Identity Finder at Tufts University

Background

Usage of Identity Finder began almost two years ago, after a major push for critical university business units to install it and self-monitor for obsolete caches of sensitive information. While Identity Finder is still installed on almost all managed workstations and laptops, usage and self-monitoring have dropped over time.

As the technology to support centralized monitoring has matured, several groups (Advancement, Student Services) have requested this new model in order to provide comprehensive coverage while reducing the burden on individual users.

Audience

  • Office of the CIO
  • Information Stewards
  • UIT Client Support Center
  • UIT Enterprise Systems and Infrastructure
  • UIT Information Technology

Initiative

We intend to deploy, support, and begin using the Identity Finder DLP Console, offering organizational units centralized scanning and monitoring capabilities for sensitive information on workstations.

Benefits

The Identity Finder DLP Console allows a single administrator to schedule scans, run them, and review results for a large group of workstations from a single interface. Benefits include:

  • Alleviates the need for individual users to run or report on scans on their devices.
  • Allows an administrator to verify the reduction of stored sensitive information across their entire organizational unit, rather than on a case-by-case basis.
  • Allows an administrator to review results in batch at any point in time, enabling scheduled and systematic business processes for reducing the risk of stored sensitive information ‘falling through the cracks.’
  • Management can verify that the risk of accidentally exposing sensitive information is reduced over time.

Costs and Risks

  • An administrator would be able to see the filenames that contain sensitive information on the user’s machine, potentially conveying what the user was doing on the computer (such as personal taxes).
  • An administrator (Information Steward or delegate) could fall behind in examining results.
  • The scheduled scans could have a noticeable impact on workstation performance. Scans would be scheduled for non-peak hours.

Mitigated Risks

  • Should the centralized Identity Finder Console go offline, the individual clients would continue to scan and operate uninterrupted, attempting to upload results periodically until the console is back online.
  • The centralized console does not receive or record any of the sensitive information itself, preventing the console server from becoming a major archive of sensitive information, and preventing administrators from viewing personal information.

Implementation

In order to mitigate risk and allow time to respond to feedback, we propose the following phased rollout.

To introduce the new features gradually to an organizational unit, Information Security would follow these steps:

  1. Notify the designated group Information Steward that there is a new version of Identity Finder with the capability of reporting to a central console. Advertise the benefits and seek approval.
  2. Work with the group Information Steward to identify who will administer and manage the verification and tracking of sensitive information for that group.
  3. Notify the directors and major stakeholders for each group, advertising the benefits of managing the Identity Finder client via LANDesk and data via the console. Provide a contact to confirm their interest and involvement, bring up concerns and questions, and view a demo of the service.
  4. Notify all impacted staff and faculty who will receive the updated Identity Finder client about the proposed changes. Provide a contact to bring up concerns and questions or opt out.

The order in which we’d target deployment, one group at a time, would be:

  1. UIT
  2. DCA
  3. Advancement
  4. Student Services
  5. Arts and Sciences
  6. (more TBD)

Technology

In order to effectively manage this initiative from the technical perspective, we’d need a commitment for the following resources:

  • The Information Security team would agree to provide documentation and demonstrations pertaining to the Identity Finder client and console applications, including the documentation the teams below need to provide their services.
  • The ESAI team would agree to monitor and maintain the tftmvmidfind.tufts.ad.tufts.edu server at the OS and hardware/virtualization level.
  • The UITSC team (particularly Mike MacDonald) would agree to manage the Identity Finder Console, Identity Finder Clients, and LANDesk services. This includes keeping such services up to date, packaging and deploying new clients via LANDesk when needed, and maintaining the Identity Finder Console service and application.
  • The FSP community would agree to provide support for users who may have questions about the functioning and potential failure modes of the Identity Finder client and service.

Business Practices

In order to effectively manage the initiative and continue to benefit from deployment, we’d propose the following new business practices.

  • The designated Information Steward (or delegate) for each organizational unit would review the results of Identity Finder scans for their colleagues on a quarterly basis (or more frequently, by choice).
  • The Information Steward or delegate would contact users directly, investigating the potential need for the users to maintain sensitive information on their workstation. The information steward and faculty or staff member would be encouraged to identify potential changes to existing business practices such that large caches of sensitive information would no longer be required.
  • The Information Steward would remind the user of the potential danger of archiving sensitive information, and provide documentation or assistance (from a FSP) to securely destroy that data.

Support

In order to properly support this initiative, we’d propose that faculty and staff reach out to their representative Frontline Support Provider (FSP). The FSP could escalate issues to the UITSC or Information Security office on a case by case basis.

Stakeholders with questions or concerns about Identity Finder in general could contact Ben Walther in Information Security.

Information on the Tufts IT Knowledgebase is intended for IT Professionals at Tufts.
If you have a question about a Tufts IT service or computer/account support, please contact your IT support group.