The Norwegian Refugee Council (NRC) is an independent humanitarian organization helping people who have been forced to flee their homes. The NRC works in more than 30 countries, and in 2020 has served more than 12 million people. They are Norway’s largest international humanitarian organization and are widely recognized as a leading field-based displacement agency within the international humanitarian community. As a rights-based group, their main activity is the delivery of humanitarian aid through program activities in the field specializing in six areas of expertise: shelter and settlements; livelihoods and food security; information, counseling and legal assistance; education; camp management; and water, sanitation and hygiene promotion.
Partnering on a Skills-Based Volunteering project
In December 2021, NRC and GitHub’s Skills-Based Volunteering Program partnered together to solve information security issues for an NRC product called NRC Core that manages the information and relationship of the people who are forced to flee. Led by Cassie Seo, Head of Digital Transformation, and supported by Ludovic Cleroux, Irena Laemmerer, and Ben McAlindin at the NRC, Core resolves problems around the lack of a common repository for programme and activity data at the field office level—and the absence of standards (security, privacy, data governance, integration between data sources) for handling activity and personal data.
GitHub staff Stefan Edwards @lojikil, John Poulin @forced-request, and Rahul Zhade @rzhade3 took on this project and have been integral to its success. The project began with discovery sessions to understand NRC’s dataflow, trust zones, and systems-based sequence diagrams, as well as a review of the code. However, once the GitHub team dug deeper into the project, they decided to perform rapid risk assessments on all of NRC’s architecture and policies, not just Core, in order to tackle security issues.
The project team ran a number of rapid risk assessments from NRC’s offline procedures to the identity access management and case management system, the attachment server and blob storage, as well as geolocation IP and monitoring discussions. Each rapid risk assessment began by gathering information, establishing a data dictionary, and understanding what the component connections are. Then the team discussed threat scenarios and provided a series of recommendations.
These are some questions the GitHub team asked:
- What will affect NRC’s data confidentiality, integrity, and availability?
- What is the easiest attack vector and have any of the threats been mitigated?
- What happens to NRC if a certain service goes down?
- How would NRC know if something has been tampered with?
Project outcome
After twelve sessions, the security threat modeling project concluded with a series of recommendations that the NRC Digital Transformation team will work to implement. The GitHub team included a number of ways the NRC can better protect its data and their staff.
Recommendations included how NRC can structure their vendor policy, ways to audit an attacker’s path through an application, direction on identifying stakeholders and playbooks in the event of an attack, policies on sharing devices with different levels of access, and ways to reconcile versions of data between server and local instances—essentially providing a strategic guide for the NRC to think about how to approach security challenges and uncover potential vulnerabilities now and in the future.
Thank you to the GitHub project team, Stefan Edwards @lojikil, John Poulin @forced-request and Rahul Zhade @rzhade3 for all the hard work on keeping NRC secure!