Concepts

Access control

Access control is a means of selectively controlling access, use, and consumption of resources or information. Access control is accomplished via a combination of authentication and authorization mechanisms.

• Authentication: This refers to the affirmation that the person is indeed who they say they are. Signing into the CAS is a form of authentication.
• Authorization: After authentication, authorization determines things like account permissions.

Encryption

Encryption is used to protect data and files from unauthorized access by requiring a passphrase or digital key for decryption.

• Encryption at rest: Refers to data encrypted in storage — either in a database, on a disk, or on some other form of media.
• Encryption in transit: Also called encryption in flight, this is data that is encrypted over the network, i.e. via mobile apps, web applications, chats, etc. This encryption protects from attempts to snoop or eavesdrop on information as it travels over the network.

Data encrypted at rest does not necessarily mean the data will be encrypted in transit, and vice versa. Both practices must be employed together.

Logging and audit capabilities

While access control and encryption safeguard data, keeping track of user actions is a critical part of security. Appropriate monitoring and review of logs helps ensure that access control is working properly, and is usually a feature desired by data stewards.

Top

UMD services and tools for secure data and file sharing

The following services and tools leverage access control, encryption and logging and provide different ways to safely share files and documents. Make sure to review the UMD Data Classification Standards in order to assist with your data storage decisions.

Secure Share is the preferred alternative to email attachments for exchanging documents containing sensitive data. The file will be stored temporarily on a secure server, and recipients will be notified via email that a file is being shared with them. They will be provided with the URL for the UMD Secure Share site where they can retrieve the files.

Google Drive is a cloud storage service that allows you to store, share, and collaborate on your files. Drive is also integrated with Google Workspace for Education apps such as Docs, Sheets, and Slides, enabling you to create, store, and share documents in a variety of file formats.

• Approved for data in the Moderate (Level 2) risk level.
• Google Shared Drives are also available. Shared Drives are not tied to individual user accounts and allow you to manage large collections of files and folders separately from individual Drives. about Shared Drives.
• Review specific settings and capabilities for securely storing files in Drive.
  
  • Restrict sharing options on Drive files - Google Workspace Learning Center.
  • Set an expiration date for file access - Google Workspace Learning Center.
  • Restrict Sharing for a Group of Users (must be requested from admins).
  • Google Drive Logging Capabilities.

UMD Box is a cloud storage service that allows you to store, share, and collaborate on your files.

• Approved for data in the High (Level 3) risk level.
• There are multiple settings for controlling access to content uploaded to Box. View Box Sharing Options for an in-depth review of best practices and settings.
• Box logs recent user activity and lifetime activity in terms of file views, downloads, and other related actions important to following up on security incidents.

Networked Storage Service is an unstructured data and file storage service hosted on university-owned storage systems and maintained by the Division of Information Technology (DIT).

• Approved for data up to the High (Level 3) risk level.
• Access Control is managed by owners and admins of individual 'shares' and folders, and relies on the campus Active Directory.
• Data is encrypted at rest on the servers.
• View additional info in Networked Storage Service Security Practices.

CUI Environment is designed and maintained to be NIST SP 800-171 compliant and is available for use by researchers handling and analyzing Controlled Unclassified Information. Non-CUI usage is considered on a case by case basis for researchers handling other types of Restricted data.

• Data in the CUIE is encrypted at rest, and accessing data or virtual machines in the environment uses an end-to-end encrypted connection.
• There is a unique Inbox feature that allows collaborators to upload data securely to the environment. When removing data from the CUIE, we recommend Encrypting CUIE Files for External Use.
• The CUIE has multiple systems logging data for security monitoring and auditing purposes.

Microsoft Office: With some Office products, it's possible to protect documents with a password (the password encrypts the document). This is a quick way to add an extra layer of security, but there are at least two risks. If your password is not sufficiently strong, it can be guessed with a brute force attack. If you lose the password, you will lose access to the file permanently.

Top

UMD services and tools for secure communication

The following services and tools allow for secure communication.

• Webex Teams: Webex Teams uses end-to-end encryption to protect messages and space names. The data is encrypted in transit and in the cloud, and decrypted locally on your device.
• GlobalProtect Virtual Private Network client: Provides an encrypted and secure connection "tunnel" path from a user's machine to its destination through the public Internet. This helps prevent malicious attempts to steal unencrypted network traffic and other connection information. Using the VPN when traveling or on non-UMD internet connections is especially important.

Top

Third-party tools for keeping files and data secure (not supported by DIT)

The following tools have not been reviewed and/or do not necessarily meet UMD requirements for official use (i.e. security, FERPA, ADA)

• 7Zip: This utility is often used for compressing files before sharing, but has a built-in encryption feature that lets you encrypt files with a password that you can keep and provide separately to people who need to access the information.
• Virtru is an add-on tool that uses end-to-end encryption on top of email communications. You can securely send an email to someone, and they can securely reply without installing anything. There is a free version of Virtru for personal use.
• Signal App: An app used for sending messages and files that uses end-to-end encryption.

Top