How to Protect Sensitive Data in SaaS Applications

Student data should have the same safeguards as financial or healthcare information.

More professionals and students use Software as a Service (SaaS) on a daily basis. The question is not whether to use cloud storage to back up information, but which solution will provide the safely guarded flexibility users expect.

SaaS adoption is growing for a wide range of industries. In January 2018, a Forrester report predicted “that the SaaS market will grow to $157 billion in 2020; some providers have more than $1 billion in revenue and are growing strongly.”

Information from SaaS applications is stored in the cloud. Because of this convenience, use of these apps is growing at K–12 schools for both administrative and educational purposes.

“SaaS adoption, while not the norm, is gaining consistent popularity,” says Robert Ayoub, program director for security products at IDC. “Two years ago, the surveys we conducted showed users cited security and privacy as the No. 1 inhibitor from implementing SaaS. Today we find, while it is a top concern, it no longer headlines as an inhibiting fear.”

Ayoub attributes the shift in perception to daily app use. “People do their banking through financial apps, check health records or send private information using email apps regularly,” he says. “So as a parent, it is convenient to receive notices directly to a phone, for example.” 

In the convenience of the cloud, however, Ayoub says the vulnerability of the data being handled at the K–12 level must not be overlooked. 

“SaaS information should be held to the same industry-regulated standards as finances or healthcare. Just as banking records or medical diagnoses are deemed sensitive information, so too are student identities, including Social Security numbers, birthdates, grades, etc.,” he says.

Strategies to Protect Vulnerable Student Data

Cloud providers such as Microsoft or Google guarantee the security of their platforms. School districts can mitigate risk by asking questions and understanding policies upfront. However, users are expected to manage their own SaaS configurations. This is where security issues are most likely to occur. 

“If I were advising a school district today, I’d recommend that they audit and make sure the right people have access to all data, and also ensure outside parties are routinely monitoring and evaluating to make sure information is not left open by accident,” says Ayoub. “A lot of the security breaches today are a simple matter of accidentally leaving storage buckets open.”

Additionally, widely known precautions such as avoiding common passwords and not logging onto an unsecured public Wi-Fi network seem like common sense, but they’re not always practiced.

“On the IT side of things, there are tools emerging from standard vendors, including cloud access security brokers, that are designed to help look for and set alerts for data going onto the cloud,” Ayoub says. “These tools are really great, and I know a lot of school districts tend to be behind the curve when it comes to IT and security.”

Ayoub advises districts to think of schools as small doctor’s offices or banks. “What controls would you put in place? Schools are even more limited in what they will allow their students to access. Teachers and parents alike need [instruction] — like not to use your child’s birthday as a password.”

School districts also need to adopt better built-in controls to help protect against hackers, Ayoub says. “The challenge is that hackers don’t care who they attack; they’re out for a data grab. But if you’re protected, you can maintain peace of mind.”

Jun 13 2018