
Threat Scenarios

1. Data access

Synapse implements an access control system based on the properties of the dataset and/or the properties of the user profile attempting to gain access. Public datasets may be controlled (users must agree to specific terms and request access from ACT or another specified entity, and may be required to upload certain documentation depending on the dataset), restricted (users must agree to specific terms, but access is granted automatically once the terms are accepted), or open (users can view data either anonymously or once they have created a Synapse account).

Within dataset-specific access requirements and project sharing settings, data contributors may specify whether users must be registered (created an account and agreed to the Synapse Pledge), certified (passed a quiz indicating security and privacy policy awareness), or validated (the identity linked to the account has been verified) to obtain access.

Rather than restricting or controlling data, project administrators can also choose to make their projects or folders private and share them only with specific Synapse users and teams. General Synapse users cannot view or access private projects or entities unless a project administrator explicitly shares them.

Data Access Threat Scenarios

Threat: A Synapse user intentionally or inadvertently accesses controlled data without qualification

Identify through data warehouse query and end user reporting:

Users who have posted or accessed controlled data without the appropriate access level required for the respective dataset.

Threat: A Synapse user with significant access to data intentionally or inadvertently shares access

Identify through data warehouse query and end user reporting:

A single file downloaded multiple times by a single user

Data Access Associated Queries: Top downloaders

2. Data handling

Synapse allows end users to upload data once they have certified their account by passing the certification quiz. The certification process is an administrative control that trains users on appropriate data handling procedures. Once granted data upload rights, an end user is expected to determine sharing settings and request access restrictions for the data they contribute to the platform, or adopt the sharing/access settings of the respective Synapse community they are contributing to.  

Data Handling Threat Scenarios 

Threat: A Synapse user intentionally or accidentally copies or uploads a controlled/restricted dataset without appropriate access controls/restrictions.

Identify through data warehouse query and end user reporting:

Original terms of data contribution are not respected. Data proliferated into Synapse beyond the original terms of use

Public Synapse spaces contain only data classified as public

Data Handling Associated Queries: MD5 duplicates, Restriction change of state

3. Data loss

A Synapse account may be permitted to access many datasets of different classifications. An incident of account sharing or account compromise may result in the download of a dataset beyond what is intended according to an access restriction.

Data Loss Threat Scenarios

Threat: A Synapse account with extensive access to controlled datasets may be compromised

Identify through data warehouse query and end user reporting:

Detecting the exfiltration of data from Synapse correlated with large-scale download activity by a user

Data Loss Associated Queries: Restriction change of state, Top downloaders
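
The following added example (not Synapse's own queries or warehouse schema) runs three of the checks named above against an in-memory SQLite database: repeated downloads of one file by one user, top downloaders of non-open data, and MD5 duplicates that expose controlled or restricted content as open. The table names, columns, thresholds and rows are assumptions constructed for illustration.

```python
import sqlite3

# Hypothetical warehouse schema and constructed sample rows (not Synapse's real tables).
SCHEMA = """
CREATE TABLE files (file_id TEXT PRIMARY KEY, md5 TEXT, restriction TEXT);
CREATE TABLE downloads (user_id TEXT, file_id TEXT, day TEXT);
INSERT INTO files VALUES
  ('f1', 'aa11', 'controlled'), ('f2', 'bb22', 'restricted'),
  ('f3', 'cc33', 'open'),       ('f4', 'aa11', 'open');
INSERT INTO downloads VALUES
  ('u1','f1','2024-01-01'), ('u1','f1','2024-01-01'), ('u1','f1','2024-01-02'),
  ('u1','f2','2024-01-02'), ('u2','f3','2024-01-01'), ('u2','f3','2024-01-03'),
  ('u3','f1','2024-01-02');
"""

def load_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def repeat_downloads(conn, min_count=3):
    """One user downloading the same file min_count times or more."""
    return conn.execute(
        "SELECT user_id, file_id, COUNT(*) AS n FROM downloads "
        "GROUP BY user_id, file_id HAVING COUNT(*) >= ? ORDER BY n DESC",
        (min_count,)).fetchall()

def top_downloaders(conn, limit=2):
    """Users ranked by download events against non-open files."""
    return conn.execute(
        "SELECT d.user_id, COUNT(*) AS n FROM downloads d "
        "JOIN files f ON f.file_id = d.file_id "
        "WHERE f.restriction <> 'open' "
        "GROUP BY d.user_id ORDER BY n DESC, d.user_id LIMIT ?",
        (limit,)).fetchall()

def md5_duplicates(conn):
    """Content of a controlled/restricted file that also exists as an open file."""
    return conn.execute(
        "SELECT p.file_id, o.file_id, p.md5 FROM files p "
        "JOIN files o ON o.md5 = p.md5 "
        "WHERE p.restriction IN ('controlled', 'restricted') "
        "AND o.restriction = 'open' ORDER BY p.file_id").fetchall()

if __name__ == "__main__":
    conn = load_sample()
    print(repeat_downloads(conn), top_downloaders(conn), md5_duplicates(conn))
```
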