Best Practices for Protecting Student Data in the Cloud
For some institutions, data security remains a lingering concern when considering a transition to cloud-based services. Student privacy, in particular, requires careful and secure data handling to meet the requirements of the Family Educational Rights and Privacy Act (FERPA).
Most of this concern centers on cloud-based student information systems. However, experts point out that when institutions support a move to the cloud with the right policies, such a move generally increases security over the most sensitive data.
“We have not found a single higher education-focused app with a data leak,” says Jeff Alderson, principal analyst for enterprise software at Eduventures.
CDW’s own research on secure cloud computing suggests that active user measures serve to maintain the security built into the system. Most often, data breaches result from improper handling of data rather than a failure of the system itself. Student data privacy policies, like any other data privacy policy, should at minimum require that the institution define security policies for various levels of organizational data, apply controls for tracking data, manage access and credentials, and protect remote and mobile endpoints.
Additional measures that CDW recommends include encrypting transmitted and sensitive data; managing access, authentication and identity for cloud-based applications; requiring password changes every 90 days; certifying the security measures taken by the cloud vendor; and holding annual security training for individuals.
Keep in mind, too, that FERPA applies even when a staff member or instructor is taking advantage of a free trial of a cloud-based service, a practice Alderson refers to as “rogue IT.” Monitoring downloads and conducting regular surveys of faculty and students can help alert IT departments to potential headaches in the realm of privacy. Alderson also recommends that CIOs conduct awareness campaigns, aimed at faculty members, to help them understand the potential risks of putting data in the cloud outside of the enterprise framework.
Institutions that remain concerned about security in the cloud can look for products that carry FedRAMP or Internet2 NET+ certifications, Alderson says. Both certifications ensure a high standard of security in the cloud and can offer additional peace of mind to universities accustomed to managing their own local data centers.