Deploying Tools for Cleaning Personal Information

University of Pennsylvania School of Arts and Sciences

Justin C. Klein KeaneSr. Information Security Spec.

Copyright 2009 Justin C. Klein Keane, University of Pennsylvania, School of Arts and Sciences. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To

disseminate otherwise or to republish requires written permission from the author.

About SAS

University of Pennsylvania's School of Arts and Sciences is one of the largest schools

Spread over nearly 40 departments and centers, each with their own IT structure

Thousands of faculty and staff end points We have our own IT infrastructure, but each

school and center may have complementary structures

Copyright 2009 Justin C. Klein Keane, University of Pennsylvania, School of Arts

and Sciences

About SAS InfoSec

Consists of: One director of Information Security and Unix

Systems (ISUS) One full time information security specialist One full time co-op One part time project manager

Copyright 2009 Justin C. Klein Keane, University of Pennsylvania, School of Arts

and Sciences

Need for Identity Finder

December 18, 2007 Penn implements new Social Security Number policy

Identify SSN's Remediate sensitive data

Drive to protect University data and to prevent costly, legally mandated, disclosures

Tied with the University Security and Privacy Impact Assessment (SPIA) initiative

Copyright 2009 Justin C. Klein Keane, University of Pennsylvania, School of Arts

and Sciences

Initial Compliance Plan

Plan use open source Cornell Spider tool (v 2.9.5) Challenges Scalability Manageability Remediation Ease of use No central management

Copyright 2009 Justin C. Klein Keane, University of Pennsylvania, School of Arts

and Sciences

Exploring Options

Penn SAS Information Security began a year long product evaluation

Tested products including Identity Finder, Proventsure, Vontu and Vericept

Talked with McAffee but at the time no solution was available

Copyright 2009 Justin C. Klein Keane, University of Pennsylvania, School of Arts

and Sciences

Evaluation Criteria

Number of false positives Number of false negatives Number of files actually containing PII found Time to scan client Ease of marking false positives across systems

with checksums Number of file formats successfully read

Copyright 2009 Justin C. Klein Keane, University of Pennsylvania, School of Arts

and Sciences

Evaluation Criteria (cont.)

Business objects analysis Ability to allow individual admin users to view

results from only a specific subset of machines Verify that agent does not require opening

incoming ports on the client machine Platforms supported for agent If software has both agent and install-less

versions, test capabilities of both

Copyright 2009 Justin C. Klein Keane, University of Pennsylvania, School of Arts

and Sciences

Evaluation Criteria (cont.)

Test if software detects agent MIA Verify that we can turn off copying excerpts /

grabbing data / copying actual file Determine how infrastructure would mix with

existing infrastructure (can we auth using Active Directory?)

Copyright 2009 Justin C. Klein Keane, University of Pennsylvania, School of Arts

and Sciences

Identifying Needs

Talking to vendors we quickly realized what we didn't want was a Data Loss Prevention (DLP) tool for several reasons:

Overly invasive Usually required infrastructure Needed vast customization Bad for InfoSec's image Contained features we weren't going to use Allowed InfoSec to act on end point data

Copyright 2009 Justin C. Klein Keane, University of Pennsylvania, School of Arts

and Sciences

Identifying Needs (cont.)

We found that each product we looked at found SSN's with about the same degree of accuracy

This then made secondary factors weigh heavily in our decision:

Ease of management Total cost of ownership End user friendliness

Copyright 2009 Justin C. Klein Keane, University of Pennsylvania, School of Arts

and Sciences

Why We Chose Identity Finder

Identity Finder allows end users to sort, search, and control their own scan results

Identity Finder presented the end user with remediation options within the tool itself

In tests, Identity Finder's ease of use meant users actually acted on data discovered

The product continued to mature significantly since we began evaluation

Imminent Mac clientCopyright 2009 Justin C. Klein Keane,

University of Pennsylvania, School of Arts and Sciences

Identity Finder Console

Allows central staff to track installations Allows queries for reports to upper management

We have two installers Quiet only reports installation Full only reports hits and remediation status, but

doesn't reproduce excerpts Console will allow us to build and push custom

installation parameters

Copyright 2009 Justin C. Klein Keane, University of Pennsylvania, School of Arts

and Sciences

Deployment

Typically our SSN data is found in older data stores rather than being created

In part thanks to our SPIA efforts Identified 300 target faculty that have been at

Penn long enough to have produced SSN based student records

Also targeted key administrative staff offices

Copyright 2009 Justin C. Klein Keane, University of Pennsylvania, School of Arts

and Sciences

Deployment (cont.)

Utilize Local Support Providers (LSP's) to install, train users, and help with remediation

Tracking deployments via our Console Using Console to identify and follow up with end

points that find large stores of sensitive data Console also allows us to collect a central list of

known false positives

Copyright 2009 Justin C. Klein Keane, University of Pennsylvania, School of Arts

and Sciences

Remediation Strategies

If sensitive data is found: It is shredded using Identity Finder's

shredding functionality if possible If data must be retained it is quarantined to a

central file server using Identity Finder's quarantine functionality (other possible remediation as well)

We are discouraging encryption due to key escrow concerns

We don't allow sensitive data to be deleted via the Recycle BinCopyright 2009 Justin C. Klein Keane,

University of Pennsylvania, School of Arts and Sciences

Future Deployments

Deploy to server administrators for scanning central stores

Target central “quarantine” locations for file/folder level encryption

Copyright 2009 Justin C. Klein Keane, University of Pennsylvania, School of Arts

and Sciences

Alternative Uses of Identity Finder

Incident response Allows us to quickly and accurately determine

if backup images contain sensitive data Not forensically sound, but on backups this is

OK

Copyright 2009 Justin C. Klein Keane, University of Pennsylvania, School of Arts

and Sciences

Other Advantages of Identity Finder

Ease of results encryption Identity Finder uses encrypted connections to

the central server over port 80 – no firewall issues

Identity Finder doesn't require ports to be open on end points

Scheduled scans Automatic updates

Copyright 2009 Justin C. Klein Keane, University of Pennsylvania, School of Arts

and Sciences

Other Advantages of Identity Finder (cont.)

Integration with our existing infrastructure Wizard for end users Checking for sensitive data stored from

browsers Integration with other client programs to open

secured files

Copyright 2009 Justin C. Klein Keane, University of Pennsylvania, School of Arts

and Sciences

Thank you

Copyright 2009 Justin C. Klein Keane, University of Pennsylvania, School of Arts

and Sciences