Penn State Better Protects Data by Greatly Reducing False Positives

To protect student and faculty private information, the Penn State central security team began a search for a sensitive data management solution. They tried a data management tool that returned results to a central server, which had the drawback of requiring the central information security staff to run the reports. The tool searched through data looking for Social Security numbers and provided a giant CSV file with millions of results, which was difficult to decipher.

“The tool did scan personally identifiable information, but accuracy became an issue,” says Kyle Crain, Systems and Network Security Analyst at Penn State. “Whenever it found a nine-digit number, it marked it as a Social Security number. We knew we had to cut back on false positives.”

The security teams were also asking for more granular control. Each department wanted the ability to log in to a data management application, see their own results, and set their own policies. The central security team, which acts as a governing body for the college and helps define the overall security strategy and best practices, started looking for a better solution.

They specifically looked for a data-at-rest management solution, which makes controlling endpoint security easier than a data-in-motion solution. “It’s easier to get teams to use data-at-rest solutions because data-in-motion is tapping into a wire,” says Crain. “We do things more efficiently at the endpoint than on the wire.”

They also wanted a solution they could easily configure to fit their environment and find multiple identity types with high accuracy to reduce their false positives.

The search led to Spirion’s Data Platform, which seemed to meet all their requirements for a solution that would discover, classify, monitor, and protect sensitive data across the data lifecycle. The project started slowly. The central security team asked for volunteers from across academic and administrative users and remote commonwealth campuses to try out the product. From this mix, the team gathered questions and listened to feedback as it began to formulate policies. To increase user adoption, the team held regular calls and participated in forums to explain and answer questions about the product.

“We installed the Spirion Data Platform in less than half a day,” says Crain. Within two months, the central security team had implemented Sensitive Data Manager across 50 IT departments and about 24,000 endpoints and agents. Now, approximately 100 IT departments use it and are running it on multiple platforms, including Mac OS X, Windows, and Linux clients.

The team uses Spirion’s technology to probe a wide range of sources within its infrastructure to find structured and unstructured data such as Social Security numbers, financial information, protected health information (PHI) and intellectual property (IP). They also run a quarterly scan to find Payment Card Industry (PCI) data and remediate it. “We expected to find sensitive data in places such as our curriculum vitae but did not expect to find sensitive data going back as far as it did—in some files that date to 1996,” says Crain. “With Spirion’s Data Platform, we have found and remediated a lot of data. It’s helped us understand the data we have.”

By employing contextual search technology that goes beyond fingerprint and pattern or regex-style searching, Spirion discovers and verifies results automatically using proprietary validation and advanced data logic. It also enables the team to search everywhere, including within email servers, images, cloud storage, and websites. “Spirion’s Data Platform is a very powerful forensic analysis tool. It goes beyond PII,” says Crain. The team has even used its dictionary and keyword searches to look for documents with specific words. The Spirion Data Platform granular permission capabilities allow each department to set their own roles, giving some users the ability to access certain tags, while others simply see results and cannot define policies.

“The centralized management console is easy to use and navigate but is also powerful— specifically when setting policies. It provides detailed and useful information about the endpoint itself. Seeing the context of the discovered data helps analyze what is a false positive and what isn’t,” says Crain. The team feels that the tool delivers on accuracy when you configure it for your environment. “Spirion’s engine captures a lot of false positives, so we don’t have to,” Crain added.

Going forward, Penn State plans to improve the process of data classification within the university. They will use Spirion’s Data Platform intuitive data classification workflow capability to mirror classifications across departments to ensure consistency. They have also begun looking into Data-in-Motion technologies to discover sensitive data that is in motion. “Data-at-Rest is where you deal with a lot of data quickly,” Crain says. “First, you need to figure out where the sensitive data resides on your machines and remediate it, and then worry about the data that is going in and out.”

The Penn State security team approaches the security process from the top down and sees Spirion’s Data Platform as part of a bigger picture. Crain recommends that security leaders lay out a plan for their security initiatives. “Spirion is a really good solution, but you need to understand that you’re not just buying software, you’re buying a solution that fits into your overall security strategy,” he concluded.