Library Privacy Checklist 2: Data Exchange Between Networked Devices and Services

This checklist is intended to help libraries of all capacities take practical steps to implement the principles that are laid out in the Library Privacy Guidelines. It is an overview checklist that highlights general actions that are applicable across multiple guidelines. There are also specific checklists that libraries can consult for each guideline.

Priority 1 actions are those that all libraries should be able to take to improve their privacy practices. Priority 2 and Priority 3 actions may be harder to implement, depending on a library's technical expertise, available resources, and organizational structure.

This checklist is intended to help libraries of all capacities take practical steps to implement the principles that are laid out in the Library Privacy Guidelines for Data Exchange Between Networked Devices and Services.

Priority 1 Actions

  1. Establish minimum security practices for devices and services.
    1. Change any default passwords.
    2. Disable remote access to the superuser account (i.e. root or administrator).
    3. Keep all software up-to-date using a secure and verified source.
  2. Require authentication for all client connections to services that allow access to patron information.
    1. Limit clients to only the access they need (the principle of least privilege).
    2. Enable mutual authentication of server and client if supported.
    3. Use a secure authentication standard such as OAuth when feasible.
  3. Implement a logging policy for devices and services that covers rotation and retention, types of data collected, and the implications on patron privacy.
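The logging policy in item 3 has to say not only how long logs are kept but what identifying data they contain while they are kept. The following Python example, added here and not part of the checklist or any library system's code, shows one way to encode such a policy: full detail for a short troubleshooting window, de-identified lines after that for statistics, and deletion once the retention period ends. The log format, the 14-digit patron barcode pattern, and the sample lines are all constructed for the example.

```python
import re
from datetime import date, timedelta

# Constructed sample lines in a hypothetical ILS access-log format (not the
# output of any real library system). The patron value is a barcode; the
# search term is also personal data and is treated as such below.
SAMPLE_LOG = """\
2024-03-01 09:12:44 ip=192.0.2.17 patron=21234567890123 action=checkout item=3300012345
2024-03-02 10:01:03 ip=198.51.100.9 patron=21234567890456 action=search q="knitting"
2024-05-20 14:30:12 ip=192.0.2.44 patron=21234567890789 action=renew item=3300054321
"""

# Identifiers that tie a line to a person. The 14-digit barcode format is an
# assumption for this example; adjust the pattern to the local barcode scheme.
PATRON_BARCODE = re.compile(r"patron=\d{14}")
SEARCH_TERM = re.compile(r'q="[^"]*"')
IPV4 = re.compile(r"ip=(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.\d{1,3}")


def redact_line(line):
    """Strip the patron barcode and search term; keep only the /24 of the IP.

    Item ids and action types stay, so the line still supports usage
    statistics without identifying who did what.
    """
    line = PATRON_BARCODE.sub("patron=[REDACTED]", line)
    line = SEARCH_TERM.sub('q="[REDACTED]"', line)
    line = IPV4.sub(r"ip=\1.\2.\3.0", line)
    return line


def apply_retention(lines, today, detail_days, keep_days):
    """Tiered retention: full detail for detail_days, redacted until keep_days, then dropped.

    `today` is an ISO date string so the policy can be run against a fixed date.
    """
    today = date.fromisoformat(today)
    detail_cutoff = today - timedelta(days=detail_days)
    keep_cutoff = today - timedelta(days=keep_days)
    kept = []
    for line in lines:
        stamp = date.fromisoformat(line[:10])
        if stamp < keep_cutoff:
            continue                      # past retention: delete, do not archive
        if stamp < detail_cutoff:
            line = redact_line(line)      # troubleshooting window over: de-identify
        kept.append(line)
    return kept


def process_log(text, today, detail_days=30, keep_days=91):
    """Apply the policy to a whole log file's text and return the lines to keep."""
    return apply_retention(text.splitlines(), today, detail_days, keep_days)


if __name__ == "__main__":
    for line in process_log(SAMPLE_LOG, "2024-06-01"):
        print(line)
```

Run against the sample with today set to 2024-06-01, the 30/91-day windows drop the March 1 line, de-identify the March 2 line, and keep the May 20 line in full. The windows are the policy decision the checklist asks for; the code only enforces whatever values are chosen.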

Priority 2 Actions

  1. Harden security on devices and services.
    1. Disable any extraneous services that are running on devices.
    2. Limit administrative privileges to authorized individuals through user access controls or the sudo program.
    3. Require a unique password for each instance of a service.
    4. Implement and enforce a strong password policy that specifies password length, composition, and maximum age. Consider using randomly generated passwords.
  2. Encrypt data communications between client applications and server applications that may include patron information.
    1. Configure services when possible to require encryption by default, i.e. do not allow unencrypted connections.
    2. If a service does not support encryption (e.g. SIP2), carry it over an encrypted transport such as an SSH tunnel or a VPN.
  3. Encrypt sensitive data at rest (e.g. data warehouses, archives, tapes, offsite backups).
  4. Store passwords in applications using up-to-date best practices (i.e. salted and hashed, never stored in plaintext).
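Item 4 is about how an application stores the passwords it checks, and the difference between a fast unsalted hash and a salted, deliberately slow one is easy to see in code. The following Python example is added here and is not part of the checklist or of any library product; the scrypt work factors and the record format (`$scrypt$n$r$p$salt$hash`) are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os

# scrypt work factors (assumed values for this example; raise them as hardware
# allows). n must be a power of two; n*r*128 bytes of memory are used, 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def unsalted_sha256(password):
    """The anti-pattern: a fast, unsalted hash. Equal passwords give equal
    hashes, so one cracked hash (or a precomputed table) exposes every account
    sharing that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted, slow hash for storage. Returns a self-describing record so the
    parameters can be raised later without breaking existing records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # unique per password, stored alongside the hash
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return "$".join(["", "scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     _b64(salt), _b64(digest)])


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 7 or parts[1] != "scrypt":
        return False
    try:
        n, r, p = int(parts[2]), int(parts[3]), int(parts[4])
        salt = base64.b64decode(parts[5])
        expected = base64.b64decode(parts[6])
    except ValueError:
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    # compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong password", record))
```

Hashing the same password twice yields two different records because each call draws a fresh salt, yet both verify; the unsalted variant yields the same digest every time, which is exactly the weakness the checklist item is guarding against.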

Priority 3 Actions

  1. All remote access (including SSH) should use cryptographic keys rather than passwords.
    1. Keys should be no shorter than 2048 bits (for RSA); 4096 bits is preferable.
    2. Do not allow deprecated or insecure ciphers.
    3. Ensure private keys are secure (use subkeys and keep master keys very safe).
    4. Rotate keys regularly and be ready to revoke them in case of compromise.
  2. Review the protocols employed by devices and services. Protocols should:
    1. Be standard, established, and open.
    2. Not be deprecated due to security concerns.
    3. Support data integrity including origin authentication, non-repudiation of origin, non-repudiation of receipt, and verification of payload using cryptographic signature or a hash.
  3. Verify security of devices and services by using penetration testing tools.
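Several items above (disabling remote superuser login, key-based rather than password SSH access, and refusing deprecated ciphers) are all settings in the SSH daemon's configuration file, so a small audit of that file is a practical way to verify them. The following Python example is added here and is not part of the checklist or of OpenSSH; the two sample configurations are constructed, the list of weak cipher names and the assumed OpenSSH defaults for absent keywords are the author's assumptions, and the audit looks only at global settings (it stops at the first `Match` block).

```python
# Cipher names OpenSSH has removed or disabled by default for security reasons
# (RC4 family and CBC modes). Treat any of these as a finding.
WEAK_CIPHERS = {
    "arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc",
    "cast128-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
}

# Constructed sample configs for this example (not from any real host).
WEAK_CONFIG = """\
# sshd_config left close to an old distribution default
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Ciphers aes256-ctr,aes128-cbc,3des-cbc
# A later duplicate does NOT override the first: sshd keeps the first value.
PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return the global settings as lower-cased keyword -> value.

    Mirrors two sshd rules: the first occurrence of a keyword wins, and
    everything after a Match line is conditional, so it is excluded from the
    global audit (this example only checks global scope).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)       # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Check a config against the checklist items and return a list of findings."""
    s = parse_sshd_config(text)
    findings = []
    # Assumed OpenSSH defaults when a keyword is absent (OpenSSH 7.0 or later).
    if s.get("permitrootlogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin is not 'no': remote superuser login is possible")
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': password logins are allowed")
    if s.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled: key-based login is not possible")
    ciphers = s.get("ciphers", "")
    if ciphers.startswith("-"):
        ciphers = ""                 # a '-' list only removes ciphers from the default set
    ciphers = ciphers.lstrip("+^")   # '+' appends to, '^' prepends to the default set
    bad = sorted(c for c in ciphers.split(",") if c.strip().lower() in WEAK_CIPHERS)
    if bad:
        findings.append("weak ciphers enabled: " + ", ".join(bad))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
```

The weak sample deliberately repeats `PermitRootLogin` with a later `no`; because sshd honours the first value, the audit still reports the finding, which is the kind of mistake a by-eye review of a long file tends to miss. Key lengths (item 1.1) are a property of the key files rather than of this configuration file and are not checked here.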
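Item 2.3 asks for protocols that authenticate the origin of a message and let the receiver verify the payload. The following Python example, added here and not part of the checklist, shows the simplest form of that check: a keyed hash (HMAC-SHA256) over a key identifier and the payload, verified in constant time on the receiving side. The key table and the sample payloads are constructed. As the comments note, an HMAC gives origin authentication and integrity between the two key holders but not non-repudiation; that last property needs a digital signature with an asymmetric key.

```python
import hashlib
import hmac
import json

# Constructed shared keys, one per sending system, indexed by key id. In
# practice these are provisioned out of band and rotated (checklist item 1.4);
# the id lets both sides keep working while a new key is phased in.
KEYS = {"ils-2024-03": b"constructed-demo-key-do-not-reuse"}


def _tag(key, key_id, body):
    # The key id is covered by the tag so a message cannot be re-labelled
    # as coming from a different sender without breaking verification.
    return hmac.new(key, key_id.encode("utf-8") + b"\0" + body, hashlib.sha256).hexdigest()


def protect(payload, key_id):
    """Wrap a payload with its sender's key id and an HMAC-SHA256 tag.

    The tag authenticates the origin (only a holder of the key can produce it)
    and the payload (any change breaks the tag). Because the receiver holds the
    same key, it does NOT give non-repudiation; that needs a digital signature.
    """
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return {"key_id": key_id, "body": body.decode("utf-8"), "tag": _tag(KEYS[key_id], key_id, body)}


def verify(message):
    """Return the payload if the tag checks out, else None.

    Unknown key ids, modified bodies, and missing or wrong tags are all
    rejected before the payload is parsed.
    """
    key = KEYS.get(message.get("key_id"))
    if key is None:
        return None
    body = message.get("body", "").encode("utf-8")
    expected = _tag(key, message["key_id"], body)
    # compare_digest: constant-time comparison, so timing does not reveal
    # how many leading bytes of a guessed tag were right
    if not hmac.compare_digest(expected, message.get("tag", "")):
        return None
    return json.loads(body)


if __name__ == "__main__":
    msg = protect({"action": "checkout", "item": "3300012345"}, "ils-2024-03")
    print(msg)
    print("verified:", verify(msg))
    forged = dict(msg, body='{"action":"delete","item":"3300012345"}')
    print("tampered:", verify(forged))
```

A message whose body is edited in transit, whose key id is changed, or whose tag is missing all verify as `None`, while an untouched message returns its payload; a receiving service should log and drop the former rather than process it.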

Resources

  • Passwords: CPNI
  • Burr, W. E., Dodson, D. F., Newton, E. M., Perlner, R. A., Polk, W. T., Gupta, S., & Nabbus, E. A. (2011). Electronic authentication guideline. NIST Special Publication 800-63-1.
  • Chandramouli, R., Iorga, M., & Chokhani, S. (2014). Cryptographic key management issues and challenges in cloud services. In Secure Cloud Computing (pp. 1-30). Springer New York.
  • Hoeper, K. & Chen, L. (2009). Recommendation for EAP Methods Used in Wireless Network Access Authentication. Retrieved from: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-120.pdf
  • Jakimoski, K. (2016). Security Techniques for Data Protection in Cloud Computing. International Journal of Grid and Distributed Computing, 9(1), 49-56.
  • Jansen, W., & Grance, T. (2011). Guidelines on security and privacy in public cloud computing. NIST special publication, 800(144), 10-11.
  • National Center for Education Statistics (Ed.). (n.d.). Chapter 6: Maintaining a Secure Environment, Weaving a Secure Web Around Education: A Guide to Technology Standards and Security. Retrieved from https://nces.ed.gov/pubs2003/secureweb/ch_6.asp
  • Peng, C., Kesarinath, G., Brinks, T., Young, J., & Groves, D. (2009). Assuring the Privacy and Security of Transmitting Sensitive Electronic Health Information. AMIA Annual Symposium Proceedings, 2009, 516–520.
  • Singhal, A., Winograd, T., & Scarfone, K. (2007). Guide to secure web services. NIST Special Publication, 800(95), 4.
  • Tysowski, P. (2016). OAuth Standard for User Authorization of Cloud Services. Encyclopedia of Cloud Computing, 406-416.