April 15, 2009
Protect Yourself, Protect Your Data
Location: Hartley Conference Room, Mitchell Earth Sciences Building
Meeting Schedule
- 8:00 - 8:30 am
  - Informal networking over refreshments.
- 8:30 - 8:40
  - Welcome, Announcements
    Elizabeth Lasensky, TIPS Chair
- 8:40 - 9:10
  - SWDE - Stanford Whole Disk Encryption
    Ammy Hill, IT Services
- 9:15 - 9:45
  - File Drawers - A Place to Store Sensitive Data Files
    Jon Pilat, IT Services
Meeting Notes
Protect Your Data, Protect Yourself
Announcements
Elizabeth Lasensky, Chair of TIPS, started the meeting by welcoming everyone and had everyone introduce themselves, stating their name and department.
Elizabeth announced that this is "TIPS Co-Chair Nomination Time." The TIPS Co-chair works closely with the TIPS Chair and the TIPS Coordinator to suggest topics, invite guest speakers, help with minutes, and represent TIPS wherever and whenever possible. If you would like to be considered for Co-chair, and eventually Chair, you can nominate yourself, or if you know of a TIPS Core Representative who would be great in that role, you may nominate that person. Please email your nominations to all three addresses:
lasensky@stanford.edu
susanpm@stanford.edu
jocuevas@stanford.edu
If we vote, we will forward ballots to all TIPS Core Reps and the announcement of the 2009/2010 Co-Chair will happen at the June 17th Meeting.
Elizabeth then announced that the upcoming meeting on May 20th will bring the following topics to TIPS:
- Jennifer Sexton - Be Well at Stanford - Jennifer will talk about the Be Well program at Stanford through the Health Improvement Program.
- Katharine Ku - Office of Technology Licensing - Katharine will talk about the licensing of technology - how research gets licensed, what other things get licensed, and how that produces revenue for Stanford.
Elizabeth also reminded everyone that the next TIPS Meeting is scheduled for Wednesday, May 20th at a different location: Gates 104
Nancy Baumann announced that the IT Services Tech Training program is hosting a briefing on "Working in Second Life" on Friday, May 8th at 2pm.
Second Life is a free 3D virtual world where users can socialize, connect and create using voice and text chat. Many people are discovering that Second Life is not only a great place for social interaction and creating virtual content, but provides an effective platform for meetings and training. Glenn Fisher, Director of Business Programs, Linden Lab, will be the presenter. Come check this out, it is very cool.
Jo-Ann Cuevas reminded everyone of the Administrative Associates Conference: Embracing Your Role During Times of Change. The conference will be held on June 17th from 9am - 3pm in the Arrillaga Alumni Center. You must register for the conference through Axess. The fee of $125 includes materials and lunch and a portion of the training instruction. (STAP or departmental funds can be used). For more information, visit the Learning and Development Website.
Elizabeth then introduced Ammy Hill, Campus Readiness Specialist from IT Services to talk about SWDE.
Stanford Whole Disk Encryption
- Ammy Hill, IT Services Presentation: SWDE
Ammy began her presentation by explaining that the University is spending a lot of money on recovery due to the loss of laptops that contained sensitive data. Last year, 2008, a car was broken into, a laptop was stolen, and credit card information was available to the thief, which cost the University over one million dollars to recover. The bottom line is that the data should not have been on the computer, and because it was, the user of that computer was let go and is no longer employed at Stanford. Therefore, you have to protect yourself.
The Information Security Office (ISO) recently redefined the definitions of Prohibited, Restricted, and Confidential Data. Further details can be found at: http://www.stanford.edu/group/security/securecomputing/dataclass_chart.html
Prohibited Data - credit card numbers, SSNs, driver's license numbers, health insurance policy IDs, etc. These are protected by federal legislation.
If this type of data is found on your computer, and the computer goes missing, we have to report this to the federal government. This information absolutely can NOT be on your computer, in a file, on a note, in a letter, etc. If you need this type of data on your computer, you must get permission from the Data Governance Board (DGB). The DGB will determine if there's a better way to get access to the data.
Restricted Data - this type of data is the next level down. Student records, Protected Health Information (PHI), passport and student visa numbers, research and other information covered by a non-disclosure agreement, are some examples of Restricted Data.
For those that work on grants, the agency that is giving you the grant will not allow you to have this information on your computer. If you have to have it on your computer, you have to have it encrypted.
Confidential Data - Faculty and staff employment applications, Donor contact information and non-public gift amounts, admission applications, Privileged attorney-client communications. This information should be encrypted.
