Following an audit process in 2015, the then year-old Ohio University OneCard office decided to make changes to the way it secures and logs ID card production.
The issuance security upgrades at the Ohio OneCard office were outlined in a presentation given at NACCU 2017 by Joshua Bodnar, director of Access, Transaction, and Video Services at Ohio University. In the presentation, Bodnar describes the changes made to the card production process, as well as the susceptibilities uncovered by the initial system audit.
One of the major concerns raised was that the OneCard office was not tracking the reproduction of ID cards. “We were not tracking when the ID was printed, what cards were printed, and what staff members were printing them,” Bodnar says.
This exposed the risk of employees making copies of ID cards without anyone knowing. “We wouldn’t have any way to know if a large number of IDs were printed when they shouldn’t have been,” Bodnar adds.
Office staff were also not keeping track of card stock and printing supplies. Unlocked boxes of cards and ribbons would be left out next to printers. When these issues came to light, Bodnar and the OneCard team realized that they needed to better secure both materials and the card production process.
The first step was to secure the office’s workstations by taking away shared Windows accounts and instead requiring staff who need access to IDWorks to be put in an Active Directory group managed by the OneCard office. Additionally, only those in the Active Directory can access the workstations. This was done to prevent the risk of unauthorized users accessing personal information stored on the machines.
Access to the Internet was also disabled at the workstations to avoid the risk of employees visiting potentially unsafe websites. Users are also logged out of the computers if they leave the machine idle for over five minutes.
Prior to the new security changes, users could stay logged in all day, and when the computers were restarted they would automatically log in using a worker’s credentials. This left personal information open for anyone to access, which Bodnar wanted to prevent.
With multiple machines, the OneCard office decided it was important for all of the print logs to be stored together. To accomplish this, the OneCard team decided to leverage software that the university already had: nxlog and Kibana.
Ohio University was already using nxlog to send logging data to the campus’s central logstash system. The print logs are installed on each machine; they are written to text files on the machines and to a shared network, and then stored in the centralized logging system. Meanwhile, Kibana makes it easier to search the logs and provides a visual for the collected data.
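The following added example (not code from Ohio University or the presentation) sketches the kind of review that centralized print logs make possible for the gap Bodnar describes: it totals prints per staff member per day across all workstations and lists cards printed more than once. The pipe-delimited record format, the field names, the sample records and the daily limit are all assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records. The layout (timestamp|workstation|operator|card_id)
# is an assumed format, not the OneCard office's actual print log.
SAMPLE_LOG = """\
2017-03-01T09:02:11|WS1|alice|P100234
2017-03-01T09:05:40|WS1|alice|P100235
2017-03-01T10:15:00|WS2|bob|P100300
2017-03-01T10:16:30|WS2|bob|P100301
2017-03-01T16:40:05|WS3|bob|P100300
2017-03-01T16:41:12|WS3|bob|P100302
garbled line without fields
2017-03-02T08:30:00|WS1|alice|P100236
"""

def parse_line(line):
    """Return (date, workstation, operator, card_id), or None if malformed."""
    parts = line.strip().split("|")
    if len(parts) != 4 or not all(parts):
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return ts.date().isoformat(), parts[1], parts[2], parts[3]

def review_prints(log_text, daily_limit=3):
    """Flag operators above daily_limit prints in a day and cards printed twice or more."""
    per_operator_day = Counter()
    prints_by_card = defaultdict(list)
    rejected = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            rejected.append(lineno)  # report malformed lines instead of dropping them
            continue
        day, workstation, operator, card_id = record
        per_operator_day[(operator, day)] += 1
        prints_by_card[card_id].append((operator, workstation))
    high_volume = {k: n for k, n in per_operator_day.items() if n > daily_limit}
    reprints = {c: p for c, p in prints_by_card.items() if len(p) > 1}
    return high_volume, reprints, rejected
```

In the sample, the operator "bob" stays at two prints on each workstation and only exceeds the limit once records from both machines are combined, which is the case that per-machine logs would miss.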