Spring 2023

In the fall of 2016, U-M released its five-year Diversity, Equity, and Inclusion strategic plan and campus-wide unit plans, which allowed DEI initiatives to be incorporated into more aspects of university planning and operations. IA is proud to actively support these efforts and has cultivated a culture of celebrating individual differences in race, ethnicity, religion, ability, gender, and sexual orientation.

Whether through our hiring practices, technological initiatives, articles, or events, IA has put the values of diversity, equity and inclusion at the core of its mission to protect the university and its community members. Here are some highlights of this work from the last twelve months:

• Upgraded MCommunity with features that offer more personalization, allowing users to add a photo, name pronunciation, and personal pronouns to their profile. The new MCommunity also comes with privacy settings to better control who can see what information. Watch this video to learn more.
• Hosted Women Make Movies screenings and conversations with the film directors in celebration of Women’s History Month in 2022 and 2023. Last spring, we watched and discussed Assia Boundaoui’s award-winning documentary The Feeling of Being Watched. In March 2023, we hosted Emmy-nominated Shalini Kantayya and talked about her film Tik,Tok. Boom.
• Organized a SUMIT keynote on securing at-risk people with Runa Sandvik, a renowned digital security expert, and Elodie Vialle, an affiliate of the Berkman Klein Center for Internet & Society at Harvard University, who was previously a Knight-Wallace Fellow at the University of Michigan. Read a summary of the event and watch the recording here.
• Authored a profile of Black women in cybersecurity in celebration of Black History Month and Women’s History Month.
• Extended offers to ten of the 37 interns in ITS. Since the start of the ITS Internship Program, IA has hired five interns as full-time employees.

In this issue of the Safe Computing Newsletter, you will meet IA’s Pat Steffes, who shares their experience as a transgender professional and U-M community member. Also, in this issue, be sure to read the In the News profile of a study on discrimination in machine-learning-based decision making.

Thank you for all of your hard work and support of diversity, equity and inclusion in our shared Information Assurance responsibility.

In the last few months, IA has welcomed four new staff members, who are already contributing to the important work of securing the University of Michigan:

• Vincent Glud: Vincent is joining the IA team for a few months as part of a CTOP (Cross-Tier Optimization Program) assignment with the Security Operations Center (SOC) team. Vincent comes to us from ITS Support Services and is here to learn more about Information Assurance's work. Vincent joined ITS on the same day in 2013 that he graduated from U-M. Vincent enjoys supporting any and all U-M Athletics, studying history, reading the occasional novel, and walleye fishing.
• Griffin Rogers: Griffin has joined the IAM Dev Ops team. Griffin will be focusing on the upkeep and production support of the Linux IAM ecosystem. As a Grand Valley State University graduate with a bachelor's in chemistry, Griffin previously worked at Plastipak Packaging as a Quality Technician Contractor. Griffin is an aviation enthusiast outside of work and plays soccer when the weather is nice.
• Ryan Vis: Ryan recently joined the IAM team as a Senior ERP Business Systems Analyst. Ryan comes to IA with over 16 years of BSA experience working in ITS. Ryan has helped deploy campus-wide projects such as Google Apps for Education, a virtual data center in AWS, a new Microsoft cloud tenant, and a Salesforce organization. Ryan is an avid woodworker who enjoys watching British game shows and cooking BBQ.
• Rodney Woodward: Rodney joins our IAM Ops team as a Windows AD/Azure Administrator. Rodney has deployed and managed Microsoft Windows systems (AD DS, Exchange, etc.), as well as 'middleware software' and VMware vSphere. During hockey season, he tries to attend as many Toledo Walleye and Columbus Blue Jackets games as possible. Rodney also enjoys kayaking, hiking, and spending time with family and friends.

We look forward to working with each of these new staff members and encourage you to reach out and welcome them to IA and the security community at U-M.

The Identity and Access Management team continues to partner with units to discontinue use of the Cosign Authentication service by the end of June 2023. All remaining integrations will be disabled, and the servers decommissioned in October 2023.

Originally designed at U-M more than two decades ago, Cosign was once widely used across higher education. Now only a small number of universities still use it, and the open source community that once maintained it is winding down.

