Higher Education Case Study

Graduate Research Center at a Southeast Asian Research UniversityCatching Research Data Exfiltration That USB Controls Miss

When a PhD student was caught uploading unpublished thesis research data to a personal Google Drive from a shared lab computer — six weeks of files before the supervisor noticed — the center's IT administrator realized their USB blocklist couldn't see what was leaving through the browser. PrivateDLP's AI screen auditing gave them the screenshot evidence and the rule set to catch the next one.

Research Center
Graduate School of Applied Sciences
~80
Lab Workstations
Research Data
AI-Detected Cloud Upload

Executive Summary

The client is a research center within a mid-size Southeast Asian research university — a graduate school of applied sciences running roughly 80 lab workstations across two floors of a shared research building. The center's researchers — doctoral students, postdoctoral fellows, and junior faculty — work on shared lab computers that rotate multiple users per day. Their research includes unpublished experimental datasets, thesis chapters, and grant proposals that represent years of work and competitive advantage for the research group.

The center's group policy was strict: no removable USB storage on research workstations. None of that stopped a PhD student from opening Google Drive in Chrome on a shared lab computer and uploading unpublished thesis data to a personal account — every day for six weeks before the supervisor noticed unusual file activity in the shared research folder.

The center's IT administrator chose PrivateDLP for the one capability the existing stack didn't have — visibility into what was happening on the screen, with screenshot evidence captured at the moment of a policy violation. The deployment covered the 80 lab workstations, managed from a single Windows server, with rules written by the center's research coordinator in plain English and deployed by the IT administrator the same afternoon.

AI screen auditing with plain-English rule definition
Screenshot evidence at the moment of research data violations
Time-based policies for after-hours lab access
Research coordinator-owned rules for research data boundaries

Client Profile

The client is the graduate school of applied sciences within a mid-size research university in Southeast Asia — a research center running a handful of specialized labs focused on materials science, energy systems, and biomedical engineering. The center operates roughly 80 shared workstations distributed across two floors of a shared research building. Doctoral students, postdoctoral researchers, and junior faculty share these workstations on rotating schedules, with each person using a generic login account rather than a personal one — a common arrangement in shared lab environments where hardware access is tied to physical presence, not user accounts.

The research being produced at the center is at an early stage — experimental datasets, thesis chapters in progress, conference submissions, and grant proposals. This is pre-publication research that represents years of work and significant competitive advantage for the research group. A USB blocklist addresses physical device transfer but says nothing about what a researcher can do through a browser on a shared computer.

Research Focus

Materials science, energy systems, and biomedical engineering — pre-publication datasets

Research Stage

Experimental data, thesis chapters, conference submissions, grant proposals

Community

~80 shared lab workstations; rotating users across doctoral students, postdocs, and junior faculty

Infrastructure

Shared generic login accounts on lab computers; no per-user authentication on workstations

The Challenges

A research center running shared lab computers, rotating users, and a USB blocklist that couldn't see browser-based data movement

USB Controls Can't Catch Browser-Based Research Data Exfiltration — And That's How Unpublished Data Was Actually Leaving

The center's group policy was strict: no removable USB storage on research workstations. None of that stopped a PhD student from opening Google Drive in Chrome on a shared lab computer and uploading unpublished thesis data to a personal account — every day for six weeks before anyone noticed. The USB blocklist had no visibility into the browser window.

Shared Workstations With Rotating Users Meant No Per-User Accountability

The lab computers ran generic login accounts — a practical necessity in a shared research environment, but one that meant there was no audit trail for who had been on a particular machine at a particular time. When the supervisor discovered the unauthorized uploads, the IT administrator couldn't identify which researcher was responsible without cross-referencing physical access logs with the build server's last-modified timestamps.

After-Hours Lab Access Was Unmonitored — And Some Researcher's Personal Cloud Habit Started There

The center's research coordinator had noticed something she couldn't explain: a cluster of after-hours login sessions on the lab computers, always in the same terminal, always followed by network activity she couldn't account for. Without screen-level visibility, she had no way to know whether it was a researcher finishing an experiment at midnight or someone running an automated sync to a personal Google Drive.

