Security Problems (and solutions?) with Individual Users Sharing Stanford Data on Box, Google, etc.

Proposed by Phil Farrell

Notes

This session is intended to complement the later session on best practice on access rights on file servers.

 

All throughout the university, we have big contracts with cloud storage vendors. There is a huge degree of adoption, but it is unclear how users are actually using the services and if they are doing so according to security guidelines. Can we discuss (1) technical and (2) cultural things we can do to make sure services are used effectively without causing security problems?

 

Problem: People with no technical background do not realize the implications of their actions and can expose us to security threats.

 

  • Cloud storage is more of a democratic tool than network file sharing.

  • The feature set is not well understood by most users.

 

Is there a cultural solution?

 

Can we have a tool that can help them through the right way to set this up? In the current state there is NO baseline of training or guidance.

 

Phil feels strongly about a cultural solution. We need to get the message out and pound on it. We must have more thorough education about which data fits into which categories.

 

Do safety team monitors serve as a model?

 

The true challenge is reviewing and actively managing.

 

Is there a technical solution?

 

Some units pre-provision by putting limitations on users’ activity. There are tools within Box (Medicine Box) to curb use. Pre-provisioning with rules and constraints.

 

Medicine leads the way with Medicine Box (totally different instance). Medicine Box cannot connect to the system without being on an encrypted computer.

 

Code Green is a service deployed to detect risks.

 

Active management is required. Otherwise the initial secure setup is often overrun by users' jerry-rigs.

 

Who has visibility into other sharing that has occurred? According to the Box website, there is an enterprise admin report that can be run for permissions.

 

We need a way to see what our groups are doing, and we need the cooperation of UIT, who have control over the macro tools. Can we also investigate the use of APIs to create custom reports that reflect sharing?

 

Exposure occurs when people leave for elsewhere, AND when they use their own services rather than the university-approved applications.

 

Users need to know what the difference is between the roles.

 

Need monitoring. People come up with their own ad hoc solutions.

 

Is there a master monitoring tool that generates reports on where stuff was generated?

 

Path of least resistance is key. People will not listen to urging to review settings, and there needs to be an active tool to monitor it.

 

UIT has been reticent to direct users to single vendors. But users also need guidance for what tool to use for the sake of efficiency (not just security).

 

Research data is also being put on the cloud in the absence of a clear solution.

 

We need best practice guides, and how-to wizards. We are pleading with people in central IT to lead the way to finding a solution.

 

Manage: time and resources are needed.

 

Docushare was managed. There are no best practices for Box or Google.

 

Secret file storage access is controlled through a workgroup manager.

 

Bottom Line

  1. Reporting tool

  2. Guides and best practices.

  3. It needs to be actively managed

  4. Cultural solution in addition.

 

Should the university adopt the Medicine model?

 

Can we get logs from Box?

 

There are fewer hurdles in Box and Google to users setting up their own systems.

 

Name the folders with an indication of who the intended audience is. That can augment the audience audit.