Making the Grade: 6 Data Protection Best Practices for Universities and Colleges
By Todd Thiemann
Data breaches have become commonplace in colleges and universities. Simply visit http://www.datalossdb.org or read front-page news about the latest breaches at institutions including the University of South Carolina (34,000 records), the University of Georgia (8,500 victims), or the University of Nebraska (650,000 student records). According to one college IT manager I spoke with, "We have implemented numerous security policies but we wanted to make sure that even if someone got through, they would not be able to view the data. I was literally not sleeping some nights and worrying about getting hacked."
Like many things in life, security is a balancing act. Usually this involves making data available to knowledge workers and protecting the information they are using. Although disconnecting the data center from the campus network might secure information, campus operations would quickly grind to a halt. The goal is to mitigate the major risks while minimizing the burden of data-access restrictions.
Any good data protection strategy involves defense in depth. There is no cure-all or single solution that enables an organization to ensure its data is 100 percent safe and at the same time usable. Most campuses have well-developed perimeter defenses include firewalls, network intrusion detection systems/intrusion prevention systems (IPS/IPS), and gateway antivirus.
What is frequently overlooked is that most sensitive data sits on servers in the data center. The 2012 Verizon Data Breach Investigations Report showed that the majority of breaches (64 percent) involved servers, and those breaches accounted for 94 percent of all records. As a result, paying a disproportionate amount of attention to securing server assets is a best practice. Here are some of the other best practices we have seen in university and college IT environments.
Best Practice #1: Understand your compliance regime and what is required
Each institution operates under its own set of compliance regulations. Understanding the compliance regime that governs your organization makes it easier to justify specific IT investments. Whether it's a state data breach law, HIPAA/HITECH for healthcare information that your institution holds, or a Federal grant that requires specific data security measures -- know what's required of your institution.
Best Practice #2: When it comes to data discovery and classification, know what you need to protect and know where it is located
Data discovery and classification are typically manual processes, although there are some tools to ease processes for databases. Remember to pay attention to structured data inside of databases, as well as unstructured data outside of the database. Unstructured data can include faxed images, student ID pictures, and personal records on digital microfiche. One college campus system we encountered had 20 million records in flat files that needed protection. Also consider university-specific applications that use databases and inputs coming from other storage locations that are in unstructured formats. If you simply focus on securing the database, you may miss some big security gaps.
Best Practice #3: Consider your entire environment including disaster recovery
Hurricane Sandy was a painful reminder to have a disaster recovery (DR) plan. Most universities include DR sites that need to be included in security architecture planning. Understand how data is replicated to the DR site and Distributed File System (DFS) -- and make sure to protect that information.
Best Practice #4: Remember defense in depth
Build on the infrastructure that's already in place and defend sensitive information stored there. Although silver bullets do not exist, avoid reworking existing solutions and focus on data-centric protection rather than augmenting existing perimeter defenses.
Best Practice #5: Manage privileged users
Separation of duties (SoD, sometimes called segregation of duties) should not be overlooked. Layered database protection includes encryption for data at rest along with database activity monitoring (DAM, also referred to as Database Audit & Protection (DAP). DAM/DAP monitors privileged users, such as database administrators (DBAs), inside the database, while encryption establishes SoD for privileged system users outside of the database (system administrators). DAM/DAP also provides evidence, after a breach, on how many records may have been compromised. Note that file-level encryption secures the data at rest and provides SoD, while storage-level encryption (SAN encryption via a switch) typically does not provide SoD.
Best Practice #6: Remember reporting/auditing
After you have put security around the data, consider deploying security information and event management (SIEM) technology to gather data from layered security systems and detect suspicious activity/problems.
Putting the Guidelines to Work
Using these guidelines can help minimize the risk of your institution being in the headlines and will allow for a quicker recovery in the event of a security breach.
Todd Thiemann is senior director of product marketing for enterprise encryption vendor Vormetric and co-chair of the Cloud Security Alliance (CSA) Solution Provider Advisory Council. You can contact the author at firstname.lastname@example.org.