Computer Science

The organisation uses multiple systems:

• Recorda, a system for maintaining student records

• MoneyRA, a finance system used for various functions such as expense submission, accessible only by members of staff

• MyStudent, an app accessible only by students used to present timetables, events, other information.

• VLearning, a virtual learning environment (VLE)

• CoursesView, a course/module record system (CRS) which stores details of every course and module in the institute

• CloudData, a configurable open-source cloud storage and file sharing system

The institute is looking to expand its CloudData instance to store the data used by Recorda, MoneyRA, MyStudent, VLearning and CoursesView (so that these services access their data from CloudData). Some of this data is sensitive. For example, following the redesign, CloudData will be used to hold financial data, student personal information (including medical data) and exam papers. As such, the institute will need to redesign its security and cryptographic practices. Additionally, the institute is hoping to set up a Single Sign-On (SSO) system that will allow users to use a single login to access any online service that is run by the institute.

Aside from CloudData (where, by default, users can decide who can view their files), the institute has implemented role-based access control (RBAC) for all services, where only users with the correct role can view sensitive data (the financial team for financial data, the welfare team for student health data, and so on). The institute wishes to increase the protections so that sensitive data is also encrypted at rest. CloudData supports file- and disk-level encryption, but it is up to you to decide which algorithms to use and how to generate and store keys. You are free to decide what roles to use (within reason) as long as you state them clearly and briefly justify your choices.

The institute also collaborates with industry partners, conducting research on their behalf. Because the institute may store partners’ intellectual property on its own CloudData instance, the institute is highly cyber security-conscious and actively seeks to protect this data from unauthorised access. Files related to company IP may be created by either the companies or the academics they work with, but they should be encrypted at rest and accessible only by these groups of people (after they have been invited to view the files).

In summary, the data that needs to be protected includes:

• Student records, which are currently stored on Recorda

• Some parts of the financial system on MoneyRA should only be visible to the finance team, and users (such as staff and students) can see elements relevant to them

• Exams are stored on CloudData

• Collaborator IP is also stored on CloudData

Finally, the institute wishes to develop an SSO identity provider system to allow students to log into all of the services listed above using a single login. You are free to decide how users will authenticate themselves (username and password, 2FA, etc.), but you should be mindful of the potential usability and security issues, as well as how this will interact with the rest of the system.

Your task is to propose a cryptographic simulation addressing these requirements. There are no strict restrictions on your proposal - it can work in any way so long as it addresses the requirements.

Your solution should also address:

• Where data for each service is stored

• How data is transferred between each service

• The cryptographic protocols and algorithms used

• Key management (i.e. how keys are generated and stored)

• Authentication in addition to encryption

Where relevant, your solution should be compliant with GDPR, CCPA and PSD2.

Task 1:

Provide a narrative description of the SSO proposal. The description must be supported with a UML sequence diagram, and must show communication between entities such as the authentication authority, the different services, and the user.
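The exchange Task 1 asks for (authentication authority issues an assertion, the user presents it, the service verifies it and applies RBAC) can be sketched as follows. This is an added example, not part of the original assignment. Assumptions: the role names, the user directory and the in-memory keys are constructed, and HMAC-SHA256 with a per-service key stands in for the asymmetric signatures a SAML or OpenID Connect deployment would use.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed per-service keys, shared between the IdP and each service only.
SERVICE_KEYS = {s: secrets.token_bytes(32) for s in ("MoneyRA", "Recorda", "MyStudent")}
# Constructed directory mapping users to (hypothetical) roles.
DIRECTORY = {"alice": ["staff", "finance"], "bob": ["student"]}

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def _mac(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()

def issue_assertion(user, audience, ttl=300, now=None):
    """IdP side: called only after the user has authenticated (not shown)."""
    now = time.time() if now is None else now
    claims = {"sub": user, "aud": audience, "roles": DIRECTORY[user],
              "exp": now + ttl, "jti": secrets.token_hex(8)}
    payload = json.dumps(claims, sort_keys=True).encode()
    return _b64(payload) + "." + _b64(_mac(SERVICE_KEYS[audience], payload))

def verify_assertion(token, service, required_role, now=None):
    """Service side: return the claims or raise PermissionError."""
    now = time.time() if now is None else now
    try:
        p64, m64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
    except ValueError:
        raise PermissionError("malformed assertion")
    # Check integrity first, in constant time, before trusting any claim.
    if not hmac.compare_digest(mac, _mac(SERVICE_KEYS[service], payload)):
        raise PermissionError("bad signature")
    claims = json.loads(payload)
    # Audience check is kept as defence in depth should keys ever be shared.
    if claims["aud"] != service:
        raise PermissionError("wrong audience")
    if claims["exp"] <= now:
        raise PermissionError("expired")
    if required_role not in claims["roles"]:
        raise PermissionError("missing role")
    return claims

if __name__ == "__main__":
    token = issue_assertion("alice", "MoneyRA")
    print(verify_assertion(token, "MoneyRA", "finance")["sub"])
```

An assertion issued for one service fails verification at every other service, so a token captured from MyStudent cannot be replayed against MoneyRA.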