Research Data Rules Written by Non-Technical Research Coordinators — Not by Security Consultants

The research coordinator needed a way to define research data boundaries in language her team understood — not regex patterns or DLP policy languages. What she needed was to write a rule like 'flag any screenshot showing a Google Drive upload window alongside an open research data folder' and have the security team deploy it that same afternoon. Her previous vendor couldn't support a rule written in plain English.

The Solution: PrivateDLP

The center's IT administrator chose PrivateDLP for the one capability the existing stack didn't have — visibility into what was happening on the screen, with screenshot evidence captured at the moment of a policy violation

Windows Audit Client on Lab Workstations

PrivateDLP's Windows audit client was deployed to the 80 lab workstations via group policy. The agent captures periodic screenshots and transmits them securely to the analysis engine — with all images deleted immediately after AI analysis unless a policy rule is triggered. The research coordinator defines the rules in plain English; the IT administrator deploys them from the Windows server console.

AI Screen Auditing With Natural Language Rules

The capability the center was buying: AI analysis of periodic screenshots, with rules that the research coordinator can write in plain English and the security team can deploy in minutes. Example rule: "flag any screenshot showing a personal cloud upload window alongside an open research data folder" — written by the research coordinator, not a DLP consultant.

Center Deployment: The deployment covered the 80 lab workstations across two floors, managed from a single Windows server. The research coordinator owns the rule definitions; the IT administrator handles deployment. No vendor consultant required — the center was running new rules within the first week of deployment.

Implementation & Key Capabilities

PrivateDLP gave the research center the screen-level visibility it needed — with rules written by research coordinators, not security consultants

AI Screen Auditing With Plain-English Rules Written By Research Coordinators

The capability the center's IT administrator was buying: AI analysis of periodic screenshots, with rules that line managers can write in plain English and the security team can deploy in minutes:

  • Plain-language rule definition: A research coordinator writes a rule like 'flag any screenshot showing a personal cloud upload window alongside an open research data folder' — no regex, no DLP consultant
  • Screenshot evidence on demand: When a rule fires, the triggering screenshot is preserved as evidence — timestamped, linked to the workstation, available for supervisor review
  • Natural language refinement: Rules are written by the research coordinator, not by the IT team. When a new workflow emerges, the rule is updated the same day, by the person who understands the research process
  • Cross-reference with time logs: When combined with lab access time logs, screenshot evidence can narrow a data exfiltration incident to a specific researcher during a specific after-hours session

Research Data Protection — USB Controls and Personal Cloud Detection

The center's USB blocklist was already in place. What PrivateDLP added was the missing layer: detection of research data movement through the browser, where USB controls had no visibility:

  • USB device write controls: All USB write operations are blocked unless the device is on an approved whitelist — preventing physical data transfer to removable media
  • Browser-based personal cloud detection: Screenshots capture what windows are open at periodic intervals — a personal Google Drive or OneDrive window alongside a research data folder triggers a rule match
  • Screenshot evidence for investigations: When an incident is reported, the IT administrator can retrieve the triggering screenshot with evidence of what data was visible on screen at the moment of violation
  • Privacy-first design: All screenshots are deleted immediately after AI analysis unless a rule is triggered — no continuous surveillance, no storage of research data in transit

Time-Based Policies for After-Hours Lab Access Monitoring

The research coordinator had noticed clusters of after-hours logins on specific workstations but had no way to know what was happening on those machines. Time-based policies with screen auditing changed that:

  • After-hours screenshot rules: A rule that applies only between 10pm and 6am — capturing what research workstations are being used for during off-hours and whether personal cloud uploads are occurring
  • IT administrator alerts: When a time-based rule fires, the IT administrator receives a notification with the triggering screenshot — enabling same-day follow-up with the research group
  • Physical access log cross-reference: When combined with the center's badge access logs, after-hours screenshot evidence can identify the researcher responsible
  • No continuous surveillance during business hours: The time-based rule only activates during off-hours, so daytime research work is unmonitored — only anomalous after-hours activity triggers review

