
Encryption of data at rest
Scoping exercise

University of Edinburgh (v4.0), January 2019

www.pwc.co.uk

Page 2

PwC

Overview

The purpose of this report is to help the University of Edinburgh consider possible approaches to encrypting data at rest, with the intention of reducing the likelihood of data loss.

Specifically, this report looks at the protection of student data at rest. The report describes where we believe that encryption will deliver the greatest control benefit for cost and effort against core systems, identified by the University, involved in the management of student data. It also sets out key considerations to help the University decide on the approach to take to encryption.

This focus on protecting sensitive data in the University comes against a backdrop of increased threats to the Higher and Further Education sectors. At the same time, the University continues to invest in digital systems and assets to provide services to students and staff alike. Recognising the need to protect sensitive data from cyber attack, there is an aspiration from the University to drive a strong security culture across the organisation and its people.

Contents
Introduction: Slides 2 – 4
1 Executive Summary: Slides 5 – 10
2.1 Protecting student data in the EDW: Slides 11 – 16
2.2 Protecting student data in EUCLID and related business services: Slides 17 – 22
3 Appendices: Slides 23 – 27

Page 3

Introduction 2 – Approach

Agreed in advance with the Information Services Group (ISG), this is the approach that we have taken to this report against the objective of helping to inform the University’s decision making regarding the future use of data encryption.

1. Threats to student data
   1.1 What are the key threats to student data?
   1.2 How could these threats lead to the loss of data from the system?
   Threats considered: Phishing; Malware; Accidental loss / email; USB download; Physical theft.

2. Systems in scope
   2.1 EDW: Still in development, we have reviewed how student data will flow into and across the stages of this system.
   2.2 EUCLID & central business services: We have reviewed how student data in each layer could be protected.

3. Protecting student data
   3.1 Encryption: How could you apply encryption to these systems?
   3.2 Controls: Are there alternative or additional controls to consider?

Page 4

Executive Summary

Page 5

Executive Summary 1: Threats to student data

This report is based on the premise that encryption achieves a control benefit: it helps to protect data from misuse (e.g. fraud) where a data file has been obtained in an unauthorised manner. If that data file is encrypted then the party holding it cannot read it, unless they hold the key to unlock the encryption.

To help identify the control benefit, we have set out below 5 common threat scenarios. These scenarios could feasibly lead to the loss of student data, depending upon a motivation behind the attack, an ability to circumvent existing controls and an opportunity. We would stress that these threats are not unique to the University but are common to other sectors too. These 5 scenarios reflect recent industry reporting [1]; where we refer later in the report to threats, it is based on these scenarios:

Threat 1. Phishing
Attack scenario: Believing a fake email to be genuine, a user in the University clicks on a link that leads to a fake webpage and/or malware; this results in their user log-in being compromised, and a sensitive data file is obtained. Via email or web channel the file is then sent outside the University’s environment.
Control benefit of encryption: If a data file has been obtained by an unauthorised party then it has no value, as it is rendered unreadable by encryption. Risk to the University, for example compliance with privacy regulations, is significantly reduced.

Threat 2. Malware
Attack scenario: Via phishing, exploitation of a vulnerability or other means, malicious software infects a user’s workstation, and a sensitive data file is obtained. Via email or web channel the file is then sent outside the University’s environment.
Control benefit of encryption: As for threat 1.

Threat 3. Accidental loss via email
Attack scenario: A user downloads a sensitive data file from a core system, attaches the file to an email, and unintentionally emails the wrong recipient or third party.
Control benefit of encryption: If the file(s) are encrypted and the password was not known, encryption would make the data unreadable.

Threat 4. Download data onto USB
Attack scenario: A user with access to the systems in scope for this exercise inserts a USB drive into their workstation and copies a data file to the removable device (for legitimate or malicious reasons).
Control benefit of encryption: If the data is encrypted and the keys were not known, the data cannot be read.

Threat 5. Physical theft of data
Attack scenario: An attacker gains access to the University premises by either tailgating or by posing as another person, and is able to physically remove a workstation containing student data.
Control benefit of encryption: Encryption would protect the operating system and files stored on the workstation from being accessed/read, unless the key is known.

[1] ‘Cyber security posture survey 2018 research findings’, https://community.jisc.ac.uk/groups/security-products-and-services/document/cyber-security-posture-survey-2018-research-findings

Page 6

Executive Summary 2: Systems in scope

As a starting point to understanding how encryption could help to protect sensitive data in the University environment, we agreed with the University that student data at rest would be the focus of this exercise. Student data in this context means:

- Data held in structured and unstructured form
- Such data held on removable media (specifically USB drives, and where hard drives could be removed and taken from University premises).

With the following out of scope at this time: mobile devices (laptops, phones and tablets), and any services provided by 3rd parties to the University.

The following key systems are in scope for this engagement, as directed by (and validated by) the Head of Development Services and the Team Manager, Student Systems Partnership in the ISG:

The Enterprise Data Warehouse (EDW)
• What is the nature of this system? Still in development, the EDW will provide a single repository of information and data (including ultimately student data) to help inform decision making by business users across the University.
• Why is it included in scope? As the University itself has noted, “Over time, the EDW will aggregate all of the organisation’s core data in one place…making the EDW a very attractive target for anyone with nefarious intent..” (EDW security policy, as per below).
• Key considerations: How student data will be pulled from sources outside the EDW, across and into the system before it is presented for business purposes. Proposals to encrypt student data at rest in the EDW (namely in the Staging & Foundation Layer, the part of the system that holds the whole data set). How student data in the EDW will be exported to workstations for business use.

EUCLID
• What is the nature of this system? Edinburgh University Complete Lifecycle Integrated Development.
• Why is it included in scope? EUCLID is the University’s Student Record System, the core system that the University uses to manage student (and prospective student) data.
• Key considerations: How encryption could be applied to each layer of EUCLID and central business services.

Central business services related to EUCLID
• What is the nature of this system? Accommodation Services; Counselling; Online Learn.
• Why is it included in scope? These services relate to EUCLID and as such are amongst the key business services provided by central ISG.
• Key considerations: As for EUCLID.

Page 7

Executive Summary 3: Protecting student data (1/2)

The University of Edinburgh’s approach to Information Security is to ‘facilitate the protection of the University’s information and technology services against compromise of its confidentiality, integrity and availability… [whilst recognising] the ability to discover, develop and share knowledge must be maintained.’ [1] In line with this overall objective, the purpose of this report has been to help identify how encryption could provide a control benefit to student data at rest in the systems in scope for this engagement, in the event of logical (e.g. phishing, malware) or physical (e.g. theft) unauthorised access to that data. On this basis, from the work that we have conducted, we would recommend that:

1. The University should continue to pursue the Oracle Advanced Security solution for the EDW, as the control benefit will be high and the indicative costs will be low (additional measures are required to help maximise the control benefit):

   EDW1: Oracle Advanced Security provides Transparent Data Encryption (TDE). Comments:
   • Straightforward to implement
   • Allows data encrypted at rest to be presented to the BI tools (Access Layer)
   • Uses ‘Oracle Wallet’ for key management, reducing reliance on manual processes
   • Approach to key management will require consideration to maximise security benefits; a range of additional measures will be required.
   • With additional measures in place (as per slide 14), will help to mitigate against all 5 key threats identified in this report.

2. For a strategic solution (it could be used in relation to the EDW and, over time, EUCLID and related business services) the University should conduct a detailed costings analysis of a Data Security Platform (DSP). Control benefits will be high; indicative costs will be high also:

   AP2: Data security platform (DSP). Comments:
   • Conceptually, a DSP sits between an application and database. All data generated by the application is piped through the DSP, which encrypts the data before it is stored in the database. The data is decrypted and passed back to the application when requested.
   • Allows data to be encrypted at rest. When data is required in the BI tools, data will be presented in a readable form (all of this is managed by the DSP).
   • Requires thorough testing of underlying applications (non-trivial) and substantial investment
   • Will help to mitigate against all 5 key threats identified in this report.

[1] University of Edinburgh Information Security Policy, January 2018. Please note, all costs in the report (including in the Executive Summary) are relative costs only.

Page 8

Executive Summary 4: Protecting student data (2/2)

3. In the interim, or in the event that you do not pursue a Data Security Platform to help protect Applications, the University should consider the following alternative controls:

   EUCLID: Applications – proposed alternative / interim controls. Comments:
   • A DSP solution (previous slide) could be employed here, although customisation costs will be high given the range of applications used across EUCLID and related business services.
   • Alternative controls could include network segmentation, privileged access management, USB controls and full web filtering.
   • Indicative costs of these alternative controls would be high; they would help to mitigate against phishing, malware and USB download threats (only).

4. Although encryption for data at rest has been enabled on the centrally managed workstations in the University, we believe additional measures would help to protect student data at rest:

   EUCLID: Workstations – proposed additional measures. Comments:
   • ‘Bitlocker’ encryption has already been enabled on centrally managed workstations; additional controls to help mitigate data loss from workstations include Data Loss Prevention controls, full web filtering and USB controls.
   • Indicative costs are high; these controls would help to mitigate against phishing, malware and accidental loss.

5. We do not believe that encryption of data at rest at the storage layer should be pursued, as it achieves low control benefit only (it only helps to prevent physical theft of a device, e.g. a hard drive).

6. The University's back-up solution for Oracle Databases does not currently support encryption. The University's back-up solution is due to be replaced in the near future; a decision regarding encryption options should be taken following solution selection.

Page 9

Executive Summary 5: Suggested next steps

We have set out below an outline project plan for how the University of Edinburgh could take forward next steps as it continues to focus on the protection of student data in the systems in scope for this engagement. We have focused on the potential use of ‘Oracle Advanced Security’ which the University continues to consider as part of its overall strategy. The University may choose to carry these actions out in another sequence, or run these in parallel dependent on the University's project management methodology. The timelines below are estimates, with delivery dependent on the resources, effort and focus applied to the project.

Activities & Milestones (indicative timeline: January – March 2019; April – June 2019; July – September 2019)

1. Testing – Oracle Advanced Security for EDW
• Build test plan/case
• Testing Oracle Advanced Security
• Solution Assessment / Alternative Solution Procurement

Encryption Implementation Project for EDW
• Initiate Project
• Define & Agree Scope
• Understand integrations between Foundation, Staging & Access DBs for Encryption
• Develop Restore procedures
• Acceptance Testing
• Apply Encryption

Security Management for Encryption
• Develop and Implement Key Management Procedures
• Develop and Implement Master Key Management Procedures
• Training & Awareness

Alternative Controls
• Investigate / Deploy Web Filtering and supporting procedures
• Investigate / Deploy Workstation controls and supporting procedures
• Investigate / Deploy and Configure Data Loss Prevention Technologies

Page 10

Section 2.1: Protecting student data in the Enterprise Data Warehouse

Page 11

Protecting student data in the EDW (1/5)

The Enterprise Data Warehouse (EDW) will utilise data from a number of source systems that hold student data (*systems in scope still to be confirmed). The consolidated data will be held in the EDW ‘Staging and Foundation Layer’ and will be accessed via the ‘Access Layer’ using Business Intelligence Reporting tools (SAP BI, PowerBI and ‘QlikView’).

The intent of the EDW is to provide reporting based on enterprise data (e.g. finance, forecast planning) to business users across the University. At a high level, this slide sets out the planned flow of student data from source applications to workstations, and the ISG’s proposed approach to encryption across these stages.

Figure (planned flow of student data; the diagram did not survive extraction, only its labels): Student data sources (EUCLID, Accommodation services, Other student systems [1]; student data, other data) -> EDW Staging and Foundation layer (Oracle database; staging layer, foundation layer, core EDW data; encrypted) -> Access layer (student BI data; encrypted) -> Workstations (EDW business user; unstructured student data;unencrypted).

At present, data in the source applications is not encrypted at rest, but will be encrypted in transfer, as it goes from source to the EDW… It is then proposed that student data at rest in the DB will be encrypted… then encrypted in transit at the access layer. Finally, if exported to workstation(s), student data will not be encrypted.

Identified threats at each stage:
- Student data sources: phishing, malware, and USB download (threats could originate from a workstation, or from physical and logical access to servers, where USB is enabled).
- Staging and Foundation layer (DB): phishing, malware, USB download and physical theft (threats could originate from a DBA workstation, or an individual with physical and logical access to the server, where USB is enabled).
- Access layer: phishing, malware, USB download and physical theft (threats could originate from a DBA workstation, or physical and logical access to servers).
- Workstations: phishing, malware, accidental email loss, USB download and physical theft (all threats originate on the workstation).

[1] As proposed under the ‘University of Edinburgh Enterprise Data Warehouse security policy’, November 2017.

Page 12

Protecting student data in the EDW (2/5)

Focus on Staging and Foundation layers and Access layer – Oracle Database

The EDW security policy (from the ISG) proposes that data at rest in the databases at the Staging and Foundation layers of the system is encrypted. With this in mind, PwC has assessed four options below to help identify the control benefit that encryption could provide to the student data at rest in the EDW (in the event of unauthorised access). All options below will allow data encrypted at rest to be decrypted before it is presented to the BI tools in the Access Layer (a pre-requisite for the ISG regarding the EDW; for the third option, this applies to Linux servers only).

Option EDW1: Oracle Advanced Security provides Transparent Data Encryption (TDE)
Detail: • TDE encrypts data as it is written to application tables, and decrypts the data as it is read from application tables.
Pros: • Allows data encrypted at rest to be presented to the BI tools in the Access Layer in readable form.
Cons: • Personnel with high-privilege accounts could still access data (absent other controls). • Specific to Oracle, so any future databases provided will either need to use Oracle also, or alternative controls will need to be considered.

Option EDW2: Data Security Platform
Detail: • Data encrypted or tokenised at this level remains protected at lower layers of the stack (e.g. DB).
Pros: • Allows data encrypted at rest to be presented in readable form to the BI tools in the Access Layer. • Can be used with a variety of apps (unless very old), not just Oracle. • Could be ‘scaled’ more easily than the option above.
Cons: • Requires thorough testing of underlying applications (non-trivial). • Requires substantial investment.

Page 13

Protecting student data in the EDW (3/5)

Focus on Staging and Foundation layers and Access layer – Oracle Database

Option EDW3: Apply Full Disk Encryption (server)
Detail: • Encrypts the hard drive partitions.
Pros: • One of the simplest methods of deploying encryption. • Allows data to be presented to BI tools (for Linux servers only).
Cons: • Non-physical threats are not mitigated.

Option EDW4: SAN storage encryption (bit by bit at the storage level)
Detail: • Encrypts data as it is written to storage, and decrypts data as it is read from storage.
Pros: • Encrypts the whole virtual machine, helping to mitigate against unauthorised logical and physical attacks.
Cons: • May not be applicable to the current network storage configuration and may require separate infrastructure. • Difficult to back up and restore; requires decryption before any restore.

Recommendations:

• The University should continue to pursue the Oracle Advanced Security solution for the EDW, as the control benefit will be high and the indicative costs will be low (additional measures are required to help maximise the control benefit; these include consideration given to key management in line with slide 15).

• For a strategic solution (it could be used in relation to the EDW and, over time, EUCLID and related business services) the University should conduct a detailed costings analysis of a Data Security Platform (DSP). The control benefits of such a solution would be high, but so too would the costs of implementation and testing (especially where legacy apps are involved).

• We do not believe that encryption of data at rest at the storage layer should be pursued, as it achieves low control benefit only (it only helps to prevent physical theft of a device, e.g. a hard drive).

Page 14

Protecting student data in the EDW (4/5)

Reviewing the (proposed) flow of student data into and out of the EDW

Given the strategic role that the EDW will play across the University it is important to view each stage involved in the flow of student data into and ultimately out of the EDW (as it relates to data at rest). The below outlines how the potential threats to each stage / layer could be mitigated either by encryption or by an additional / alternative control:

Student data sources* (Application layer)
- Encryption proposed under EDW security policy? Not at rest, but in transit.
- Key proposed alternative / additional controls: • Restrict capability of data source (e.g. EUCLID) to export data to limited authorised users only. • Whitelist EDW IP addresses for feed of data from sources.

Staging & Foundation layer (Oracle database)
- Encryption proposed under EDW security policy? Yes, at rest and in transit.
- Key proposed alternative / additional controls: • Access controls proposed in EDW security policy, DBA access only.

Access Layer (Database, separate to Staging & Foundation)
- Encryption proposed under EDW security policy? Yes, at rest and in transit.
- Key proposed alternative / additional controls: • Access controls proposed in EDW security policy (including role of Data Steward).

Workstation (EDW business users/DBAs)
- Encryption proposed under EDW security policy? Not covered, but ‘Bitlocker’ encryption already in place.
- Key proposed alternative / additional controls: • Multi-factor auth. for DBA users • Enforced confidential file password protection • DLP controls • Targeted user awareness and training • USB controls

*Note: not part of the EDW

Recommendations:

• Although encryption for data at rest has been enabled on the centrally managed workstations in the University, we believe additional measures (as outlined above) would help to protect student data at rest.

Page 15

Protecting student data in the EDW (5/5)

Focus on key management

As the ISG is aware, the importance of key management in encryption (as data is encrypted and then decrypted for use) cannot be over-stated. We have therefore outlined below the different stages that make up the lifecycle of key management, to help inform the ISG’s approach to encryption regarding both the EDW and EUCLID and related business services.

Key management lifecycle (figure: Generation -> Operation -> Revocation -> Renewal -> Escrow):

1. Generation – how will the keys be generated for use? Which roles will generate them?
2. Operation – have you considered the operation of a key, noting that each key will be live for a specific time period only?
3. Revocation – in the event that a key is compromised, how will you revoke it?
4. Renewal – have you considered the measures required when a key expires?
5. Escrow – in the event that you lose a key, do you have a back-up position?

It is noted that ‘Oracle Advanced Security’, which the University is currently reviewing in respect of the EDW, will manage all of the stages above.

PwC would recommend that a broad range of controls are used to help protect every stage of the key management lifecycle. Defined roles should be set for those responsible for key management, with consideration given to:

- Enhanced pre-employment screening
- Robust physical security controls (such as safes, keys held in different compartments, biometrics used to access safes)
- Detective controls to help manage the lifecycle (e.g. the ability to monitor if keys are deleted).
- Integration of processes relating to key management into the University’s incident management processes, i.e. development of relevant playbooks, scenario exercising.
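The DSP pattern described in the Executive Summary (slide 7: data is encrypted before it is stored in the database and decrypted on the way back to the application) and the five lifecycle stages above can be made concrete in a small program. The Go code below is an added illustration for this page, not code from PwC, the University or Oracle; it uses only the standard library's AES-256-GCM. The names Vault, Store, Load, RawRecord, Escrow, CanRecover and Rotate, the in-memory map standing in for the Oracle database, and the sample student record are all the example's own assumptions. The data encryption key (DEK) is stored wrapped under a master key (envelope encryption), which is the role a wallet-held master key plays in the kind of key management slide 7 mentions; the example does not model the fixed operating period of stage 2 and does not reproduce Oracle's implementation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// randomBytes draws n bytes from the OS CSPRNG; used for keys and nonces.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds an AES-256-GCM cipher; a wrong key length is a programming error.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts plaintext under key and prefixes the fresh 12-byte GCM nonce.
func seal(key, plaintext []byte) []byte {
	gcm, nonce := aead(key), randomBytes(12)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails if the key is wrong or the ciphertext was altered.
func open(key, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Vault stands in for the DSP and its key store: the DEK is held wrapped under a
// master key (envelope encryption) and the database map only ever holds ciphertext.
type Vault struct {
	master, wrappedDEK []byte
	db                 map[string][]byte // constructed stand-in for the Oracle database
}

// NewVault is the Generation stage: a fresh master key wrapping a fresh DEK.
func NewVault() *Vault {
	m := randomBytes(32)
	return &Vault{master: m, wrappedDEK: seal(m, randomBytes(32)), db: map[string][]byte{}}
}

// dek unwraps the DEK; failure means the key store was altered, so fail closed.
func (v *Vault) dek() []byte {
	k, err := open(v.master, v.wrappedDEK)
	if err != nil {
		panic("key store integrity failure: " + err.Error())
	}
	return k
}

// Store encrypts a field value before it reaches the database.
func (v *Vault) Store(id, value string) { v.db[id] = seal(v.dek(), []byte(value)) }

// Load decrypts a field value on its way back to the application or BI tool.
func (v *Vault) Load(id string) (string, error) {
	pt, err := open(v.dek(), v.db[id]) // an unknown id fails as "ciphertext too short"
	return string(pt), err
}

// RawRecord is what a copied database file or a DBA query yields: ciphertext only.
// Escrow copies the master key for the backup position, and CanRecover tells
// whether such a copy still unwraps the current DEK (it will not after Rotate).
func (v *Vault) RawRecord(id string) []byte { return v.db[id] }
func (v *Vault) Escrow() []byte            { return append([]byte(nil), v.master...) }
func (v *Vault) CanRecover(escrowed []byte) bool {
	_, err := open(escrowed, v.wrappedDEK)
	return err == nil
}

// Rotate serves both Renewal (scheduled) and Revocation (on suspected compromise):
// every record is re-encrypted under a fresh DEK and a fresh master key wraps it.
func (v *Vault) Rotate() error {
	old, fresh, master := v.dek(), randomBytes(32), randomBytes(32)
	for id, ct := range v.db {
		pt, err := open(old, ct)
		if err != nil {
			return err
		}
		v.db[id] = seal(fresh, pt)
	}
	v.master, v.wrappedDEK = master, seal(master, fresh)
	return nil
}
```

Two things the slides state but do not show fall out of running this: a copy of the database (RawRecord) contains nothing readable without the vault, and an escrow copy of the master key taken before a rotation no longer unwraps the new DEK, so the backup position of stage 5 has to be refreshed every time stage 3 or 4 runs.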

Page 16

Section 2.2: Protecting student data in EUCLID and central business services

Page 17

Protecting student data in EUCLID and central business services (1/5)

1. [xxx]

For EUCLID and related business services we have reviewed how student data in each layer could be protected:

- where we believe encryption could provide a control benefit,
- where we believe measures in addition to encryption are required, or
- where we believe alternatives to encryption should be considered from a cost / resource perspective.

The below table sets out, at a high level, the different layers involved and how encryption could be applied (for illustrative purposes).

Application Layer
The University’s systems typically present information to the end user through a graphical user interface. This includes the EUCLID, Accommodation Services and Online LEARN applications with their underlying databases.
Encryption applied at the Application layer protects information within all the ‘layers’ below it. While application-level encryption offers the most security, it is typically difficult, costly and may be time-intensive to implement.

Database Layer
Refers to the underlying databases and structured data that is accessed by the applications. This includes the Oracle and SQL databases that hold the data that is read and written by the application itself. The ‘Counselling’ system currently utilises a database for administrative and reporting purposes.
Database encryption, such as TDE, can protect the underlying information within the database tables from physical theft and from unauthorised logical access to the server flat files that make up the database (for example, a criminal gains unauthorised access to the database server, and copies and transfers the database outside of the University environment).

Storage Layer
Refers to the physical disks and storage media that hold data used by the applications and databases. These are hosted within the two primary data centres within the University.
Full-Disk Encryption at the storage level protects against the physical loss of storage media. Storage Area Network (SAN) level encryption can also be applied to protect Virtual Machine environments.

Back Up Layer
This refers to the back-up procedures used to replicate systems / data in the event they need to be restored. The University uses the Easter Bush campus as its back-up site.
Encryption at the back-up layer protects the back-up media against physical theft.

Business End Users / Workstation layer

Page 18

Protecting student data in EUCLID and central business services (2/5)

These slides set out options for encryption at each of the layers in scope for these systems, whether the option would help to mitigate the threats in scope for this review, and an indicative cost of each option, relative to the other options proposed:

Columns: Layer / service; Option; Does the option help to mitigate threats leading to data loss? (Phishing; Malware; Accidental loss via email; USB drive; Physical theft); Pros; Cons; Cost (relative).

Apps – AP1: Re-code high risk apps to encrypt underlying sensitive data.
Mitigates: Phishing No; Malware No; Accidental loss via email No; USB drive No; Physical theft Yes
Pros: • Data encrypted at application level remains protected at the lower layers of the stack. • Can be a good opportunity to modernise legacy apps.
Cons: • Requires significant effort. • Potentially significant costs for re-coding. • Increased likelihood of business disruption.
Cost: £££

Apps – AP2: Implement a data security platform; this sits between the application and the database and encrypts data at the app layer.
Mitigates: Phishing Yes; Malware Yes; Accidental loss via email Yes; USB drive Yes; Physical theft Yes
Pros: • Data encrypted at this level remains protected at lower layers of the stack (e.g. DB). • Does not require substantial re-architecting of apps.
Cons: • Requires thorough testing of underlying applications (non-trivial). • May require substantial investment to avoid latency issues.
Cost: £££

Database – DB1: Transparent Data Encryption (TDE) (broadly, as per slide 12)
Mitigates: Phishing Yes; Malware Yes; Accidental loss via email Yes*; USB drive Yes; Physical theft Yes
Pros: • Does not require substantial re-engineering of existing apps and infrastructure.
Cons: • Specific to Oracle; in the event other apps are used a new solution will be required.
Cost: £££

Database – DB2: Data tokenization solution; sits between the apps and database layers and swaps actual data values with a token, which is then used in database operations.
Mitigates: Phishing Yes; Malware Yes; Accidental loss via email Yes; USB drive Yes; Physical theft Yes
Pros: • Does not require major changes to the existing applications and databases. • Low potential for business disruption.
Cons: • Relative to other options, costs can be high (as it is required in front of each potential instance in scope).
Cost: ££££

* Where the compromised user does not have authorised access to sensitive data.
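Option DB2 above describes a tokenization layer that swaps real values for tokens which are then used in database operations, with the footnote that a compromised account gains nothing unless it is authorised to see the sensitive data. The Go program below is an added sketch of that pattern for this page, not PwC's code or any vendor's product: TokenVault, Tokenize, TokenFor, Detokenize, Row, Insert, FindByName, the role names and the sample rows are all constructed for the example. Tokens are random, so the database (here a slice of Row) never holds anything derivable from the student data, while the one-token-per-value rule keeps equality lookups working without detokenizing.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// TokenVault stands in for the tokenization service that sits between the
// applications and the database. Real values live only here; the database is
// handed opaque tokens, so a copied table or a DBA query yields no student data.
type TokenVault struct {
	byValue map[string]string // "field:value" -> token, so equal values share a token
	byToken map[string]string // token -> value, consulted only on Detokenize
	allowed map[string]bool   // roles permitted to detokenize
}

// NewTokenVault creates an empty vault; only the listed roles may detokenize.
func NewTokenVault(detokenizeRoles ...string) *TokenVault {
	v := &TokenVault{byValue: map[string]string{}, byToken: map[string]string{}, allowed: map[string]bool{}}
	for _, r := range detokenizeRoles {
		v.allowed[r] = true
	}
	return v
}

// Tokenize returns the token for a field value, minting a random one on first
// sight. Tokens are random rather than derived from the value, so they reveal
// nothing about it; reusing one token per (field, value) keeps equality joins
// and lookups working in the database without ever revealing the value.
func (v *TokenVault) Tokenize(field, value string) string {
	key := field + ":" + value // scoped per field so equal values in different columns do not link
	if tok, ok := v.byValue[key]; ok {
		return tok
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	tok := "tok_" + hex.EncodeToString(b)
	v.byValue[key], v.byToken[tok] = tok, value
	return tok
}

// TokenFor is the read-only lookup used by queries: it never mints a token.
func (v *TokenVault) TokenFor(field, value string) (string, bool) {
	tok, ok := v.byValue[field+":"+value]
	return tok, ok
}

// Detokenize swaps a token back for the real value, but only for an authorised
// role; a compromised account without that role gets nothing usable.
func (v *TokenVault) Detokenize(role, token string) (string, error) {
	if !v.allowed[role] {
		return "", errors.New("role " + role + " is not authorised to detokenize")
	}
	value, ok := v.byToken[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return value, nil
}

// Row is a record as the database stores it: the matriculation number stays in
// clear as the key and the sensitive fields are tokens (constructed stand-in for
// a EUCLID table).
type Row struct{ Matric, NameToken, DOBToken string }

// Insert runs the tokenization step before the row reaches the database.
func Insert(v *TokenVault, db []Row, matric, name, dob string) []Row {
	return append(db, Row{Matric: matric, NameToken: v.Tokenize("name", name), DOBToken: v.Tokenize("dob", dob)})
}

// FindByName shows that equality queries still work against tokens: the search
// term is looked up in the vault, then matched in the database as-is.
func FindByName(v *TokenVault, db []Row, name string) []string {
	tok, ok := v.TokenFor("name", name)
	if !ok {
		return nil
	}
	var matrics []string
	for _, r := range db {
		if r.NameToken == tok {
			matrics = append(matrics, r.Matric)
		}
	}
	return matrics
}
```

TokenFor is deliberately read-only: a query for a value the vault has never seen returns nothing rather than minting a token, so speculative queries cannot grow the vault. The per-field scoping in Tokenize matters for the table's own data, where a date of birth and a name column could otherwise end up sharing a token if their strings ever coincided.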

Page 19

Protecting student data in EUCLID and central business services (3/5)

Columns: Layer / service; Option; Does the option help to mitigate threats leading to data loss? (Phishing; Malware; Accidental loss via email; USB drive; Physical theft); Pros; Cons; Cost (relative).

Storage – S1: Full Disk Encryption (FDE) encrypts data as it is written to storage, and decrypts data as it is read from storage.
Mitigates: Phishing No; Malware No; Accidental loss via email No; USB drive No; Physical theft Yes
Pros: • One of the simplest methods of deploying encryption
Cons: • Performance may be negatively impacted. • Limited threat reduction
Cost: ££

Recommendations:

For EUCLID and the other services, we believe that the University should consider:

- AP2 Data Security Platform as part of a strategic solution for encrypting student data at rest, as it could cover both the EDW and EUCLID (and related business services) systems.
- The other options will either involve implementation and/or running costs that are high, or offer only limited control benefits against the threats in scope for this engagement.
- In the event that the University decides not to pursue a Data Security Platform (at the Application level), or as an interim position, we have identified alternative controls (outlined on the following slides) that may help to protect student data at rest in the systems in scope for this engagement.

Page 20

Protecting student data in EUCLID and central business services (4/5)

Where we believe encryption will not provide a control benefit, or where we believe additional controls would help to mitigate the key risk of data loss, we have set out below alternative or additional controls to help protect student data at rest in each layer of EUCLID and related services:

Columns: Layer/service where additional or alternative controls could be introduced | Option | Does the option help to mitigate threats leading to data loss? (Phishing, Malware, Accidental loss via email, USB drive, Physical theft) | Pros | Cons | Cost¹

Workstations
Data Loss Prevention controls
Mitigates: Phishing Yes | Malware Yes | Accidental loss via email Yes | USB drive No | Physical theft No
Pros:
• Helps to mitigate the impact of both data compromise attacks and incidents caused by human error.
Cons:
• Requires significant business ‘buy in’ and support.
Cost: £££

USB controls
Mitigates: Phishing No | Malware No | Accidental loss via email No | USB drive Yes | Physical theft No
Pros:
• In addition to helping to prevent data loss, can help mitigate ‘rogue device’ attacks against an IT estate.
Cons:
• Requires significant business ‘buy in’ and support.
Cost: ££

Targeted end user awareness & training
Mitigates: Phishing Yes | Malware Yes | Accidental loss via email Yes | USB drive Yes | Physical theft Yes
Pros:
• Relative to other options, implementation and roll-out is straightforward.
Cons:
• Can be difficult to measure effectiveness.
Cost: £

Full web filtering
Mitigates: Phishing Yes | Malware Yes | Accidental loss via email No | USB drive No | Physical theft No
Pros:
• Helps to mitigate a wide range of commodity attacks including phishing, malware and ransomware.
Cons:
• Requires significant business ‘buy in’ and support.
Cost: ££

Applications & Databases
Multifactor Authentication
Mitigates: Phishing Yes | Malware Yes | Accidental loss via email No | USB drive Yes | Physical theft No
Pros:
• Further strengthens access control measures.
Cons:
• Increases the overhead for account recovery.
Cost: ££

Network segmentation
Mitigates: Phishing Yes | Malware Yes | Accidental loss via email No | USB drive No | Physical theft No
Pros:
• Helps to mitigate a wide range of network compromise attacks.
Cons:
• Expensive, and requires significant business and technology change.
Cost: ££££

Page 21

Protecting student data in EUCLID and central business services (5/5)

Columns: Layer/service where additional or alternative controls could be introduced | Option | Does the option help to mitigate threats leading to data loss? (Phishing, Malware, Accidental loss via email, USB drive, Physical theft) | Pros | Cons | Cost¹

Applications & Databases (continued)
Privileged Access Management
Mitigates: Phishing Yes | Malware Yes | Accidental loss via email No | USB drive No | Physical theft Yes
Pros:
• Once in place, significant access control benefits can be achieved.
Cons:
• Requires significant business resource and support.
Cost: £££

Storage
Targeted User Awareness & Training
Mitigates: Phishing Yes | Malware Yes | Accidental loss via email Yes | USB drive Yes | Physical theft Yes
Pros:
• Relative to other options, cheap.
Cons:
• Can be difficult to measure in a meaningful way.
Cost: £

¹ Costs

Indicative costs only; a full assessment of technical configuration and business inputs (e.g. testing, training) is required before deployment.

£ Low costs for initial investment and ongoing roll-out and maintenance.

££ Medium costs for initial investment and ongoing roll-out and maintenance.

£££ High costs for initial investment and ongoing roll-out and maintenance.

££££ Very high costs for initial investment and ongoing roll-out and maintenance.

Page 22

Appendices

1. Threats to student data
2. Proposed alternative controls
3. Approach
4. Previous attacks at other universities

Page 23

Appendix 1: Threats to student data

What are the key threats to student data, and how could these threats lead to the loss of data from the system?

This review of where encryption could benefit the University has been underpinned by five key threats that could result in the material loss of sensitive student data from the University. We have assessed whether encryption will help to mitigate these threats and also identified alternative controls that could be applied to ensure a ‘defence in depth’ approach to information security. The scenarios below are based on industry reporting (a survey by JISC¹ reported that the top threats faced by the HE sector were phishing and social engineering; malware; and accidental loss, respectively) as well as our understanding of the cyber threat landscape. Given the open nature of the University estate (with workstations that can access student data located across the campus), we have added scenarios relating to USB download and physical theft, respectively.

1. ‘Cyber security posture survey 2018 research findings’, https://community.jisc.ac.uk/groups/security-products-and-services/document/cyber-security-posture-survey-2018-research-findings.

Threat scenario stages: Attack, Compromise, Breach.

1: Phishing
Attack: Fake emails are sent to a user with access to the systems in scope; believing the email to be genuine, the user clicks on a link that leads to a fake webpage or malware.
Compromise: From the initial attack, the criminal acquires the log-in credentials of the genuine user, and accesses student data held on an application, or held locally on their workstation.
Breach: Compromised student data is sent out via the email channel, or uploaded via the web channel, where it is then accessed by the criminal outside the University network.

2: Malware
Attack: Via a phishing attack, fake social media or exploitation of a vulnerability, malicious software (malware) infects the workstation of a user with access to the systems in scope for this exercise holding student data.
Compromise: From the user’s workstation, the criminal gains wider access to applications holding student data, or to underlying databases, held in the University estate.
Breach: Compromised student data is sent out via the email channel, or uploaded via the web channel, where it is then accessed by the criminal outside the University network.

3: Accidental loss via email
Attack: A user downloads a set of student data from one of the systems in scope for this exercise to their local workstation (e.g. as an Excel file).
Compromise: Either with malicious intent, or by accident, the user then emails the file outside of the University environment as an attachment.
Breach: Once outside the University’s environment (and control), the file may be further copied or disseminated.

4: Download data onto USB
Attack: A user with access to the systems in scope for this exercise inserts a USB drive or similar media into their workstation.
Compromise: Student data is downloaded onto the USB drive by the user (for either legitimate reasons, or with malicious intent).
Breach: The USB drive is then removed from the University and accessed by the user or another party outside the University environment.

5: Physical theft of data
Attack: Access is gained to the University by either tailgating or by posing as another person.
Compromise: A workstation or other device holding student data is located, and removed from University premises.
Breach: The workstation or other media is then accessed by the user or another party outside the University environment.

Page 24

Appendix 2: Proposed alternative controls

Helping to reduce the risk of data loss or other compromise

On previous slides (including 14, 20 and 21) we have set out controls that the University of Edinburgh may wish to consider as an alternative to encryption (for reasons of cost, or because the control benefit achieved by encryption may be limited, or both). More detail on these controls is set out below:

Columns: Control | Detail | Industry references¹ | Comment

Web filtering
Detail: Access to websites is regulated, blocking access to sites known or suspected to be malicious (e.g. hosting malware).
Reference: UK Government’s ‘10 steps’ guidance: ‘Malware Protection.’
Comment: Given the dynamic nature of the threat, any filter needs to be continually reviewed (resources required).

Network segmentation
Detail: Segment the University network to restrict logical access to systems holding student data.
Reference: UK Government’s ‘10 steps’ guidance: ‘Network Security.’
Comment: Major project requiring input from across ISG and a wider set of stakeholders.

Privileged Access Management (PAM)
Detail: Comprehensive review of PAM across all assets holding student data, followed by new policies and controls.
Reference: UK Government’s ‘10 steps’ guidance: ‘Managing User Privileges.’
Comment: Requires identification of privileged accounts and assets, supported by a PAM policy (all of which are non-trivial tasks).

Targeted user awareness & training
Detail: In addition to generic user awareness and training, introduce more targeted user training.
Reference: UK Government’s ‘10 steps’ guidance: ‘User Education & Awareness.’
Comment: Compared to other compensating controls, relatively cheap to introduce.

DLP controls
Detail: Introduce data loss prevention tools at the endpoint, reinforced with policies.
Reference: NCSC guidance on ‘Protecting Bulk Data.’
Comment: Significant initial investment in technologies and configuration required.

Multi-factor authentication
Detail: Introduce an extra authentication factor for users accessing student data held in applications in scope for this engagement.
Reference: NCSC guidance, ‘Multi-factor authentication for online services.’
Comment: Compared to other compensating controls, relatively cheap to introduce, although maintenance costs need to be considered too.

USB (or other drive) controls
Detail: Introduce limits on the use of USB drives in the University environment (e.g. access to media ports denied by default).
Reference: UK Government’s ‘10 steps’ guidance: ‘Removable Media Controls.’
Comment: Will require a feasibility study to understand business needs for removable media before identification of appropriate controls.

1. www.ncsc.gov.uk

Page 25

Appendix 3: Approach

We have set out below a generic approach to understanding the control benefit that may be achieved from encrypting data at rest, to help the University of Edinburgh consider how other sensitive data sets could be protected.

1. Threats to data
1.1 What does the University’s threat landscape look like?
1.2 What key threats could result in the loss of sensitive data?

• Assess key threats which could lead to the exposure of data.
• This may differ depending on data type, organisational area (i.e. Schools, Central Services) and end users of data.
• Typical outputs would include identification of material threats, aligned to the University's risk appetite.
• Inputs would include:
  - CISO team
  - National Cyber Security Centre reporting
  - Open source (e.g. media)

2. Systems and Data
2.1 How is sensitive data used and where is the data held?
2.2 What information technologies support these processes?

• Determine the technologies, processes and assets used in the storage and use of critical data within the environment which should be further protected. Business use, integrations, dependencies and planned major changes should be considered too.
• Infrastructure and Production Management teams, Data Owners, end users and vendors should also be consulted to understand the flow of data and the use case of systems.

3. Protecting data

3.1 Encryption: How could you apply encryption to these systems?

• Understand the technical architecture of the solutions and the layers at which encryption could be applied that meet the requirements for increasing the security of the data without significantly impacting usability.
• Consider which of the threats identified present the greatest concern (could lead to a material risk) and how encryption could best mitigate the threat (or threats).

3.2 Controls: Are there alternative or additional controls to consider?

• A ‘defence in depth’ approach should be considered, and several controls would serve to further protect the University’s information assets.
• Review the current control environment to understand what mitigating controls are already in place; these may include preventative technical controls, business processes and physical protections. Ongoing security programmes should also be considered.

Page 26

Appendix 4: Previous Cyber Attacks at UK Universities

Columns: Who did it impact | Attack methodology | Aim of attacker | Details

Multiple UK Universities, August 2018
Attack methodology: Hackers created fake websites that resembled login pages for each university. Believing them to be legitimate, students would enter their login credentials on these sites, before being redirected to the legitimate website to disguise the attack.
Aim of attacker: To steal unpublished research and intellectual property from Universities.
Details: NCSC believed those responsible to be linked to the Iranian government, as part of a major campaign targeting 76 universities in 14 countries.

Oxford University, University of Warwick and UCL included in a group attacked in 2017
Attack methodology: Ransomware, phishing emails and denial of service attacks.
Aim of attacker: To steal research data and documents to sell to the highest bidders.
Details: Cyber criminals interested in defence technologies and research into novel fuels and better batteries.

Multiple UK Universities including Aberdeen University, October 2018
Attack methodology: Phishing emails appearing to be from HMRC offering fake tax refunds. The link takes the individual to a fake HMRC website where payment details are taken. Emails were distributed from legitimate university email addresses to avoid detection.
Aim of attacker: To steal money.
Details: The largest direct attack the tax body has seen, with thousands of fraud attempts.

University in the North of England, 2017
Attack methodology: Staff targeted by phishing emails in an attempt to change account details on the HR system.
Aim of attacker: To redirect wage payments in a money laundering scheme.
Details: Students at other universities were used as mules to receive payments.

UCL, 2017
Attack methodology: Ransomware attack deployed through phishing emails with links to destructive software.
Aim of attacker: To steal money and cause disruption for students.
Details: Attack launched at a critical study time, to increase the chance of payment.

Page 27

This is a draft prepared for discussion purposes only and should not be relied upon; the contents are subject to amendment or withdrawal, and our final conclusions and findings will be set out in our final deliverable.

This document has been prepared only for University of Edinburgh and solely for the purpose and on the terms agreed with University of Edinburgh in our agreement dated 12 November 2018. We accept no liability (including for negligence) to anyone else in connection with this document, and it may not be provided to anyone else. In the event that, pursuant to a request which University of Edinburgh has received under the Freedom of Information (Scotland) Act 2002 or the Environmental Information Regulations 2004 (as the same may be amended or re-enacted from time to time) or any subordinate legislation made thereunder (collectively, the “Legislation”), University of Edinburgh is required to disclose any information contained in this document, it will notify PwC promptly and will consult with PwC prior to disclosing such document. University of Edinburgh agrees to pay due regard to any representations which PwC may make in connection with such disclosure and to apply any relevant exemptions which may exist under the Legislation to such report. If, following consultation with PwC, University of Edinburgh discloses this document or any part thereof, it shall ensure that any disclaimer which PwC has included or may subsequently wish to include in the information is reproduced in full in any copies disclosed.

© 2018 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.