Deploying Tools for Cleaning Personal Information University of Pennsylvania School of Arts and Sciences Justin C. Klein Keane Sr. Information Security.


Deploying Tools for Cleaning Personal Information University of Pennsylvania School of Arts and Sciences Justin C. Klein Keane Sr. Information Security Spec. Copyright 2009 Justin C. Klein Keane, University of Pennsylvania, School of Arts and Sciences. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

About SAS
- University of Pennsylvania's School of Arts and Sciences is one of the largest schools
- Spread over nearly 40 departments and centers, each with their own IT structure
- Thousands of faculty and staff end points
- We have our own IT infrastructure, but each school and center may have complementary structures

About SAS InfoSec
Consists of:
- One director of Information Security and Unix Systems (ISUS)
- One full-time information security specialist
- One full-time co-op
- One part-time project manager

Need for Identity Finder
- December 18, 2007: Penn implements a new Social Security Number policy
  - Identify SSNs
  - Remediate sensitive data
- Drive to protect University data and to prevent costly, legally mandated disclosures
- Tied with the University Security and Privacy Impact Assessment (SPIA) initiative

Initial Compliance Plan
Plan:
- Use the open source Cornell Spider tool (v 2.9.5)
Challenges:
- Scalability
- Manageability
- Remediation
- Ease of use
- No central management

Exploring Options
- Penn SAS Information Security began a year-long product evaluation
- Tested products including Identity Finder, Proventsure, Vontu and Vericept
  - Talked with McAfee, but at the time no solution was available

Evaluation Criteria
- Number of false positives
- Number of false negatives
- Number of files actually containing PII found
- Time to scan client
- Ease of marking false positives across systems with checksums
- Number of file formats successfully read

Evaluation Criteria (cont.)
- Business objects analysis
- Ability to allow individual admin users to view results from only a specific subset of machines
- Verify that the agent does not require opening incoming ports on the client machine
- Platforms supported for the agent
- If the software has both agent and install-less versions, test the capabilities of both

Evaluation Criteria (cont.)
- Test whether the software detects an agent that has gone missing (MIA)
- Verify that we can turn off copying excerpts / grabbing data / copying the actual file
- Determine how the product's infrastructure would mix with our existing infrastructure (can we authenticate using Active Directory?)

Identifying Needs
Talking to vendors, we quickly realized that what we didn't want was a Data Loss Prevention (DLP) tool, for several reasons:
- Overly invasive
- Usually required infrastructure
- Needed vast customization
- Bad for InfoSec's image
- Contained features we weren't going to use
- Allowed InfoSec to act on end point data

Identifying Needs (cont.)
- We found that each product we looked at found SSNs with about the same degree of accuracy
- This made secondary factors weigh heavily in our decision:
  - Ease of management
  - Total cost of ownership
  - End user friendliness

Why We Chose Identity Finder
- Identity Finder allows end users to sort, search, and control their own scan results
- Identity Finder presents the end user with remediation options within the tool itself
- In tests, Identity Finder's ease of use meant users actually acted on the data discovered
- The product has continued to mature significantly since we began the evaluation
- Imminent Mac client

Identity Finder Console
- Allows central staff to track installations
  - Allows queries for reports to upper management
- We have two installers:
  - Quiet: only reports the installation
  - Full: only reports hits and remediation status, but doesn't reproduce excerpts
- The Console will allow us to build and push custom installation parameters

Deployment
- Typically our SSN data is found in older data stores rather than being newly created
  - In part thanks to our SPIA efforts
- Identified 300 target faculty who have been at Penn long enough to have produced SSN-based student records
- Also targeted key administrative staff offices

Deployment (cont.)
- Utilize Local Support Providers (LSPs) to install, train users, and help with remediation
- Tracking deployments via our Console
- Using the Console to identify and follow up with end points that find large stores of sensitive data
- The Console also allows us to collect a central list of known false positives
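As an added illustration of two points from the evaluation criteria and the Console slides (SSN detection accuracy, and marking false positives across systems by file checksum), the Python sketch below is not Identity Finder's code or Penn's own tooling. It scans constructed sample files for plausible SSN patterns, filters out number ranges the SSA never issues, and skips any file whose SHA-256 checksum is on a shared known-false-positive list; the file names and contents are invented.

```python
import hashlib
import re

# Candidate SSN: 3-2-4 digits, optionally separated by dashes or spaces.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject candidates that can never be a valid SSN (cuts false positives)."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:  # area numbers never issued
        return False
    if g == 0 or s == 0:  # all-zero group or serial is never issued
        return False
    return True


def find_ssns(text: str) -> list[str]:
    """Return the plausible SSN candidates found in text, normalised to 3-2-4 form."""
    return [f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text) if is_plausible_ssn(a, g, s)]


def file_checksum(data: bytes) -> str:
    """Checksum used to identify a known false-positive file on any machine."""
    return hashlib.sha256(data).hexdigest()


def scan_files(files: dict[str, bytes], known_false_positives: set[str]) -> dict[str, list[str]]:
    """Scan name -> content; files whose checksum is on the shared allowlist are skipped."""
    hits: dict[str, list[str]] = {}
    for name, data in files.items():
        if file_checksum(data) in known_false_positives:
            continue
        found = find_ssns(data.decode("utf-8", errors="ignore"))
        if found:
            hits[name] = found
    return hits


# Constructed sample "files" (name -> bytes); none of these values are real data.
SAMPLE_FILES = {
    "roster_2001.txt": b"Student: J. Doe  SSN: 123-45-6789\nStudent: A. Roe  SSN: 987-65-4321\n",
    "phone_list.txt": b"Main office 215-555-0100, fax 215-555-0199\n",
    "ids.csv": b"id,label\n000-12-3456,placeholder\n123-00-6789,placeholder\n",
    "known_fp.txt": b"Product code 321-54-9876 is a part number, not a person\n",
}
# Central list of known false positives, keyed by checksum rather than by path.
KNOWN_FALSE_POSITIVES = {file_checksum(SAMPLE_FILES["known_fp.txt"])}


def scan_sample() -> dict[str, list[str]]:
    return scan_files(SAMPLE_FILES, KNOWN_FALSE_POSITIVES)
```

Only roster_2001.txt is reported: the 987- area number, the phone numbers and the 000-/-00- entries are filtered by the validity rules, and known_fp.txt is skipped by checksum even though it contains a plausible pattern.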

Remediation Strategies
If sensitive data is found:
- It is shredded using Identity Finder's shredding functionality if possible
- If the data must be retained, it is quarantined to a central file server using Identity Finder's quarantine functionality (other remediation options are possible as well)
- We are discouraging encryption due to key escrow concerns
- We don't allow sensitive data to be deleted via the Recycle Bin

Future Deployments
- Deploy to server administrators for scanning central stores
- Target central "quarantine" locations for file/folder level encryption

Alternative Uses of Identity Finder
- Incident response
  - Allows us to quickly and accurately determine if backup images contain sensitive data
  - Not forensically sound, but on backups this is OK

Other Advantages of Identity Finder
- Ease of results encryption
- Identity Finder uses encrypted connections to the central server over port 80 – no firewall issues
- Identity Finder doesn't require ports to be open on end points
- Scheduled scans
- Automatic updates

Other Advantages of Identity Finder (cont.)
- Integration with our existing infrastructure
- Wizard for end users
- Checking for sensitive data stored from browsers
- Integration with other client programs to open secured files

Thank you