Windows Server Management — No Cloud Dependency, No Vendor Lock-In

The center runs its IT infrastructure on-premises. PrivateDLP's Windows server architecture fit directly into the existing setup without requiring cloud connectivity or a subscription management service:

  • On-premises Windows server management: All policy configuration and screenshot storage runs on the center's existing Windows server infrastructure — no cloud dependency
  • Centrally managed policies: The IT administrator manages all 80 workstations from a single console — deploying new rules, reviewing triggered events, and generating reports without visiting individual machines
  • No per-user licensing complexity: The center licenses by workstation count, not by user count — appropriate for a shared lab environment where the same machine serves multiple researchers per day
  • Research coordinator-owned rules: The research coordinator defines and maintains the rule set without requiring IT involvement for every rule update — a workflow that works without vendor consultants

What Changed At The Research Center

Three months after deployment, the research coordinator is writing her own rules, the IT administrator has screenshot evidence on demand, and after-hours lab activity is no longer a blind spot

Metric / ObjectiveBefore PrivateDLPAfter PrivateDLP
Research Data Exfiltration Incidents Caught
USB blocklist showed nothing; the Google Drive uploads were caught six weeks later from shared folder activity logs, not from any internal alert3 confirmed policy violations flagged in the first 60 days — including a postdoc uploading thesis data to personal OneDrive after hours
After-Hours Lab Activity Visibility
The research coordinator noticed clusters of after-hours logins on specific workstations but had no way to see what was happening on those machinesTime-based rules flag any after-hours personal cloud upload from a research workstation — with screenshot evidence linked to the specific machine and time window
Research Coordinator Rule Ownership
Rule definitions required a DLP consultant or regex expertise — the research coordinator couldn't write or update rules without vendor supportThe research coordinator writes rules in plain English; the IT administrator deploys them the same afternoon. First rule was written and deployed within the first week
Per-Researcher Accountability on Shared Workstations
Shared generic login accounts meant no per-user audit trail — the IT administrator couldn't identify which researcher was responsible without cross-referencing badge logsScreenshot evidence combined with badge access logs can identify the researcher responsible for a specific workstation session — closing the accountability gap on shared machines
Research Data Exfiltration Incidents Caught
3 in 60 days
After-Hours Lab Activity Visibility
Same-day follow-up
Research Coordinator Rule Ownership
Self-sufficient
Per-Researcher Accountability on Shared Workstations
Accountability restored

"I'd been noticing something odd for months — a workstation that always seemed to be logged in after midnight, followed by network activity I couldn't account for. But without screen-level visibility, I couldn't tell if it was someone running an experiment at 2am or uploading thesis data to their personal Google Drive. The first time a time-based rule fired and I had a screenshot of a personal cloud upload window alongside an open research data folder, I knew we had the evidence we needed. The screenshot is what made the conversation with the research group actually go somewhere."

— Research Coordinator
Graduate School of Applied Sciences, Southeast Asian research university

"The part that actually worked for us was that the research coordinator could write her own rules. I didn't have to schedule a vendor consultant to write a regex pattern every time a new research workflow emerged. She wrote the first rule herself — 'flag any screenshot showing a personal cloud window alongside a research data folder' — and I deployed it from the server console in about fifteen minutes. That workflow alone was worth the deployment. Three months in, she's on her fifth rule and hasn't needed me once."

— IT Administrator

The research center's deployment is intentionally scoped to the shared lab workstation environment — roughly 80 machines across two floors. The research coordinator owns the rule definitions; the IT administrator manages deployment and incident review. The arrangement is self-sustaining: when a new research workflow creates a new data boundary concern, the research coordinator writes the rule and the IT administrator deploys it the same day.

What the center bought wasn't a university-wide DLP rollout. It was a tool that fit a specific gap — screen-level visibility on shared lab computers, with rules that research coordinators can write — and a deployment that stayed within the research center's own budget cycle.