The following is a summary of the activities that will continue through retirement. If you have questions or need assistance, please contact the project team at [email protected].

Reducing inactive applications using Cosign

In May 2022, all applications required an exception to continue to use Cosign during the retirement period. To continue to reduce Cosign use, exceptions will be removed monthly for applications with fewer than 20 logins during the past 90 days. Without the exception in place, users will no longer be able to sign in to the application. A list of the applications that will lose exceptions each month is shared with U-M Security Community groups and members of the Strategic Technology Advisory Committee (STAC).

Units to discontinue use by June 30, 2023

As part of the Internal Controls survey completed in September 2022, unit leadership attested to discontinuing Cosign use or planning to do so by June 30, 2023. Units that need to continue past the June deadline must submit their plan to IAM. If a unit has a plan but is unable to be off of Cosign by June 30, they need to contact the ITS Service Center to submit a ticket to the IAM Single Sign-On group.

All plans must conclude use by October 2023, when the Cosign service will be fully decommissioned.

Upcoming Shibboleth update to remove reliance on Cosign

An update that will enable Shibboleth to perform both authentication and authorization without reliance on Cosign is planned for release to production in spring, 2023. The Shibboleth staging environment was updated on March 6 and has been tested by ITS and units. Units that do not have a Shibboleth staging environment for testing received instructions to test against a simulated production environment. This will ensure that Shibboleth allows authentication and that attributes are released as expected.

Retirement timeline

• May 2022 • Self-service for installing Cosign with new applications ended. All applications using Cosign are granted an exception.
• September 2022 • Units attest to discontinuing or creating plans to discontinue using Cosign by June 2023, per the FY22 Internal Controls certification process.
• February 2023 • Monthly schedule to remove exceptions from inactive applications begins and will continue through June 2023.
• April 15, 2023 • Technical change to remove Shibboleth’s reliance on Cosign. Currently, Shibboleth uses Cosign for authentication.
• June 30, 2023 • Units discontinue using Cosign.
• October 16, 2023 • Remaining integrations are disabled, and servers are decommissioning afterward.

Support for removing Cosign from your applications

Visit the Cosign at U-M website for the drop-in support lab schedule, more information about the retirement, including a resource toolkit with sample code, and other helpful information for switching to Shibboleth.

Join Single Sign On Notify, a self-joinable MCommunity group, to receive future emails about Cosign’s retirement.

This summer, U-M's Sponsor System will be upgraded to replace its dependency on Cosign authentication with Shibboleth. As part of the upgrade, the user interface will be updated with better accessibility and an improved Search/Match function to enhance the sponsorship process. The business functions and processes in place with the current Sponsor System will largely remain the same.

Departments and units use the Sponsor System to sponsor people who have a relationship to U-M that requires them to have a uniqname, MCommunity profile, and use of some U-M computing services (and, in some cases, a UMID). People who receive sponsorships include contractors, summer program attendees, new faculty/staff who need computing accounts before their hire date, and more.

• Sponsored people receive a uniqname and UMICH (Level-1) password if they do not already have them.
• If they have an old, inactive uniqname, it is reactivated by the sponsorship process, and a new password is set for them.

Enhancements that will accompany this upgrade are:

• Improved password handling and better generated passwords
• Better management of people with multiple sponsorships
• Improved bulk creation performance
• Streamlined sponsorship reasons, including removing creation of the infrequently-used Type 2 sponsorships from the application
• Simplified minimum data requirements for newly-created uniqnames
• Simplified contact and address fields set for sponsored people
• Clearer notification text Improvements to the API

Targeted emails will be sent to the administrative users of the Sponsor System to inform them of the changes and to provide updated documentation in advance of the upgrade.

Information Assurance (IA) regularly reviews the important tools that allow units to evaluate security risks in their area and improve their ability to respond to threats. IA continually reviews its tool sets for effectiveness and efficiency, and as needed will replace a tool or capability with a new and improved version. This spring, in the spirit of providing agency, transparency, and up-to-date information to security unit liaisons (SUL) and IT staff, we announce two changes to key IA capabilities:

New InfoAssure Portal

IA has begun transitioning to the new InfoAssure.umich.edu portal for RECONs, in preparation for the March 31 retirement of the previous RECON web portal.

