sensitive data file is obtained. Via email or web channel the file is then sent outside the University’s environment.
Control benefit of encryption: As for threat 1.

3. Accidental loss via email
Attack scenario: A user downloads a sensitive data file from a core system, attaches the file to an email, and unintentionally emails the wrong recipient or a third party.
Control benefit of encryption: If the file(s) are encrypted and the password is not known to the recipient, encryption makes the data unreadable.

4. Download of data onto USB
Attack scenario: A user with access to the systems in scope for this exercise inserts a USB drive into their workstation and copies a data file to the removable device (for legitimate or malicious reasons).
Control benefit of encryption: If the data is encrypted and the keys are not known, the data cannot be read.

5. Physical theft of data
Attack scenario: An attacker gains access to University premises by either tailgating or by posing as another person, and is able to physically remove a workstation containing student data.
Control benefit of encryption: Encryption protects the operating system and files stored on the workstation from being accessed or read, unless the key is known.

1. ‘Cyber security posture survey 2018 research findings’, https://community.jisc.ac.uk/groups/security-products-and-services/document/cyber-security-posture-survey-2018-research-findings
Executive Summary 2: Systems in scope
As a starting point to understanding how encryption could help to protect sensitive data in the University environment, we agreed with the University that student data at rest would be the focus of this exercise. Student data in this context means:
- Data held in structured and unstructured form
- Such data held on removable media (specifically USB drives, and where hard drives could be removed and taken from University premises).
The following are out of scope at this time: mobile devices (laptops, phones and tablets), and any services provided by 3rd parties to the University.

The following key systems are in scope for this engagement, as directed by (and validated by) the Head of Development Services, and the Team Manager, Student Systems Partnership in the ISG:

The Enterprise Data Warehouse (EDW)
  What is the nature of this system? Still in development, the EDW will provide a single repository of information and data (including ultimately student data) to help inform decision making by business users across the University.
  Why is it included in scope? As the University itself has noted, “Over time, the EDW will aggregate all of the organisation’s core data in one place…making the EDW a very attractive target for anyone with nefarious intent..” (EDW security policy, referenced later in this report).
  Key considerations: How student data will be pulled from sources outside the EDW, across and into the system before it is presented for business purposes. Proposals to encrypt student data at rest in the EDW (namely in the Staging & Foundation Layer, the part of the system that holds the whole data set). How student data in the EDW will be exported to workstations for business use.

EUCLID
  What is the nature of this system? Edinburgh University Complete Lifecycle Integrated Development.
  Why is it included in scope? EUCLID is the University’s Student Record System, the core system that the University uses to manage student (and prospective student) data.
  Key considerations: How encryption could be applied to each layer of EUCLID and central business services.

Central business services related to EUCLID
  What is the nature of these systems? Accommodation Services, Counselling, Online LEARN.
  Why are they included in scope? These services relate to EUCLID and as such are amongst the key business services provided by central ISG.
  Key considerations: As for EUCLID: how encryption could be applied to each layer.
Executive Summary 3: Protecting student data (1/2)
The University of Edinburgh’s approach to Information Security is to ‘facilitate the protection of the University’s information and technology services against compromise of its confidentiality, integrity and availability… [whilst recognising] the ability to discover, develop and share knowledge must be maintained’¹. In line with this overall objective, the purpose of this report has been to help identify how encryption could provide a control benefit to student data at rest in the systems in scope for this engagement, in the event of logical (e.g. phishing, malware) or physical (e.g. theft) unauthorised access to that data. On this basis, from the work that we have conducted, we would recommend that:

1. The University should continue to pursue the Oracle Advanced Security solution for the EDW, as the control benefit will be high and the indicative costs will be low (additional measures are required to help maximise the control benefit):

EDW1: Oracle Advanced Security provides Transparent Data Encryption (TDE)
• Straightforward to implement
• Allows data encrypted at rest to be presented to the BI tools (Access Layer)
• Uses the ‘Oracle Wallet’ (keystore) for key management, reducing reliance on manual processes
• The approach to key management will require consideration to maximise the security benefit; a range of additional measures will be required. In particular, TDE is transparent to any authorised database session, so on its own it does not stop a compromised user account or a DBA reading the data; access control, multi-factor authentication and monitoring have to do that work.
• With additional measures in place (as per slide 14), will help to mitigate against all 5 key threats identified in this report.

2. For a strategic solution (it could be used in relation to the EDW and, over time, EUCLID and related business services) the University should conduct a detailed costings analysis of a Data Security Platform (DSP). Control benefits will be high, indicative costs will be high also:

AP2: Data security platform (DSP)
• Conceptually, a DSP sits between an application and its database. All data generated by the application is piped through the DSP, which encrypts the data before it is stored in the database. The data is decrypted and passed back to the application when requested.
• Allows data to be encrypted at rest. When data is required in the BI tools, it will be presented in a readable form (all of this is managed by the DSP).
• Requires thorough testing of underlying applications (non-trivial) and substantial investment
• Will help to mitigate against all 5 key threats identified in this report.

1. University of Edinburgh Information Security Policy, January 2018. Please note, all costs in the report (including in the Executive Summary) are relative costs only.
Executive Summary 4: Protecting student data (2/2)
3. In the interim, or in the event that you do not pursue a Data Security Platform to help protect applications, the University should consider the following alternative controls:

EUCLID: Applications – proposed alternative / interim controls
• A DSP solution (previous slide) could be employed here, although customisation costs will be high given the range of applications used across EUCLID and related business services.
• Alternative controls could include network segmentation, privileged access management, USB controls and full web filtering.
• Indicative costs of these alternative controls would be high; they would help to mitigate against the phishing, malware and USB download threats (only).

4. Although encryption for data at rest has been enabled on the centrally managed workstations in the University, we believe additional measures would help to protect student data at rest:

EUCLID: Workstations – proposed additional measures
• ‘BitLocker’ encryption has already been enabled on centrally managed workstations; additional controls to help mitigate data loss from workstations include Data Loss Prevention controls, full web filtering and USB controls.
• Indicative costs are high; these controls would help to mitigate against phishing, malware and accidental loss.

5. We do not believe that encryption of data at rest at the storage layer should be pursued, as it achieves a low control benefit only (it protects data only in the event of physical theft of a device, e.g. a hard drive; a running server decrypts the storage transparently, so logical attacks are not mitigated).

6. The University's back-up solution for Oracle Databases does not currently support encryption. The University's back-up solution is due to be replaced in the near future; a decision regarding encryption options should be taken following solution selection.
Executive Summary 5: Suggested next steps
We have set out below an outline project plan for how the University of Edinburgh could take forward next steps as it continues to focus on the protection of student data in the systems in scope for this engagement. We have focused on the potential use of ‘Oracle Advanced Security’ which the University continues to consider as part of its overall strategy. The University may choose to carry these actions out in another sequence, or run these in parallel dependent on the University's project management methodology. The timelines below are estimates, with delivery dependent on the resources, effort and focus applied to the project.

Activities & Milestones (outline timeline: January – March 2019, April – June 2019, July – September 2019)

Testing – Oracle Advanced Security for EDW
• Build test plan/case
• Testing Oracle Advanced Security
• Solution assessment / alternative solution procurement

Encryption Implementation Project for EDW
• Initiate project
• Define & agree scope
• Understand integrations between Foundation, Staging & Access DBs for encryption
• Develop restore procedures
• Acceptance testing
• Apply encryption

Security Management for Encryption
• Develop and implement key management procedures
• Develop and implement master key management procedures
• Training & awareness

Alternative Controls
• Investigate / deploy web filtering and supporting procedures
• Investigate / deploy workstation controls and supporting procedures
• Investigate / deploy and configure Data Loss Prevention technologies
Section 2.1: Protecting student data in the Enterprise Data Warehouse
Protecting student data in the EDW (1/5)
The Enterprise Data Warehouse (EDW) will utilise data from a number of source systems that hold student data (*systems in scope still to be confirmed). The consolidated data will be held in the EDW ‘Staging and Foundation Layer’ and will be accessed via the ‘Access Layer’ using Business Intelligence reporting tools (SAP BI, Power BI and QlikView). The intent of the EDW is to provide reporting based on enterprise data (e.g. finance, forecast planning) to business users across the University. At a high level, this slide sets out the planned flow of student data from source applications to workstations, and the ISG’s proposed approach to encryption across these stages.

Stage 1 – Student data sources: EUCLID, Accommodation services and other student systems¹ supply student data and other data to the EDW.
  Encryption: at present, data in the source applications is not encrypted at rest, but it will be encrypted in transfer as it goes from source to the EDW.
  Identified threats include phishing, malware and USB download (threats could originate from a workstation, or from physical and logical access to servers where USB is enabled).

Stage 2 – EDW Staging and Foundation layer (Oracle database): holds the core EDW data.
  Encryption: it is proposed that student data at rest in the DB will be encrypted.
  Identified threats include phishing, malware, USB download and physical theft (threats could originate from a DBA workstation, or from an individual with physical and logical access to the server where USB is enabled).

Stage 3 – Access layer: presents student BI data to the BI tools.
  Encryption: encrypted in transit at the access layer (and at rest, per the EDW security policy).
  Identified threats include phishing, malware, USB download and physical theft (threats could originate from a DBA workstation, or from physical and logical access to servers).

Stage 4 – Workstations (EDW business users): student BI data and unstructured student data exported for business use.
  Encryption: if exported to workstation(s), student data will not be encrypted.
  Identified threats include phishing, malware, accidental email loss, USB download and physical theft (all threats originate on the workstation).

1. As proposed under the ‘University of Edinburgh Enterprise Data Warehouse security policy’, November 2017.
Protecting student data in the EDW (2/5)
Focus on Staging and Foundation layers and Access layer – Oracle Database
The EDW security policy (from the ISG) proposes that data at rest in the databases at the Staging and Foundation layers of the system is encrypted. With this in mind, PwC has assessed four options (EDW1 to EDW4, on this slide and the next) to help identify the control benefit that encryption could provide to the student data at rest in the EDW (in the event of unauthorised access). All four options allow data encrypted at rest to be decrypted before it is presented to the BI tools in the Access Layer (a pre-requisite for the ISG regarding the EDW; for the third option, this applies to Linux servers only).

EDW1: Oracle Advanced Security provides Transparent Data Encryption (TDE)
  Detail: TDE encrypts data as it is written to the application tables (the database datafiles) and decrypts it as it is read back, so any authorised database session, and therefore the application, sees plaintext without modification.
  Pros: Allows data encrypted at rest to be presented to the BI tools in the Access Layer in readable form.
  Cons: Personnel with high-privilege accounts, or an attacker using a compromised account that is authorised to query the data, could still read the data (absent other controls). Specific to Oracle, so any future databases provided will either need to use Oracle also, or alternative controls will need to be considered.

EDW2: Data Security Platform
  Detail: Data encrypted or tokenised at this level remains protected at lower layers of the stack (e.g. DB).
  Pros: Allows data encrypted at rest to be presented in readable form to the BI tools in the Access Layer. Can be used with a variety of apps (unless very old), not just Oracle. Could be ‘scaled’ more easily than the option above.
  Cons: Requires thorough testing of underlying applications (non-trivial). Requires substantial investment.
Protecting student data in the EDW (3/5)
Focus on Staging and Foundation layers and Access layer – Oracle Database

EDW3: Apply Full Disk Encryption (server)
  Detail: Encrypts the hard drive partitions.
  Pros: One of the simplest methods of deploying encryption. Allows data to be presented to BI tools (for Linux servers only).
  Cons: Non-physical threats are not mitigated.

EDW4: SAN storage encryption (bit by bit at the storage level)
  Detail: Encrypts data as it is written to storage, and decrypts data as it is read from storage.
  Pros: Encrypts the whole virtual machine image on the storage, which protects against physical theft of the storage media or of disks leaving the data centre.
  Cons: Does not mitigate logical attacks: the storage layer decrypts transparently for any host permitted to mount the volume, so an attacker on a running server reads plaintext. May not be applicable to the current network storage configuration and may require separate infrastructure. Difficult to back up and restore; requires decryption before any restore.

Recommendations:
• The University should continue to pursue the Oracle Advanced Security solution for the EDW, as the control benefit will be high and the indicative costs will be low (additional measures are required to help maximise the control benefit; these include consideration given to key management in line with slide 15).
• For a strategic solution (it could be used in relation to the EDW and, over time, EUCLID and related business services) the University should conduct a detailed costings analysis of a Data Security Platform (DSP). The control benefits of such a solution would be high, but so too would the costs of implementation and testing (especially where legacy apps are involved).
• We do not believe that encryption of data at rest at the storage layer should be pursued, as it achieves a low control benefit only (it protects data only in the event of physical theft of a device, e.g. a hard drive).
Protecting student data in the EDW (4/5)
Reviewing the (proposed) flow of student data into and out of the EDW
Given the strategic role that the EDW will play across the University it is important to view each stage involved in the flow of student data into and ultimately out of the EDW (as it relates to data at rest). The below outlines how the potential threats to each stage / layer could be mitigated either by encryption or by an additional / alternative control:

Student data sources* (Application layer)
  Encryption proposed under EDW security policy? Not at rest, but in transit.
  Key proposed alternative / additional controls: Restrict the capability of the data source (e.g. EUCLID) to export data to limited authorised users only. Whitelist EDW IP addresses for the feed of data from sources.

Staging & Foundation layer (Oracle database)
  Encryption proposed under EDW security policy? Yes, at rest and in transit.
  Key proposed alternative / additional controls: Access controls proposed in the EDW security policy, DBA access only.

Access Layer (database, separate to Staging & Foundation)
  Encryption proposed under EDW security policy? Yes, at rest and in transit.
  Key proposed alternative / additional controls: Access controls proposed in the EDW security policy (including the role of Data Steward).

Workstation (EDW business users / DBAs)
  Encryption proposed under EDW security policy? Not covered, but ‘BitLocker’ encryption is already in place.
  Key proposed alternative / additional controls: Multi-factor authentication for DBA users. Enforced password protection of confidential files. DLP controls. Targeted user awareness and training. USB controls.

* Note, not part of the EDW.

Recommendations:
• Although encryption for data at rest has been enabled on the centrally managed workstations in the University, we believe additional measures (as outlined above) would help to protect student data at rest.
Protecting student data in the EDW (5/5)
Focus on key management
As the ISG is aware, the importance of key management in encryption (as data is encrypted and then decrypted for use) cannot be overstated. We have therefore outlined below the different stages that make up the lifecycle of key management, to help inform the ISG’s approach to encryption regarding both the EDW and EUCLID and related business services.

Key management lifecycle: Generation → Operation → Revocation → Renewal → Escrow

1. Generation – how will the keys be generated for use? Which roles will generate them?
2. Operation – have you considered the operation of a key, noting that each key will be live for a specific time period only?
3. Revocation – in the event that a key is compromised, how will you revoke it?
4. Renewal – have you considered the measures required when a key expires?
5. Escrow – in the event that you lose a key, do you have a back-up position?

It is noted that ‘Oracle Advanced Security’, which the University is currently reviewing in respect of the EDW, provides the mechanism for each of these stages: the master encryption key is generated, rotated and stored in the Oracle keystore (wallet), and the keystore can be backed up and, optionally, opened automatically at database start-up. The procedures around that mechanism remain the University’s responsibility, and two points deserve early attention: the keystore (and its backups) must be stored and backed up separately from the database files, because a copy of the datafiles together with the keystore is a copy of the plaintext; and if the keystore is lost without a backup, the encrypted data is unrecoverable.

PwC would recommend a broad range of controls are used to help protect every stage of the key management lifecycle. Defined roles should be set for those responsible for key management, with consideration given to:
- Enhanced pre-employment screening
- Robust physical security controls (such as safes, keys held in different compartments, biometrics used to access safes)
- Detective controls to help manage the lifecycle (e.g. the ability to monitor if keys are deleted)
- Integration of processes relating to key management into the University’s incident management processes, i.e. development of relevant playbooks, scenario exercising.
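Worked example, added by the editor and not part of the PwC report: how the five lifecycle stages above, and the TDE option assessed on slide 12, map onto Oracle Advanced Security statements, together with the checks a reviewer would run afterwards. It assumes Oracle Database 12c or later with the Advanced Security option, a file-based keystore and a non-container database; every path, user, tablespace, column and tag name below is hypothetical.

```sql
-- Added example (not the report's own material). Assumes Oracle 12c+ with
-- Advanced Security, a file keystore and a non-CDB database. All names are
-- hypothetical.
--
-- Prerequisite (sqlnet.ora on the database server for 12c; from 18c use the
-- WALLET_ROOT initialisation parameter instead):
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)
--     (METHOD_DATA=(DIRECTORY=/etc/ORACLE/KEYSTORES/EDW)))
-- Keep that directory on storage that is NOT in the same backup set as the
-- datafiles: datafiles plus keystore equals plaintext.

-- Separation of duties: key operations use the SYSKM administrative
-- privilege, so DBAs connecting AS SYSDBA need not hold the keystore password.
GRANT SYSKM TO edw_keyadmin;
-- The remaining statements run as:  CONNECT edw_keyadmin AS SYSKM

-- 1. Generation: create the password-protected keystore, open it, and
--    generate the first master encryption key. WITH BACKUP copies the
--    keystore before the key changes (the escrow step happens here too).
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/KEYSTORES/EDW'
  IDENTIFIED BY "edw-keystore-passphrase";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "edw-keystore-passphrase";
ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'edw master 2019q1'
  IDENTIFIED BY "edw-keystore-passphrase" WITH BACKUP USING 'initial';

-- 2. Operation: the Staging & Foundation tablespace is created encrypted.
--    Applications and BI tools read it unchanged, which is both the TDE
--    benefit and its limit: any authorised session sees plaintext.
CREATE TABLESPACE edw_foundation
  DATAFILE '/u02/oradata/EDW/edw_foundation01.dbf' SIZE 10G AUTOEXTEND ON
  ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);
-- Column-level alternative for a single sensitive field in a staging table:
ALTER TABLE stg.student MODIFY (national_insurance_no ENCRYPT USING 'AES256');

-- 3./4. Revocation and renewal: a file keystore has no "revoke"; a suspected
--    compromise or a scheduled expiry is handled by rekeying. SET KEY creates
--    a new master key and re-wraps the tablespace keys; it does NOT
--    re-encrypt the datafiles. If the tablespace key itself may have leaked,
--    rekey the tablespace as well (12.2+ online rekey, shown as a comment):
--      ALTER TABLESPACE edw_foundation ENCRYPTION ONLINE REKEY
--        FILE_NAME_CONVERT = ('edw_foundation01.dbf','edw_foundation01_r.dbf');
ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE USING 'pre_rekey_2019q3'
  IDENTIFIED BY "edw-keystore-passphrase";
ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'edw master 2019q3'
  IDENTIFIED BY "edw-keystore-passphrase" WITH BACKUP USING 'rekey_2019q3';

-- Optional auto-login keystore so the database opens without a person typing
-- the passphrase at restart. Trade-off: whoever copies this file together
-- with the datafiles can decrypt them, so its OS permissions and location
-- matter more than the passphrase does.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
  FROM KEYSTORE '/etc/ORACLE/KEYSTORES/EDW'
  IDENTIFIED BY "edw-keystore-passphrase";

-- 5. Escrow and detective checks (the "can we tell whether a key was never
--    backed up" question on this slide):
SELECT wrl_parameter, status, wallet_type, fully_backed_up
  FROM v$encryption_wallet;            -- expect STATUS = OPEN, FULLY_BACKED_UP = YES
SELECT key_id, tag, creation_time, activation_time, backed_up
  FROM v$encryption_keys ORDER BY activation_time;
SELECT tablespace_name, encrypted FROM dba_tablespaces
  WHERE tablespace_name = 'EDW_FOUNDATION';   -- expect ENCRYPTED = YES
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

-- Record every key-management action (unified auditing, 12c+) so that the
-- incident playbooks recommended on this slide have evidence to work from.
CREATE AUDIT POLICY edw_tde_keys ACTIONS ADMINISTER KEY MANAGEMENT;
AUDIT POLICY edw_tde_keys;
```

Two design points worth carrying into the University’s procedures. First, the SYSKM grant is what makes the "defined roles" recommendation concrete: the person who can open and rekey the keystore does not have to be the person who administers the database. Second, the distinction between rekeying the master key and rekeying the tablespace is the difference between answering the "revocation" question on paper and answering it for real; if an attacker obtained both a keystore copy and a datafile copy, rotating the master key alone does not help, because the tablespace key that actually protects the data has not changed.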
Section 2.2: Protecting student data in EUCLID and central business services
Protecting student data in EUCLID and central business services (1/5)
For EUCLID and related business services we have reviewed how student data in each layer could be protected:
- where we believe encryption could provide a control benefit,
- where we believe measures in addition to encryption are required, or
- where we believe alternatives to encryption should be considered from a cost / resource perspective.
The below sets out, at a high level, the different layers involved and how encryption could be applied (for illustrative purposes).

Application Layer
The University’s systems typically present information to the end user through a graphical user interface. This includes the EUCLID, Accommodation Services and Online LEARN applications with their underlying databases.
Encryption applied at the Application layer protects information within all the layers below it. While application-level encryption offers the most security, it is typically difficult, costly and may be time-intensive to implement.

Database Layer
Refers to the underlying databases and structured data that are accessed by the applications. This includes the Oracle and SQL databases that hold the data read and written by the application itself. The ‘Counselling’ system currently utilises a database for administrative and reporting purposes.
Database encryption, such as TDE, can protect the underlying information within the database tables from physical theft and from unauthorised logical access to the server flat files that make up the database (for example, a criminal gains unauthorised access to the database server, and copies and transfers the database files outside of the University environment). It does not protect against reads made through an authorised database session.

Storage Layer
Refers to the physical disks and storage media that hold data used by the applications and databases. These are hosted within the two primary data centres within the University.
Full-Disk Encryption at the storage level protects against the physical loss of storage media. Storage Area Network (SAN) level encryption can also be applied to protect Virtual Machine environments.

Back Up Layer
This refers to the back-up procedures used to replicate systems / data in the event they need to be restored. The University uses the Easter Bush campus as its back-up site.
Encryption at the back-up layer protects the back-up media against physical theft.

Business End Users / Workstation layer

1. [xxx]
Protecting student data in EUCLID and central business services (2/5)
These slides set out options for encryption at each of the layers in scope for these systems, whether the option would help to mitigate the threats in scope for this review, and an indicative cost of each option, relative to the other options proposed (see the cost key at the end of this section). For each option, “Mitigates” lists the five threats: Phishing, Malware, Accidental loss via email, USB drive and Physical theft.

Apps
AP1: Re-code high risk apps to encrypt underlying sensitive data.
  Mitigates: Phishing No | Malware No | Accidental loss via email No | USB drive No | Physical theft Yes
  Pros: Data encrypted at application level remains protected at the lower layers of the stack. Can be a good opportunity to modernise legacy apps.
  Cons: Requires significant effort. Potentially significant costs for re-coding. Increased likelihood of business disruption.
  Cost¹: £££

AP2: Implement a data security platform; this sits between the application and the database and encrypts data at the app layer.
  Mitigates: Phishing Yes | Malware Yes | Accidental loss via email Yes | USB drive Yes | Physical theft Yes
  Pros: Data encrypted at this level remains protected at lower layers of the stack (e.g. DB). Does not require substantial re-architecting of apps.
  Cons: Requires thorough testing of underlying applications (non-trivial). May require substantial investment to avoid latency issues.
  Cost¹: £££

Database
DB1: Transparent Data Encryption (TDE) (broadly, as per slide 12)
  Mitigates: Phishing Yes | Malware Yes | Accidental loss via email Yes* | USB drive Yes | Physical theft Yes
  Pros: Does not require substantial re-engineering of existing apps and infrastructure.
  Cons: Specific to Oracle; in the event other databases are used, a new solution will be required.
  Cost¹: £££

DB2: Data tokenisation solution; sits between the app and database layers and swaps actual data values for a token, which is then used in database operations.
  Mitigates: Phishing Yes | Malware Yes | Accidental loss via email Yes | USB drive Yes | Physical theft Yes
  Pros: Does not require major changes to the existing applications and databases. Low potential for business disruption.
  Cons: Relative to other options, costs can be high (as it is required in front of each instance in scope).
  Cost¹: ££££

* Where the compromised user does not have authorised access to the sensitive data.
Protecting student data in EUCLID and central business services (3/5)
Storage
S1: Full Disk Encryption (FDE) encrypts data as it is written to storage, and decrypts data as it is read from storage.
  Mitigates: Phishing No | Malware No | Accidental loss via email No | USB drive No | Physical theft Yes
  Pros: One of the simplest methods of deploying encryption.
  Cons: Performance may be negatively impacted. Limited threat reduction.
  Cost¹: ££

Recommendations:
For EUCLID and the other services, we believe that the University should consider:
- AP2 Data Security Platform as part of a strategic solution for encrypting student data at rest, as it could cover both the EDW and EUCLID (and related business services) systems.
- The other options will either involve implementation and/or running costs that are high, or offer only limited control benefits against the threats in scope for this engagement.
- In the event that the University decides not to pursue a Data Security Platform (at the Application level), or as an interim position, we have identified alternative controls (outlined on the following slides) that may help to protect student data at rest in the systems in scope for this engagement.
Protecting student data in EUCLID and central business services (4/5)
Where we believe encryption will not provide a control benefit, or where we believe additional controls would help to mitigate the key risk of data loss, we have set out below alternative or additional controls to help protect student data at rest in each layer of EUCLID and related services:

Workstations
Data Loss Prevention controls
  Mitigates: Phishing Yes | Malware Yes | Accidental loss via email Yes | USB drive No | Physical theft No
  Pros: Helps to mitigate the impact of both data compromise attacks and incidents caused by human error.
  Cons: Requires significant business ‘buy in’ and support.
  Cost¹: £££

USB controls
  Mitigates: Phishing No | Malware No | Accidental loss via email No | USB drive Yes | Physical theft No
  Pros: In addition to helping to prevent data loss, can help mitigate ‘rogue device’ attacks against an IT estate.
  Cons: Requires significant business ‘buy in’ and support.
  Cost¹: ££

Targeted end user awareness & training
  Mitigates: Phishing Yes | Malware Yes | Accidental loss via email Yes | USB drive Yes | Physical theft Yes
  Pros: Relative to other options, implementation and roll-out is straightforward.
  Cons: Can be difficult to measure effectiveness.
  Cost¹: £

Full web filtering
  Mitigates: Phishing Yes | Malware Yes | Accidental loss via email No | USB drive No | Physical theft No
  Pros: Helps to mitigate a wide range of commodity attacks including phishing, malware and ransomware.
  Cons: Requires significant business ‘buy in’ and support.
  Cost¹: ££

Applications & Databases
Multi-factor Authentication
  Mitigates: Phishing Yes | Malware Yes | Accidental loss via email No | USB drive Yes | Physical theft No
  Pros: Further strengthens access control measures.
  Cons: Increases the overhead for account recovery.
  Cost¹: ££

Network segmentation
  Mitigates: Phishing Yes | Malware Yes | Accidental loss via email No | USB drive No | Physical theft No
  Pros: Helps to mitigate a wide range of network compromise attacks.
  Cons: Expensive, and requires significant business and technology change.
  Cost¹: ££££
Protecting student data in EUCLID and central business services (5/5)
Applications & Databases (continued)
Privileged Access Management
  Mitigates: Phishing Yes | Malware Yes | Accidental loss via email No | USB drive No | Physical theft Yes
  Pros: Once in place, significant access control benefits can be achieved.
  Cons: Requires significant business resource and support.
  Cost¹: £££

Storage
Targeted user awareness & training
  Mitigates: Phishing Yes | Malware Yes | Accidental loss via email Yes | USB drive Yes | Physical theft Yes
  Pros: Relative to other options, cheap.
  Cons: Can be difficult to measure in a meaningful way.
  Cost¹: £

¹ Costs: indicative costs only; a full assessment of technical configuration and business inputs is required before deployment (e.g. testing, training).
£ Low costs for initial investment and ongoing roll-out and maintenance.
££ Medium costs for initial investment and ongoing roll-out and maintenance.
£££ High costs for initial investment and ongoing roll-out and maintenance.
££££ Very high costs for initial investment and ongoing roll-out and maintenance.
Appendices
1. Threats to student data
2. Proposed alternative controls
3. Approach
4. Previous attacks at other universities
Appendix 1: Threats to student data
What are the key threats to student data, and how could these threats lead to the loss of data from the system?
This review of where encryption could benefit the University has been underpinned by five key threats that could result in the material loss of sensitive student data from the University. We have assessed whether encryption will help to mitigate these threats and have also identified alternative controls that could be applied to ensure a ‘defence in depth’ approach to information security. The scenarios below are based on industry reporting (a survey by JISC (1) reported that the top threats faced by the HE sector were, in order, phishing and social engineering; malware; and accidental loss) as well as our understanding of the cyber threat landscape. Given the open nature of the University estate (with workstations that can access student data located across the campus) we have added scenarios relating to USB download and physical theft.

1. JISC, ‘Cyber security posture survey 2018 research findings’, https://community.jisc.ac.uk/groups/security-products-and-services/document/cyber-security-posture-survey-2018-research-findings.
Each threat scenario is described in three stages: attack, compromise and breach.

1: Phishing
Attack: Fake emails are sent to a user with access to the systems in scope; believing the email to be genuine, the user clicks on a link that leads to a fake webpage or to malware.
Compromise: From the initial attack, the criminal acquires the log-in credentials of the genuine user and accesses student data held in an application, or held locally on the user's workstation.
Breach: Compromised student data is sent out via the email channel, or uploaded via the web channel, where it is then accessed by the criminal outside the University network.

2: Malware
Attack: Via a phishing attack, fake social media or exploitation of a vulnerability, malicious software (malware) infects the workstation of a user with access to the systems in scope for this exercise that hold student data.
Compromise: From the user's workstation, the criminal gains wider access to applications holding student data, or to the underlying databases, held in the University estate.
Breach: Compromised student data is sent out via the email channel, or uploaded via the web channel, where it is then accessed by the criminal outside the University network.

3: Accidental loss via email
Attack: A user downloads a set of student data from one of the systems in scope for this exercise to their local workstation (e.g. as an Excel file).
Compromise: Either with malicious intent or by accident, the user then emails the file outside the University environment as an attachment.
Breach: Once outside the University's environment (and control), the file may be further copied or disseminated.

4: Download of data onto USB
Attack: A user with access to the systems in scope for this exercise inserts a USB drive or similar media into their workstation.
Compromise: Student data is downloaded onto the USB drive by the user (either for legitimate reasons or with malicious intent).
Breach: The USB drive is then removed from the University and accessed by the user or another party outside the University environment.

5: Physical theft of data
Attack: Access is gained to the University either by tailgating or by posing as another person.
Compromise: A workstation or other device holding student data is located and removed from University premises.
Breach: The workstation or other media is then accessed by the thief or another party outside the University environment.
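What separates these five scenarios, from the point of view of encryption at rest, is whether the attacker reaches the data through the application (which holds the decryption key and will decrypt for any authenticated session) or only reaches the stored bytes. The Go program below is an added example, not part of the PwC report or of any University system: it models a store that encrypts records at rest with AES-GCM under a key held by the application, authenticates with a deliberately simple SHA-256 password check (an assumption for brevity; a real system would use a slow KDF), and replays each scenario against the model. The user name, password and student record are constructed. A stolen device that still holds the key itself (for example an unlocked laptop) is not modelled; it would behave like the session path.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"strings"
)

// SampleRecord is a constructed stand-in for one row of exported student data.
const SampleRecord = "s1234567,Jane Doe,BSc Informatics,jane.doe@example.ac.uk"

// Store models an application whose data files are encrypted at rest with a key the
// application holds, so the encryption is transparent to anything that authenticates.
type Store struct {
	aead      cipher.AEAD
	files     map[string][]byte   // ciphertext exactly as written to disk
	passwords map[string][32]byte // toy credential store (assumption: SHA-256, no slow KDF)
}

// Session is what a logged-in user, or malware running as that user, holds.
type Session struct{ store *Store }

func NewStore(users map[string]string) (*Store, error) {
	key := make([]byte, 32)
	rand.Read(key) // guaranteed not to fail since Go 1.24
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	s := &Store{aead: aead, files: map[string][]byte{}, passwords: map[string][32]byte{}}
	for u, p := range users {
		s.passwords[u] = sha256.Sum256([]byte(p))
	}
	return s, nil
}

// Put seals a record under a fresh random nonce, binding the record id as associated data.
func (s *Store) Put(id, plaintext string) {
	nonce := make([]byte, s.aead.NonceSize())
	rand.Read(nonce)
	s.files[id] = s.aead.Seal(nonce, nonce, []byte(plaintext), []byte(id))
}

// RawFile is what a thief of the disk, or a raw copy of the data file, obtains: no key, no session.
func (s *Store) RawFile(id string) []byte { return s.files[id] }

// Login issues a session for valid credentials; phished credentials are valid credentials.
func (s *Store) Login(user, password string) (*Session, error) {
	want, ok := s.passwords[user]
	got := sha256.Sum256([]byte(password))
	if !ok || subtle.ConstantTimeCompare(want[:], got[:]) != 1 {
		return nil, errors.New("invalid credentials")
	}
	return &Session{store: s}, nil
}

// Read decrypts through the application path; any holder of a session gets plaintext.
func (sess *Session) Read(id string) (string, error) {
	ct, ns := sess.store.files[id], sess.store.aead.NonceSize()
	if len(ct) < ns {
		return "", errors.New("no such record")
	}
	pt, err := sess.store.aead.Open(nil, ct[:ns], ct[ns:], []byte(id))
	return string(pt), err
}

// Evaluate replays the report's five threat scenarios against the model and returns,
// per threat, whether encryption at rest on its own prevented the loss (true = mitigated).
func Evaluate() (map[string]bool, error) {
	s, err := NewStore(map[string]string{"staff1": "Winter2019!"}) // constructed credentials
	if err != nil {
		return nil, err
	}
	s.Put("export.csv", SampleRecord)
	// Scenarios 1 to 4 reach the data through an authenticated session: a phished
	// credential, malware running as the user, or the user's own email/USB export.
	sess, err := s.Login("staff1", "Winter2019!")
	if err != nil {
		return nil, err
	}
	pt, err := sess.Read("export.csv")
	if err != nil {
		return nil, err
	}
	viaSession := !strings.Contains(pt, SampleRecord)
	// A raw copy of the data file (USB) or theft of the disk (scenario 5) reaches only stored bytes.
	viaDisk := !strings.Contains(string(s.RawFile("export.csv")), SampleRecord)
	return map[string]bool{
		"phishing": viaSession, "malware": viaSession, "email": viaSession,
		"usb (application export)": viaSession, "usb (raw file copy)": viaDisk,
		"physical theft": viaDisk,
	}, nil
}
```

Running Evaluate reports the first four scenarios (and a USB export made through the application) as not mitigated, and only the raw file copy and physical theft as mitigated: the ciphertext on disk is useless without the key, but every path that goes through a valid session is handed plaintext by design. This is why the controls tables pair encryption with access controls, user awareness and DLP rather than treating it as a substitute for them.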
23
Appendix 2: Proposed alternative controls
Helping to reduce the risk of data loss or other compromise
On previous slides (including 14, 20 and 21) we have set out controls that the University of Edinburgh may wish to consider as an alternative to encryption (for reasons of cost, or because the control benefit achieved by encryption may be limited, or both). More detail on these controls is set out below:
Each control is described by its detail, an industry reference (1) and a comment.

Control: Web filtering
Detail: Access to websites is regulated, blocking access to sites known or suspected to be malicious (e.g. hosting malware).
Industry reference: UK Government's ‘10 steps’ guidance: ‘Malware Protection’.
Comment: Given the dynamic nature of the threat, any filter needs to be continually reviewed (resources required).

Control: Network segmentation
Detail: Segment the University network to restrict logical access to systems holding student data.
Industry reference: UK Government's ‘10 steps’ guidance: ‘Network Security’.
Comment: Major project requiring input from across ISG and a wider set of stakeholders.

Control: Privileged Access Management (PAM)
Detail: Comprehensive review of PAM across all assets holding student data, followed by new policies and controls.
Industry reference: UK Government's ‘10 steps’ guidance: ‘Managing User Privileges’.
Comment: Requires identification of privileged accounts and assets, supported by a PAM policy (all of which are non-trivial tasks).

Control: Targeted user awareness & training
Detail: In addition to generic user awareness and training, introduce more targeted user training.
Industry reference: UK Government's ‘10 steps’ guidance: ‘User Education & Awareness’.
Comment: Compared to other compensating controls, relatively cheap to introduce.

Control: DLP controls
Detail: Introduce data loss prevention tools at the endpoint, reinforced with policies.
Industry reference: NCSC guidance on ‘Protecting Bulk Data’.
Comment: Significant initial investment in technologies and configuration required.

Control: Multi-factor authentication
Detail: Introduce an extra authentication factor for users accessing student data held in applications in scope for this engagement.
Industry reference: NCSC guidance, ‘Multi-factor authentication for online services’.
Comment: Compared to other compensating controls, relatively cheap to introduce, although maintenance costs need to be considered too.

Control: USB (or other drives) controls
Detail: Introduce limits on the use of USB drives in the University environment (e.g. access to media ports denied by default).
Industry reference: UK Government's ‘10 steps’ guidance: ‘Removable Media Controls’.
Comment: Will require a feasibility study to understand business needs for removable media before appropriate controls are identified.

1. www.ncsc.gov.uk
24
Appendix 3: Approach
We have set out below a generic approach to understanding the control benefit that may be achieved from encrypting data at rest, to help the
University of Edinburgh consider how other sensitive data sets could be protected.
1. Threats to data
1.1 What does the University's threat landscape look like?
1.2 What key threats could result in the loss of sensitive data?
• Assess key threats which could lead to the exposure of data.
• This may differ depending on data type, organisational area (i.e. Schools, Central Services) and end users of data.
• Typical outputs would include identification of material threats, aligned to the University's risk appetite.
• Inputs would include:
- CISO team
- National Cyber Security Centre reporting
- Open source (e.g. media)

2. Systems and data
2.1 How is sensitive data used and where is the data held?
2.2 What information technologies support these processes?
• Determine the technologies, processes and assets used in the storage and use of critical data within the environment which should be further protected. Business use, integrations, dependencies and planned major changes should be considered too.
• Infrastructure and Production Management teams, Data Owners, end users and vendors should also be consulted to understand the flow of data and the use case of each system.

3. Protecting data
3.1 Encryption: How could you apply encryption to these systems?
• Understand the technical architecture of the solutions and the layers at which encryption could be applied that meet the requirement of increasing the security of the data without significantly impacting usability.
• Consider which of the identified threats present the greatest concern (could lead to a material risk) and how encryption could best mitigate the threat (or threats).
3.2 Controls: Are there alternative or additional controls to consider?
• A ‘defence in depth’ approach should be considered, and several controls would serve to further protect the University's information assets.
• Review the current control environment to understand what mitigating controls are already in place; these may include preventative technical controls, business processes and physical protections. Ongoing security programmes should also be considered.
25
Appendix 4: Previous Cyber Attacks at UK Universities
Each incident is described by who it impacted, the attack methodology, the aim of the attacker and further details.

Who did it impact: Multiple UK Universities, August 2018
Attack methodology: Hackers created fake websites that resembled the login pages of each university. Believing them to be legitimate, students entered their login credentials on these sites before being redirected to the legitimate website to disguise the attack.
Aim of attacker: To steal unpublished research and intellectual property from Universities.
Details: NCSC believed those responsible to be linked to the Iranian government, as part of a major campaign targeting 76 universities in 14 countries.

Who did it impact: Oxford University, University of Warwick and UCL, included in a group in a 2017 attack
Attack methodology: Ransomware, phishing emails and denial of service attacks.
Aim of attacker: To steal research data and documents to sell to the highest bidders.
Details: Cyber criminals interested in defence technologies and research into novel fuels and better batteries.

Who did it impact: Multiple UK Universities including Aberdeen University, October 2018
Attack methodology: Phishing emails appearing to be from HMRC offering fake tax refunds. The link takes the individual to a fake HMRC website where payment details are taken. Emails were distributed from legitimate university email addresses to avoid detection.
Aim of attacker: To steal money.
Details: The largest direct attack the tax body has seen, with thousands of fraud attempts.

Who did it impact: University in the North of England, 2017
Attack methodology: Staff targeted by phishing emails in an attempt to change account details on the HR system.
Aim of attacker: To redirect wage payments in a money laundering scheme.
Details: Students at other universities were used as mules to receive payments.

Who did it impact: UCL, 2017
Attack methodology: Ransomware attack deployed through phishing emails with links to destructive software.
Aim of attacker: To steal money and cause disruption for students.
Details: Attack launched at a critical study time, to increase the chance of payment.
26
This is a draft prepared for discussion purposes only and should not be relied upon; the contents are subject to amendment or withdrawal and our final conclusions and findings will be set out in our final deliverable.
This document has been prepared only for University of Edinburgh and solely for the purpose and on the terms agreed with University of Edinburgh in our agreement dated 12 November 2018. We accept no liability (including for negligence) to anyone else in connection with this document, and it may not be provided to anyone else. In the event that, pursuant to a request which University of Edinburgh has received under the Freedom of Information (Scotland) Act 2002 or the Environmental Information Regulations 2004 (as the same may be amended or re-enacted from time to time) or any subordinate legislation made thereunder (collectively, the “Legislation”), University of Edinburgh is required to disclose any information contained in this document, it will notify PwC promptly and will consult with PwC prior to disclosing such document. University of Edinburgh agrees to pay due regard to any representations which PwC may make in connection with such disclosure and to apply any relevant exemptions which may exist under the Legislation to such report. If, following consultation with PwC, University of Edinburgh discloses this document or any part thereof, it shall ensure that any disclaimer which PwC has included or may subsequently wish to include in the information is reproduced in full in any copies disclosed.

© 2018 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.