By Mikala Vidal on Mar 6, 2019 11:59:01 AM
How Columbia University approaches cloud data security
When it comes to protecting data in the cloud, regulations and the fines associated with non-compliance drive most buying decisions. As a result, most cloud security tools focus on helping organizations secure personally identifiable information (PII), the most highly-regulated data. This type of data is often deemed “sensitive” as part of the classification process, and managed via various combinations of policies and technology tools. But what about “confidential” information that if lost would not result in fines, but in public embarrassment, loss of revenue and loss of trust? This data is often left vulnerable by most compliance-based cloud security approaches.
I recently sat down with Joel Rosenblatt, director of computer and network security at Columbia University to discuss his approach to cloud data security and what still keeps him up at night. Protecting PII is important (and required), but it is far from his only concern. For universities, protecting PII is of paramount importance due to regulations, from HIPAA, for those with hospitals, to FERPA for those with students. GDPR complicates matters if some of those students are citizens of the EU.
Currently, Columbia University has cloud security tools in place to protect backend systems, prevent exfiltration or emailing of PII that is properly categorized, monitor and regulate cloud access, scramble code and encrypt specific files. Additionally, microdomains are used to separate sensitive and confidential data from communicating with lower-tiered zones, and policies are in place to outline how employees are expected to handle both sensitive and confidential information.
Joel runs a tight ship – Columbia University is a very forward-thinking educational institution when it comes to data security. And yet, there are still gaps that keep Joel up at night: “Even with all the tools and policies we have in place, it’s hard not to worry about the things I don’t know, and even worse, the things I don’t know I don’t know.”
The factors that contribute to Joel’s worries are similar to what we hear from most organizations: disparate ownership of cloud security responsibilities, no ability to track data once it leaves the control of the organization and human error. “We have many different schools that collect and create various data that are considered sensitive and confidential. All regulated, sensitive data is protected by my team or a related IT team, but confidential data is largely expected to be secured by those who create it. One of the reasons for this is that unstructured, confidential data is almost impossible to define. Originators are much more qualified to distinguish between confidential and public data, so we rely on them to do so. The downside is that we have very little visibility into if this confidential information is mishandled, either accidentally or maliciously”
When it comes to protecting regulated data across schools, Joel has invested countless hours into employee education. “When we experience data loss, it is almost always do to carelessness or stupidity. A majority of my time is spent limiting human error. I always say ‘you can’t stop stupid, but you can slow it down.’ For example, we can’t lose what we do not collect. So we are very careful not to collect PII if it is not absolutely necessary, and we are constantly evaluating all of our forms to enforce the guidelines.”
Had this policy always been in place, it might have prevented an incident that resulted from files stored in the cloud years ago that did not become an issue until Google updated its indexing. Before there were so many regulations around PII, student social security numbers were used as the unique identifier when entering a housing lottery for securing a dorm room on campus. The files associated with this lottery where then stored in the cloud and forgotten…until Google’s indexing made the social security numbers public and searchable, creating an incident years after the files were stored and students had moved on from the university.
While human error is responsible for the majority of incidents Joel deals with regularly, Joel also has many precautions in place to prevent malicious hacking. “Access to sensitive and confidential information is tightly controlled, and multifactor authentication is strictly enforced. However, all of our technology and policies in place to manage access do require us to believe that there is a legitimate user on the end of the device requesting the access. This is the gap that first motivated us to explore using Allure’s technology.”
When there is a data loss incident, the immediate questions Joel wants answered are:
- What was lost?
- Who is affected?
- Who is responsible?
- How did it get lost?
- Can it be prevented from happening again?
Allure helps answer all of these questions faster and with more actionable insights by continuously monitoring cloud share risk, surfacing files at risk of data loss, tracking documents after they’re downloaded, copied or shared, detecting breach and leak activity early and revealing attackers.