InfoAssure was created using technology from OneTrust, and promises a smoother and faster workflow for RECONs. IA also hopes to leverage this tool to support external third party risk assessment, and possibly other assessment processes in the future.

The previous RECON process often involved exchanging email, documents, and questionnaires, which required IA staff and our unit partners to keep track of many pieces of information, sometimes in many places. The new InfoAssure portal allows IA staff and unit partners to send and receive information, respond to questions, and mark tasks complete, while storing the information about an assessment in a single place. IA hopes to begin leveraging the new system's capability to automate messaging, such as alerting RECON participants of changes in the status of risks or treatment plans.

"We won't need to rely as heavily on email and spreadsheets to find materials we need for these processes," said Sol Bermann, Executive Director of Information Assurance and Chief Information Security Officer. "This also helps replace the need for internal development of tools to track and manage our important risk management work," he added.

The new InfoAssure tool will simplify the process, allowing both IA staff and unit partners to spend more time mitigating risks and engaging in other risk reduction efforts.

MitiGate Retirement

MitiGate, a first-of-its-kind online dashboard, was developed by IA in 2019 to provide units with a single location to see certain types of IT security data. That point-in-time data was sourced from multiple authoritative systems. Since deploying the Mitigate dashboard, there have been improvements in other IA tools which allow for units to more easily access important information assurance data, including the Crowdstrike console, Tenable.io for unit IT, and the Sensitive Data Discovery portal.

To make it easier to access relevant and actionable real-time data, IA is replacing the MitiGate application with a web page for MitiGate Resources (accessible only by Security Unit Liaisons) that combines:

• shortcuts to the systems providing real-time data,
• important information contained in IT Security Community presentations and Unit Security Checklists,
• links to other IA capabilities designed to help units identify and manage IT security risks.

IA remains committed to improving and streamlining capabilities, tools, and resources that support our shared responsibility to protect U-M systems and data. If you have any questions regarding these IA updates, submit a ticket to the ITS Service Center and assign it to the ITS-Security group.

In December 2021, the world was introduced to the massive zero-day vulnerability known as Log4j, which was used to perform remote code execution and provide unauthorized access to servers. This vulnerability remains an active threat as US healthcare organizations, including those in the public health sector, continue to be targeted.

To focus attention on timely action when it comes to addressing threats to university resources and data, the FY23 Internal Control Annual Certification asks units to certify that they regularly review and remediate critical vulnerabilities within the timeframes specified in the Vulnerability Management (DS-21) standard.

IA remains vigilant and takes proactive steps to identify threats. We use Tenable.io to scan U-M networks and communicate with customers on patching vulnerable machines. Without the advanced monitoring, discovery, and mitigation Tenable.io agents provide, scanning accuracy for Log4j is limited. Units are encouraged to reach out to IA to discuss testing and installation of Tenable.io agents on unit-managed machines. Submit a ticket to the ITS Service Center with attention to ITS-IAPROACTIVE-Security.

Through close partnership, compliance with technical standards, and proactive use of IT security technology, we can better protect the university and our community.

ITS Information Assurance is partnering with U-M units to pilot using TeamDynamix for Hardware Asset Inventory purposes. A hardware asset inventory is a place to collect, store, and update information on hardware assets. TeamDynamix has an inventory capability currently used by more than 15 campus units and allows groups to manage their inventory records, add custom fields to records, and update via API.

Appropriate tracking of the assets is an integral part of any security program, particularly when those assets are regularly added and removed from the network. The benefits of a Hardware Asset Inventory include the following:

• Enhanced security. With a list of devices on the network, units can focus on identifying unauthorized devices quickly.
• Improved compliance. Having an up-to-date list of assets on the network helps meet the inventory requirements of specific compliance processes.
• Faster issue resolution. An up-to-date inventory allows service providers to quickly identify and resolve problems and restore service quickly.

IA is working with five units for this pilot, intending to leverage data collected when devices are connected to the network to establish a baseline of devices and hardware assets and identify new and retired assets. Units currently providing data and spending time validating data collected by IA for the Hardware Asset Inventory include Michigan Radio, Museum of Art, School of Dentistry, COE-Robotics-Lab, and KECC in the School of Public Health.

