Locking Down Data at U Nebraska
- By Linda L. Briggs
- 10/15/09
A typical university collects more sensitive data about students than a Fortune 500 company does about customers. Yet spending on data security tends to be minuscule at most universities in comparison with private industry. That's the observation of University of Nebraska Information Security Officer Joshua Mauk. In his three years on the job, Mauk has tightened data security considerably at the university in a gradual process that has involved not just the right software products, but lots of coordination across university groups--and ongoing user education.
Most institutions have instituted firewalls and other security measures to secure networks, but a remaining challenge is preventing loss of the sort of data that is often inadvertently sent in email messages--Social Security numbers; student health information; faculty and staff employment data; financial information on students, parents, alumni, donors, and vendors; and more. With regulations such as the Family Educational Rights and Privacy Act (FERPA), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and many state regulations specifically mandating careful handling of personal data, preventing data loss is a rising concern.
Unfortunately, confidential information at many institutions routinely leaves the campus in a steady stream, not because of hackers, but through accidental email exposure by users, most of whom are unaware of good data security practices. The software Mauk and his team installed showed that faculty and staff--they, rather than students, were the target of the University of Nebraska data loss prevention initiative--were routinely sending emails with confidential data, including Social Security numbers, spreadsheets with credit card numbers, and other sensitive items.
Data security at any public university is especially challenging because of the open academic culture, distributed silos of duplicate information, poor or nonexistent data security policies, and a new set of students to educate about security each year. Add to that the tight budgets common in higher education, and launching data security initiatives can be a tremendous challenge.
Mauk and Data Security Analyst Chris Cashmere have worked together to address that challenge and lock down data, first by identifying the risks the university faced, then by convincing management of the need for better policies and procedures, and finally by selecting and installing software targeting data protection.
The software they chose, Symantec Data Loss Prevention, first helps identify where confidential data is stored, since that was one of the challenges Mauk and Cashmere faced. With a decentralized environment--the two work from the Central Administration office of the University of Nebraska, which has several campuses across the state--figuring out just what data was being created, stored, used, and shared, and by whom, was the first step.
Symantec DLP searched emails, files, databases, and the institution's web sites for confidential data, including credit card numbers, Social Security numbers, and other designated information. Monitoring outgoing and incoming email for security violations entailed looking for clues in the email that might reveal sensitive data. The Symantec software might find and flag a Social Security number in an outgoing email, for example, or a credit card number in incoming mail.
Rather than block the email completely, a level of protection that Symantec DLP does offer, Mauk chose a setting that alerted his team to the violation and sent the offending user an automated email making them aware of the violation. If the risk was severe enough, Mauk or Cashmere would contact the user to suggest better ways to convey the information--via an encrypted message, for example. Eventually, Mauk said, as education efforts continue, the university may tighten controls, effectively blocking the sending of emails containing sensitive data.
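The two steps just described--scanning a message for Social Security and credit card number patterns, then applying either an alert-only or a blocking policy--can be illustrated with a small content-inspection routine. The following is an added example written for this article; it is not Symantec DLP code and does not reproduce that product's detection rules. It assumes a regex-based detector with basic SSN validity rules and a Luhn checksum to reduce false positives on arbitrary digit strings, a `mode` switch of `"alert"` or `"block"` standing in for the policy setting the article describes, and a constructed sample message; the card number in the sample is a widely used non-issued test number.

```python
"""Toy outbound-mail DLP check: flag Social Security numbers and Luhn-valid
payment card numbers in message text, then apply an 'alert' or 'block' policy.
Added illustration for this article; not Symantec DLP's detection logic."""
import re
from dataclasses import dataclass

# SSN: area not 000/666/9xx, group not 00, serial not 0000 (basic validity rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)(\d{3})-(?!00)(\d{2})-(?!0000)(\d{4})\b")
# Card candidates: 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str     # "ssn" or "card"
    masked: str   # only the last four digits survive into the alert record


def mask(digits: str) -> str:
    """Keep the last four digits so an alert never re-exposes the full value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_message(text: str) -> list[Finding]:
    """Return every SSN and Luhn-valid card number found in the message body."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", mask("".join(m.groups()))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):   # random 16-digit IDs fail this check ~90% of the time
            findings.append(Finding("card", mask(digits)))
    return findings


def enforce(text: str, mode: str) -> dict:
    """Apply policy: 'alert' delivers the mail but notifies sender and security
    team; 'block' stops delivery. Either way the findings are masked."""
    findings = scan_message(text)
    if not findings:
        return {"action": "deliver", "findings": []}
    action = "block" if mode == "block" else "deliver_and_notify"
    return {"action": action, "findings": findings}


# Constructed sample outbound message (not a real email from the article).
SAMPLE_OUTBOUND = (
    "Hi, the student's SSN is 123-45-6789 and the card on file is "
    "4111 1111 1111 1111. Call me at 402-555-0199 with questions."
)

if __name__ == "__main__":
    for mode in ("alert", "block"):
        print(mode, "->", enforce(SAMPLE_OUTBOUND, mode))
```

The phone number in the sample is deliberately there to show that the SSN pattern's group/serial lengths keep it from matching, and the Luhn check keeps ordinary order or account numbers of card-like length from being flagged. Running it in `"alert"` mode yields the notify-but-deliver behaviour the article describes; flipping the mode to `"block"` is the tighter control the team said it may move to later.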
Dealing with outside vendors is a continuing challenge, Mauk admitted, since there's often little that can be done to control an outside company's behavior. However, using the same automated functionality within the Symantec DLP software, outside companies are notified of their risky behavior. In extreme cases, Mauk or Cashmere have called the company's privacy officer or security manager directly to drive the point home. "We have surprised a couple of large organizations with our ability to see what their users are doing wrong," Mauk said.
Perhaps the biggest challenge is users. Mauk and Cashmere undertook a year-long awareness campaign using email and posters that focused on data security, along with other training. One poster, for example, featured a retro image of a mailman and warned senders to think of email like a postcard, with the same inherent exposure. "We needed to let people know what they should and shouldn't be doing," Cashmere said. Each of the university's four campuses developed policies and deployed them on their own campuses, with lots of cooperation from the central office.
One big obstacle: Up until 2004 at the University of Nebraska, a student's Social Security number was used as primary identifier at the university. The numbers were everywhere, Mauk said--on central servers as well as individual faculty computers. Getting those numbers under control "was a huge challenge, one of our biggest."
Having used a data loss prevention product at a previous job, Mauk said, he brought with him an understanding of the value of DLP software. Convincing management of the need was relatively easy once the team brought in the product for a week-long demonstration and showed what sorts of security breaches it was catching. "Having real-life examples of things that were happening was invaluable," Mauk said. "We were able to report on 20 or 30 tangible [breaches]" that had occurred over the last week.
That sort of risk demonstration convinced everyone, he said, "that we wanted to move pretty quickly on this."
Mauk said he knew he and his team were making progress--but still had a ways to go--when he read a flagged email from a user who was beginning to understand the security concept: "I was a little bit hesitant to include Social Security numbers in an email," the university staff member wrote to the recipient, "but as long as you delete this message when you are done, we should be fine."