Protecting Your Data from the Inside Out

from School CIO

Today’s networked environment brings tremendous value to our students and employees, yet it has also created significant risks—from identity theft to distribution of inappropriate content.

According to Gartner Group, 70 percent of security incidents that cause loss to enterprises—rather than mere annoyance—involve insiders. Yet, most security tools to date, such as firewalls and intrusion prevention, have focused on external threats.

Given these realities, how should school districts deal with internal threats? The answer lies in extrusion prevention—the process of stopping data leakage. Extrusion prevention protects digital assets, prevents the leaking of sensitive information (such as unique attributes about student and employees), and thwarts network misuse (such as illegal peer-to-peer file sharing). In short, extrusion prevention helps school systems guard against significant losses and liabilities.

Addressing the Threat

At the Orange County Public School System (OCPS), we continuously evaluate our network infrastructure to ensure we’re maximizing value—especially for instruction—while maintaining security. We have adopted industry best practices to manage identity information of approximately 181,000 students and 23,000 employees. And we comply with the Child Internet Protection Act, the Health Insurance Portability and Accountability Act, and the Family Educational Rights and Privacy Act by, for example, making sure we have auditable release forms on file.

Until recently, however, we had not leveraged technology to help us monitor and control the information that leaves our network. Even with our current Acceptable Use Policy and a range of best-in-class security tools such as a firewall, intrusion prevention, virus detection, and spam/content filtering on inbound traffic, concerns about sensitive data leaking from our network lingered.

We decided to test drive and purchase an extrusion prevention system (EPS), the Fidelis XPS from Fidelis Security Systems. Using keyword filtering, the EPS allows us to monitor and identify questionable network sessions, from inappropriate instant messaging to cyber bullying. The technology also monitors files leaving the district, searching for specific patterns such as social security numbers, student IDs, and payroll information being sent out to the Internet from specific confidential systems.
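As an added illustration of the kind of outbound-content rule such a system applies (example code written for this article, not the district's configuration or any vendor's code), the scanner below matches SSN-shaped values, and, only for traffic from designated confidential systems, student IDs and payroll terms. Hostnames, the student-ID format, and the keyword list are assumptions; the sample sessions are constructed.

```python
import re
from dataclasses import dataclass

# Hosts treated as confidential source systems (hypothetical names, not the district's).
CONFIDENTIAL_SOURCES = {"sis-db.internal.example", "payroll.internal.example"}
# Destinations inside the district are not "leaving the network".
INTERNAL_SUFFIX = ".internal.example"

# SSN in AAA-GG-SSSS form, excluding shapes the SSA never issues
# (area 000, 666 or 900-999; group 00; serial 0000) to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Hypothetical student-ID format: 'S' plus eight digits (an assumption for this example).
STUDENT_ID_RE = re.compile(r"\bS\d{8}\b")
# Payroll indicators: phrases typical of pay-data exports (keyword list is illustrative).
PAYROLL_RE = re.compile(r"\b(?:net pay|routing number|direct deposit)\b", re.IGNORECASE)

@dataclass
class Session:
    src_host: str
    dst_host: str
    payload: str

def scan_session(s: Session) -> dict:
    """Return {rule: hit_count} for an outbound session, or {} if nothing matched.
    Matches are counted, never copied into the result, so the alert record does
    not become a second copy of the sensitive data."""
    if s.dst_host.endswith(INTERNAL_SUFFIX):
        return {}  # internal-to-internal traffic is out of scope
    hits = {}
    n = len(SSN_RE.findall(s.payload))
    if n:
        hits["ssn"] = n
    # Student IDs and payroll terms only count when they originate from a system
    # that holds that data; this keeps ordinary classroom traffic from tripping the rule.
    if s.src_host in CONFIDENTIAL_SOURCES:
        n = len(STUDENT_ID_RE.findall(s.payload))
        if n:
            hits["student_id"] = n
        n = len(PAYROLL_RE.findall(s.payload))
        if n:
            hits["payroll"] = n
    return hits

# Constructed sample sessions (not captured traffic).
SAMPLES = [
    Session("sis-db.internal.example", "mail.outside.example",
            "Export: S00123456, S00123457 net pay 3,210.00 SSN 123-45-6789"),
    Session("lab-pc-12.internal.example", "chat.outside.example",
            "my id is S00123456 lol"),  # student ID from a non-confidential host: ignored
    Session("lab-pc-12.internal.example", "chat.outside.example",
            "test number 000-12-3456 and 987-65-4320"),  # SSN shapes never issued
    Session("payroll.internal.example", "fileshare.internal.example",
            "routing number 021000021 net pay"),  # stays inside the district
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.src_host, "->", s.dst_host, scan_session(s))
```

Running it flags only the first session; the other three show why source-system scoping, SSN validity rules and an internal-destination exclusion matter for keeping false positives low.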

The Three A’s of Deployment

As any technologist knows, the human factor can often make or break a successful deployment. Deploying an extrusion prevention system is no different—it isn’t simply a technology change, but a cultural shift as well. Based on our experience at OCPS, following are clear steps to a successful implementation. To be sure, it’s a cyclical process that’s always ongoing, but it is a solid process nonetheless.

Phase 0: The Amnesty Period
Time period: 60-90 days

During the initial deployment of an EPS, communication is essential. Remind educators, students, and administrators of the policies in place and make them aware of the new technology being deployed, the benefits it provides, and the penalties for policy violation. At OCPS we use a variety of newsletters, e-mail updates, and our Intranet to get the word out. Because this is a cultural change and a policy change, prepare yourself for numerous and lengthy discussions around accountability and enforcement with your human resource, legal, and/or employee relations departments, not to mention your union. Keep in mind you will probably need to reassess your policies, and in some cases, you might have to change job descriptions. Although penalties aren’t assessed in this phase, simply through education you will already begin to deter violations and increase security.

Phase 1: The Action Period
Time period: 3-9 months

This is when large-scale rollout occurs. Amnesty is removed, all violations are identified, the most egregious are made public, and offenders are punished. The punishment for students should be part of the student code of conduct, which, in our case (www.ocps.k12.fl.us/pdf/code0607.en.pdf), is signed by students and their parents. The punishment for employees should be part of your employee code of ethics, the next level above an AUP, which should be signed at the time of employment and be part of an annual process. Remember, prior to deploying an EPS even the best IT organization could only speculate about violations. With an EPS, you have digital evidence you can take to leadership to deal with violations such as inappropriate instant messaging content or sending out sensitive employee or student information in a manner that could lead to identity theft. During this phase, the IT department works closely with human resources and/or employee relations in training their staff on the use of the tool and refining the filters used to capture information.

Phase 2: The Automation Period
Time period: 9 months and beyond

Phase 2 marks the period when you’ve fully tested the system for your environment, you’ve finalized and implemented policies, and you’ve put in place automatic policy enforcement and the ability to take action. At this point the EPS is much like a closed-circuit television system. But instead of having cameras programmed to automatically call the local authorities if someone is in a hallway in your school in the middle of the night, an EPS lets you know when there’s data where it shouldn’t be and automatically takes action. During this phase, the tool will be firmly in the hands of your human resources and/or employee relations department, who monitor incidents and take actions based on policy. The technology department plays a supportive role in the background. (Note: this is a process that formally or informally happens in most districts today). The goal: to prevent the IT department from playing the “police” role and ensure its focus remains on supporting teaching and learning with technology.

Trust but Verify

As CIO, the guiding principle I set forth for my team is “trust but verify.” We absolutely trust the people we protect, but as we’ve seen firsthand, even those with the best intentions can mistakenly violate a policy and put themselves and others at risk. It is our responsibility to keep them safe.

Charles Thompson is CIO of the Orange County Public Schools, the 11th largest public school system in the nation. If you would like more details about extrusion prevention, drop Charles a line at charles.thompson@ocps.net.

FAQ: Extrusion Prevention

Q. Is this an invasion of privacy?
A. No. Any data that is used within an organization belongs to that organization.

Q. Should IT departments have the ability to view confidential data that is transmitted over the network?
A. Confidential data can be protected with encryption technologies to ensure only the sender and receiver can view it.

Q. Is e-mail included in the monitoring?
A. E-mail viewing depends on the district policies.

Q. What is the IT department’s role in enforcement?
A. To collect information. Enforcement should be left to the departments that are accountable for employees’ and students’ actions.
