Breakout discussion: Network access inside a TRE

Chair: Simon Li

Notes

  • What angle is this coming from?

  • What do TRE admins see as acceptable?

  • Cloud services, e.g. blob storage, limited file shares outside TRE. Some users allowed to egress non-sensitive data outside TRE

  • Limited proxy

  • Full session recording for audit purposes? Tried it for central government projects, defence-in-depth. Discussions about security dominate

    • “Privileged access management” system: Brokers access to different endpoints for admins, so they can manage environment but everything is monitored so can be “replayed” at any point in future

    • Machine learning security controls for anomaly detection. Begins by learning pattern of normal behaviour.

    • False positives? How much work to investigate reports? How disruptive for users?

      • Start in learning mode for several months or longer. Can manually override rules if necessary. Only set to automatically block network connections after you’re confident. Then need 24/7 team on hand to quickly investigate and remedy alerts depending on risk profile

  • One worry with network access is DNS, which could be used to egress data, so you need to run a secured DNS service

  • Thought about using AI tools to spot disclosive analysis patterns, but very complicated and variable input types. Analyse logs of what people have done, not just outputs

  • Sheffield/AWS: ISO27001 defines requirements for network controls. Less focus on monitoring, network controls are to protect users from themselves.

    • Looking at something similar to HIC, with restricted network proxy. Can’t close off environment completely, but need restrictions on what they can do.

    • Deciding whether to go cloud native route or build own proxy

    • No developers in infrastructure team though (which drives use of cloud tooling as a primary option)

  • Building everything in OpenStack
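
Added example, not part of the original notes: one check a secured DNS service could run over its own query log to address the DNS egress worry raised above. The log format, thresholds and sample lines are constructed assumptions; the parent domain is approximated as the last two labels.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: "<client> <query name> <type>" per line.
SAMPLE_LOG = """\
10.0.0.5 pypi.org A
10.0.0.5 files.pythonhosted.org A
10.0.0.7 cran.r-project.org A
10.0.0.7 cran.r-project.org AAAA
10.0.0.9 0123456789abcdef0123456789abcdef.t.example.net TXT
10.0.0.9 fedcba9876543210fedcba9876543210.t.example.net TXT
10.0.0.9 0123456789abcdeffedcba9876543210.t.example.net TXT
10.0.0.9 fedcba98765432100123456789abcdef.t.example.net TXT
"""

def entropy(label):
    """Shannon entropy of a label, in bits per character."""
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label))

def flag_domains(log_text, max_unique=3, max_label=30, min_entropy=3.5):
    """Return {parent domain: [reasons]} for domains whose queries look like a data channel."""
    subs = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        labels = parts[1].rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain part to inspect
        # Assumption: parent domain = last two labels; use the Public Suffix List in production.
        subs[".".join(labels[-2:])].update(labels[:-2])
    findings = {}
    for parent, seen in subs.items():
        reasons = []
        if len(seen) > max_unique:
            reasons.append("many-unique-labels")
        if any(len(l) > max_label for l in seen):
            reasons.append("long-label")
        if any(len(l) >= 16 and entropy(l) >= min_entropy for l in seen):
            reasons.append("high-entropy-label")
        if reasons:
            findings[parent] = reasons
    return findings

if __name__ == "__main__":
    for parent, reasons in flag_domains(SAMPLE_LOG).items():
        print(parent, ", ".join(reasons))
```

In line with the learning-mode point in the notes, findings like these would be reviewed and tuned for a period before any automatic blocking is attached to them.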