External Information Systems: Analyzing Risks
LBL recognizes that systems are interconnected and that, in many cases, the best service for a particular purpose may be provided most efficiently by an outside organization. Generally speaking, you and your line management are in the best position to identify when this is the case. This document may assist you in judging the risks.
This information has some applicability for situations where a scientific resource is provided externally (grid, experimental system, etc), but it is really meant for situations where a generalized service is being acquired from “the cloud”, such as email, collaborative systems, etc.
One exception: Prohibited (classified and sensitive) information and Protected PII may never be stored on outsourced information systems**. PII>>>
Considerations:
- Cyber Security Logging, Protection, and Analysis: Generally speaking, none of the protections in place at the Laboratory will be applicable to your outsourced service. Monitoring for attacks, stolen credentials, and other issues is entirely the responsibility of the vendor from which you are buying the service. As a gross overgeneralization, vendors of free and cheap services tend to care more about the integrity of the overall service than about the confidentiality, integrity, or availability of your data. Thus, monitoring for stolen credentials, for example, tends to be limited. Typically, neither you nor LBL would have any ability to reconstruct what happened after an incident, or potentially even to identify whether an incident occurred.
- As an example, one LBL group that uses an outsourced web hosting service had an instructive incident. The system was compromised and used as a platform for hosting pornography, reflecting on LBL and the particular project. LBL computer security was unable to reconstruct what happened, and unable to turn off the service to mitigate the damage. While this may seem minor, the implications for LBL of this kind of content hosting can be very serious (a major project at another National Lab was shut down for weeks in a similar incident).
- Depending on the nature of the service, you should be very familiar with what, exactly, you are being provided with in terms of security, patching, and configuration management. As an example, most outsourced web hosting services place the responsibility for patching and securing applications entirely on the customer. Just because the service is in the cloud doesn’t mean your responsibilities go away.
- Expectations of your colleagues: While many of your research colleagues at other institutions are likely accustomed to using outsourced services, if your colleagues are in other National Labs (especially the non-open science Labs like ORNL, PNNL, LLNL, and LANL – or in DOE/.gov), they may be prohibited or strongly discouraged from using such systems for collaboration. Some research sponsors may also have reservations about the use of such services.
- No or Limited Recourse: If the service is free or “click-wrap” you probably have little or no recourse against the vendor. As an example, one major free services vendor is notorious for shutting down the websites of individuals it thinks are responsible for spam (with many false positives), and taking a long time to put them back up. Can your project live with this? As a side note, some click-wrap agreements appear to run afoul of the University’s prohibition against indemnification agreements. Some UC campuses believe, for example, that Google’s indemnification clause may violate the Regents bylaws. LBL has no position on this matter.
- Ensure Data Remains Property of UC/DOE: Whenever you put data on a commercial service, ensure the terms do not conflict with the requirements of the UC/DOE contract in terms of ownership of research results and unlimited grant licenses for DOE for work completed under the contract.
- Document Management and Control: Utilizing an outsourced information system does not relieve you of responsibilities for document management, document control, or archiving. Note in particular that if your project is covered by the Document Control Policy under OQMP, it is almost impossible to imagine that an outsourced service can provide the required controls unless it was specially designed for this purpose.
- Protection from Legal Disclosure / e-Discovery: The University has a history of acting to protect the interests of itself and its employees, within the law, when it is required to legally disclose information. When you use an outsourced vendor, it is possible that law enforcement or equivalent will go directly to that provider for information and prohibit the disclosure to you or the University. This means that your privacy is dependent on this outside organization. While many of these organizations will try to direct the requester to you/the University first, you have no guarantee that this will happen.
- Accidental “acceptable use” issues: Some outsourced information systems may run afoul of various acceptable use policies. Three examples:
  - One popular free videoconferencing site is also used frequently for adult webcam chatting. When you drop to the main menu, you see a variety of content, much of which runs afoul of LBL’s acceptable use policies and may not be considered ultra-professional by others who you invite to chat. Obviously, no one is going to claim you violated policy for something like this, but be aware of how others view it.
  - One popular Voice over Internet service makes use of your available bandwidth in so-called “supernode” mode. Many universities have concluded that this represents an unacceptable use of bandwidth. LBL does not have a position on this issue, but this is an example of how some services may create acceptable use concerns.
  - Many free services are advertising supported, which may make it appear as if you or the University are endorsing a business – both of which are potential policy violations.
Quick Reference:
- Your responsibilities don't change when you use an external system. You must still comply with LBL policy and take personal responsibility for security. Responsibilities to consider include: complying with e-discovery or other court orders, complying with data calls, patching, incident response, and acceptable use.
- Analyze the risks associated with the use of outsourced information systems. Seek input from CPP and your line management if you have questions.
- Don’t put anything on an external information system that you’re not prepared to lose/disclose. That means no PII ever, but it also means strongly considering other operational and pre-publication information. Bottom line: assume high probability (near 100%) of disclosure in your risk calculation.
- Maintain a separation, where possible, between your collaborative and more operational responsibilities. For example, don’t use your outsourced energy policy blog to also store your PRDs.
- Don’t use the same password for external services as you do for internal services (if the service requires its own password*).
- Keep any software you install up to date and perform reasonable due diligence to ensure the software is legitimate and free of malware, spyware, etc.
- Don’t assume that the vendor will provide security for your information.
- Consider the possible vector of social engineering where collaborative services are utilized (someone could pretend to be you or one of your collaborators and utilize this as a foothold to further attacks.)
- To the extent you can, utilize the protections that are available to you. Turn on extensive logging, use offsite backups, change passwords frequently, etc.
* LBL is planning to support a number of services that use "federated authentication". Federated authentication allows you to use your LBL password to access non-LBL services; however, your password is only transmitted to LBL, not to the other service. More information about federated authentication is available here>>>
**Policy Wonk Note: Outsourced storage of PII approved by the official data custodian, functional owner (HR or CFO), and CPP may be approved on a case by case basis. This broad statement applies to scenarios such as HR storing spreadsheets of PII at Google Docs (absolutely forbidden) and not to sourcing a particular PII processing service (like transaction processing, or tax forms) from an approved, contracted vendor with a security plan (permissible with the permissions above and accredited as part of the BSE).