Refer to Hardware Asset Management Pilot project for more detail. Contact [email protected] if you’re interested in piloting this process, including collection, validation, and import of hardware asset data into TDx.

Information assurance is a shared responsibility, and every member of the U-M community has a part to play in supporting IT security, privacy, identity and access management, IT policy, and compliance efforts. Part of this responsibility is for each unit, school, and college to designate a member of their staff as a Security Unit Liaison (SUL). Together, ITS Information Assurance (IA) staff and SULs work to enable unit missions while promoting security awareness, education, monitoring, and compliance. This partnership is fundamental in supporting the university’s security posture, and IA is committed to maintaining strong and productive relationships with SULs, listening to their feedback, and supporting their needs.

IA publishes unit security checklists to support units in their shared responsibility to protect U-M systems and data and created the Winter 2023 SUL Checklist to ensure we share the same understanding and vision for your role and help you assess your alignment to expectations as a Security Unit Liaison and your partnership with Information Assurance.

As a U-M Dearborn alumni and ITS Information Assurance (IA) Senior Software Programmer Analyst, Pat Steffes (they/them) applies their skills and passion to creating and leveraging inclusive technology, engaging in Diversity, Equity, and Inclusion (DEI) efforts at U-M, and supporting the broader transgender community in cybersecurity. Pat is one of the 1.4 million adults in the US identifying as transgender and also identifies as non-binary. They recall growing up hearing about U-M fighting for racial diversity and the rights of marginalized groups, and knowing it was somewhere they wanted to be. After almost ten years of working on IA’s Identity and Access Management (IAM) team, Pat still feels immense gratitude for finding an inclusive environment and unconditional support within their team and by IA and ITS leadership.

Pat grew up in Livonia, Michigan, and attended a Catholic elementary school. The traditional environment gave Pat a profound understanding of the obstacles they would face as transgender. “Deep down, I knew that I was trans, and I understood that I had to be perfect if I was going to exist.” Though Pat didn’t begin their transition journey until several years after starting at U-M, they attribute their ability to come out as trans at work to the DEI efforts they witnessed in IA. “The IAM team was 50% female when I first joined, and the first training I received was a DEI course provided by IA. I also heard managers like Chris Hable, and IAM Director DePriest Dockins, consistently speaking about and acting on DEI initiatives.” In addition, Pat has been encouraged by the overall support for DEI by coworkers across ITS. “I’ve truly felt more supported by ITS and my coworkers' efforts to use my chosen name and pronouns than some of the friends and relatives in my life.”

With many friends who cannot come out and are uncomfortable with changing their pronouns at work, Pat is dedicated to living authentically and paving the way for others to do so. Pat focuses much of their energy on inclusive technology supporting the LGBTQIA+ U-M community, including solutions that enable others to update their pronouns and preferred names in U-M-provided services. “It’s dehumanizing not to be called the name you identify with or have others use your chosen pronouns.” Pat also works with the Diversity, Equity, and Inclusion committees at ITS and co-presented at the 2022 Michigan IT Symposium on Leveraging Technology to Enable Inclusion, where they shared their experience and the importance of inclusive technology for marginalized groups.

Although Pat celebrates ITS’ commitment to DEI and the support they’ve received throughout their transition, they also recognize there’s still work to be done at U-M. Pat would like higher priority associated with DEI projects, including creating a single space to update identity information, such as Chosen Name, for all U-M systems and services. “My team sometimes has to reshuffle priorities to make room for important projects. That doesn’t happen with these DEI efforts, and I would like to see this be a priority now, instead of a future project.”

Pat and their partner live in Ypsilanti, share two dogs and two cats, and are very involved with the local LBGTQIA+ community. They also share a passion for supporting feminists and queer artists in the Metro Detroit area.

Refer to Diversity Equity and Inclusion to learn more about DEI efforts at U-M. For more information on IAM's work, refer to Identity and Access Management. Finally, refer to Faculty and Staff Counseling and Consultation Office (FASCCO) if you need mental health care and emotional support, including confidential and professional counseling.

ITS Information Assurance celebrated Data Privacy Day with two Privacy@Michigan events, intended to raise awareness, promote best practices, and provoke thought and conversation on privacy topics relevant to the U-M community and society as a whole.

