1. Data access
Synapse implements an access control system based on the properties of the dataset and/or on the properties of the user profile attempting to gain access.. Public datasets may be controlled (users must agree to specific terms and request access from ACT or another specified entity and may be required to upload certain documentation based on the dataset), restricted (users must agree to specific terms, but access is granted automatically after terms are accepted), or open (users can view data either anonymously or once they have created a Synapse account).
Within dataset specific access requirements and project sharing settings, data contributors may specify whether users must be registered (created account and agreed to Synapse Pledge), certified (passed quiz indicating security and privacy policy awareness), or validated (identity linked to account has been verified) to obtain access.
Rather than restricting or controlling data, project administrators can also choose to make their projects or folders private and only share them with specific synapse users and teams. General Synapse users will not be able to view or access private projects or entities unless explicitly shared to them by a project administrator.
Data Access Threat Scenarios
Threat: A Synapse user intentionally or inadvertently accesses controlled data without qualification
Identify through data warehouse query and end user reporting:
☑ Users who have posted or accessed controlled data without the appropriate access level required for the respective dataset.
Threat: A Synapse user with significant access to data intentionally or inadvertently shares access
Identify through data warehouse query and end user reporting:
☑ A single file downloaded multiple times by a single user
Data Access Associated Queries: Top downloaders
2. Data handling
Synapse allows end users to upload data once they have certified their account by passing the certification quiz. The certification process is an administrative control that trains users on appropriate data handling procedures. Once granted data upload rights, an end user is expected to determine sharing settings and request access restrictions for the data they contribute to the platform, or adopt the sharing/access settings of the respective Synapse community they are contributing to.
Data Handling Threat Scenarios
Threat: A Synapse user intentionally or accidentally copies or uploads a controlled/restricted dataset without appropriate access controls/restrictions.
Identify through data warehouse query and end user reporting:
☑ Original terms of data contribution are not respected. Data proliferated into Synapse beyond the original terms of use
☑ Public Synapse spaces contain only data classified as public
Data Handling Associated Queries: MD5 duplicates
, Restriction change of state
3. Data loss
A Synapse account may be permitted to access many datasets of different classifications. An incident of account sharing or account compromise may result in the download of a dataset beyond what is intended according to an access restriction.
Data Loss Threat Scenarios
Threat: A Synapse account with extensive access to controlled datasets may be compromised:
Identify through data warehouse query and end user reporting:
☑ Detecting the exfiltration of data from Synapse correlated with large-scale download activity by a user
Data Loss Associated Queries: Restriction change of state
, Top downloaders