If it is not encrypted and is released, you could still be liable for the misuse of the information and eventually be fired if this information is found to be on your computer.
Q. What part of a grant proposal is considered confidential data?
A. Anything that is not covered by a non-disclosure agreement. If someone got hold of this, would they be able to do something malicious with it? It should be encrypted.
Q. What does it all mean?
A. It means the information needs to be protected.
Ammy also stated that it is not a problem if you access this type of information via Oracle Financials, PeopleSoft, or whatever Grant systems you are using because the data you are viewing is not on your hard drive. It resides within the database of the system you are using and those databases reside on a secure server.
Needs Protection
What you need to encrypt your data is one of two different encryption programs. You can encrypt individual files by way of either one of the following:
- Windows: Encrypted File System - individual files
- Mac: File Vault - protects files stored in your personal home directory.
Q. I believe you have to encrypt the entire folder. Is this true?
A. Yes, with File Vault, you have to encrypt an entire folder. So if you have a smaller number of files that need encryption and know where they all are, place all files into one folder. Then on the web, go to: http://encrypt.stanford.edu and click on File Vault.
Or, even better, you can encrypt your entire computer using SWDE which is coming out this month.
If you think you need to encrypt your entire hard disk, go to encryption.stanford.edu. On the left margin, click on Sign In and it takes you to a special HelpSU form with some fields already populated. In the Request Description, answer the questions accordingly and submit the ticket. Go back to the encryption website and on the left margin, click the Agreement link. Read the Agreement completely as it lists:
- How SWDE Works
- Required Software and Automatic Check-ins
- Software License Considerations
- Passphrase Security and Token Recovery
- Prohibitions and Incompatibility
Big Fix and Sophos
There's one thing you need to know. You have to have Big Fix and Sophos Anti-virus installed. For more information, go to:
- Windows: http://www.stanford.edu/services/encryption/wholedisk/pc_requirements.html
- Mac: http://www.stanford.edu/services/encryption/wholedisk/mac_requirements.html
Don't forget, you need to "sign up" for this service.
When you have this installed, you can view your data normally. When your computer is in sleep mode, and you come back to it, you have to type the PGP passphrase. When your computer is rebooting, you have to type the PGP passphrase and your computer's password.
You can encrypt up to three machines for free. You can also encrypt USB memory sticks.
Passphrases - SWDE passphrases are not recoverable, but SWDE Recovery Token services are provided 24x7.
Passwords are short. Passphrases are going to be more common. Passphrases, when entered, can be toggled to let you see what you are typing (instead of *'s), so you won't misspell your passphrase.
SWDE is not going to work if you use Windows 2000 or Mac OS 10.3 or older.
Q. Would you say that professors are required to encrypt their machines because they work with students?
A. If they are dealing with information that they are storing on the machine, yes, they should encrypt their hard disk.
Q. If I encrypt now with the machine's encryption, will SWDE work?
A. Yes.
Q. If my system is asleep for backup, will this work if my machine is expecting a PGP?
A. This may not work best for you. The other encryption methods may work better.
Q. Can I send files with prohibited data to others?
A. You should not be sending restricted or confidential data.
How Does SWDE Work?
The installation will check to see if you have Sophos or Big Fix installed. If you don't, it will install it because it requires it. Then the encryption installation will start. It takes an awfully long time, so do it before you leave for work.
Q. Why do you have to have BigFix?
A. Because it is what SWDE uses for check-in purposes.
After installation, type the passphrase you chose then hit Enter/Return.
Type your ID and password to log in to your computer.
Operate as normal.
Q. If you have a fingerprint swipe, does SWDE come before or after?
A. Before.
If you have a wireless keyboard, it comes after so that's a little problem.
Q. What if I don't want the data on my computer?!
A. Get the files off the computer. Securely delete the files.
Secure delete for the Mac: Finder menu > Secure Empty Trash
Q. If you do this, will it delete what hasn't been securely deleted?
A. No, but Disk Utility will allow you to securely delete things you deleted from your trash non-securely.
Eraser for Windows: http://www.stanford.edu/dept/its/projects/descktop/eraser/install_eraser32.exe
Move the files to a server:
- Use a departmental server
- Use for-fee services like SharePoint
- Use the centrally provided AFS service with WebAFS
Q. Seems easier to just encrypt the whole disk. Wouldn't that be the recommendation?
A. Yes.
WebAFS
- Jon Pilat, IT Services
We have a new product called WebAFS. We wanted to make AFS easier to use. It has some information security implications. WebAFS was developed at the University of Michigan. Stanford will be deploying this service in May. Added features will be implemented this summer.
