Desktop Security Initiatives

In this article, we'll discuss the different ways we're securing the SJU desktop computing environment.


Full Disk Encryption

What can I expect during the encryption process?

To encrypt your laptop, OIT will utilize the encryption software already installed on your machine. This will NOT impact the performance of your device. We will install a multi-platform management application called Workspace One (also known as AirWatch) on your device to facilitate the encryption process. Going forward, you will continue to unlock your computer with your SJU username and password.

For all Mac devices, encryption using Apple FileVault will be enabled automatically, and there will be no need for an OIT technician to touch your laptop. On July 31st, 2019, users will be prompted in Managed Software Center to perform a reboot, which will start the encryption process.

For Windows laptops, OIT will use the native BitLocker application for encryption. There are a few steps you will need to follow to begin the encryption process, and OIT will assist you with them.

OIT staff will securely store the recovery keys for your encrypted computer in the event that there is a need to decrypt and recover data.


I have a desktop, what does this mean for me?

For Windows desktops, nothing will happen to your machine at this time. Laptops are at greater risk of being lost or stolen, so OIT will focus on mitigating this risk first. Once all laptops are encrypted, OIT will turn its attention to desktop encryption and will communicate that plan to faculty and staff.

As all Mac desktops and laptops are already enrolled in Workspace One, we will encrypt all MacBook Pros, iMacs, Mac Minis, and Mac Pros starting on July 31st, 2019.


How does this affect files that I move from my encrypted computer to another location (Google Drive, USB drives, etc)?

Full Disk Encryption works by encrypting all of the data on the drive inside your computer. If a laptop with an encrypted hard drive is stolen, the files on that drive remain protected. If you copy a file to another location, it is no longer stored on the encrypted hard drive, so it will be stored unencrypted unless the target location is also using Full Disk Encryption. Your files are only as safe as the drive they are stored on.

The goal of this project is to remove the risk of confidential or sensitive data being accessed from a stolen laptop. However, if you store confidential/sensitive data on your USB drives, we recommend that you either delete this type of data from your USB drive and instead store it on Google Drive or that you encrypt your USB drive. If you would like assistance in encrypting a USB drive, please contact the Technology Service Center at 610-660-2920. Be aware that if you lose the password and recovery key associated with your USB drive, neither you, nor OIT, will be able to recover your data. If you have questions about confidential or sensitive data, please refer to our Data Classification Policy.


Additional Security Changes

Timeouts and Lockouts

Several security changes will be introduced to coincide with the encryption initiative:

First, OIT is now required to activate a setting on University computers that places a computer in a locked state after a certain amount of inactivity. When your computer is not used for 20 minutes (while plugged into an outlet), the inactivity threshold will be exceeded and your computer will be locked. You will not lose any work in progress; however, you will be required to re-enter your SJU username and password to resume work.

Note: if you are using a laptop and running on battery power, you will see more aggressive system timeouts that will put your laptop to sleep. Upon "waking up" the laptop, you will also be required to enter your password again.

The second security change that will be implemented pertains to University accounts. These accounts will be locked for 10 minutes after 10 failed login attempts. This is an important security measure against attacks in which a hacker uses an automated process to try thousands of passwords, and it helps prevent unauthorized access to SJU computers, your account, and your data. This measure has also been strongly recommended by our security auditors.
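To show what the lockout rule above does against an automated guessing process, here is a small model of the policy (10 failed attempts, 10-minute lock). It is an added example, not part of the original article and not SJU's actual account system; the user names and the one-guess-per-second rate are constructed assumptions.

```python
"""Model of an account-lockout policy: lock an account for LOCKOUT_SECONDS
after LOCKOUT_THRESHOLD consecutive failed logins. Constructed example."""
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 10      # failed attempts before the account locks
LOCKOUT_SECONDS = 10 * 60   # how long the lock lasts


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since last success/lock
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


class LockoutPolicy:
    def __init__(self, threshold=LOCKOUT_THRESHOLD, duration=LOCKOUT_SECONDS):
        self.threshold = threshold
        self.duration = duration
        self.accounts = {}

    def is_locked(self, user, now):
        return now < self.accounts.setdefault(user, AccountState()).locked_until

    def attempt(self, user, password_ok, now):
        """Return 'rejected' (locked, password not even checked),
        'ok' (success, counter reset) or 'failed' (wrong password)."""
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            return "rejected"
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.threshold:
            st.locked_until = now + self.duration
            st.failures = 0
        return "failed"


def guesses_evaluated(policy, user, seconds):
    """How many wrong guesses actually get checked in `seconds` when an
    automated process retries once per second against one account."""
    evaluated = 0
    for t in range(seconds):
        if policy.attempt(user, False, float(t)) != "rejected":
            evaluated += 1
    return evaluated
```

With the policy in place, a one-guess-per-second process gets 60 guesses checked per hour instead of 3,600; during each lock window even the correct password is rejected, so the lock also briefly affects the legitimate user.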

Please see our article here that provides the security settings in greater detail.


Windows Software Center

Patch Management & Automatic Reboots

We will be introducing a new comprehensive tool called Microsoft System Center Configuration Manager (SCCM) that will allow us to better deploy applications, security updates and patches to Windows computers.

Windows users already rely on tools like Windows Update to keep their SJU-issued computers up to date, and SCCM will further ensure they are routinely patched to mitigate security vulnerabilities.

Another advantage of using SCCM will be the Software Center, which will serve as a type of self-service portal, allowing users to select University-licensed applications and install them on their own without the need to submit a ticket. For more information, please see this article.

Endpoint Data Backup Solution

How we used to back up data

Each user who received an SJU-issued computer was also given an external hard drive to be used for backing up their data. On both macOS and Windows, we would use the native data backup applications to run periodic backups. Some users also used cloud backup services such as OneDrive, DropBox, and iCloud.

Why are we changing how data is backed up?

External hard drives, USB drives, and any other media used to store data are a significant security risk. Many of these devices are portable and travel with a user and their laptop. If such a device were lost or stolen, any sensitive or confidential data on it would be compromised. While we are now encrypting University laptops, the data backed up to these external devices is not encrypted the way the data residing on the computer is.

Non-University-supported cloud-storage solutions such as OneDrive, DropBox, and iCloud allow sensitive and confidential data to be stored outside of University-supported and approved services. These cloud solutions also allow the user to sign in with a personal, non-SJU account; if that account is compromised, the University data stored in it is exposed.

How we will be backing up data going forward

In order to have all data securely backed up and encrypted, and to eliminate possible theft due to a device being lost or a non-University account being compromised, we will be mandating an automated data backup solution. The application the University will be using is called Code42. Through an extensive RFP process, the University selected Code42 based on their extensive experience with Higher Ed. For more information about Code42, please visit some of our help articles here.


Find My Mac

Some macOS users have previously enabled and configured Find My Mac on their SJU-issued Mac. Find My Mac uses a personal, non-SJU iCloud account to track the location of your Mac. As we are now using our management tool, Workspace One, to manage encryption and the security of each SJU-issued Mac, we now require Find My Mac to be disabled. This will add an additional layer of security so that University data is not being stored in non-University locations, and will allow the University to ensure devices are not being remotely tracked, locked, or wiped from a compromised iCloud account.  Workspace One will allow SJU to provide the same level of security as Find My Mac, and allow OIT to remotely lock and wipe a compromised, lost, or stolen Mac. 


Who should I contact with questions about any of the initiatives outlined above?

Please contact the Technology Service Center at 610-660-2920.


Details

Article ID: 79290
Created
Wed 5/29/19 12:24 PM
Modified
Tue 4/28/20 2:57 PM