Data Center

How Schools Can Securely Back Up And Recover Private Data Now

These proven best practices protect K–12 data from bad actors, bad weather and other tragedies.

Tom Henderson is principal researcher for ExtremeLabs and researches and tests enterprise-level hardware and virtual/cloud environments.

Many K–12 organizations and districts lose essential data due to ineffective planning. They suffer when unexpected malware, ransomware, weather events and other mishaps occur that require a cogent data restoration procedure.

It is critical that school data from diverse sources be successfully stored, easy to locate and recover, and quickly restored — all while maintaining policies, data security and, ultimately, compliance.

Schools must comply with regulations from federal, state and other jurisdictions on where data can be stored, the kind of communication that happens between source and storage, and how data must be deleted.

For example, according to the federal Family Educational Rights and Privacy Act, data in place and data in transit containing students’ personally identifiable information must be encrypted. Additionally, under FERPA, when schools delete data, it must be completely destroyed.

Below are some best practices and important techniques schools should use for day-to-day operations to ensure their backup and recovery processes are compliant.

Click the banner below to learn about the benefits of a hybrid cloud environment.

How to Know What Backup Framework Your School Needs?

Most organizations use the hub and spoke method of data storage, in which satellites (classrooms, schools and facilities) transfer backup data to a central administrative site. Schools are no different. Off-premises devices may or may not require backing up. A mixture of on-premises and off-premises or cloud storage is typical.

Administrative data backup requirements may dictate the framework used for both administrative and classroom backups. Third-party computing providers, often web and email hosts, may offer their own backup and restoration services. A best practice is to know and log how your school’s third-party providers and their contractors store their data. You’ll need to know whether they use encryption, how often backups are done and the data handling practices of their contractors.

General guidelines will vary, but compliance with data handling policies is the top priority.

How to Effectively Manage Backup Data Sets

Backup data sets may be used for restoration and/or for archiving. However, once data sets are retired, best practices dictate more than a simple file deletion. In some jurisdictions, the area once occupied by a pertinent deleted data set must be overwritten numerous times once the media has been marked for recycling or disposal.

Each target storage facility must comply with data destruction procedures where applicable. These can include network attached storage devices, storage servers at primary data centers or externally-hosted storage arrays.

Consider graduating data set elements that require backup and possible restoration or archiving. The lowest level is the device, such as a PC, Chromebook-like laptop, tablet or off-premises devices. Devices may contain personally identifiable information, which could be subject to compliance restrictions. A best practice is to have a working encryption system transparent to users for theft protection in the event of a device breach.

Each operating system type has its own file, folder and directory storage metadata. This must be backed up to a storage device, which can support restoring the data set with the metadata intact.

Backup software applications must be checked to confirm that backed-up data is encrypted in storage and that the file metadata can be restored correctly when needed. Once deployed, encryption can be administratively managed across an entire organization.

1.38 Million

The number of records affected by 2022 school data breaches in the U.S.

Source: comparitech.com, “U.S. schools leaked 32 million records in 2,691 data breaches since 2005,” April 3, 2023

Make Frequent Testing and Reviewing Logs a Habit

For most organizations, the value of the data in the backup domain determines the frequency of testing and log queries. However, the worst time to discover that procedures have failed and data is missing or not recoverable is when a data restoration is required. This is why I strongly recommend that schools periodically test at least one sample of every deployed device.

All backup applications log what they do. Logs will dutifully reveal problems encountered, however, if no one reviews the logs, schools can’t discover the problems. To narrow the chance for errors and data loss, make reviewing your logs a habit.

Finally, it is important that schools have someone on staff who understands the increasing and evolving need for data safety and compliance. That person can then communicate organizational policies clearly and give everyone a chance for successful data recovery in the event of trouble.

UP NEXT: Here’s how school districts can successfully shift to the cloud.

Here Are 8 Tips for a Flexible Backup Plan

Make sure your backup and recovery plan is flexible enough to meet changing circumstances. Here are some best practices for planning or rethinking your school’s backup and recovery efforts.

1) Take Responsibility. School administrators must watch over their entire data backup domains and all the devices in them. This includes all required applications.

2) Understand Compliance and Deploy Encryption. Schools must meet encryption compliance, then institute and maintain encryption of the data in transit and in place to meet compliance standards.

3) Institute Role-based Use Policy. Assign and document role-based administration and attestation to secure data through backups and restoration cycles.

4) Start Backup and Restoration Implementations. After deploying backup and restoration software capable of rapid and discernible use by the software’s users, begin a series of tests.

5) Start Data Destruction Compliance. Automate destruction of deleted data sets.

6) Implement Regular Reviews. Begin software activity logging and/or attestation of activities for possible forensic analysis — and make it a habit.

7) Build a Quality Assurance Feedback Loop. Plan long-term viability that suits organizational needs. This should include planning for growth in device diversity, storage capacity and alternate storage sites.

8) Emergency Resource Planning. Develop clear instructions, logging review, transparency and accessibility in case of emergencies.

Juan Moyano/Stocksy