Locking Down Data at U Nebraska

A typical university collects more sensitive data about students than a Fortune 500 company does about customers. Yet spending on data security tends to be minuscule at most universities in comparison with private industry. That's the observation of University of Nebraska Information Security Officer Joshua Mauk. In his three years on the job, Mauk has tightened data security considerably at the university in a gradual process that has involved not just the right software products, but lots of coordination across university groups--and ongoing user education.

Most institutions have put in place firewalls and other security measures to secure networks, but a remaining challenge is preventing loss of the sort of data that is often inadvertently sent in email messages--Social Security numbers; student health information; faculty and staff employment data; financial information on students, parents, alumni, donors, and vendors; and more. With regulations such as the Family Educational Rights and Privacy Act (FERPA), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and many state regulations specifically mandating careful handling of personal data, preventing data loss is a rising concern.

Unfortunately, confidential information at many institutions routinely leaves the campus in a steady stream, not because of hackers, but through accidental email exposure by users, most of whom are ignorant of good data security policies. The software Mauk and his team installed showed that faculty and staff--they were the target of the University of Nebraska data loss prevention initiative, rather than students--were routinely sending emails with confidential data including social security numbers, spreadsheets with credit card numbers, and other sensitive items.

Data security at any public university is especially challenging because of the open academic culture, distributed silos of duplicate information, poor or nonexistent data security policies, and a new set of students to educate about security each year. Add to that the tight budgets common in higher education, and launching data security initiatives can be a tremendous challenge.

Mauk and Data Security Analyst Chris Cashmere have worked together to address that challenge and lock down data, first by identifying the risks the university faced, then by convincing management of the need for better policies and procedures, and by selecting and installing software targeting data protection.

The software they chose, Symantec Data Loss Prevention, first helps identify where confidential data is stored, since that was one of the challenges Mauk and Cashmere faced. With a decentralized environment--the two work from the Central Administration office of the University of Nebraska, which has several campuses across the state--figuring out just what data was being created, stored, used, and shared, and by whom, was the first step.

Symantec DLP searched emails, files, databases, and the institution's web sites for confidential data, including credit card numbers, social security numbers, and other designated information. Monitoring outgoing and incoming email for security violations entailed looking for clues in the email that might reveal sensitive data. The Symantec software might find and flag a social security number in an outgoing email, for example, or a credit card number in incoming mail.

Rather than block the email completely, a level of protection that Symantec DLP does offer, Mauk chose a setting that alerted his team to the violation and sent the offending user an automated email making them aware of the violation. If the risk was severe enough, Mauk or Cashmere would contact the user to suggest better ways to convey the information--via an encrypted message, for example. Eventually, Mauk said, as education efforts continue, the university may tighten controls, effectively blocking the sending of emails containing sensitive data.
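As an added illustration (not the article's or Symantec's code), here is a minimal content-inspection check of the kind a DLP engine applies to outbound mail, with the monitor-and-notify versus block policy choice the article describes. The sample message, addresses and numbers are constructed; the card number is a standard Luhn-valid test value.

```python
import re

# Constructed sample message (not from the article). Mixes real-looking
# identifiers with look-alikes that a naive pattern match would flag.
SAMPLE_EMAIL = """From: registrar@example.edu
To: vendor@example.com
Subject: enrollment file

Student SSN 123-45-6789 attached. Billing card 4111 1111 1111 1111, exp 09/27.
Order ref 0000-00-0000 and phone 402-555-0199 should not trigger."""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def valid_ssn(area, group, serial):
    """Reject SSN-shaped numbers the SSA never issues (cuts false positives)."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")

def luhn_ok(digits):
    """Luhn checksum: true for a plausible payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep only the last four digits in alerts so the alert itself is not a leak."""
    return "*" * (len(digits) - 4) + digits[-4:]

def scan(text):
    """Return (kind, masked value) findings for SSNs and card numbers."""
    findings = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            findings.append(("ssn", mask("".join(m.groups()))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(("card", mask(digits)))
    return findings

def decide(findings, mode="alert"):
    """'alert' delivers but notifies sender and security team; 'block' stops delivery."""
    if not findings:
        return "deliver"
    return "block" if mode == "block" else "deliver+notify"
```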

Dealing with outside vendors is a continuing challenge, Mauk admitted, since there's often little that can be done to control an outside company's behavior. However, using the same automated functionality within the Symantec DLP software, outside companies are notified of their risky behavior. In extreme cases, Mauk or Cashmere have called the company's privacy officer or security manager directly to drive the point home. "We have surprised a couple of large organizations with our ability to see what their users are doing wrong," Mauk said.

Perhaps the biggest challenge is users. Mauk and Cashmere undertook a year-long awareness campaign using email and posters that focused on data security, along with other training. One poster, for example, featured a retro image of a mailman and warned senders to think of email like a postcard, with the same inherent exposure. "We needed to let people know what they should and shouldn't be doing," Cashmere said. Each of the university's four campuses developed policies and deployed them on their own campuses, with lots of cooperation from the central office.

One big obstacle: Up until 2004 at the University of Nebraska, a student's Social Security number was used as the primary identifier at the university. The numbers were everywhere, Mauk said--on central servers as well as individual faculty computers. Getting those numbers under control "was a huge challenge, one of our biggest."

Having used a data loss prevention product at a previous job, Mauk said, he brought with him an understanding of the value of DLP software. Convincing management of the need was relatively easy once the team brought in the product for a week-long demonstration and showed what sorts of security breaches it was catching. "Having real-life examples of things that were happening was invaluable," Mauk said. "We were able to report on 20 or 30 tangible [breaches]" that had occurred over the last week.

That sort of risk demonstration convinced everyone, he said, "that we wanted to move pretty quickly on this."

Mauk said he knew he and his team were making progress--but still had a ways to go--when he read a flagged email from a user who was beginning to understand the security concept: "I was a little bit hesitant to include Social Security numbers in an email," the university staff member wrote to the recipient, "but as long as you delete this message when you are done, we should be fine."
