Major universities look to prevent identity theft and data breaches by deploying data loss prevention software.
Play It Safe with DLP
At Georgia State University in Atlanta, Chief Information Security Officer Tammy Clark is on a "seek and educate" mission about sensitive data. Although her focus is a holistic approach involving people, process and technology, one technical weapon of choice is host data loss prevention (DLP) software.
GSU must comply with numerous laws and mandates, including HIPAA, the Payment Card Industry's Data Security Standard, and the Federal Information Security Management Act. A challenge that is always present is figuring out where sensitive data lies on the university's 40,000 network connections across campus.
"As a university, we have to maintain an open and sharing network. We have large data repositories, and we are planning on utilizing host DLP to help us find and protect our most critical and sensitive data," Clark says.
DLP is software that can be deployed at the endpoint, such as a notebook or desktop, or within the network to detect and manage sensitive data, both at rest and in motion. Based on predetermined settings, the data can either be erased or quarantined as the IT staff and users are notified.
“In the past, DLP technology was targeted at very well-funded financial, government and healthcare institutions because it was considered cutting-edge security,” says Phil Hochmuth, program manager for security products at research group IDC. “That has changed as the technology has become more affordable and more organizations need this granular level of protection.”
Hochmuth considers the growing number of federal, state and industry compliance mandates an equally important driver for increased interest in DLP among higher education institutions.
“Almost every organization now has to be careful about inadvertent transmission via e-mail or file transfers of sensitive data [for which] they may face fines, legal repercussions or reputational damage,” he says.
It's a concept that Clark knows well. She plans to use McAfee host DLP software to scan endpoints for high-risk data such as Social Security numbers or credit card information and considers this job as important, if not more so, than finding malware infections on university systems. "If you get malware on a system, you can always re-image or 'fix' the machine. You'll have a harder time recovering if critical data escapes or lands in the wrong hands," she says.
Clark plans to integrate host DLP software with McAfee ePolicy Orchestrator to satisfy legal requirements for protecting research and development and personal information about the school's students, faculty and staff. She couples the technology with user education, policies and standards that inform campus users about their responsibilities to protect sensitive data.
"If we find sensitive data on university-owned systems – and we will – this will present us with opportunities to explain the risks to our users, as well as let them know how they can assist us in protecting the data they handle in their day-to-day duties at the university," she says.
North Carolina State University in Raleigh hopes to roll out a similar strategy, but is still in the risk assessment phase.
Mardecia Bell, director of security and compliance in the Office of Information Technology, and John Baines, assistant director for security standards and compliance, have been working on a framework that defines sensitive data across campus. What's driving them, they say, is the move to the cloud and the disappearance of the network perimeter. “We have a much bigger security issue to deal with now that data is flowing in and out of cloud-based applications and smartphones,” Bell says.
The amount the U.S. Veterans Affairs Department paid to settle a class-action lawsuit that stemmed from the 2006 theft of a notebook containing data about more than 26 million veterans
They closely examined more than a half-dozen regulations and came up with data classifications that match them, separating information into red, yellow and green groupings. “If leaked data would result in fines or notification costs, it is considered highly sensitive, or â€˜red,' and should be closely monitored by a DLP solution,” Baines says.
The “red” category is producing a large list of sensitive data for the university to handle, so a fourth category of “red hot” is being created. “These items constitute the lightning rods of identity theft and have to be dealt with immediately to avoid breaches and protect the reputation of the university,” Baines adds.
Bell believes taking time to do this upfront work will narrow the field of data that has to be protected by DLP and, therefore, reduce the software's overall licensing and management costs. “You don't want to pay the same price to protect less-sensitive data,” she says. They plan to pair this deep dive with the potential cost of a leak to eventually gain approval for DLP funding.
DLP on the Rise
Industry analysts expect increased interest in data loss prevention software in the months ahead.
“There are enough breaches and exposures across industries to warrant consideration of DLP solutions, not to mention compliance requirements,” says Rich Mogull, analyst and CEO at Securosis, a security consultancy in Phoenix.
DLP software can be sold in stand-alone or appliance form, depending on where it is being deployed in an organization. McAfee, Symantec and Trend Micro all offer endpoint DLP solutions. Whether bundled into existing endpoint products or rolled out separately, endpoint DLP ensures that sensitive data is either banned from being stored locally, properly encrypted or deleted in accordance with retention requirements.
Network DLP, offered by Cisco, McAfee and RSA among others, protects sensitive data in motion. For instance, such tools would prevent employee financial data from being sent outside of an organization. The parameters for DLP monitoring are set by an organization based on its own definition of sensitive data.
DLP from McAfee also can be used to discover the sensitive data in an organization, according to Phil Hochmuth, program manager for security products at research group IDC. “Rather than taking a hair-on-fire approach and encrypting everything, you can locate sensitive data and strategically protect it,” Hochmuth says.