• It’s Everyone’s (But the Children’s) Home: A Look at Child Safety in the Smart Home - Kaiwen Sun took the audience through a sample of the internet-connected tech in homes of families with kids and discussed the physical, physiological, and social impacts on children. Because Sun’s research shows that companies’ marketing strategies capitalize on images featuring kids' interaction with smart tech in the home, often without providing efficient parental controls and child safety features and resources, she recommends parents stay informed and take action as consumers by supporting companies that do invest in child safety and privacy. Read more of Kaiwen Sun’s work in her article Child Safety in the Smart Home: Parents’ Perceptions, Needs, and Mitigation Strategies.
• Privacy, Power, and Platforms: How to think about user privacy expectations online - Privacy@Michigan’s keynote event featured Dr. Kirsten Martin, U-M alumna, and Hazel B. White Professor of Technology Ethics and Professor of IT, Analytics, and Operations in the Mendoza College of Business at the University of Notre Dame. Dr. Martin discussed privacy expectations on online platforms and provided the audience with two perspectives: that of standard companies that assume individuals relinquish privacy expectations when online for the use of “free” services, and another of privacy scholars whose view includes using consumer data only in the context it was shared. Dr. Martin argues that when platforms collect, use, and share personal information against their users’ privacy expectations, they abuse their power and market dominance. Visit the Privacy@Michigan Keynote event page to view the recording of Dr. Martin’s thought-provoking presentation and her conversation with Dr. Florian Schaub, Associate Professor of Information, School of Information, and Associate Professor of Electrical Engineering and Computer Science, College of Engineering.

In March, IA and the Dissonance Event Series (which seeks to increase university-wide multidisciplinary discourse on technology, policy, privacy, security, and law), partnered to offer a free viewing of Shalini Kentayya’s documentary, TikTok, Boom. The film told a complex story and spurred a thoughtful and engaging conversation with the filmmaker and a diverse panel of U-M faculty, students, and staff. To watch the conversation, visit the TikTok, Boom. event page on the Safe Computing website. Refer to Past Dissonance Events to view other events in the U-M Dissonance Event Series, including the 2021 panel discussion of Kentayya’s award-winning film Coded Bias.

We will continue to bring to you Privacy@Michigan and Dissonance events throughout the year and hope to see many of you attend and get engaged. Refer to the Safe Computing calendar for more information on cybersecurity, privacy, and Dissonance events at U-M and beyond.

Discrimination against minorities and disadvantaged groups based on gender, race, sexual orientation and other personal characteristics is not new and has historically been tackled by removing sensitive personal information from data used for making important decisions. Researchers from Western University and Queen’s University in Canada, along with collaborators in UnionBank of the Philippines and Aboitiz Data Innovation, found that in the absence of identifying data, ML algorithms extrapolate the information using other parameters, resulting in discriminatory recommendations.

The authors of the study provide examples from Apple and Amazon, where in an attempt to prevent discrimination in loan-lending and hiring decisions, ML algorithms were used without gender data. The results showed clear discrimination against women, requiring human intervention to correct decision making.

The authors make the case that “access to sensitive attributes data can substantially reduce discrimination and sometimes also increase profitability.” In the context of emerging laws regulating artificial intelligence, they offer ways for organizations to safely and ethically use sensitive identifying information in ML decision making:

• Pre-process data before a ML algorithm training to ensure more balanced data.
• Impute gender from other variables (e.g., professions, or a relationship between work experience and number of children).
• Tune model hyper-parameters with gender, and then remove gender for model parameter estimation.

Companies are encouraged to work with regulating bodies to identify and measure discrimination in the algorithms they employ, and use sensitive data to correct it.

At U-M, we provide resources to safely use sensitive data in support of the university’s administrative, education, and research missions. If you have any questions regarding data classification or use of sensitive data, contact Information Assurance through the ITS Service Center.

On March 2, 2023, the Biden Administration released a National Cybersecurity Strategy aimed at securing the technology, infrastructure, and data of the United States. This strategy is not an executive order, but the presidential administration's outline of what it would like to see done to improve cybersecurity, and how it hopes to achieve those goals.