Q. What does AFS stand for?
A. AFS stands for Andrew File System which is derived from Andrew Carnegie.
AFS is free software. Everyone who has a SUNet ID has a home directory in AFS.
AFS is part of a distributed file system. WebAFS is a web interface to AFS which used to be command line driven. You can access files via a server with an easier to use web interface. Your WebAFS space is basically your central location for your files. To get to your WebAFS space, you go to afs.stanford.edu and login with your SUNet ID and password. It houses University web services, like a departmental web site.
WebAFS works on all platforms with Firefox 3, IE6, IE7, and Safari.
The WebAFS site is web-authenticated (requires your SUNet ID and password). On a side note, at the time you are in the web-authentication screen, if you click on "Advanced," you can enable "single-sign on." When you configure this the first time, you will have to do this on each browser.
The documentation is currently being finalized. After you log in, you will see a list of all your documents. The left-hand margin shows you the actions you can take.
If you download a document to edit it, and you have "auto-save" on, then after you work on the document you have to secure-delete it from your hard drive if it contains sensitive data.
You can set your directory to open up in a "favorites" directory - on the left margin (under actions).
Keep in mind that:
- WebAFS is more strongly encrypted than a normal AFS transaction.
- Native AFS is not secure enough for non-public data.
This means you can only use WebAFS to access your non-public data, using spaces in AFS dedicated to that purpose. Don't use your AFS home directory. Non-public AFS data storage will be available this summer. Feature releases of OpenAFS will include stronger encryption support.
Q. Is there an advantage to using this rather than a departmental server?
A. As long as your departmental server is secure, you can use that server. This service is centrally located and supported 24x7.
Q. What about grad students? Is this a good tool for them?
A. Yes. We have about 7,000 people using AFS each week. Students make up a huge part of that population.
Future releases of Open AFS will include stronger encryption support.
Q. So the main reason to use WebAFS is because you don't have a server?
A. If you have data that you need to access from home, or work, it gives you a little more flexibility and a lot more security.
You can share data through this service. You can set permissions to groups.
Ammy explained that this has come about as a result of the stolen laptop issue. Suddenly data security is becoming a bigger deal. So this is definitely overwhelming but extremely important.
The user guide is linked off of http://www.stanford.edu/services/afs
The AFS page will be changing in two weeks. The future website will be afs.stanford.edu with instructions on how to use it. (Since this meeting, the AFS site has been activated. Go to: http://afs.stanford.edu )
WebAFS requires SecureFX or OpenAFS.
Ammy concluded with information about Secure Email and Stanford IM - new services that are encrypted communication methods.
Other announcements:
Conversion from Sundial - 4th of July Weekend - includes appointments, tasks, distribution lists. Sundial to Stanford Calendar classes are scheduled to begin in June. Visit: http://calendartraining.stanford.edu for details.
New Class: Cool Tips and Tricks for Stanford Email and Calendar.
If you manage other people's calendars, resources, rooms, locations - there will be a special class for that type of person.
Elizabeth announced that Ammy and Jo-Ann will be back to talk about the Stanford Calendar in June 2009.
Reminder: Unified Messaging goes live May 17th. On May 11th, one week before go live, you will get access to set up your voicemail outgoing message by going to 725-0000.
Debbie was concerned that she did not get an email confirmation on that. Ammy explained that she is waiting for the final blessing. If she gets it, an email should go out on April 24th. (Since this meeting, a broadcast announcement has gone out to everyone.)
Q. When you convert to Unified Messaging, will we dial the same number?
A. Yes. We're trying to get that to work. 30000 will continue to be used. The Med School will convert in August.
Statement: Users should get off of Eudora.
Q. What about Eudora users with folders...can they be moved over?
A. There is something called "Aid for mail" which is a tool available.
Q. What about those using MeetingMaker?
A. MeetingMaker can export the .ics file and upload to Stanford Calendar. All bugs in Stanford Calendar have been fixed.
Q. My office staff are still using Eudora. It's still working. So why change?
A. Because if something breaks, or if the operating system is upgraded and Eudora no longer works, we're out of luck. Qualcomm is no longer supporting Eudora.
Q. How do we move over? We have so much going on?
A. Decide on a cutoff date. Then go from there. Talk to your IT professionals. They can help with the move of data.
Elizabeth thanked everyone for coming then adjourned the meeting.
