Announcing Stanford’s File Storage Security Plan
Sharing files is foundational to collaboration, and the university’s many file storage systems are heavily used, including Google Drive, Box, Medicine Box, OneDrive, AFS, and departmental file servers. We learned from recent incidents that some files are shared more broadly than they should be, leading to potential breaches of sensitive information.
In consultation with the Board of Trustees, Provost Drell, the Faculty Committee on IT Privacy, the University Privacy Office, and the CIO Council, University IT (UIT) has developed a plan to address this complex and widespread problem. The effort will span several years and involve campus-wide participation. The overarching program is sponsored by the CIO Council, a governance board comprised of our senior-most IT leaders at the schools and major units. The high level plan is to:
- Scan all major university file storage systems for broadly shared files containing sensitive data, beginning with publicly accessible files. Coordinate with file owners to validate and remediate each flagged file.
- Automatically notify individuals when sensitive data is detected in their broadly shared files, then track remediation.
- Archive or remove unneeded data in consultation with file owners in order to reduce the volume of sensitive data not detectable via automated scans.
- Establish brief annual online security training for all employees.
Given the vast scale of the university’s file storage systems, automation is key to achieving the necessary scalability and sustainability. To that end, UIT recently evaluated and deployed a new file scanning tool that automatically discovers, monitors, and protects sensitive data.
“The tool will generate greater awareness of exposed file shares which we can then not only remediate, but also use to inform future training and automated security controls,” said Mike Takahashi, the program manager for UIT’s File Storage Security program.
How You Can Help
Sensitive information exposed by misconfigured file permissions is a preventable problem. Below are a few ways you can help keep sensitive data private:
- When sharing files, share with the minimum number of individuals necessary. Only use public sharing or a “shareable link” when truly intended for public access.
- Double-check the file permissions on all file sharing repositories that you manage to ensure that they match your intention and expectation.
- If you discover sensitive data that might have been exposed, promptly report it to the Privacy Office.