CIA (BIV) Classification

First version: 2022-03-29
Last updated: 2023-11-06
Last change(s): Added the 'wrong Accountable' threat and mitigation under Threats and Vulnerability Analysis.

Summary

CIA stands for Confidentiality, Integrity (of data) and Availability; BIV is the Dutch equivalent (Beschikbaarheid, Integriteit, Vertrouwelijkheid). The Workspaces on anDREa's myDRE are suitable for work that requires a CIA classification of:

Confidentiality:
HIGH
Integrity:
MEDIUM
Availability:
MEDIUM

Confidentiality HIGH implies:

  1. Every login requires MFA, also on-premises
  2. Role-based access
  3. Data encryption in transit and at rest
  4. Data can only be extracted from a Workspace with authorization
  5. No production data is used for testing
  6. Each storage account has its own encryption key, managed by Microsoft Azure services
  7. No data is stored on local devices, except for extracted data
  8. Physical access to storage and compute, and the destruction of media, are governed by Microsoft Azure data center policies

Integrity of data MEDIUM implies:

  1. A check on the data ingest by the executor performing the ingest is sufficient; it is assumed that there is:
    1. No need for the ingest to be checked by a second executor
    2. No need for authorization on the mutation of data
  2. The correction response time is 1 workday; it is assumed that there is:
    1. No need for immediate recovery after an issue is ascertained (if self-service restore of a snapshot is not sufficient)
MEDIUM may sound low; please observe that IT systems for Intensive Care (IC) are rated HIGH. The IC and myDRE integrity requirements are not on the same level.

Availability MEDIUM implies:

  1. A 30-day rolling set of daily read-only snapshots of the data share; it is assumed that there is:
    1. No need to mirror data to a different data center
    2. No need to back up VMs, because:
      1. The Workspace data share is independent of any VM
      2. Losing a VM has no impact on the data stored on the data share
      3. Microsoft Azure has high availability
      4. VMs can be restored relatively quickly with the necessary applications
      5. An image gallery that allows self-service creation of VM images will be available in the near future
      6. The costs are not justified by the numbers thus far
MEDIUM may sound low; please observe that IT systems for Intensive Care (IC) are rated HIGH. The IC and myDRE availability requirements are not on the same level.


When a higher classification is needed

If a higher classification is required for a specific Workspace, it is the responsibility of the Workspace Accountable to ensure that the higher requirements are demonstrably implemented and maintained. Where possible, the Support Team will assist in implementing the higher requirements for that specific Workspace via a non-standard change or project request. Please submit a ticket.

Threats you must mitigate yourself

Threat: Not withdrawing authorizations in time
Mitigation: Active policy by Workspace members in the roles Accountable and Privileged Member
Remaining probability: Very low

Threat: Functional manager not available for access to, and applications in, the Workspace
Mitigation: For applications on VMs and for access to the Workspace, a minimum of two Functional Managers who are members of the Workspace
Remaining probability: Very low

Threat: Self-upload of infected files
Mitigation: Exposure is limited to the member's own data; standard Windows Defender; own virus scanners possible
Remaining probability: Very low

Threat: Data breach
Mitigation: Being able to install software yourself minimizes the need to egress data from the Workspace for processing. In many cases, being able to (temporarily) scale up compute removes the need to egress data from the Workspace. Data in the standard Workspace can only be extracted via an authorization workflow with the permission of someone in the Accountable or Privileged Member role
Remaining probability: Very low



Detailed

Introduction

myDRE is a solution for organizations employing researchers. The anDREa myDRE provides secure collaboration workspaces primarily for processing and analyzing data in a research context as can be found in University Medical Centers (UMCs).

myDRE is provided as-a-Service to any organization having a Microsoft Azure billing contract. 

Data processed and/or analyzed in the workspaces, though not always sensitive if exposed to the outside world, should only be accessed and/or changed by authorized users and/or processes. Hence the importance of information security.

Information security is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or at least reducing the probability of unauthorized/inappropriate access, use, disclosure, disruption, deletion/destruction, corruption, modification, inspection, recording or devaluation, although it may also involve reducing the adverse impacts of incidents. Information may take any form, e.g. electronic or physical, tangible (e.g. paperwork) or intangible (e.g. knowledge).

Information security's primary focus is the balanced protection of the confidentiality, integrity and availability of data (also known as the CIA/BIV triad) while maintaining a focus on efficient policy implementation, all without hampering organization productivity. This is largely achieved through a structured risk management process that involves:
  1. Identifying information and related assets, plus potential threats, vulnerabilities and impacts;
  2. Evaluating the risks;
  3. Deciding how to address or treat the risks i.e. to avoid, mitigate, share or accept them;
  4. Where risk mitigation is required, selecting or designing appropriate security controls and implementing them;
  5. Monitoring the activities, making adjustments as necessary to address any issues, changes and improvement opportunities.

Analysis of the need

For various activities, primarily but not limited to (medical) scientific research, it is necessary to receive, process and analyze data in a safe (collaborative) environment, and in some cases to egress it afterwards. This (collaborative) environment is referred to in the rest of this document as a Workspace.

The term Tenant in this document refers to the organization that has entered into an agreement with anDREa. anDREa-consortium develops, manages and maintains the myDRE as an environment to create Workspaces; Workspace-as-a-Service.

The Workspaces are created and managed by anDREa-consortium within the subscription(s) created by the Tenant on its own part of Microsoft Azure and made available to anDREa.
The Workspace is the responsibility of one person who has the role Accountable. This person is a) employed by the Tenant in whose subscription the Workspace is located, and b) mandated by the Tenant to request and use Workspaces. The Accountable determines the purpose, who can access when in what role, what Azure Resources can be used, what tooling and options can be used and who can do data egress.

The Workspace is data agnostic and, by default, the data used is located in the Workspace. The data in a Workspace can range from a few megabytes to terabytes in size; from images to unstructured and structured data; from public data to business-logistical to privacy-sensitive data. This is up to the Accountable. anDREa-consortium is a processor in this regard.
To ensure the integrity and confidentiality of the data / IP, and for cost control, only authorized persons and processes should have access to the specific myDRE Workspace, for data ingress, processing, analysis and egress.

By default, there are no automated links to or from servers outside the myDRE Workspace. By default, it is also not possible to access the internet from a myDRE Workspace for direct ingress or egress of data.

Users of a requested myDRE Workspace are:
  1. At least one person associated with and mandated by the Tenant (Accountable), and/or
  2. Employed by the Tenant, and/or
  3. People external to the Tenant
The myDRE Workspace must be accessible from anywhere in the world. 
It is up to the Accountable to comply with the Tenant's policy prior to commissioning a Workspace, which may require a CIA classification for the specific use. The implementation and supervision for obtaining a CIA classification are up to the Tenant.

There is no (inter)dependence of the Workspaces.

Impact analysis

Aspect "Confidentiality"

The myDRE Workspace can contain confidential information. A violation of confidentiality will lead to repair costs (improving security, communication activities, etc.), and those involved will have to be informed. Financial consequences are to be expected in the event of a breach of confidentiality, due to the mandatory reporting of a data breach. The Tenant will suffer reputational damage if confidentiality is breached.

Aspect "Integrity"

Incorrect and/or incomplete information in the myDRE Workspace means extra work for the employees involved. Potentially wrong data may be used, but this is caught by quality control, which is a standard practice in many studies, after data ingress, processing and/or analysis and before egress.
Via a self-service principle, members can restore data that was on the data share up to 30 days ago. It is not possible to overwrite data during an upload: uploaded data arrives in a separate time-stamped folder, which also makes it possible to check the upload. It is traceable who uploaded the data and when. Only members of a Workspace can upload data. Financial consequences or claims against the Tenant as a result of incorrect and/or incomplete functioning of the myDRE are not expected. There will be limited damage to the reputation of the Tenant. A loss of up to 24 hours of data is acceptable, given that the data has been available in rolling daily increments for the past 30 days.

Aspect "Availability"

myDRE unavailability means that the data in the Workspace is not accessible, cannot be processed and cannot be analyzed. No direct financial consequences are expected in the event of short-term, infrequent failures. Damage to the Tenant will result from a long-term or repeated failure of myDRE due to non-fulfilment of contracts with customers and delays in scientific collaborations. A maximum outage of 3 working days is acceptable.
 

Classification of the required work in the myDRE Workspace

Based on the consequences described in the previous chapter, and given that there is no (inter)dependence between Workspaces, the myDRE Workspace is classified for work that requires:

Confidentiality:
HIGH
Integrity:
MEDIUM
Availability:
MEDIUM

The maximum allowable outage duration of the myDRE (the period within which the information system must be operational again after an incident or calamity) is 3 working days. The maximum permissible data loss is 1 working day.
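The figures above only hold if the snapshot schedule behind them actually holds: one read-only snapshot every 24 hours (so at most a day of data can be lost) kept for a rolling 30-day window. The following is an added example, not anDREa or myDRE code, of a check that an Accountable or support engineer could run over the list of existing snapshot timestamps. It flags a newest snapshot older than the RPO, a skipped day, a window shorter than 30 days, and snapshots lingering beyond the window. The label format ("YYYY-MM-DDTHH:MMZ"), the UTC timestamps, the one-hour jitter allowance and the sample data are constructed for this illustration; how the timestamps are obtained from the platform is outside the example.

```python
"""Check that a set of snapshot timestamps delivers the protection claimed for
Integrity/Availability MEDIUM: one snapshot per 24 h, retained for a rolling
30-day window, with nothing kept beyond that window.

Added example; not anDREa/myDRE tooling. Label format and sample data are
constructed for the illustration.
"""
from datetime import datetime, timedelta, timezone

RPO = timedelta(hours=24)        # maximum permissible data loss: one day
RETENTION = timedelta(days=30)   # rolling window of daily snapshots
SLACK = timedelta(hours=1)       # assumed tolerance for scheduler jitter

# Constructed reference time used by the demo below.
EXAMPLE_NOW = datetime(2024, 3, 31, 12, 0, tzinfo=timezone.utc)


def parse_snapshot_times(labels):
    """Parse constructed labels of the form 'YYYY-MM-DDTHH:MMZ' into aware datetimes."""
    return [
        datetime.strptime(label, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)
        for label in labels
    ]


def check_snapshot_policy(snapshot_times, now, rpo=RPO, retention=RETENTION, slack=SLACK):
    """Return {'ok': bool, 'findings': [str]} for a list of snapshot timestamps.

    A finding is produced when:
      1. the newest snapshot is older than the RPO (recent data is unprotected),
      2. two consecutive snapshots are more than one RPO apart (a day was skipped),
      3. the oldest snapshot does not reach back far enough to cover the window,
      4. snapshots older than the window are still present (rolling deletion failed).
    """
    times = sorted(snapshot_times)
    findings = []
    if not times:
        return {"ok": False, "findings": ["no snapshots present"]}

    newest_age = now - times[-1]
    if newest_age > rpo + slack:
        findings.append(f"newest snapshot is {newest_age} old, exceeds RPO of {rpo}")

    for earlier, later in zip(times, times[1:]):
        gap = later - earlier
        if gap > rpo + slack:
            findings.append(
                f"gap of {gap} between {earlier:%Y-%m-%d %H:%M} and {later:%Y-%m-%d %H:%M}"
            )

    # With one snapshot per RPO, the oldest snapshot of a full window is
    # (retention - rpo) old; anything younger means the window is not covered.
    oldest_age = now - times[0]
    if oldest_age < retention - rpo:
        findings.append(f"oldest snapshot is only {oldest_age} old; window of {retention} not covered")

    stale = [t for t in times if now - t > retention + rpo]
    if stale:
        findings.append(f"{len(stale)} snapshot(s) older than the {retention} window still present")

    return {"ok": not findings, "findings": findings}


def daily_labels(first_day, count, hour=2):
    """Constructed helper: `count` daily labels at `hour`:00 UTC starting on first_day."""
    start = datetime(*first_day, hour, 0, tzinfo=timezone.utc)
    return [(start + timedelta(days=i)).strftime("%Y-%m-%dT%H:%MZ") for i in range(count)]


if __name__ == "__main__":
    healthy = daily_labels((2024, 3, 2), 30)   # 2 Mar .. 31 Mar, one snapshot per day
    skipped = [label for label in healthy if not label.startswith("2024-03-15")]
    for name, labels in (("healthy", healthy), ("skipped day", skipped)):
        print(name, check_snapshot_policy(parse_snapshot_times(labels), EXAMPLE_NOW))
```

The coverage test uses `retention - rpo` rather than `retention` on purpose: a full window of 30 daily snapshots has its oldest member about 29 days old, and demanding a 30-day-old snapshot would make every correctly functioning schedule fail the check.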

When a higher classification is needed

If a higher classification is required for a specific Workspace, it is the responsibility of the Workspace Accountable to ensure that the higher requirements are demonstrably implemented and maintained. Where possible, the Core Support Team will assist in implementing the higher requirements for that specific Workspace via a non-standard change or project request.

Confidentiality HIGH implies:

  1. Every login requires MFA, also on-premises
  2. Role-based access
  3. Data encryption in transit and at rest
  4. Data can only be extracted from a Workspace with authorization
  5. No production data is used for testing
  6. Each Workspace has its own encryption key, stored in the key vault
  7. No data is stored on local devices, except for extracted data
  8. Physical access to storage and compute, and the destruction of media, are governed by Microsoft Azure data center policies

Integrity of data MEDIUM implies:

  1. A check on the data ingest by the executor performing the ingest is sufficient; it is assumed that there is:
    1. No need for the ingest to be checked by a second executor
    2. No need for authorization on the mutation of data
  2. The correction response time is 1 workday; it is assumed that there is:
    1. No need for immediate recovery after an issue is ascertained (if self-service restore of a snapshot is not sufficient)

Availability MEDIUM implies:

  1. A 30-day rolling set of daily read-only snapshots of the data share; it is assumed that there is:
    1. No need to mirror data to a different data center
    2. No need to back up VMs, because:
      1. The Workspace data share is independent of any VM
      2. Losing a VM has no impact on the data stored on the data share
      3. Microsoft Azure has high availability
      4. VMs can be restored relatively quickly with the necessary applications
      5. An image gallery that allows self-service creation of VM images will be available in the near future
      6. The costs are not justified by the numbers thus far

Threats and vulnerability analysis

Threat: Not withdrawing authorizations in time
Mitigation: Active policy by Workspace members in the roles Accountable and Privileged Member
Remaining probability: Very low

Threat: Cyberattack
Mitigation: Username/password and MFA, always
Remaining probability: Very low

Threat: Microsoft Azure related failures
Mitigation: Covered by the Microsoft Azure SLA
Remaining probability: Low

Threat: myDRE related malfunctions
Mitigation: anDREa DEV team during office hours (5 x 8), plus Rapid Circle Support around the clock (24 x 365); DTAP environments; peer review on code
Remaining probability: Low

Threat: Unauthorized physical access
Mitigation: Microsoft security
Remaining probability: Very low

Threat: Loss of data
Mitigation: 30-day rolling 24-hour non-writable snapshots of the data share
Remaining probability: Very low

Threat: Functional manager not available for myDRE
Mitigation: anDREa Support Team as backup in case of unplanned unavailability
Remaining probability: Very low

Threat: Functional manager not available for access to, and applications in, the Workspace
Mitigation: For applications on VMs and for access to the Workspace, a minimum of two Functional Managers who are members of the Workspace
Remaining probability: Very low

Threat: Access to physical data carriers
Mitigation: Microsoft authorized people only; data encryption at rest (encryption at rest in Microsoft cloud services)
Remaining probability: Very low

Threat: Traffic interception
Mitigation: Data encryption in transit (TLS; sha256RSA is the certificate signature algorithm, not the cipher)
Remaining probability: Very low

Threat: Self-upload of infected files
Mitigation: Exposure is limited to the member's own data; standard Windows Defender; own virus scanners possible
Remaining probability: Very low

Threat: Phishing, brute-force attack
Mitigation: MFA; at most outbound traffic is possible (determined by the Owner role); VMs can only be accessed from whitelisted IP addresses; the IP address of a VM changes after a reboot; VMs are shut down by default at 19:00; active monitoring by Rapid Circle
Remaining probability: Very low

Threat: Data breach
Mitigation: Being able to install software yourself minimizes the need to egress data from the Workspace for processing. In many cases, being able to (temporarily) scale up compute removes the need to egress data from the Workspace. Data in the standard Workspace can only be extracted via an authorization workflow with the permission of someone in the Accountable or Privileged Member role
Remaining probability: Very low

Threat: Research Support, the Accountable or a Privileged Member invites the wrong person
Mitigation: Always copy/paste the @mydre.org username from the ticket or email; verify after adding, and remove the member if the alternate email address is not correct. Ask for the Login, VM access or Data Request logging when in doubt.
Remaining probability: Low


