Educause Security Discussion mailing list archives

Re: IdentityFinder - Data Discovery Software


From: "Volz, Donald D" <don.volz () TXSTATE EDU>
Date: Thu, 29 Aug 2013 15:35:51 +0000

We've licensed Identity Finder for campus-wide use for several years.  I don't disagree with Vern's points about 
challenges regarding centralized use across a disparate or diverse environment.  In other words, the more a user knows 
about the data environment being scanned, the more efficiently the tool can be applied.

That said, I contend that the challenges are not so much a function of the tool itself as they are a function of the 
diversity of data types being scanned, especially data types with formats identical to SSNs, payment card numbers, etc.  
Every scanning tool will have these same challenges, and in our experience, Identity Finder generates fewer false 
positives than any other tool we've used.

We've incorporated Identity Finder within our annual risk assessment process such that departmental technical support 
staff must use Identity Finder to discover if the systems they manage contain any confidential information.  If so, the 
assessment becomes more intensive and extensive, unnecessary storage of confidential data is eliminated, and protection 
is maximized for those locations where it must reside.

Don
______________________________________________

Don Volz
Special Asst to the VPIT
Texas State University
Email: don.volz () txstate edu
Voice: 512-245-9650
FAX: 512-245-1226

From: Wilkins, Vern W [mailto:vwilkins () INDIANA EDU]
Sent: Wednesday, August 28, 2013 4:01 PM
Subject: Re: IdentityFinder - Data Discovery Software

We've found Identity Finder to be a very difficult tool to use efficiently, in a large enterprise environment.  I'll 
keep my response short and just say that I would not consider this tool enterprise-ready.  It's typical of software 
that is designed with the assumption that it will be installed and run by a single user, on their own machine.  If a 
single user is going to use the tool, to scan data they are familiar with, and they have a lot of IT assistance, the 
tool works reasonably well.  I would expect that most IT professionals would rather use the tool in a way that is more 
centralized and IT-managed, which in my opinion is where the software falls short.

In our environment (an academic library), the number of false positives we are seeing is very high.  We have a 
tremendous number of documents containing numbers that have the same format as social security numbers and various 
credit card numbers.  It's very labor intensive, either on the part of IT staff, users, or both, depending on how you 
want to split the workload of installing and running the tool, dealing with results, and adjusting the configuration.  
Aggregating or separating results (depending on how you perform the scans and what is scanned) of a large number of 
scans is especially time intensive, as is managing exceptions.  Although not necessarily a weakness of the tool itself, 
managing scans for multi-user resources has also been somewhat labor intensive for us.  Examples include scanning 
workstations or departmental shares used by many people.

Because of the large number of difficulties we have encountered trying to have IT staff run and manage this centrally, 
we are now leaning more towards having users run the scans, and running our own scans from IT only as confirmation that 
the users are appropriately using the tool and taking action as needed.  Obviously this still requires a great deal of 
user education and training, and IT staff will still need to provide a lot of assistance.

The Penn State case study seemed to indicate that IT staff was going around and installing the software, and running 
the scans, which just seems to reinforce our experience that there's not a very efficient way to use this tool in a 
large, complex, environment.  I don't see any mention in the Penn State study of how results were handled, how 
exceptions were managed, etc.  I assume that this would all be done with the help of IT staff, at the time of the first 
scan, which would add tremendously to the time commitment.

Vern Wilkins
Manager Library Technologies Core Services
Indiana University Libraries
Bloomington, IN

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () listserv educause edu] On Behalf Of Carlos Lobato
Sent: Monday, August 19, 2013 3:47 PM
To: SECURITY () listserv educause edu
Subject: [SECURITY] IdentityFinder - Data Discovery Software


Hello All,

Here at New Mexico State University we are thinking of evaluating IdentityFinder, but we would like to hear from those 
of you who are using another similar tool.

If you are using a tool similar to IdentityFinder please let us know the name of the tool, how long you have had it and 
if you are satisfied.

Thanks in advance,


Carlos S. Lobato, CISA, CIA
IT Compliance Officer

New Mexico State University
Information and Communication Technologies
MSC 3AT PO Box 30001
Las Cruces, NM  88003-8001

Phone: 575-646-5902
Fax: 575-646-5278

Email: clobato () nmsu edu

