Access to TU Delft data not properly regulated

This is what transpired on 24 September during a consultation meeting with the Works Council (OR) and the Executive Board. Executive Board member Nicoly Vermeulen recognises that “arranging data classification, ownership and access is often overlooked at TU Delft.”

The biggest data leak has now been sealed. What happened?

The story starts with OR member Menno Blaauw who discovered in June that something was wrong. To Blaauw’s surprise, a new employee requested and was given access to a storage area with potentially sensitive project information and other data that we are explicitly not stating here. He checked with the ITC Department and found out how this happened. During the consultation meeting, he explained the following. “I heard that there is no system that specifies who the owners of these shared storage areas are and that they simply grant access. To my mind, this is a breach of security.”

Undesirable
Executive Board member Nicoly Vermeulen has an explanation from the IT department ready at the meeting. It explains that requests must always go through a manager or secretary. ‘Requests that are submitted by employees are not processed.’ Vermeulen does not go into the details of Blaauw’s case, where the request was processed. Her explanation suggests that normally a check is done into whether it is an employee, or a manager or secretary on his/her behalf who requests access.

But this does not end the discussion. Blaauw asserts that these checks are meaningless if ICT does not check that the managers have authorisation over the data storage areas for which access is requested. “A manager can request access to an area to which he/she is completely unrelated. ICT does not know who is related to what.” Blaauw calls this situation undesirable.

He also says that in the case of an audit, he would not dare guarantee that unauthorised people would not be able to access sensitive data. “I share that concern,” responds Vermeulen. She says that she will “bring this issue up with IT” and suggests that they “discuss solutions and the plan to go from risky to less risky at a later stage.”

Later, during a telephone conversation, Blaauw says that he does not think that it goes wrong often, but that the potential to go wrong is there, especially now when it is not clear who has access where. Vermeulen acknowledges this in the meeting. “You do need to know what a particular part of the shared storage area is called to be able to ask for access. That is at least something,” says Blaauw.

The procedure to the test
In the meantime, Delta puts the procedure to the test. Editor Marjolein Van der Veldt requests the Service Desk for access to the shared storage area of the OR. She is told that the request must be done by her manager. So as the Editor in Chief, I do so. The request gets processed.

A little later, I am asked by Topdesk if I can be more specific about the location. I can’t. In consultation with Menno Blaauw, we try it with a specific location that does not contain important information but that should be inaccessible for unauthorised personnel. Marjolein is given access without Blaauw, the person responsible for the data, being informed. (The access has since been withdrawn.)

Earlier in the week, Executive Board member Vermeulen had said that she did not have the time to answer questions from Delta. In our search for answers, we approached Marco de Graaf, ICT Security Manager at TU Delft. He needed to check what was going on and what was being done about it. The next day he said that indeed, IT does not know who is responsible for what storage location. He said that checks should be done to verify if managers themselves have access to the locations that they request for their staff. 

Determining ownership
That Delta was able to gain access anyway is ‘wrong’, says De Graaf’s colleague, Chief Information Security Officer Marthe Uitterhoeve. “We will do everything we can to get the system watertight.” ICT has since started by instructing workplace services to work with tighter processes in which the person submitting the request must be either a secretary or manager in the department that owns the data. They must also ask the person submitting the request to review the list of current authorisations to check if the list is still correct. This was already being done in some departments, says Uitterhoeve. “We have now embedded this step in the request procedure.”

Further, ICT supports Blaauw’s suggestion of determining ownership of data so that for each request, it is known who should be informed or consulted. Uitterhoeve: “The link between managers and the data storage locations to which access is requested has now been tightened up: these must belong to the same department.”

Data classification
ICT has also prepared a draft data classification manual. There is currently no classification of sensitive and non-sensitive data. That said, some shared network drives do have an ‘additional authorisation layer’, as De Graaf calls it. He guarantees that even if you would gain access to the drive, you will not be able to open the files. This is how it works with privacy sensitive data, property drawings and other secret information. Do all TU Delft employees know this and do they take the right decisions? De Graaf cannot answer these questions. “It is difficult to monitor whether systems are used properly by staff. The data classification manual will help staff with clear definitions.”

Finally, Uitterhoeve wants to say that ICT is working hard on ‘improving information security, such as the tightening up of this application process for access, a manual for data classification, the introduction of multi-factor authentication, data ownership and security monitoring’. “There is still a lot to do, but we are progressing by leaps and bounds.”