Kent State University encompasses eight Ohio campuses with six other U.S. locations and four worldwide locations, supports more than 36,000 students, and has more than 257,000 alumni worldwide. The university also maintains partnerships with universities and businesses globally, including in Italy, Switzerland, India, China, and Brazil. Because of its complex environment — and increasingly stringent privacy regulations — the university faces significant challenges in terms of compliance.
By using Spirion in the file share space, Kent State now has visibility into file sharing and its personal and sensitive personal data footprint. Kent State’s IT team used the tool to investigate indicators of compromise for affected users working remotely.
Spirion reduced Kent State’s mean-time-to-resolution by at least 30% after a security investigation, which is critical. Additionally, the tool provides excellent visibility into file sharing and data patterns, which was essential when the university moved classes to remote instruction during the 2020 Spring Semester due to the global pandemic. Because Spirion provides very few false positives, Kent State’s IT team now focuses only on the most significant security threats.
Industry Challenge: Develop a reliable and compliant higher-education privacy program across complex campus environments
Bob Eckman, chief information security officer at Kent State, says that from the higher education perspective, privacy refers to a three-pronged approach of data security, data compliance, and data governance. He says that for a higher education institution to maintain a robust privacy program, the school must implement those three parts in a complex environment that often spans multiple campuses and locations.
To develop a reliable privacy program, institutions must adhere to the many stringent privacy regulations related to education. The Family Educational Rights and Privacy Act (FERPA) strictly defines personal information and the process for managing and protecting this data. Additionally, higher education institutions are accountable for adherence to the Gramm-Leach-Bliley Act (GLBA) when collecting, storing, using and safeguarding sensitive financial records that contain personally identifiable information (PII) of students and their guardians, such as social security numbers, tuition payments, financial aid and bank accounts. Because schools provide health services to students and employees, the Health Insurance Portability and Accountability Act (HIPAA) also governs the safeguarding of PII and protected health information (PHI). Additionally, schools must follow state regulations for all states where students — and potential students — reside.
With several tools available for data protection, many universities struggle with choosing the best tools for the various facets of privacy in today’s data-driven world. As schools offer more remote classes, and many university staff work from home, the importance of tools to protect student, faculty, and staff privacy increases. In addition to finding the best tools for their specific needs, affordability is a high priority, especially with tight budgets.
The Need: A people-centric approach to data protection
Kent State has adopted a data governance approach that applies appropriate controls to data one time but allows for the re-use of these controls in many areas. Eckman explains that this means the university implements controls that help meet general data protection needs and then customizes them for the different uses throughout Kent State. The school needed a consistent way to discover and protect sensitive personal data across all departments and devices.
To understand and meet data protection needs and regulations, the university’s chief data officer implemented a data governance council to evaluate data classification standards for publicly available information, confidential information that is not public, regulated data not requiring notifications, and critical data. These types of data include personal data, sensitive personal data, PHI, and student financial information.
“It is often easy to overlook that data protection means going beyond just protecting regulated data,” Eckman says. “We also need to classify and protect intellectual property, patents, designs, and research. We turned to Spirion to help us derive the data classification standard and apply a governance structure. Because we aren’t going to be the data police handing out tickets, we are aiming for ‘supportable’ instead of ‘enforceable’ as a goal.”
Eckman explains that Kent State aims for people-centric security using the power of contextual information, which means that the university designs its approach and security posture around understanding people, understanding intent, and understanding context.
“In a people-centric model, the users understand how to interact within our security environment,” Eckman says. “We want everyone to understand how the guardrails function and when they are stepping outside those guardrails.”
“Large technology providers are starting to recognize the role that security plays in availability and architecture. It’s important to their customers, so they recognize it more. Spirion has been in this space working with Kent State as a partner for years. And, having a focus on the target, data, gives us a powerful tool in our toolbelt to ensure we are protecting our most important information appropriately.”
-Bob Eckman, Chief Information Security Officer at Kent State
The Solution: Forming a partnership for today and the future
As the cornerstone of its data protection and privacy initiative, Kent State turned to Spirion to help identify and protect personal and sensitive personal data. Eckman says his team started by using the tool in the forensic space for incident response on files and devices. He plans to use Spirion for data protection in the cloud and discover personal data on endpoints.
“We have used Spirion to hunt malware before, and the remnants of malware,” Eckman says. “We have used Spirion to find particular data, and like a good hound dog, it finds it wherever it lives. We’re very pleased with it in the forensic space, and we’re very pleased with the changes that have come down the pipe relative to dashboard visuals.”
While Kent State was getting up to speed on the solution, Spirion representatives visited the university’s Kent Campus to help Eckman’s team understand its needs and show how to best use the tool in its environment.
“Spirion was exceptionally helpful, and I was incredibly encouraged when we incorporated ideas into our steering committee meeting discussion,” Eckman says. “You don’t often see vendors substantively engage with customers the way Spirion has partnered with Kent State — they invest time in customers, listen to feedback and then demonstrate how they are taking the ideas to improve the product.”
The Results: Spirion decreases incident resolution time by 30 percent
Eckman says that Spirion has given Kent State the visibility it needs to effectively manage its overall data protection processes and initiatives. The single-pane-of-glass view to understanding what is happening in all spaces and devices in the environment is game-changing.
“For us, Spirion will provide Kent State the visibility into what we have in file shares, where it’s moving and who has access to it, allowing us to control access in the future,” Eckman explains. “Like many universities, the balance of security and privacy is critically important to us. Our core virtue and mission promote research and learning, which requires an open environment.”
MOVING 9,000 COURSES TO REMOTE INSTRUCTION
When the global pandemic struck in early 2020, the university quickly converted more than 9,000 courses to remote instruction and enabled staff and professors to work from home. Because the Division of Information Technology had already started a proof of concept with Spirion, it allowed our valuable security resources to focus on transitioning to remote work. In addition to adding protection to all endpoints, Kent State created a “Keep on Working, Keep on Teaching, Keep on Learning” website page dedicated to creating safe experiences for the entire university community.
By using Spirion, Eckman’s team was able to mitigate cyber risks by searching devices remotely. The team quickly identified the issue as malware, remediated the problem, and protected the data. Spirion’s cloud-based architecture enables issue resolution while team members work from their home offices.
REDUCING FALSE POSITIVES
Eckman estimates that Spirion shortens the mean-time-to-resolution of malware incidents by at least 30%. His team also sees improvements in interacting with data and endpoints, especially as the university’s data becomes more cloud-based.
When he used other tools, Eckman encountered countless false positives, such as flagging any set of digits as credit card numbers. But he says Spirion reduces the false positives and “noise” so his team can better focus on the real issues.
“In the game of data science, false positives are the absolute evil of data science,” Eckman says. “Being able to trust the data we see on the dashboards has been pivotal with a direct impact on time and cost savings.”
“I see a lot of organizations try to police to the point where the protections become inflexible and restrictive to users. Our approach is different. We follow a methodology that ensures protection but does not limit academic freedom – data privacy training, reasonable monitoring, good detection, and response when necessary.”
-Bob Eckman, Chief Information Security Officer at Kent State