Date | |
---|---|
Time | 1:00PM |
Duration | 60 min |
Location | Zoom |
Zoom | |
Attendees | |
Project/Program | Security Assessment remediation - SAR |
Project Board | ITS PMO |
Log Time | |
OTL | |
Objective(s) | Review controls on the spreadsheet and, if time permits, follow-up/update discussions on iPaaS access, GoA vs Qumulo, and Spirion. |
Notes:
Speaker | Description | Notes | |
---|---|---|---|
Louis | GoAnywhere | RA-20: GoAnywhere does not use AD groups to track permissions. Great: accounts auto-lock when not logged into for 2 months. Some are tied to AD; some can be reinstalled because this doesn't propagate to systems. Same with NiFi: there are users that don't go away unless they are removed. Claudio is looking at this. When the primary account is disabled, access is disabled, but app accounts still have to be removed as well. We're building a list for each owner of the domains. Louis is adding a key for what the colors on the tabs he's tracking mean. Achraf: the spreadsheet needs more information, such as the number of accounts that were removed. 800-171: this is for all accounts, including the few vendor accounts and some contract accounts, which were all removed. How often will this review be done? At least every 6 months. The next time someone goes through this, it'll be easier with the work Louis has done. In the second round we will start to create the process. Compliance means that it has been done within the past 6 months. Automation is not necessary for the first round, but definitely for the second. Policy for all IT controls (IS-3 outlines periodic review): include the statement "User access periodic review of privileged accounts will be conducted every 6 months". Need an SOP for iPaaS. Suggestion from Louis: we pick 2 months out of the year, have security review those 2 months, and have people go to the website to confirm what was done for security. Ashish: every new system brought in should have an SOP and an automatic fetch of privileged users for approval, or turn them off. | |
Louis | iPaaS Login Review | Where in Splunk are logins going? KSQL: AD team logging. Airflow. Kafka: from Nathalie, https://collab.ucsd.edu/x/M538Cg. Could deprecate Kafka Drop; we have Kafka CC. | |
Ashish | Blockers | Bring Mike in to discuss next steps regarding blockers. RA-92/SAR-21 iPaaS access control: need-to-know and least access. | |
Ashish/Achraf | Notes from 10/13 Spreadsheet review meeting | We’ll open any controls that we haven’t looked at and try to resolve them. Select 3 or 4 controls we haven’t discussed and see if we can close them quickly. We will have to bring Mike in for those we’re going back and forth on. We need an SME for tasks that are not ours. Whoever disagrees should go back to Mike to resolve and determine yes or no for the dead end/wall. Add a column for the blocker and the outcome of their meetings with Mike. Get the full definition of status column entries. When there is a discussion that the solution isn’t accepted, we should create a task, and that gets comments entered on what is not being done. Hana: being able to track an action back to a user is not doable. Create an Epic for each line item, for all but those tagged as low, and move the tasks created to the appropriate new Epic, or create standard tasks for "Analysis" and tasks that come out of analysis where needed. Add tags for blockers where needed. | |
Bill S. | iPaaS Access using jumpbox – follow-up and decision | Document requirements: Section 9 of IS-3, 9.1.2. What is a secure access control point? This means we have to route everyone through a secure access control point. Limit to only those that need it. Declare what is a P3/P4 system and create a gate (jumpbox) with access control points; develop/create doorways for entry and exit, configured in a way that prevents leakage of data. How are we securing all of campus? UCOP considers payroll P4. Is VPN considered a secure access control point? Yes, that is one. We can focus on making P3 and P4 systems compliant. Example: the History dept logs into UCPath; do we have to make sure they are on VPN? People can log into various systems using HTTPS; should we enforce VPN for all users? How do we interpret these rules? Privileged or non-privileged access? Important factors are:
Elevated users: people who can see the additional volume of data or can modify data. Need to balance what the end user can do without using the jumpbox. Bill: what is UCSD's policy for the development environment? Nathalie: what controls, based on the breaches we have seen, e.g. auditing of logins is sufficient.
Use case discussion:
Risks:
| |
Bill S. | GoA vs Qumulo – Follow-up and decision | Comments: OneDrive, Google Drive, Qumulo, GoAnywhere.
Action items:
| |
Claudio and Rob | Installing Spirion on iPaaS servers | ||
Achraf | Spirion: agent installed on each station. Stores sensitive data. Scans for passwords, credit cards. | Achraf: workstations; data link policy to prevent sensitive information access. Risk isn't only impact, but security is the priority. Ashish: it won't be for workstations, just the servers; workstations don't connect at all to NiFi or the servers themselves. Bill, clarification: reading the document written for all of campus, how are we securing all of campus from logging into our payroll, financial or student systems? Are all campuses making people log into jumpboxes first? Vendors never told us why. Doesn't solve getting in. Rob Nyland: Daniel responded that Spirion has Red Hat installed and default profiles installed. Claudio: performance impact? Achraf: it scans all desktop files, some impact; we have to create a profile and tune it. Claudio: with so many agents being added, the impact will add up. Achraf: Spirion will most likely cause an impact. Daniel: we should get the impact numbers first. If there is no data, the scan will process quickly. Claudio: are there Excel files on the server? No. Ashish: all on FXS. Ashish: we can do a quick check on the servers for data. Achraf: are we good with the server install for Spirion? Ashish to review. Nathalie: it isn't just end users; we need to make sure there aren't any disks or saving that could cause the risk. Step 1: identify if any sensitive data is installed. What about log files? If they are P3 or P4 data, yes, even if users don't have access. | |
RA-16 | In progress Status = Solution in Progress | ||
RA-26 | Status = In Progress Part of Louis's review | ||
RA-28 | Status = Solution in Progress. Business applications: Ranger, Ambari. Create a task for that. | ||
RA-3 | SAR-89. Status = Completed - Out of Scope. Build an inventory of authorized software; this should be an ITS-wide project. | ||
RA-4 | Status = Not Started | ||
RA-5 | Status = Not Started | ||
RA-6 | Status = Solution Ready for Review | ||
Account removal | | ||
Anjelica | Past Due Tasks | | |
Anjelica | Next Steps | Keep next week's meeting and then update the series. | |
All | Time away | Anjelica: Oct 26, 27 and Nov 10 thru 15. Ashish: Oct 24, 25. |