Storage Wars: Choosing a Secure Student Data Solution
Legislators across all 50 states have introduced student data privacy laws. The move makes sense: As educators leverage the benefits of connected classroom technologies, student data is captured and used to personalize the experience.
But what happens to this data when lessons are over and students leave for the summer, or move on to college or the workforce? How do K–12 schools ensure they’re in compliance with local laws and minimize risk without hampering their ability to deliver high-quality, engaging classroom experiences?
MORE FROM EDTECH: Check out how FERPA has changed over the years and what updates mean for K–12 schools.
Storage Failure Has Consequences for K–12 Schools
Student data isn’t single source. It can include everything from names and birthdates to learning styles, social preferences, grades and even medical histories. Schools bear the burden of security for this data — even if they hire third-party providers to manage its collection, storage and distribution.
The impact of storage security failure is substantial. In a recent lawsuit, an Illinois woman and her daughter accuse Pearson, the multinational publishing and education company, of exposing the information of more than 1 million students when it failed to detect or respond to a 2018 data breach.
As noted by The Threat Report, use of an outdated and insecure MongoDB server led to the leak of more than 7 million student records — data that included students’ full names, school names and account authorization keys.
Failure to protect student data, even at arm’s length, could have serious consequences for schools. Lawsuits are one potential outcome, but educational institutions could also find their public reputations irreparably damaged.
Plus, malicious actors could also glean data from storage breaches to steal students’ identities or launch targeted attacks. As ZDNet reports, 69 percent of schools have been targets of phishing scams, and 30 percent have suffered malware infections.
3 Options for K–12 Student Data Storage
When it comes to securely storing student data, K–12 schools have three broad options: on-premises, cloud-based or a mix of both. Each choice comes with unique challenges and benefits. Here’s what educators need to know.
1. On-Premises Storage: Historically, K–12 schools have used on-premises storage to handle student data. But concerns around aging hardware — from end of life to firmware security flaws and limited storage capacity — are now forcing many organizations to choose: Should they stay onsite, or move data elsewhere?
The biggest benefit of keeping storage local is total control. IT staff members know exactly where data is kept. But location isn’t everything, notes Rob Clyde, former ISACA director and current executive chair of the board of directors for White Cloud Security. Schools need to ask, “What kind of data is it? Is it covered by compliance laws? Is it personal or sensitive?”
In-house storage requires both situational awareness and strong encryption, Clyde tells EdTech. “For any kind of data, always encrypt,” he says.
Clyde recommends strong off-the-shelf algorithms to help stay ahead of attack efforts and insider threats.
2. Cloud-Based Privacy: Cloud-based storage solutions offer another option for protecting student privacy. Clyde is a big fan of cloud for schools because it “allows more flexibility and lets you scale easier. It gets you out of the business of managing servers and scaling.”
For schools with smaller IT staffs or that lack administrators dedicated to IT, “the cloud is actually more secure than local servers,” Clyde says. But security doesn’t happen in a vacuum. To address key data privacy concerns in the cloud, Clyde recommends the following:
- Choose a Major Cloud Vendor. Offerings from industry leaders such Google are feature-rich and unlikely to suddenly close their doors and leave your data in limbo. These vendors also let you specify where data “lives” in the cloud, which is critical to satisfying new data privacy requirements such as GDPR.
- Keep the Keys Safe. Strong encryption reduces data risk, but accessing encrypted data requires a key. What happens if this key is compromised? Keys obfuscated and stored in Software as a Service (SaaS) applications aren’t secure, Clyde says, and “losing the key is just as dangerous.” He suggests keeping master keys on a flash drive and then securely storing this device in a physical vault or safe.
- Ask the Tough Questions. Third-party providers offer the benefit of scalable storage, easy access and secure key management, but they also introduce risk. If data is compromised, schools are ultimately responsible. Third-party risk assessment is critical, Clyde says. Schools need to ask where data is stored, what encryption methods are used and how cloud vendors are meeting key compliance requirements.
3. Hybrid Solutions: Moving to the cloud doesn’t mean abandoning physical servers. Hybrid solutions offer a way to transition from on-premises to SaaS as hardware ages out or becomes fundamentally insecure. One potential stumbling block is having IT staff who are familiar with local storage but uncertain about cloud offerings. “The red flag is talking about cheap hardware,” Clyde says. If technology pros can’t meet in the middle, “you may need to retrain them or hire different IT staff.”
MORE FROM EDTECH: See how schools can approach digital citizenship through a combination of curriculum and education technology.
Use a Data Risk Rubric to Evaluate Security Efficiency
As the volume and variety of student data increases, it’s easy for school officials to become overwhelmed. The solution is to go back to the basics.
No matter the storage option selected, five key rules apply:
- Minimize Data Collection. The less data collected, the lower your risk. If student data isn’t directly related to key school functions such as attendance, grading or enhanced learning activities, don’t ask for it on paper forms or store it digitally.
- Purge Wherever Possible. Don’t keep data any longer than necessary. Create standard retention policies that include destruction dates.
- Always Encrypt. Encrypt data in transit and data at rest to frustrate attacker efforts if systems are compromised.
- Prioritize Least Privilege. Not all users need access to school data. Limited privileges reduce total risk.
- Monitor User Activity. Who’s doing what on your system? Deploy monitoring solutions to detect potentially damaging behavior.
Cybersecurity in education is now top priority as students’ personal data is digitally stored to streamline administrative tasks and improve classroom engagement. Failure to protect this data has serious consequences — effective protection demands frank assessment of current storage methods, consideration of new cloud-based options and methodical application of data security best practices.