Desktop Security Initiatives

In this article, we'll discuss the different ways we're securing the SJU desktop computing environment.


Full Disk Encryption

What can I expect during the encryption process?

To encrypt your laptop, OIT will utilize the encryption software already installed on your machine. This will NOT impact the performance of your device. We will install a multi-platform management application called Workspace One (previously known as AirWatch) on your SJU issued device to facilitate the encryption process. Going forward, you will continue to unlock your computer with your SJU username and password.

For all Mac devices, encryption using Apple FileVault is enabled automatically, so no OIT technician needs to configure your laptop. Beginning July 31st, 2019, all outgoing faculty/staff and single-user devices are encrypted before they are issued.

For Windows laptops, OIT uses the native BitLocker application for encryption, and all faculty/staff and single-user devices are encrypted when they are assigned to a user. Some existing computers will have the Workspace One application deployed to them remotely, which may produce notifications that your computer is being encrypted. This is normal behavior and requires no manual intervention.

OIT staff will securely store the recovery keys for your encrypted computer in the event that there is a need to decrypt and recover data.


How does this affect files that I move from my encrypted computer to another location (Google Drive, USB drives, etc)?

Full Disk Encryption works by encrypting all of the data on the drive inside your computer. If a laptop with an encrypted hard drive is stolen, the files on it remain protected. If you copy a file to another location, it is no longer stored on the encrypted hard drive, so it will be stored unencrypted unless the target location is also using Full Disk Encryption. Your files are only as safe as the drive they are stored on.

The goal of this project is to remove the risk of confidential or sensitive data being accessed from a stolen laptop. However, if you store confidential/sensitive data on your USB drives, we recommend that you either delete this type of data from your USB drive and instead store it on Google Drive or that you encrypt your USB drive. If you would like assistance in encrypting a USB drive, please contact the Technology Service Center at 610-660-2920. Be aware that if you lose the password and recovery key associated with your USB drive, neither you, nor OIT, will be able to recover your data. If you have questions about confidential or sensitive data, please refer to our Data Classification Policy.
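The encryption described above is only doing its job while the drive reports that it is fully encrypted and protected. The following script is an added example (not OIT's, Workspace One's, Apple's or Microsoft's code) that reads the output of the platform's own status tool, "fdesetup status" on macOS and "manage-bde -status" on Windows, and reports whether the system drive is protected. The parsers are pure functions, so they are exercised here on constructed sample output rather than on a live machine; the sample text is abbreviated to the lines the parsers read.

```python
"""Report whether the system drive is protected by full disk encryption.

Added example, not the University's or the vendors' code. It parses the
text that `fdesetup status` (macOS) and `manage-bde -status` (Windows)
print, so a user or technician can confirm the state the article describes.
"""
import platform
import re
import subprocess


def filevault_enabled(fdesetup_output: str) -> bool:
    """True when `fdesetup status` reports 'FileVault is On.'."""
    return re.search(r"^FileVault is On\.", fdesetup_output, re.MULTILINE) is not None


def bitlocker_protected(manage_bde_output: str) -> bool:
    """True only when the volume is fully encrypted AND protection is on.

    A drive whose conversion is still in progress, or whose protectors are
    suspended ('Protection Off'), exposes its data even though BitLocker is
    nominally enabled, so both fields are checked rather than just one.
    """
    conversion = re.search(r"Conversion Status:\s*(.+)$", manage_bde_output, re.MULTILINE)
    protection = re.search(r"Protection Status:\s*(.+)$", manage_bde_output, re.MULTILINE)
    return (conversion is not None and conversion.group(1).strip() == "Fully Encrypted"
            and protection is not None and protection.group(1).strip() == "Protection On")


def system_drive_encrypted() -> bool:
    """Run the status tool for the current platform and parse its output."""
    system = platform.system()
    if system == "Darwin":
        out = subprocess.run(["fdesetup", "status"], capture_output=True, text=True).stdout
        return filevault_enabled(out)
    if system == "Windows":
        # C: is assumed to be the OS volume; adjust if the system drive differs.
        out = subprocess.run(["manage-bde", "-status", "C:"], capture_output=True, text=True).stdout
        return bitlocker_protected(out)
    raise RuntimeError(f"no full disk encryption check implemented for {system}")


# Constructed sample output (not captured from a real machine), trimmed to
# the lines the parsers read.
SAMPLE_FDESETUP_ON = "FileVault is On.\n"
SAMPLE_FDESETUP_OFF = "FileVault is Off.\n"
SAMPLE_MANAGE_BDE_OK = (
    "Volume C: [Windows]\n[OS Volume]\n\n"
    "    Conversion Status:    Fully Encrypted\n"
    "    Percentage Encrypted: 100.0%\n"
    "    Protection Status:    Protection On\n"
)
# Encrypted, but protectors suspended: data is readable, so this must fail.
SAMPLE_MANAGE_BDE_SUSPENDED = SAMPLE_MANAGE_BDE_OK.replace("Protection On", "Protection Off")
# Encryption still running: not yet protected.
SAMPLE_MANAGE_BDE_PARTIAL = (
    "    Conversion Status:    Encryption in Progress\n"
    "    Percentage Encrypted: 43.2%\n"
    "    Protection Status:    Protection Off\n"
)

if __name__ == "__main__":
    print("system drive encrypted:", system_drive_encrypted())
```

Run it with no arguments on the laptop itself to get a yes/no answer; the two "Protection Off" samples show why a technician should read both the conversion and protection fields rather than stopping at "BitLocker is enabled".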


Additional Security Requirements

Timeouts and Lockouts

Several security changes have been introduced to coincide with the encryption initiative:

First, OIT is now required to activate a setting on University computers that places a computer in a locked state after a certain amount of inactivity. When your computer is not used for 20 minutes (while plugged into an outlet), the inactivity threshold will be exceeded and your computer will be locked. You will not lose any work in progress; however, you will be required to re-enter your SJU username and password to resume work.

Note: if you are using a laptop and running on battery power, you will see more aggressive system timeouts that will put your laptop to sleep. Upon "waking up" the laptop, you will also be required to enter your password again.

The second security change that will be implemented pertains to University accounts. These accounts will be locked for 10 minutes after 10 failed login attempts. This is an important security measure that helps prevent unauthorized access to SJU computers, your account, and your data in attacks where an automated process tries thousands of passwords to gain access. This security measure has also been strongly recommended by our security auditors.

Please see our article here that provides the security settings in greater detail.
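To make the lockout rule above concrete, here is an added model of it (not the University's authentication system, whose internals the article does not describe): after 10 failed attempts an account refuses all logins, including ones with the correct password, for 10 minutes. The clock is injected so the behaviour can be checked without waiting, and a small simulation shows what the rule does to the "thousands of passwords" scenario. The user names and timings are constructed for illustration.

```python
"""Model of the account lockout rule: 10 failures lock the account for
10 minutes.  Added example, not the University's authentication code."""
from dataclasses import dataclass
import time

LOCKOUT_THRESHOLD = 10          # failed attempts before the account locks
LOCKOUT_SECONDS = 10 * 60       # how long the lock lasts


@dataclass
class AccountState:
    failures: int = 0           # consecutive failures since the last success/expiry
    locked_until: float = 0.0   # clock value at which the lock expires (0 = not locked)


class LockoutPolicy:
    def __init__(self, clock=time.monotonic):
        self._clock = clock     # injected so tests can control time
        self._accounts: dict[str, AccountState] = {}

    def is_locked(self, user: str) -> bool:
        st = self._accounts.get(user)
        return st is not None and self._clock() < st.locked_until

    def attempt(self, user: str, password_ok: bool) -> tuple[bool, str]:
        """Process one login attempt; returns (allowed, reason).

        reason is "locked" when the attempt was refused without the password
        being evaluated at all, "bad_password" when it was evaluated and
        failed, and "ok" on success.
        """
        st = self._accounts.setdefault(user, AccountState())
        now = self._clock()
        if now < st.locked_until:
            # Refuse even a correct password while locked, so an attacker cannot
            # use the lock window to confirm a guess.
            return False, "locked"
        if st.locked_until and now >= st.locked_until:
            st.failures = 0         # lock expired: start a fresh count
            st.locked_until = 0.0
        if password_ok:
            st.failures = 0
            return True, "ok"
        st.failures += 1
        if st.failures >= LOCKOUT_THRESHOLD:
            st.locked_until = now + LOCKOUT_SECONDS
        return False, "bad_password"


def simulate_guessing(n_attempts: int, interval_s: float = 1.0) -> int:
    """Fire n_attempts wrong guesses, one per interval, at a constructed
    account and return how many were actually evaluated against the
    password; the rest were rejected by the lock."""
    now = [0.0]
    policy = LockoutPolicy(clock=lambda: now[0])
    evaluated = 0
    for _ in range(n_attempts):
        _, reason = policy.attempt("example-user", password_ok=False)
        if reason != "locked":
            evaluated += 1
        now[0] += interval_s
    return evaluated


if __name__ == "__main__":
    # 3600 guesses in an hour at one per second: only 60 are ever evaluated.
    print("guesses evaluated in an hour:", simulate_guessing(3600))
```

The simulation shows the arithmetic behind the auditors' recommendation: with a 10-attempt threshold and a 10-minute lock, an automated guesser gets at most 60 password evaluations per hour against one account instead of 3,600.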


Windows Updates

Patch Management & Automatic Reboots

The University is required to manage the deployment of Windows Updates using Microsoft System Center Configuration Manager (SCCM), which allows us to more securely deploy applications, security updates and patches to Windows computers. If your computer has not been rebooted and patches have not been installed within a reasonable time, Windows will forcefully reboot your computer. It is important to reboot your computer at least once a week and allow any pending updates to be installed, so that a forced reboot does not interrupt your work during normal business hours.

Windows users have always taken advantage of using Windows Update to keep their SJU-issued computers up to date, but this will further ensure they are being routinely patched to mitigate security vulnerabilities.

For more information, please see this article.

Endpoint Data Backup Solution

How we used to back up data

Each user that received an SJU-issued computer was also given an external hard drive for backing up their data. On both macOS and Windows, we would use the native data backup applications to run periodic data backups. Some users also used cloud backup services such as OneDrive, Dropbox, and iCloud.

Why did we change how data is backed up?

External hard drives, USB drives, or any other media used to store data are a big security risk. Many of these devices are portable and travel with the user and their laptop. If these devices were lost or stolen, any sensitive or confidential data on them would be compromised. While we are now encrypting University laptops, the data backed up to these external devices is not encrypted the way the data residing on the computer is.

Non-University-supported cloud storage solutions such as OneDrive, Dropbox, and iCloud allow sensitive and confidential data to be stored outside of University-supported and approved services. These cloud solutions also allow the user to sign in with a personal, non-SJU account that could become compromised, leading to a data breach through that account.

How are data backups handled now?

In order to have all data securely backed up and encrypted, and to eliminate possible theft due to a device being lost or a non-University account becoming compromised, we will be mandating an automated data backup solution. The application that the University will be using is called Code42. Through an RFP process, the University selected Code42 based on their extensive experience with Higher Ed. For more information about Code42, please visit some of our help articles here.


Find My Mac

Some macOS users have previously enabled and configured Find My Mac on their SJU-issued Mac. Find My Mac uses a personal, non-SJU iCloud account to track the location of your Mac. As we are now using our management tool, Workspace One, to manage encryption and the security of each SJU-issued Mac, we now require Find My Mac to be disabled. This will add an additional layer of security so that University data is not being stored in non-University locations, and will allow the University to ensure devices are not being remotely tracked, locked, or wiped from a compromised iCloud account. Workspace One will allow SJU to provide the same level of security as Find My Mac, and allow OIT to remotely lock and wipe a compromised, lost, or stolen Mac.


Who should I contact with questions about any of the initiatives outlined above?

Please contact the Technology Service Center at 610-660-2920.

Details

Article ID: 79290
Created
Wed 5/29/19 12:24 PM
Modified
Wed 9/15/21 12:42 PM