U Nebraska Turns to Data Loss Prevention To Lock Down Sensitive Communications

A typical university collects more sensitive data about students than a Fortune 500 company does about customers. Yet spending on data security tends to be minuscule at most universities in comparison with private industry. That's the observation of University of Nebraska Information Security Officer Joshua Mauk. In his three years on the job, Mauk has tightened data security considerably at the university, in a gradual process that has involved coordination across university groups--and ongoing user education.

Most institutions have installed firewalls and other security measures to secure networks, but a remaining challenge is preventing the loss of the sort of data that is often inadvertently sent in e-mail messages--Social Security numbers; student health information; faculty and staff employment data; financial information on students, parents, alumni, donors and vendors; and more. With regulations and standards such as the Family Educational Rights and Privacy Act (FERPA), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and many state regulations specifically mandating careful handling of personal data, preventing data loss is a rising concern.

Unfortunately, confidential information at many institutions routinely leaves the campus in a steady stream, not because of hackers, but through accidental e-mail exposure by users, most of whom are ignorant of good data security policies. The software Mauk and his team installed showed that faculty and staff--they were the target of the University of Nebraska data loss prevention initiative, rather than students--were routinely sending e-mails with confidential data including Social Security numbers, spreadsheets with credit card numbers, and other sensitive items.

The Challenges of Data Security in Higher Education
Data security at any public university is especially challenging because of the open academic culture, distributed silos of duplicate information, poor or nonexistent data security policies, and a new set of students to educate about security each year.

Add to that the tight budgets common in higher education, and launching data security initiatives can be a tremendous challenge.

Mauk and data security analyst Chris Cashmere have worked together to address that challenge and lock down data, by identifying the risks the university faced, by convincing management of the need for better policies and procedures, and by selecting and installing software targeting data protection.

A Software Approach
The software they chose, Symantec Data Loss Prevention, first helps identify where confidential data is stored, since that was one of the challenges Mauk and Cashmere faced. With a decentralized environment--the two work from the Central Administration office of the University of Nebraska, which has several campuses across the state--figuring out just what data was being created, stored, used, and shared--and by whom--was the first step.

Symantec DLP searched e-mails, files, databases, and the institution's Web sites for confidential data, including credit card numbers, Social Security numbers, and other designated information. Monitoring outgoing and incoming e-mail for security violations entailed looking for clues in the e-mail that might reveal sensitive data. The Symantec software might find and flag a Social Security number in an outgoing e-mail, for example, or a credit card number in incoming mail.


A Symantec DLP dashboard overview of confidential data leaving the school

 

Rather than block the e-mail completely, a level of protection that Symantec DLP does offer, Mauk chose a setting that alerted his team to the violation and sent the offending user an automated e-mail making them aware of the violation. If the risk was severe enough, Mauk or Cashmere would contact the user to suggest better ways to convey the information--via an encrypted message, for example. Eventually, Mauk said, as education efforts continue, the university may tighten controls, effectively blocking the sending of e-mails containing sensitive data.
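The content matching and the alert-rather-than-block policy described above can be sketched as follows. This is an added example, not Symantec's implementation or code from the university; the regular expressions, the `mode` parameter, and the action names are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample message; the numbers are widely published test values.
SAMPLE = (
    "From: staff@example.edu\nTo: vendor@example.com\nSubject: records\n\n"
    "SSN is 078-05-1120, card on file 4111 1111 1111 1111.\n"
    "Ref 000-12-3456, old card 1234 5678 9012 3456.\n"
)

# Patterns are assumptions for this sketch, not the vendor's detection rules.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def valid_ssn(area, group, serial):
    """Reject ranges that are never issued, to cut false positives."""
    return (area not in ("000", "666") and area < "900"
            and group != "00" and serial != "0000")

def luhn_ok(digits):
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_message(raw, mode="monitor"):
    """Scan one plain-text message; return masked findings and the action."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []
    for m in SSN_RE.finditer(body):
        if valid_ssn(*m.groups()):
            findings.append(("ssn", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    if not findings:
        action = "deliver"
    elif mode == "block":
        action = "block"
    else:  # monitor: mail still goes out, team is alerted, sender is notified
        action = "deliver+alert+notify_sender"
    return {"sender": msg["From"], "findings": findings, "action": action}
```

Findings are masked before they are returned so that the alert queue does not itself become another copy of the sensitive data.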

The Challenges with Users
Dealing with outside vendors is a continuing challenge, Mauk admitted, since there's often little that can be done to control an outside company's behavior. However, using the same automated functionality within the Symantec DLP software, outside companies are notified of their risky behavior. In extreme cases, Mauk or Cashmere have called the company's privacy officer or security manager directly to drive the point home. "We have surprised a couple of large organizations with our ability to see what their users are doing wrong," Mauk said.

Perhaps the biggest challenge is users. Mauk and Cashmere undertook a year-long awareness campaign using e-mail and posters that focused on data security, along with other training. One poster, for example, featured a retro image of a mailman and warned senders to think of e-mail like a postcard, with the same inherent exposure. "We needed to let people know what they should and shouldn't be doing," Cashmere said. Each of the university's four campuses developed policies and deployed them on their own campuses, with lots of cooperation from the central office.

One big obstacle: Up until 2004 at the University of Nebraska, a student's Social Security number was used as the primary identifier at the university. The numbers were everywhere, Mauk said--on central servers as well as individual faculty computers. Getting those numbers under control "was a huge challenge, one of our biggest."

Building Awareness
Having used a data loss prevention product at a previous job, Mauk said, he brought with him an understanding of the value of DLP software. Convincing management of the need was relatively easy once the team brought in the product for a week-long demonstration and showed what sorts of security breaches it was catching. "Having real-life examples of things that were happening was invaluable," Mauk said. "We were able to report on 20 or 30 tangible [breaches]" that had occurred over the past week. That sort of risk demonstration convinced everyone, he said, "that we wanted to move pretty quickly on this."

Mauk said he knew he and his team were making progress--but still had a way to go--when he read a flagged e-mail from a user who was beginning to understand the security concept: "I was a little bit hesitant to include Social Security numbers in an e-mail," the university staff member wrote to the recipient, "but as long as you delete this message when you are done, we should be fine."

An archive of Campus Technology's Webinar on data loss prevention at the University of Nebraska (from July 2009) can be accessed here.
