U Nebraska Turns to Data Loss Prevention To Lock Down Sensitive Communications

A typical university collects more sensitive data about students than a Fortune 500 company does about customers. Yet spending on data security tends to be miniscule at most universities in comparison with private industry. That's the observation of University of Nebraska Information Security Officer Joshua Mauk. In his three years on the job, Mauk has tightened down data security considerably at the university, in a gradual process that has involved coordination across university groups--and ongoing user education.

Most institutions have instigated firewalls and other security measures to secure networks, but a remaining challenge is preventing the loss of the sort of data that is often inadvertently sent in e-mail messages--Social Security numbers; student health information; faculty and staff employment data; financial information on students, parents, alumni, donors and vendors; and more. With regulations and standards such as the Family Educational Rights and Privacy Act (FERPA), the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability (HIPAA), and many state regulations specifically mandating careful handling of personal data, preventing data loss is a rising concern.

Unfortunately, confidential information at many institutions routinely leaves the campus in a steady stream, not because of hackers, but through accidental e-mail exposure by users, most of whom are ignorant of good data security policies. The software Mauk and his team installed showed that faculty and staff--they were the target of the University of Nebraska data loss prevention initiative, rather than students--were routinely sending e-mails with confidential data including Social Security numbers, spreadsheets with credit card numbers, and other sensitive items.

The Challenges of Data Security in Higher Education
Data security at any public university is especially challenging because of the open academic culture, distributed silos of duplicate information, poor or nonexistent data security policies, and a new set of students to educate about security each year.

Add to that the tight budgets common in higher education, and instigating data security initiatives can be a tremendous challenge.

Mauk and data security analyst Chris Cashmere have worked together to address that challenge and lock down data, by identifying the risks the university faced, by convincing management of the need for better policies and procedures, and by selecting and installing software targeting data protection.

A Software Approach
The software they chose, Symantec Data Loss Prevention, first helps identify where confidential data is stored, since that was one of the challenges Mauk and Cashmere faced. With a decentralized environment--the two work from the Central Administration office of the University of Nebraska, which has several campuses across the state--figuring out just what data was being created, stored, used, and shared--and by whom--was the first step.

Symantec DLP searched e-mails, files, databases, and the institution's Web sites for confidential data, including credit card numbers, Social Security numbers, and other designated information. Monitoring outgoing and incoming e-mail for security violations entailed looking for clues in the e-mail that might reveal sensitive data. The Symantec software might find and flag a Social Security number in an outgoing e-mail, for example, or a credit card number in incoming mail.


A Symantec DLP dashboard overview of confidential data leaving the school

 

Rather than block the e-mail completely, a level of protection that Symantec DLP does offer, Mauk chose a setting that alerted his team to the violation and sent the offending user an automated e-mail making them aware of the violation. If the risk was severe enough, Mauk or Cashmere would contact the user to suggest better ways to convey the information--via an encrypted message, for example. Eventually, Mauk said, as education efforts continue, the university may tighten controls, effectively blocking the sending of e-mails containing sensitive data.

The Challenges with Users
Dealing with outside vendors is a continuing challenge, Mauk admitted, since there's often little that can be done to control an outside company's behavior. However, using the same automated functionality within the Symantec DLP software, outside companies are notified of their risky behavior. In extreme cases, Mauk or Cashmere have called the company's privacy officer or security manager directly to drive the point home. "We have surprised a couple of large organizations with our ability to see what their users are doing wrong," Mauk said.

Perhaps the biggest challenge is users. Mauk and Cashmere undertook a year-long awareness campaign using e-mail and posters that focused on data security, along with other training. One poster, for example, featured a retro image of a mailman and warned senders to think of e-mail like a postcard, with the same inherent exposure. "We needed to let people know what they should and shouldn't be doing," Cashmere said. Each of the university's four campuses developed policies and deployed them on their own campuses, with lots of cooperation from the central office.

One big obstacle: Up until 2004 at the University of Nebraska, a student's Social Security number was used as primary identifier at the university. The numbers were everywhere, Mauk said--on central servers as well as individual faculty computers. Getting those numbers under control "was a huge challenge, one of our biggest."

Building Awareness
Having used a data loss prevention product at a previous job, Mauk said, he brought with him an understanding the value of DLP software. Convincing management of the need was relatively easy once the team brought in the product for a week-long demonstration and showed what sorts of security breaches it was catching. "Having real-life examples of things that were happening was invaluable," Mauk said. "We were able to report on 20 or 30 tangible [breaches]" that had occurred over the past week. That sort of risk demonstration convinced everyone, he said, "that we wanted to move pretty quickly on this."

Mauk said he knew he and his team were making progress--but still had a way to go--when he read a flagged e-mail from a user who was beginning to understand the security concept: "I was a little bit hesitant to include Social Security numbers in an e-mail," the university staff member wrote to the recipient, "but as long as you delete this message when you are done, we should be fine."

An archive of Campus Technology's Webinar on data loss prevention at the University of Nebraska (from July 2009) can be accessed here.

Featured