Data and Information
A key component in research is data, which when processed and interpreted becomes information. It therefore very important that the data (information) is protected at all stages during its lifecycle.
The Basics
A most common model designed to guide policies and practices for Information Security in an organisation is the AIC (availability, integrity and confidentiality) triad. What this means is that we use the triad to see if there are any risks to the data/information at each stage in the dataflow.
The next section covers a very simple dataflow that involves an exchange of information between entities, its processing, storage and subsequent transformation into a report.
The Case
A research study would like to interview patients (includes medical history and personal details) and prepare a research report. The interviews are conducted using encrypted voice recorders and the interviews are uploaded to the cloud for automated transcription. The converted text is then downloaded to the researcher’s machine and a research report is prepared. Sounds simple enough? Yes, but!
What could possibly go wrong?
There are several gaps where a breach could take place. Let’s identify some of them and see what controls (if any) can be implemented.
The encrypted voice recorders aren’t configured correctly, or the user has forgotten to turn the encryption function on. Maybe the user writes the password down and stores it along with the voice recording device. Oops! Not too bad, but what if the voice recording device is lost along with the password? Another point to watch out for; if the device uses an outmoded algorithm, in which case the encryption can be easily subverted and the recording/s accessed.
Assuming all goes well so far. The researcher now has to upload the encrypted recording to a ‘safe’ area so that decryption is possible. If the decrypting area isn’t sanitised or isn’t up to spec or patched, a hacker could exploit a vulnerability and access the recording. Maybe the hacker changes the encryption keys, thereby denying access to the recording/s and maybe asking for a ransom. Not going well so far? Read on!! There’s more. Anyway, let us assume that there are no problems this far; all the recordings are decrypted and transferred to the researchers laptop. As a precaution, the recordings are deleted from the decrypting server/s. Good practise, yes!! But is it?
And then?
The researcher now has the decrypted recording/s to be uploaded for automated transcription, but, hold on a minute, where’s the laptop that holds the recordings? I thought it was here a moment ago, I just kept it aside for a moment to pay for a beverage.Sounds familiar? Not to worry, the laptop’s password protected, not to mention that I’ve saved the password in my notebook which is safe and sound in the laptop carry bag. Oh no! This isn’t going well. Not to worry, the laptop has full disk encryption; we are safe, but unfortunately the recordings are lost as well as transcriptions. This is now a loss of Availability (refer the AIC triad). All the research data is lost, not to mention the loss of reputation and funding. Keeping source data separate and ensuring that there are secure backups of all versions is a good control to have in this case.
Oh No!!
The researcher can now upload the recording to the cloud application for automated transcription and subsequent download of the text. Hold on a minute, did I just say CLOUD? Where am I uploading the data to? Who controls the application in the “Cloud”? Does UCL have a formal agreement with the application provider? What will the application provider do with my data? Yes, but they’re certified ISO_something. They say so on their site. Yes, that’s good, but, is UCL covered in case the data is misused or their site is hacked. Read the T&Cs carefully. Ask Legal Services for advice and see if they can suggest suitable statements to protect UCL. Check with ISG to see what other controls can be implemented.
What next?
There are further nuances to this story but we will leave that for another post. In the meantime if you feel that there are other controls that can be implemented to protect the information, please email ISG [isg (at) ucl {dot} ac {dot} uk] and mention this post [Securing the Dataflow] and let us know if there are other issues that the researcher did not consider and a control that could’ve been thought about. Here’s your chance to win an Amazon voucher. This is open only to the academic research community at UCL. Quick!! Offer open to the first two entries only, I’m afraid! Good Luck!