Data encryption is now a necessity for many higher education IT departments.
All colleges and universities work hard to protect students' private information, but when a university boasts dozens of famous alumni and sits four blocks from the White House, data privacy is even more essential.
That's the case at The George Washington University, a Washington, D.C., institution with about 25,000 students. Several years ago, the university's Division of Information Technology deployed full-disk encryption on the notebooks and desktops of its most critical personnel. Today, about 3,000 of its 9,000 staff and faculty use Sophos SafeGuard Easy, a full-disk encryption solution for notebooks and PCs.
“We targeted the hardware of users who were most likely to have access to personal information, like the executive vice president's office, the treasurer's office and human resources,” says senior analyst Brian Chan.
GW is taking the right approach, says Michael Spinney, senior privacy analyst with the Ponemon Institute, a security research group. In fact, a recent report on encryption by the institute found that more than 90 percent of organizations now believe that data protection is either a “very important” or “important” part of their risk management efforts, rising significantly from previous surveys.
“There was a point in time when device encryption may have been good enough, but that time has passed,” Spinney says. “With devices getting so small, people becoming so mobile, electronic communications so pervasive and hackers becoming so good at what they do, encryption at the data level is a critical piece of the security solution.”
For GW's users, the data encryption product had to be easy to use and effectively invisible in daily work, says Blaine D'Amico, GW's systems security architect.
“We determined early on that if the system required power-on authentication, we would have had a revolt and people would find workarounds,” he says. “And we had to make sure that it didn't interfere with their day-to-day work while we still got the benefits of full-disk encryption.”
That choice is a trade-off worth naming: without power-on (pre-boot) authentication the disk is unlocked automatically at start-up, so the encryption defends against a drive pulled out of the machine, but a stolen notebook still boots to the operating-system login screen, and the strength of that login, the screen-lock policy and any remote-wipe capability then carry the protection. Next up is encryption of e-mail containing sensitive information that is sent to recipients outside the university's network. It is a work in progress, Chan says, but it is in the long-term plan.
The University of Phoenix, a for-profit college with about 300 locations and 20,000 staff and faculty members, faces a slightly different challenge from other universities. In addition to keeping all student data confidential and secure, it has the privacy obligations of a publicly traded company.
“Because we are a large corporate entity and a university, we hold private shareholder data and corporate financials as well as student loan data and personal student information,” says Scott Carlson, principal security engineer at Apollo Group, which owns the University of Phoenix.
[Sidebar: The average cost of a breached data record in the United States (Source: Ponemon Institute)]
Both of those requirements lead to a multipronged security approach. At the notebook PC level, about 5,000 staffers use McAfee Endpoint for Devices, a full-disk encryption product that protects data if units are lost or stolen. The IT department configured the software to require preboot authentication: users must enter a password before the operating system will boot, so the disk stays locked if a lost or stolen machine is simply powered on. For data that is physically carried from one machine to another, Carlson says the organization also plans to start using McAfee encrypted USB drives.
Carlson's group has selected two types of encryption for data that leaves its own network. For data extracted from its Oracle databases, it uses Oracle Database Vault and encrypts only the sensitive fields, such as Social Security numbers, while leaving the rest of each record in the clear. (In Oracle's product line, Database Vault itself enforces access controls such as realms and command rules on who may reach the data; column-level encryption is provided by Transparent Data Encryption.) For encrypted e-mail, the University of Phoenix is testing Cisco's IronPort Email Bundle, which automatically encrypts messages that contain confidential data.
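The selective, field-level approach described above (encrypt only the sensitive column and leave the rest of the record readable) and the content-triggered rule behind the e-mail product (encrypt only when the content contains confidential data) can be shown together. The Go program below is an added example written for this article, not code from Oracle, Cisco, McAfee or Apollo Group. It assumes a hypothetical detection rule (a field containing an SSN-shaped string is treated as sensitive), a fixed demo key, a constructed sample record, and a hypothetical record ID (student-1001) that is used to bind each ciphertext to its row.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// ssnPattern is a hypothetical detection rule: any field containing a U.S.
// Social Security number written as NNN-NN-NNNN is treated as sensitive.
var ssnPattern = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)

// IsSensitive reports whether a field value must be encrypted.
func IsSensitive(value string) bool {
	return ssnPattern.MatchString(value)
}

// newGCM builds an AES-GCM AEAD; the key must be 16, 24 or 32 bytes.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one field under a fresh random nonce. The record ID is bound
// in as additional authenticated data, so a ciphertext moved into another row fails.
func EncryptField(key []byte, recordID, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(recordID)) // nonce || ciphertext || tag
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField and errors if key, record ID or ciphertext differ.
func DecryptField(key []byte, recordID, encoded string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("ciphertext shorter than nonce")
	}
	nonce, body := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, body, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(plaintext), nil
}

// ProtectRecord copies the record, replacing every sensitive field with its
// ciphertext; the other fields stay in the clear and remain searchable.
func ProtectRecord(key []byte, recordID string, fields map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(fields))
	for name, value := range fields {
		if IsSensitive(value) {
			sealed, err := EncryptField(key, recordID, value)
			if err != nil {
				return nil, err
			}
			value = sealed
		}
		out[name] = value
	}
	return out, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // demo AES-256 key; fetch from a key manager in practice
	// Constructed sample row, not data from the article.
	row := map[string]string{
		"name": "Ada Lovelace",
		"ssn":  "123-45-6789",
		"note": "Aid form lists SSN 987-65-4321 for verification",
	}
	protected, err := ProtectRecord(key, "student-1001", row)
	if err != nil {
		panic(err)
	}
	fmt.Println(protected) // name stays readable; ssn and note are base64 ciphertext
	// The same ciphertext presented under another record ID is rejected.
	if _, err := DecryptField(key, "student-2002", protected["ssn"]); err != nil {
		fmt.Println("decrypt under a different record ID:", err)
	}
}
```

Passing the record ID as GCM additional authenticated data is the check a practitioner wants when encrypting individual columns: without it, anyone with write access to the table could copy one student's encrypted SSN into another student's row and it would still decrypt cleanly.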
“Our goal is to be secure at every level,” Carlson says. “We owe our students and our shareholders that much.”
5 Data Encryption Tips
- Encrypt throughout the organization. Don't rely on encrypting data in only one department or on only one type of system. Deploy encryption consistently across the organization and across every e-mail and mobile platform in use, so that a record protected on the server is not exposed on the notebook or phone it is copied to.
- Build in flexibility. Write policies and procedures for revoking any user's access quickly when the need arises, including revoking or rotating the encryption keys that user held and checking that the data has not been copied to another device.
- Understand encryption's importance. Don't treat other controls, such as firewalls, as a substitute for data encryption; a firewall does nothing for a notebook that has already left the building.
- Be thorough. For data that will be transmitted electronically, make sure the technology you use covers the following: TLS (formerly SSL) to encrypt data in transit, PGP or S/MIME to encrypt e-mail content end to end, digital certificates to authenticate the parties involved, and digital signatures to give electronic documents integrity and non-repudiation.
- Take new media seriously. Don't overlook encryption on newer devices such as tablets and smartphones, which carry the same data as notebooks and are lost far more easily.