Security & Certifications

The security at the core of CASD know-how

Granting access to confidential data is essential for studies and research. Detailed personal data require a high level of security to prevent unwarranted dissemination or misuse by an unauthorized third party, which makes the infrastructures, tools and systems that provide access critical.

To address these issues, CASD has put together its set of technologies for data dissemination which guarantees security and technically prevents any data file export.

CASD used all its know-how to create a secure data hosting setup compliant with the French regulation pertaining to the processing and dissemination of data protected by secrecy.

The party wishing to disseminate its confidential data can:

  • Have their data hosted at CASD;
  • Name the persons authorized to access the data (for the period the party chooses);
  • Instruct CASD as to who will be authorized to have an SD-box;
  • Define the confidentiality rules.

In this way the party benefits from a high level of security for its data, which is confined to prevent dissemination, while users keep a comfortable working environment in terms of ergonomics and IT efficiency.

CASD processing has been authorized by the Commission Nationale de l’Informatique et des Libertés, CNIL (CNIL – Délibération number 2014-369). ISO 27001 certification is presently in its final stages.

Health Data Security Referential (RSDS)

The SNDS sets the constraints that apply to hosting health data and making it available. CASD has already integrated the referential into its daily procedures and into its handling of access requests.

CASD is applying for ISO 27001 certification, which largely overlaps with the health data referential (RSDS).

Furthermore, an exhaustive risk analysis was carried out by CASD (492 pages) covering every possible item on security, physical or otherwise. Countermeasures, which mostly were already implemented, were formalized to limit security risks.

Although the RSDS does not make session recording mandatory, CASD is currently setting it into place for health data and has made the necessary investments to capture and store interactive actions from user sessions so as to ensure traceability.

Here is the table describing CASD’s compliance with the RSDS:

RSDS requirement                                       | CASD
-------------------------------------------------------|----------------------------------------------------------------
Risk analysis                                          | Carried out exhaustively for “medical files”.
Impact study                                           | Same as the risk analysis
Carrying it out                                        | Completed
Testing                                                | Completed
Labelling                                              | To be done with the person in charge of processing
IT monitoring and follow-up                            | Completed
                                                       |
Externalisation                                        |
Risk analysis                                          | Completed, detailed risk analysis
PGSSI                                                  | OK
Audit modalities                                       | OK – synthesis can be supplied on demand
Export                                                 | OK – only towards RSDS
Awareness raising                                      | OK – enrolment sessions and contracts; awareness raising and training for administrators
                                                       |
Access modalities                                      |
Availability                                           | 24/24, 7/7
Access from an internal workstation (PSSI-MCAS)        | Dedicated SD-Box™, with a dedicated use that is subject to a high level of security
Data output                                            | Verification of outputs a priori or a posteriori, with traceability and accountability (integrity by encryption); Code of Good Practice of European Statistics
Data integrity                                         | The user only has read access to source data (no editing or other type of access authorized).
Admin access                                           | Users and administrators have no internet access; the SD-Box™ guarantees the isolation of the Bubble
                                                       |
Identification and authentication                      |
Identification                                         | Physical identification
Authentication                                         | Certification, access card, biometry; authorization number 2014-369 from the French authorities (CNIL)
                                                       |
Traceability                                           |
Authentication                                         | Strong: certification, access card, biometry
Role and authorization management                      | OK, centralized by a directory
User referential                                       | OK – secure dedicated software
Resource referential                                   | OK – secure dedicated software
Role and authorization referential                     | OK – secure dedicated and synchronized software
Shared dating                                          | OK – dedicated infrastructure
Tracing back                                           | OK, session record
Specific documentation                                 | OK
Trace logs: access, outputs, data matching, admin ops  | OK, technical traces; the need to trace can be arbitrated according to the risk
                                                       |
Surveillance                                           |
System response time                                   | OK
Increasing rights                                      | OK – audited regularly
Non-authorized output                                  | OK – audited regularly, with traceability
Non-authorized access to an SNDS resource              | OK – audited regularly
Unusual modification of source data from the SNDS      | OK – read only
Too large an output                                    | OK – audited regularly
Incident handling                                      | OK – see “palier 3 imputabilité”
Time-stamping                                          | OK – dedicated and recorded procedure
Regular audits                                         | OK – at minimum annually
Authorisation review                                   | OK – at minimum annually
Access rights                                          | If technically possible (excluding anonymisation)

Audits

Auditing companies aim to verify, as completely as possible, the level of security achieved by the CASD infrastructure within the constraints defined by data depositors.

The auditor must be specialized in IT security, hold the PASSI label (IT audit label) granted by the ANSSI (the French national agency for IT security), and be competent in attack methods against client operating systems, servers, VPNs, authentication modes, etc.

Audits follow four scenarios of increasing access, each of which aims to intrude successfully, impersonate a user, or retrieve a data file.

SCENARIO 1: attack on the encrypted Internet tunnel with no declared public IP address

The auditing company knows the CASD network address, but its IP address is not on the list of addresses authorized to connect to CASD.

The company must study whether an attack on the VPN-SSL tunnel endpoint is possible, or whether information can be extracted from this tunnel.

SCENARIO 2: attack on the encrypted Internet tunnel with a declared public IP address

The company knows the CASD network address, and its IP address is on the list of addresses authorized to connect to CASD.

The company must study whether an attack on the VPN-SSL tunnel endpoint is possible, or whether information can be extracted from this tunnel.

SCENARIO 3: attack on the encrypted Internet tunnel with a declared public IP address and in possession of an SD-Box

The company knows the CASD network address, its IP address is on the list of addresses authorized to connect to CASD, and it is in possession of an SD-Box.

The company must study whether an attack on the VPN-SSL tunnel endpoint is possible, or whether information can be extracted from this tunnel.

The auditor will test whether they can take control of the box:

– Take control of the OS (modification of the boot process),
– Access a shell one way or another,
– Access RDP to open a session remotely,
– Access the box through the network,
– Impersonate the central infrastructure (man-in-the-middle attack),
– Access the USB ports, boot from a USB port,
– Modify the BIOS,
– Read the hard-drive content (and if so, try to connect),
– etc.

This list is non-exhaustive and the company must attempt as many attacks as possible (known or unknown to GENES) in that configuration.

SCENARIO 4: VPN-SSL Internet attack with a declared public IP address, a smartcard and in possession of an SD-Box

The company knows the CASD network address, its IP address is on the list of addresses authorized to connect to CASD, and it is in possession of an SD-Box and a smartcard.

This attack configuration mimics an internal intrusion attempt: the company can connect as an internal user would. An account is created specifically for this testing purpose.

The aim is to attempt hijacking maneuvers that answer at least one of the following questions:

– Is it possible to retrieve a file?
– Is it possible to access files to which the user theoretically has no access (files from other projects)?
– Is it possible to impersonate a user with or without their card?

The resilience of the authentication modes will also be tested (card tests, driver tests, etc.).

Additional verification: CASD network isolation

GENES provides access to its building so that the auditor can test whether CASD is indeed isolated from the GENES IT system (separate switch network, firewall parameters, etc.).

Audit report

The report must be complete and specific regarding the testing modalities, the protocols used, the source code of the programs used in the attacks…

Four audits have been carried out successfully by companies certified by the ANSSI, the most recent taking place in January 2017.

PGP

CASD’s public PGP key can be used to encrypt data before sending it to CASD. You can contact us at service@casd.eu for further information.

Download CASD’s public PGP key

Details on the key:

ID: 2BBE1271
Type: RSA
Size: 4096/4096
Created: 2013-06-12
Expiration: None
Cipher: AES-256
Fingerprint: 53B8 8ED6 A9F1 0E0B 62FD 5208 889E 5557 2BBE 1271
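As an added example that is not CASD’s own tooling, the shell functions below check that a downloaded key file actually carries the fingerprint published above before encrypting a file to it, and show why the short key ID alone is not a sufficient check. The gpg invocations assume GnuPG 2.1 or later; the key and data file names are placeholders.

```shell
#!/bin/sh
# Added example (not CASD's own tooling): verify a downloaded public key against
# the fingerprint published on this page before encrypting data to it.
# Assumes GnuPG 2.1+ ("gpg") is installed; file names are placeholders.

# Fingerprint and short key ID as published on the page.
CASD_FPR="53B8 8ED6 A9F1 0E0B 62FD 5208 889E 5557 2BBE 1271"
CASD_KEYID="2BBE1271"

# Canonical form of a fingerprint: upper-case hex with no whitespace.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr '[:lower:]' '[:upper:]'
}

# Succeed (exit 0) only when both fingerprints are identical after normalisation.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# The 8-character short key ID is just the tail of the fingerprint. Short IDs
# are collidable, so they are only a sanity cross-check, never the real test.
short_keyid_of() {
    normalize_fpr "$1" | tail -c 8
}

# List the fingerprint(s) in an armored key file without importing it: with
# --with-colons, "fpr" records carry the hex fingerprint in field 10.
key_file_fingerprints() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }'
}

# Encrypt INFILE to the key in KEYFILE, refusing when the primary-key
# fingerprint is not the published one (guards against a swapped key file).
encrypt_for_casd() {
    keyfile=$1; infile=$2; outfile=$3
    found=$(key_file_fingerprints "$keyfile" | head -n 1)
    if ! fpr_matches "$found" "$CASD_FPR"; then
        echo "refusing to encrypt: fingerprint '$found' is not the published one" >&2
        return 1
    fi
    gpg --batch --import "$keyfile" >/dev/null 2>&1 || return 1
    # Address the recipient by full fingerprint, never by name or short ID.
    gpg --batch --yes --trust-model always \
        --recipient "$(normalize_fpr "$CASD_FPR")" \
        --output "$outfile" --encrypt "$infile"
}
```

Typical use is `encrypt_for_casd casd_public_key.asc dataset.zip dataset.zip.gpg`; a key file whose fingerprint differs from the published one is rejected before any import takes place.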