How UCAS uses Splunk to protect students’ sensitive data

Universities and Colleges Admissions Service’s enterprise security architect describes how the organisation uses Splunk to keep user data secure, and how it copes with its yearly spike in traffic

Every year, thousands of students use the Universities and Colleges Admissions Service (UCAS) to search and apply for university places, and at the same time hand over some of their most sensitive personal data.

Not only does UCAS have to keep this data secure, but the information also has to be processed in a short amount of time as about 800,000 new “learners” each year await their A-level results to see how their future will unfold.

Andy Gibbs, enterprise security architect for UCAS, describes how a combination of Splunk and Amazon Web Services (AWS) technology helps the organisation deal with students in its summer peak, and its other customer groups across the rest of the year.

“We’ve got three main customer groups – we’ve got the learners themselves, who obviously want to further their education, but we’ve also got the education providers, who want to place people on courses, and we’ve got advisers – schools, colleges, parents – who are hopefully trying to help students through this process,” says Gibbs.

“We’ve got interested parties from a data and analytics viewpoint who are interested in the aggregated data we have produced to help guide the development of courses.”

Commercially, UCAS also provides focused advertising for particular organisations, such as accommodation services, that want to target their advertising towards the students UCAS works with.

Keeping student data secure

As the UK’s national “clearing house for courses”, UCAS is probably best known for the work it does when the A-level results are released each year.

With that comes not only the students’ sensitive personal data such as ethnicity, gender or religion, but also exam results data, which UCAS receives six to eight weeks before the students do.

UCAS uses this data to give universities an idea of how many students they should expect, but also to predict how many students will have to go through the clearing process if they are not matched with the courses they had hoped for.

Gibbs says: “It’s highly confidential data, and for a particular time of year, very very confidential. We have to demonstrate both to our customers and to various authorities that we are treating that with the due care that it requires.”

When Gibbs joined UCAS four years ago, the organisation had some anti-virus and threat detection in place, but Gibbs says it was “a bit fragmented”.

With Splunk now tying these disparate systems together, the big data software plays a huge part in UCAS’s security initiatives, acting as a “nervous system” for the various areas across the business that security data may be coming from.

Gibbs says: “Splunk takes all of these disparate alerts and notifications of security events and provides them in a consistent way so they can be analysed, correlated so we can gain a much deeper understanding of what’s going on across our systems and networks.”

Collecting this information in one Splunk dashboard makes it easier to assess whether UCAS’s systems are properly patched, the “health state” of its various systems and the likelihood of a cyber attack, he says.

During the high-volume time of year for UCAS, when students are receiving their exam results and securing their university places, operational functions are also vitally important.

Gibbs explains: “When we are going through the confirmation and clearing process, it is absolutely key that we can see that we’re in a good health state, both from a security and an operational viewpoint. Splunk also provides us with operational information.”

UCAS also uses the platform for things such as monitoring social media, which can be important when dealing with the younger, tech-savvy user base that UCAS has.

“We do take particular care to track what’s happening with our user base,” says Gibbs. “We monitor things like social websites and look for any chatter around UCAS.”

This can help the organisation to respond more quickly to issues it may not have been aware of previously, but has picked up on by monitoring social media mentions.

Better data analysis

Before adopting Splunk, UCAS had difficulty in identifying security events. Because data came from so many different systems and was not displayed in one place, it was difficult to pinpoint exactly where a problem had arisen.

Gibbs describes an incident in 2016, when Splunk flagged the actions of one of UCAS’s learner users as suspicious. Using Splunk, and with advice from that user’s school, UCAS was able to “categorically demonstrate” that the user was not the culprit.

“Equally, if there were a major breach, we would need to be able to provide people like the Information Commissioner’s Office with the analysis and forensics, and we’ve got the ability to do that now,” says Gibbs.

As organisations collect more and more data, legacy systems can stand in the way of properly analysing it because of internal silos. By breaking down data silos using Splunk, UCAS can now respond both reactively and proactively to security threats, using Splunk dashboards and analytics to spot trends that may lead to a breach, or to pin down the cause of an incident should one arise.

Gibbs says: “There’s the proactive stuff like the dashboarding to pre-empt, to see if we’re in a good state of play; there’s the reactive, so when something kicks off, being able to be quickly alerted to it and react to it; and then there’s the post-event forensics and investigative-type work – those are the main three prongs of the value of the tool to us.”

Scaling systems for busy periods

As well as focusing on data security during its peak time, UCAS has to ensure its services can scale to match the increased traffic that comes with the confirmation and clearing period.

Hits on its website can increase 20- or 30-fold during this period compared with the rest of the year, and it can be even busier in the weeks leading up to exam results.

To cope with this increase in demand, UCAS has also adopted AWS, which can be scaled up or down depending on capacity and demand.

Gibbs says: “It’s the only way that, commercially, it’s a realistic prospect; otherwise you have to massively oversubscribe in your computing facilities in order to have sufficient bandwidth and processing power.”

When UCAS expands its use of AWS servers, Splunk is already configured to receive data from it, acting as an “ally to the operational stack” that the organisation needs during this busy period, says Gibbs.