While colleges and universities would love a silver bullet, there is no single technology that can protect them from all data breaches. Instead, data security must use a layered approach, with each technology playing an important role.
According to Symantec’s 2016 Internet Security Threat Report, in the education sector in 2016 there were 20 data breaches that exposed roughly 5 million identities. With the amount of data collected by higher ed institutions only increasing, it seems likely that the number of breaches will only rise as well.
In a recent interview with MeriTalk, Shawn Ryan, director of marketing and client relations for Camouflage, a provider of data masking solutions, said it’s not a matter of if, but when a higher ed institution will be breached. More important than when an institution is breached is what level of exposure the institution’s sensitive data has. In a seperate interview, Adam Cason, director of product marketing for Futurex, a provider of provider of cryptographic solutions, agreed with Ryan and said, “A data breach in the academic sphere is not only a possibility, but is a reality.”
Both Ryan and his colleague Steve Pomroy, Camouflage’s chief technology officer, advocate that there is no silver bullet when it comes to data security for higher ed institutions, but rather a layered approach is necessary–complete with firewalls, data encryption, and data masking–among other technologies.
Threats Higher Ed is Facing
Colleges are dealing with numerous threats on a daily basis. Cason explained, “A campus is essentially its own little town, with restaurants, medical services, and financial transactions occurring every day. All of this information, in addition to personally identifiable information, academic records, and academic research, needs to be protected. Data theft is a lucrative business, and higher education has sensitive information in stockpiles.”
Ryan and Pomroy also stressed the importance of not only prioritizing the external threat, which they said gets more focus from the media, but also prioritizing the possibility of internal threats–both malicious and accidental.
“The inside threat is quite significant, either malicious or accidental. You have a contractor or employee who takes a copy of data home with them on a laptop and the laptop gets stolen and suddenly there’s a breach,” explained Pomroy.
All three experts interviewed agree that schools are dealing with an overconfidence in their understanding of their data and their current protection methods.
“Schools believe they know what sensitive data they have, but what we consistently tell clients is that there is a difference between a manual search for data and a belief that you know what sensitive data you have and a purpose-built solution that looks for all sensitive data available. We consistently find more sensitive data that many in the higher ed organization thought was eliminated or controlled,” Ryan cautioned.
While there are government regulations in place and compliance measures schools have to follow, both Ryan and Pomroy say it’s a mixed bag as to how well schools understand the regulations themselves and their obligations.
Cason argued that “schools are not adequately aware of the security risks they face. This can be due to a number of different things, but one of the most dangerous is a lack of funding for data security infrastructure and, even when the technology is there, a ‘checkbox compliance’ mentality on the part of IT decision-makers. Implementing enterprise-grade data security technology is critically important, but only when best practices-driven policies and controls govern its use.”
Data Masking Unmasked
Both Ryan and Pomroy are adamant that data masking must be a part of the security protocol for colleges and universities. Data masking is a method of anonymizing data that can be used for purposes such as application developing and testing, as well as user training and research.
Simply explained, if a school had two students, John Doe and Jane Smith, data masking would mix their names together forming Joe Smith and Jane Doe, but leave the rest of the identifiable data as is. This allows any research or analysis being conducted on student data to proceed as normal–no demographic data was changed. However, if a school were to have a data breach, Joe and Jane would be safe, because their identities were concealed.
Why Should Schools Use Data Masking?
Pomroy explained that many times schools are doing a far better job of protecting their production data, but leave data used for testing and research unprotected. And hackers are aware of this and are targeting testing data. When using data masking, it doesn’t matter if a breach occurs, because hackers will get no valuable data.
“I’m waiting for the headline that says, ‘Yes, there was a breach, but the data was all anonymized so nothing was stolen.’ What a sigh of relief the CTO, CIO, or CISO will feel,” Pomroy said.
A top concern for universities is budget, and Pomroy explains that data masking gets universities the best bang for their buck. Pomroy said typically there is only one copy of any given personally identifiable data file on the production side, but there are numerous copies on the testing and development side, because different groups and contractors are working on separate projects. Using data masking protects a huge swath of this vulnerable data–giving universities good value for their IT spend.
Pomroy also explained that data masking isn’t a one-size-fits-all investment. Rather, universities can choose what works for their budget. Universities can either purchase software from a provider like Camouflage or hire a company to deliver data masking as-a-service. Being able to tailor the investment to their budgets should help universities afford the technology.
Cason argues that schools need to use hardened cryptographic solutions as part of their data security plan. Cason argues that if cryptographic solutions are implemented properly is the best way to protect sensitive data. According to Cason, there are a range of products and solutions available to educational institutions. Three key areas where cryptographic solutions can be used are protecting secure records storage with tokenization technology, securing research data with digital signage services, and prepaid and identification cards issuance which provides institutions with fast, convenient, and secure means of producing both open and closed-loop prepaid and identification cards.
Cason explains, “Data in the clear, once stolen, is invaluable to criminals. Encrypted data, if stolen, yields nothing.”
Why Should Schools Use Hardened Cryptographic Solutions?
As with data masking, schools have a range of options with cryptographic solutions to meet their budget. Cason explains that schools can use a cloud-based solution to help reduce direct and indirect security costs, including hardware, staffing, training, compliance audits, data center space, bandwidth needs, and more. With a cloud-based solution, Cason explains, “The significant majority of this expense can be moved to operational instead of capital budgets, or even eliminated altogether.”
There might not be a silver bullet for higher ed data security, but by examining all technologies available and by protecting data across its whole life span, universities can keep students and staff safe.