[liberationtech] Concerns with new Stanford University security mandate
Mrs. Y.
networksecurityprincess at gmail.com
Sun Jan 26 05:15:51 PST 2014
I worked in academia for 13 years. We were already doing most of this in
2010. We were one of the universities that proactively removed SSNs from
general use and every administrative system except where necessary.
Please note that the following provisions apply in the new policy:
1. requirement applies to university employees
2. equipment is university-owned
3. OR personal equipment touching PII/PHI
I applaud Stanford's efforts toward protecting students' private data:
their customers. This is probably a reaction to the reported breach this
past summer:
http://www.stanforddaily.com/2013/09/23/online-security-breach-prompts-further-security-measures-amidst-uncertain-details/
They're actually being pretty fair, by allowing BYOD at all for
employees and a guest network for personal devices. Many non-profits
don't. There's also no requirement to meet these mandates if the
personal device only uses the guest network, which is probably sandboxed
with no access to PII/PHI and other confidential data. In the past,
universities have been notoriously poor in protecting customer data and
in the current climate could face large HIPAA or PCI-DSS fines/penalties
if customer data is breached. Considering they also administer an FFRDC,
the SLAC National Accelerator Laboratory, I'm surprised they haven't
been stricter prior to this.
The answer is pretty simple. If you feel these measures could violate
your privacy, then don't use your personal equipment to access
Stanford-classified PII/PHI. And don't put your personal data on
university-owned equipment. As an employee using Stanford's equipment or
accessing customer data, you do not have the same expectation of privacy
as a student.
Michele Chubirka
On 1/26/14 5:36 AM, Rich Kulawiec wrote:
> On Sun, Jan 26, 2014 at 01:20:20AM -0800, Tomer Altman wrote:
>> To Liberation Tech:
>>
>> Stanford is implementing a new security policy detailed here:
>>
>> http://ucomm.stanford.edu/computersecurity/
>
> First, if they were serious about security, they wouldn't be using
> Microsoft products.
>
> Second, backdooring end-user systems en masse provides one-stop shopping
> to an attacker.
>
> Third, "locating PII on systems" is not a solved problem in computing,
> and for anyone to pretend otherwise is, at best, disingenuous. Not
> only that, but anyone who's been paying attention to the re-identification
> problem knows that non-PII is quite often just as sensitive.
>
> Fourth, the simultaneous requirement that systems be backdoored
> and searchable while their disks are encrypted strongly suggests
> that they intend to have a central repository of encryption keys.
>
> Fifth, the requirement for use of centralized backup also provides
> one-stop shopping to an attacker.
>
> Bottom line: this isn't about security, it's about control and monitoring.
>
> ---rsk
>