Feb 18 2020

Best Practices for Ensuring Data Security in the Cloud

Effective security and privacy measures are a must for K–12 schools migrating to the cloud.

Cloud solutions offer virtually limitless potential to educators. From interactive learning management systems to parent communication portals, cloud-based technologies provide state-of-the-art educational tools without the large investments required to build and maintain technical infrastructure. It’s no surprise that schools and districts around the nation are quickly embracing these tools as the future of educational technology.

These benefits do come with risks, however. Faculty and administrators often embrace the educational advantages offered by the cloud but remain wary of the security and privacy implications of using cloud-based platforms. To ensure their use of technology doesn’t create security or privacy headaches, here are five best practices that educators should follow.

1. Know Where Your Data Resides

One of the major benefits of cloud platforms is that they are simple to adopt. With a few keystrokes, teachers get immediate access to cutting-edge tools that improve the classroom experience. However, they often do so after clicking through legal agreements that may impact the ownership, privacy and security of student records.

That’s why it’s imperative for administrators and IT leaders to understand the diverse set of solutions used in classrooms and the data implications of those choices. Teachers should know the importance of clearing new cloud solutions with technology and legal experts before using them to store or process student records.

This is a delicate balancing act and requires prompt attention to faculty requests. Teachers who find themselves facing a bureaucratic approval process will either abandon the use of innovative technology or simply bypass administrative review, possibly putting student privacy at risk.

2. Understand Vendor Security Mechanisms

When reviewing a cloud service, IT leaders should explore the security mechanisms put in place by the vendor. At a minimum, the vendor should be implementing the same level of security controls around student data that the school would implement itself if it were building the same system onsite.

This process usually begins with a review of security materials prepared by the cloud vendor. Most vendors are now used to answering questions about their security controls and often have white papers explaining them. These documents serve as an excellent starting point for a security review and the basis for follow-up conversations to probe specific details.

One of the best ways to conduct these reviews is to use a standardized checklist, such as the one offered by the Cloud Security Alliance. This checklist covers the major security controls that vendors should implement and provides a structured approach for covering your security bases.

MORE ON EDTECH: Read about how cloud computing can increase student access to educational technology while saving school districts time, space and money.

3. Require Periodic Security Assessments

The initial review that you perform when engaging a new vendor lets you establish a security relationship with them. It ensures that they meet your security requirements and creates a baseline for ongoing compliance monitoring.

That’s crucial to maintaining the security of student information — it verifies that the vendor continues to live up to their security and privacy obligations. However, control effectiveness may fade over time, and ongoing security requires a continuous improvement process. Security assessments offer a point-in-time verification that the vendor is adequately protecting confidential information.

There’s also the Systems and Organization Controls (SOC) program, which allows cloud vendors to engage independent auditors to verify their security controls and then share the reporting with their clients. Check with your cloud vendors to see if they conduct SOC assessments and then ask for updated reports on an annual basis.

4. Remain Compliant with Regulatory Obligations

Questions about compliance with the Family Educational Rights and Privacy Act frequently stymie cloud efforts. Administrators worry that moving data to the cloud might bring new regulatory issues and often ask, “Is this vendor FERPA-compliant?”

The reality is that there’s no official seal of approval for FERPA compliance. Instead, educators are responsible for ensuring that they have reasonable security mechanisms in place to protect student records. Conducting initial and periodic reviews of vendor security controls should satisfy this requirement.

The remaining hurdle is making sure a contractual relationship is in place that ensures the cloud partnership meets FERPA requirements. Specifically, the contract must designate the cloud provider as a “school official” under FERPA to allow the transfer of student educational records. You’ll find more information on this topic in the FERPA cloud guidance available from the Department of Education.

5. Expect the Best but Prepare for the Worst

Schools enter into partnerships with cloud providers with the hope of achieving significant benefits and the expectation of strong, ongoing security controls. Unfortunately, things go wrong sometimes, and security breaches occur, both in on-premises environments and with cloud providers.

As you develop a new cloud partnership, make sure you have a framework in place to address security incidents that might arise in the future. Include language in your contracts that requires immediate notification of security issues and that implements an appropriate incident response framework for handling actual and potential breaches. If your district already has an incident response plan, confirm that the cloud vendor’s practices will easily integrate with that plan.

Thanks to cloud-based platforms, IT leaders and district administrators can implement the latest educational technology with efficiency and control over costs. By following these five best practices, they can ensure that they not only realize these benefits but also maintain the security and privacy of sensitive student records.

traffic_analyzer/Getty Images