Providing Insight Into the Cloud Computing Security, Privacy and Related Threats

Cloud Security Journal

Subscribe to Cloud Security Journal : eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get Cloud Security Journal : homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Cloud Security Authors: Ravi Rajamiyer, Liz McMillan, Elizabeth White, Shelly Palmer, Shelley Perry

Related Topics: Cloud Computing, Security Journal, Cloud Security Journal

Article

Five Tips for Securing Student Data in the Cloud

... and on premises

There are a few absolutes when it comes to school. First, lunches will always be terrible. Second, your locker will be too small to fit your oversized textbooks. Finally, there's a high likelihood that some of your student data will be stored in the cloud.

This student data includes demographic information, test results, transcripts, email exchanges, grades, attendance history, contact information and more. It's a sensitive mix of detail that, if exposed, could prove damaging to the affected students and the educational institution. According to privacyrights.org, more than 1.8 million student records have been breached in the last 18 months. In one frightening incident earlier this year at the University of Tampa, a breach exposed the social security numbers, photo IDs and dates of birth of thousands of students and faculty members.

Keeping sensitive data firewalled in your on-premises data center doesn't eliminate the threat of exposure. Consider that tens of thousands of student records are breached each year because someone lost a laptop, smart phone or thumb drive containing information. Device theft is especially common in the healthcare industry.

Here are a few tips to help you secure student data in the cloud or your on-premises datacenter:

  • Backup your data - If you're storing data in the cloud, make sure you have a copy of the data stored locally or in another cloud. This won't prevent data theft or breach obviously, but it will ensure data integrity in the case of a loss.
  • Require multi-factor authentication - While not an absolute failsafe, requiring an extra step in the authentication process is a good way to keep password theft from resulting in a full scale attack. Multi-factor auth requires a user to provide something they know (a password for example) with something they have (a smart card, security token or third-party authorization via email).
  • Use FERPA as your starting point - The Family Educational Rights and Privacy Act states that any identifiable student data should be properly collected, maintained and safe from improper disclosure. This is a fairly vague policy and should be looked at as the minimum an institution should do when it comes to security.
  • Encrypt your data at rest and in transmission - FERPA actually recommends using encrypted email to transfer student data, but true data security must go a step further to cover data on disk. Think of encryption as your last line of defense; the free safeties on your high school football team that prevent a running back, who's already broken through your first and second protection layers, from getting into the end zone. Encrypted data is absolutely useless to someone with malicious intent, just as long as you follow this last tip.
  • Secure your keys - In the same way you don't store the keys to your car in the ignition, you should never keep your encryption keys on the server along with your encrypted data. Instead, keep them in a separate server on premises or in the cloud, and set up access policies that control who (or in some cases, what) can access those keys.

Securing student data means adding multiple layers of protection. If you're using the cloud, be sure to understand your provider's security policies, and ask tough questions.

Following the above guidelines can help you maintain the privacy and confidentiality of student data, but it won't solve all your problems. You're still going to be stuck with Mystery Meat Monday.

More Stories By David Tishgart

David Tishgart is a Director of Product Marketing at Cloudera, focused on the company's cloud products, strategy, and partnerships. Prior to joining Cloudera, he ran business development and marketing at Gazzang, an enterprise security software company that was eventually acquired by Cloudera. He brings nearly two decades of experience in enterprise software, hardware, and services marketing to Cloudera. He holds a bachelor's degree in journalism from the University of Texas at Austin.