[liberationtech] Concerns with new Stanford University security mandate

taltman1 at stanford.edu taltman1 at stanford.edu
Tue Jan 28 01:42:48 PST 2014


Thank you for your reply Michele,

I think I should point out that their interpretation of 'employee'
includes faculty and students. As an example, here is the implementation
page for the School of Medicine:

https://med.stanford.edu/datasecurity/

Notice the flow-chart of who must adhere to the new policy. It
explicitly mentions faculty and students. 

All School of Medicine affiliates (faculty, employees, students, etc.)
are being forced to fill out a device attestation that provides
information on whether people access PHI/PII, what kind of devices they
use (whether Stanford owns them or not), external hard drives, thumb
drives, etc. 

I tried to fill out the form, claiming that I was exempt. The form said
that my answers were not correct, and that I faced administrative action
if I didn't fix them. 

Technically I can apply for a variance, which I have. I have not
received any reply in a week.

Even if the official instructions make this sound like it only applies
to employees that work with PHI/PII, don't be fooled. *Everyone* is
being asked to do this, receiving emails from the administration to make
sure that our attestations are up-to-date, and then sending follow-up
emails to get our attested machines into compliance.

As an engineer, my reaction to needing tighter security around PHI/PII
would be to create a separate network for personnel who have a
need-to-know. Tight security protocols like installing MDM and BigFix
could be implemented on that restricted network only. Taking the entire
university's network and enforcing that level of security, when the vast
majority of the affected machines will never touch PHI/PII, is just
ludicrous. Saying that those wanting to avoid these kinds of invasions
of privacy can just go on to the guest network is like being forced off
the interstate and only being allowed on side roads.

I am all for Stanford improving its security practices. They are
definitely justified in tightening controls on employees and their own
equipment. But personal property of faculty and students should be left
alone. That crosses the line.

My $0.02,

~Tomer




"Mrs. Y." <networksecurityprincess at gmail.com> writes:

> I worked in academia for 13 years. We were already doing most of this in
> 2010. We were one of the universities that proactively removed SSNs from
> general use and every administrative system except where necessary.
> Please note that the following provisions apply in the new policy:
>
> 1. requirement applies to university employees
> 2. equipment is university-owned
> 3. OR personal equipment touching PII/PHI
>
> I applaud Stanford's efforts toward protecting students' private data:
> their customers. This is probably a reaction to the reported breach this
> past summer:
>
> http://www.stanforddaily.com/2013/09/23/online-security-breach-prompts-further-security-measures-amidst-uncertain-details/
>
> They're actually being pretty fair, by allowing BYOD at all for
> employees and a guest network for personal devices. Many non-profits
> don't. There's also no requirement to meet these mandates if the
> personal device only uses the guest network, which is probably sandboxed
> with no access to PII/PHI and other confidential data. In the past,
> universities have been notoriously poor in protecting customer data and
> in the current climate could face large HIPAA or PCI-DSS fines/penalties
> if customer data is breached. Considering they also administer an FFRDC,
> the SLAC National Accelerator Laboratory, I'm surprised they haven't
> been stricter prior to this.
>
> The answer is pretty simple. If you feel these measures could violate
> your privacy, then don't use your personal equipment to access
> Stanford-classified PII/PHI. And don't put your personal data on
> university-owned equipment. As an employee using Stanford's equipment or
> accessing customer data, you do not have the same expectation of privacy
> as a student.
>
> Michele Chubirka
>
> On 1/26/14 5:36 AM, Rich Kulawiec wrote:
>> On Sun, Jan 26, 2014 at 01:20:20AM -0800, Tomer Altman wrote:
>>> To Liberation Tech:
>>>
>>> Stanford is implementing a new security policy detailed here:
>>>
>>> http://ucomm.stanford.edu/computersecurity/
>> 
>> First, if they were serious about security, they wouldn't be using 
>> Microsoft products.
>> 
>> Second, backdooring end-user systems en masse provides one-stop shopping
>> to an attacker.
>> 
>> Third, "locating PII on systems" is not a solved problem in computing,
>> and for anyone to pretend otherwise is, at best, disingenuous.  Not
>> only that, but anyone who's been paying attention to the re-identification
>> problem knows that non-PII is quite often just as sensitive.
>> 
>> Fourth, the simultaneous requirement that systems be backdoored
>> and searchable while their disks are encrypted strongly suggests
>> that they intend to have a central repository of encryption keys.
>> 
>> Fifth, the requirement for use of centralized backup also provides
>> one-stop shopping to an attacker.
>> 
>> Bottom line: this isn't about security, it's about control and monitoring.
>> 
>> ---rsk
>> 


