5/9/18
Secure Box
Erik Wieland
Document Management & Web Services
University of California, San Francisco
Put all your eggs in one basket, and then watch that basket!
Andrew Carnegie
Why We Built Secure Box
advancing health worldwide
UCSF is the Leading University Exclusively Focused on Health
Our Mission: Through advanced biomedical research, graduate-level education in the life sciences and health professions, and excellence in patient care, UCSF is leading revolutions in health worldwide.
Patient Care | Education | Research | Public Mission
About UCSF - Data Updated August 2017
UCSF Provides Top Graduate-Level Education in Health and Sciences
- 4 professional schools: Medicine, Dental, Pharmacy, Nursing
- Plus a Graduate Division with 19 PhD and 11 master’s programs
- 3,300 students enrolled in degree programs
- 1,500 clinical residents or fellows
- 1,000 postdoctoral scholars
- Representing 94 countries
UCSF is Leading Revolutions in Health
- 5 UCSF scientists have received the Nobel Prize in Physiology or Medicine
- Top public recipient of NIH funding
- 1,700+ total active inventions
- 185+ startups from UCSF research, including Genentech Inc. and Chiron Corp.
UCSF Patient Care Ranks Among the Best
- UCSF Medical Center ranked #1 hospital in California by US News & World Report (2017-18)
- UCSF Health includes UCSF Medical Center, UCSF Benioff Children’s Hospitals in San Francisco and Oakland, and Langley Porter Psychiatric Hospital and Clinics, as well as affiliations with top tier hospitals and physician groups
- UCSF Dental Center operates 21 clinics in San Francisco
- $9.5M charity care provided by UCSF Health (FY16-17)
- 100+ community engagement programs
- $322.45M subsidized care to Medi-Cal patients
- 153 yrs partnered with San Francisco’s safety-net hospital
UCSF stands as one of the principal economic engines in the San Francisco Bay Area
- 43,000 jobs generated by UCSF
- 24,140 employees
- $8.9B impact
- $6.4B budget revenue
How We Built Secure Box
“IT is an anchor”
Background
§ Situation
- UCSF wants to use Box to collaborate with restricted data
- BAA, but no technical controls to ensure data protection
§ Target
- File-level encryption of restricted data
- Allow users to encrypt other files
§ Proposal
- Product that scans for restricted data and encrypts, decrypts files
- Secure folder for each user
Technical Requirements
✓ Integrate with existing DLP solution
- No reinventing wheel
- No duplication of scanning or scan policies
✓ Off-network encrypted file access
- Users need to access encrypted documents from anywhere
✓ Encryption must follow file
- File must stay encrypted even if it is downloaded from Box
✓ Redundancy, high availability
From Proposal to Plan to Build
§ Discovery
- Consulted DLP vendor, Box, Stanford, Internet2, Gartner
§ RFP
- Issued to the 9 Internet2 Box DLP vendors; 4 responded
- Scored responses, selected CipherCloud and Adallom
§ Proof of Concept
- Simulated UCSF environment provided by each vendor, with DLP integration using a de-identified sample database
- Evaluated against use case matrix, observed vendors
Secure Box Architecture
[Architecture diagram: Box users and the cloud sit outside the firewall. A DMZ holds the CipherCloud DMZ gateway behind a load-balanced VIP (scan nodes 1-4). Inside the network sit the CipherCloud internal nodes behind a load-balanced VIP (nodes 1-2), the CipherCloud DB (master/standby), the DLP servers behind a load-balanced VIP, and the DLP backend.]
Secure Box Data Flow
§ Real-time scanning of files added to or changed on Box
- Secure folder – no DLP
- Everywhere else – DLP
§ On-demand scanning of files and folders on Box
Secure Box Data Flow (diagram)
Zones: Outside | Firewall | DMZ | Inside
Components:
- DLP Backend: records/logs violations; controls policy (detection criteria)
- DLP Server: scans Box data; sends results to CC Gateway and DLP Backend
- CipherCloud Backend: manages encryption, decryption keys
- CipherCloud DMZ Gateway
- Box Users: internal Box users and remote Box users
Data sent between components:
- DLP Backend to DLP Server: policy updates, indexed MPI for detection
- DLP Server to DLP Backend: incident detections
- CC Gateway to DLP Server: Box data to be scanned
- DLP Server to CC Gateway: True/False detection
- Box to CC Gateway: Box data to be scanned
- CC Gateway to Box: encrypted documents, marker files
- Between Box Users and Box: any
- CC Gateway to Box Users: encryption keys
- Box Users to CC Gateway: decryption key request
- Between CC Gateway and CC Backend: keys, logs, violation data
How Secure Box Works
Accessible | Secure | Simple
Real-Time Scanning
1. User interacts with Box
- User uploads file Bacon.yummy to Box
2. CipherCloud requests file from Box
- CipherCloud scan nodes are notified of the Bacon.yummy file event via API
- CipherCloud requests Bacon.yummy for policy compliance checking
3. CipherCloud policy check and DLP interaction
- CipherCloud checks Bacon.yummy and conditions against policy
- If Bacon.yummy is in the user’s Secure folder, no DLP scan
- If outside of the user’s Secure folder, send Bacon.yummy to DLP for content (grease/fat/taste index) inspection
4. DLP scans file
- DLP scans Bacon.yummy against local DLP policies
- Sends True/False back to CipherCloud regarding content inspection
- Records detection (if applicable) and sends it to the DLP backend
5. CipherCloud takes action
- DLP returned True on Bacon.yummy
- Encrypt Bacon.yummy
- Remove public links and external collaborators
- Place encrypted file and marker file – education!
- Record detection with CipherCloud backend
6. User opens CipherCloud encrypted file
- User attempts to access Bacon.yummy.ccsecure via Box Web or Box Mobile (download), Box Edit or Box Sync (open)
- CipherCloud agent contacts CipherCloud gateway to check for decryption rights; the gateway then sends keys to the agent to open the file
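The six steps above, modelled as one decision function. This is an added example, not CipherCloud or UCSF code: the DLP stand-in (`demo_dlp`), the `/<user>/Secure/` path layout, the `BoxFile` record and the action names are assumptions; the `.ccsecure` suffix and the Secure-folder/marker-file behaviour are from the slides.

```python
# Added example, not CipherCloud or UCSF code: a model of the real-time scanning
# decision in steps 1-6. The DLP stand-in, the /<user>/Secure/ path layout and
# the action names are assumptions; ".ccsecure" and the marker-file behaviour
# come from the slides.
import re
from dataclasses import dataclass, field
from typing import Callable

ENCRYPTED_SUFFIX = ".ccsecure"

@dataclass
class BoxFile:
    path: str                        # e.g. "/alice/Secure/labs.csv"
    owner: str
    content: str
    public_link: bool = False
    external_collaborators: list = field(default_factory=list)

def in_secure_folder(f: BoxFile) -> bool:
    # Assumed layout: each user's Secure folder lives at /<owner>/Secure/
    return f.path.startswith(f"/{f.owner}/Secure/")

def handle_file_event(f: BoxFile, dlp_scan: Callable[[str], bool]) -> dict:
    """Return the actions CipherCloud would take and the resulting file name."""
    actions = []
    secure = in_secure_folder(f)
    if secure:
        restricted = True                 # Secure folder: encrypt, no DLP round trip
        actions.append("skip_dlp")
    else:
        actions.append("dlp_scan")
        restricted = dlp_scan(f.content)  # step 4: DLP answers True/False
    if not restricted:
        return {"path": f.path, "actions": actions, "marker": False}
    # Step 5: encrypt and strip external exposure
    actions.append("encrypt")
    if f.public_link:
        actions.append("remove_public_link")
    if f.external_collaborators:
        actions.append("remove_external_collaborators")
    if not secure:
        # Marker file and detection record only for DLP-flagged files
        actions += ["place_marker_file", "record_detection"]
    return {"path": f.path + ENCRYPTED_SUFFIX, "actions": actions, "marker": not secure}

# Constructed stand-in for the DLP server: flags an MRN- or SSN-shaped string.
def demo_dlp(content: str) -> bool:
    return bool(re.search(r"\bMRN[: ]\s*\d{6,}\b|\b\d{3}-\d{2}-\d{4}\b", content))
```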
Secure Folder
§ Secure folder created for all users
§ Secure folder is recommended for all files with restricted data
§ Anything that goes in here is encrypted (no DLP scanning)
§ Allows us to encrypt file types that DLP cannot currently scan (video, graphics)
§ DLP scanning is just a safety net
Account & Folder Provisioning
[Provisioning diagram: Box new-user provisioning starts from Shibboleth SSO (authentication/attributes) and the LDAP/AD identity store; event capture feeds a message queue; a provisioning listener checks LDAP/AD status, updates the Box provisioning DB, and drives custom provisioning, including prepopulating active users.]
Account & Folder Deprovisioning
Happens in 2 Phases
§ Inactivation
- User status changed to inactivated in DB
- Inactivate user in Box
- Reassign to manager, or notify editors, co-owners
- Activate returning users
- Update provisioning DB
§ Deletion
- User record inactive for more than 90 days
- Delete Box account and folders (including Secure folders)
- Activate returning users
- Update provisioning DB
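The two-phase policy above as a planning function over constructed provisioning-DB records. This is an added example, not UCSF’s provisioning code: the `ProvisionRecord` fields, the `in_directory` flag standing in for the LDAP/AD status check, and the action names are assumptions; the 90-day deletion threshold is from the slide.

```python
# Added example, not UCSF's provisioning code: the two-phase deprovisioning
# policy from the slide applied to constructed provisioning-DB records. The
# record fields, the in_directory flag (stand-in for the LDAP/AD status check)
# and the action names are assumptions; the 90-day rule is from the slide.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DELETE_AFTER = timedelta(days=90)   # slide: record inactive for more than 90 days

@dataclass
class ProvisionRecord:
    user: str
    active: bool                     # status in the provisioning DB
    inactivated_on: Optional[date]   # when the record was set inactive
    manager: Optional[str] = None    # owner to reassign content to, if known

def plan_deprovisioning(rec: ProvisionRecord, in_directory: bool, today: date) -> list:
    """Return the ordered actions for one record.

    in_directory: whether LDAP/AD still lists the user as an active account.
    """
    if in_directory and not rec.active:
        # Returning user (either phase): bring the account back
        return ["activate_user", "update_provisioning_db"]
    if in_directory:
        return []                                  # still active, nothing to do
    if rec.active:
        # Phase 1: inactivation; hand content to a manager or tell collaborators
        handoff = f"reassign_to:{rec.manager}" if rec.manager else "notify_editors_and_coowners"
        return ["set_db_inactive", "inactivate_box_user", handoff, "update_provisioning_db"]
    # Phase 2: deletion once the record has been inactive for more than 90 days
    if rec.inactivated_on is None:
        raise ValueError(f"{rec.user}: inactive record without an inactivation date")
    if today - rec.inactivated_on > DELETE_AFTER:
        return ["delete_box_account_and_folders", "update_provisioning_db"]
    return []   # inactive but still inside the 90-day window
```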
How We Launched Secure Box
Deployment
§ Clients
- Windows
- Mac
- Android
- iOS
§ Deployment methods
- BigFix
- Software.ucsf.edu
- Apple, Google app stores
Pilot
§ Enrollment
- Initial scan for PHI, log
- The Usual Suspects™ and squeaky wheels
§ Resources
- Survey with test script, feedback mechanism
- Brown bags
- Web page with user guides, FAQs
Lessons learned/confirmed
§ Set expectations for what is changing, what is not
§ Find analogies that help users understand
§ Prepare for escalations
§ A pilot isn’t (only) indoctrination
Communications
§ Communications matrix, resource list
§ Tracking list
- Date, category, audience, content, owner of message
- Document follow-up tasks, owners, dates
§ Find all the meetings, all the email lists, all the websites, all the signs
Lessons learned, confirmed
§ Involve customer service, engineering early
§ Use consistent branding
§ Identify your audience to your audience
§ Same message every time
§ No substitute for face-to-face meetings
Go-live, Stabilization
Launched on October 2, 2016
§ Launch + 2 weeks
- 92k files encrypted in secure folders
- 4k files encrypted outside of secure folders
- Public links to 26 files containing UCSF PHI removed
§ Today
- 1.7m files encrypted in secure folders
- 80k files encrypted outside of secure folders
- Public links to 1.2k files containing UCSF PHI removed
How We Run Secure Box
On-demand Scans
§ Highest security risk before launch: public links to files containing PHI
- Scanned and logged which users had public links
- Scanning folders of those 2800 users, logging results to report back to UCSF Privacy
§ Scans stopped or timed out because of volume or performance impact
§ Broke 2800 users into smaller groups
§ Separated on-demand queue from real-time queue to mitigate performance issues
UCCSC 2017
Real-time Scans
Logging public links found in real-time, on-demand scans
1. Review daily reports
2. Combine with Box logs to create narrative
- File/folder creation
- Public link creation
- Access history
3. Share results with Privacy Office
User Experience
§ Central ownership of Secure folders
- Users can tell when they are viewing content that is in a Secure folder, even if it is not their own
§ Easy to see when a file is encrypted
- .ccsecure is appended to file name
- If outside of Secure folder, a marker file is placed in folder to notify non-UCSF collaborators
§ Accessible everywhere, even when offline
Challenges
§ Users conflate Box Edit/Sync issues with CipherCloud issues
§ File size, type limits
§ Keeping up with the volume of our Box traffic
§ Working with vendor to resolve server issues
§ Rare false positives, or what users think are false positives
Costs
§ One-time Costs: $80K
- Developer: $25K
- Box API consulting: $5K
- CipherCloud professional services: $50K
- Resource time: PM, Engineering, Analyst, Solutions, Security, Applications
§ Annual Costs: $435K
- Box: $144K
- CipherCloud: $50K
- DLP for Box: $160K
- ~1.25 FTEs to manage system: $125K
- Infrastructure: $25-40K
Where Do We Go from Here?
§ Share our experiences with other institutions
§ Improve system architecture and performance
§ Collect feedback and use cases from users
§ Enhance DLP
§ Move to the cloud?
§ Scan for other data?
Want to Learn More?
Links
§ Internet2 Box
§ CipherCloud
§ UCSF Box
*No bacon or asparagus were harmed in the making of Secure Box