The new strategy outlines five pillars:

1. Defend critical infrastructure.
2. Disrupt and dismantle threat actors.
3. Shape market forces to drive security and resilience.
4. Invest in a resilient future.
5. Forge international partnerships to pursue shared goals.

Each pillar is further broken down into detailed areas of sub-focus. This cybersecurity strategy expands on familiar themes from previous administrations, such as calling for increased coordination in response to threats and improved information sharing. Unlike previous strategies, it adds holding vendors to a higher degree of responsibility, as well as spelling out a role for the government in cybersecurity insurance.

With an emphasis on collective public and private responsibility, universities like U-M will have a role to play, and opportunities to support the new strategy through our research, education, and partnership efforts. If you want to know more about meeting our shared responsibility to secure U-M, check out the video Securing the University of Michigan.

To read more about the National Cybersecurity Strategy, we recommend:

• National Cybersecurity Strategy, Whitehouse.gov
• FACT SHEET: Biden-⁠Harris Administration Announces National Cybersecurity Strategy, Whitehouse.gov
• What is the National Cybersecurity Strategy? A cybersecurity expert explains what it is and what the Biden administration has changed, The Conversation
• New Biden Cybersecurity Strategy Assigns Responsibility to Tech Firms, The New York Times
• White House cybersecurity strategy stresses software safety, AP News.

Dealing with identity theft was a bit like a nightmare; it came out of nowhere, was disorienting, and left me unable to shake off my lingering fear. It happened to me on a typical workday. One minute, I was thinking about my afternoon meeting, and the next, I was trying not to panic while calling about an email that notified me of a loan I had never applied for being deposited into a new bank account opened with my social security number. I acted quickly and got the account shut down, so the money couldn’t be withdrawn. The experience was a stark reminder that I need to take action to safeguard my credit from identity theft in the future.

Identity theft occurs when someone uses your name, Social Security number, credit card number, or other personal information to commit fraud or other crimes. The good news is you can take action to protect yourself if you suspect identity theft. Here are some ways to do that:

• Contact one of the three nationwide credit reporting agencies to place a 90-day fraud alert on your credit report. When a fraud alert is set with one agency, it is also reported to the other two agencies.
• Place a credit freeze (security freeze) on your account, restricting access to your credit report and making it more difficult for identity thieves to open new accounts in your name. For more information, refer to Federal Trade Commission: Credit Freeze FAQs.
• Set up alerts for your credit card(s) and bank accounts to receive an email or text message when money is spent above certain thresholds or your account has been used without the card present.
• Review your credit report, credit card statements, and other financial information for suspicious activity.
  • You can request a free credit report from each of the three nationwide consumer credit reporting agencies (listed above) per 12-month period. The easiest way to get free credit report copies is to visit AnnualCreditReport.com.
  • Look for suspicious activity, such as new accounts you did not open or purchases you didn't make.

I put a fraud alert and a credit freeze on my accounts, which will remain until I lift it for future purchases. As a result, I am now better informed and feel more protected.

Refer to Identity Theft for information on detecting, preventing and mitigating identity theft.

Cleaning is almost as much a right of spring as baseball, flowers, and migrating birds. As lots of us start tackling that closet, basement, or corner of the garage, Information Assurance (IA) would like to remind you that data and devices can always use a little spring cleaning, too.

A key task that many of us put off is making sure that any university data, files, and folders we control are co-owned by, and shared with, appropriate parties. That means using a shared group drive, and making sure that teammates and supervisors that might need access to that data have it. This helps protect U-M business processes, and saves everyone the time and effort of tracking down and getting access to data and files if you win the lottery and disappear to a tropical island. It also means less work for you if you change jobs or retire. Check out Shared Access to Business Documents for more information on helping protect your unit.

Have some old devices or data you want to get rid of? Keep your data from falling into the wrong hands by securely deleting it before you dispose of an old device. Even devices that you decide to sell or hand down to friends or family need to be properly erased or reset before you pass them on. Check out Erase Personal Devices Before Disposal and remember that the U-M Tech Shop's Tech Repair Secure Device Sanitization service is there to help you if needed!

Last, but definitely not least, remember that if you have U-M devices or any personal device that has U-M data on it, you are required to securely erase and dispose of it. See Securely Dispose of U-M Data and Devices for details on what you need to do to protect yourself and U-M.