Click here to receive your FREE subscription to Campus Technology
Data Security
Who Knows What Evil Lurks in the Cyber Heart?
The Hackers Know. (Apologies to The Shadow.)
7/13/2007
So what should an IT security administrator do? One of the problems is that the commercially available tools are designed for structured and centralized corporate environments and are awkward to use in the highly decentralized environment that characterizes higher education and a growing number of today's businesses. While a number of organizations made use of the university's home-grown tool, it still required substantial support from the author of the software to install, run, and interpret the results.
That was the genesis of small spin-off company, Proventsure. They have taken the concept of using computational biology techniques to create a commercial product, Asarium, focused on managing risk in a distributed environment. (Their methodology is described in a white paper available here.) Asarium does two things. First it locates confidential data both inside and outside the data center. It determines what, where, and how much sensitive data is on an individual computer. Unfortunately, most operational personnel have found that by itself, that information isn't particularly useful because of the time it takes to analyze and then scrub sensitive data from thousands of individual machines. (It took me a couple of hours to scrub the three computers and associated backup hard drives that I regularly use. But I must confess I didn't correct all of the backup CDs and DVDs that I have generated over the years. Imagine doing that for thousands of distributed computers on a college or university campus.)
The second thing that Asarium does is to look at hardware and software characteristics of individual computers and calculates the risk of compromise and the probability of sensitive data being lost. This information is combined with the type and quantity of sensitive information on the computer to compute a numerical "risk" score for each computer. Remember the 80/20 rule and focus on the 20 percent of the effort that generates 80 percent of the results.
For example, a computer containing a lot of sensitive information that does not have anti-virus software, is unpatched, and has programs running on it that are structurally similar to backdoors might be ranked "0." Think of it as "tomorrow's headline." Deal with it today. Machines that appear to contain no sensitive data and are well protected might rank as high as 100. Worry about them later.
Rankings for individual machines can be aggregated for a "departmental" risk rank. Departments can be aggregated for a "business unit" risk rank. Again, this allows IT security staff to concentrate on those areas that present the most risk to the organization.
What I like about this approach is that it treats the information and not the equipment as the asset. You don't make headlines by losing a $2,000 laptop; you make headlines by losing a few thousand SSNs. It also works well in higher education's distributed environment.
Doug Gale is president of Information Technology Associates, LLC (www.it associates.org) an IT consultancy specializing in higher education. He has more than 30 years of experience in higher education as a faculty member, CIO, and research administrator.
Cite this Site
copy text (above) for proper citation
Recommended Reading
- Cedarville U Sets Up SonicWall Firewalls
Cedarville University in southwestern Ohio has implemented SonicWALL firewalls to provide high-speed gateway firewall protection for its 3,000 students.
- Data Breach Strikes U North Dakota Alumni Association
The alumni association for the University of North Dakota has gone public with a data breach that occurred when a laptop belonging to a software vendor was stolen from a vehicle. The computer contained the names of 84,000 university alumni, donors, and others, according to coverage by the Grand Forks Herald.
- Tips for Selecting a Campus CRM tool
As competition for students increases, colleges and universities are looking more and more to customer (or constituent) relationship management software for help in remaining competitive.
- Intercast Networks Goes into Beta with Kazam Video Service at Internet2 Universities
Intercast Networks has redesigned Kazam, its student Internet TV and video service based on the company's VideoXpress platform. Following a spring semester alpha trial at Columbia and Purdue University, the company redesigned Kazam's interface based on student feedback and added additional content that caters to a student audience.
- Michigan State Managing MRI Images from Africa with Acuo Tech DICOM Services Grid
Doctors at Michigan State University have begun using the Digital Imaging and Communications in Medicine (DICOM) Services Grid from Acuo Technologies to transport and manage magnetic resonance imaging (MRI) results from a hospital in Malawi, Africa in order to monitor the impact of malaria on children.
- IIT Delhi Delivers Services with Ingres Open Source
Administrators at the Indian Institute of Technology Delhi (IIT Delhi) have gone public with their installation of open source database management software from Ingres. IIT Delhi, one of seven leading institutes of technology in India, adopted Ingres Database to support administration functions such as grading, finance, human resources, procurement, and hospital administration.
