Source: 
With the rise of BYOD and 1:1 computing, schools are now processing a surge of data everyday. Here are some ways to protect that info and maintain privacy.
By Ralph Armijo, CEO Aegis Identity Software, Inc.
A decade ago, K-12 data security meant storing information on an SIS in a school district’s computer department with tapes to back up crucial files. The pressing need for data security was securing it from loss, either mechanical or by natural disaster.
How times have changed.
With the advent of the iPad and other mobile devices—and a rapid rise in 1:1, BYOD, educational apps and technological advances in general—K12 institutions process a surge of data every day. Today, edtech is interactive with a flow of personal identifiable information (P.I.I.), requiring data to be stored securely and efficiently to help in performance assessment and personalized learning.
All of this P.I.I.—student transcripts, health records, electronic test scores, staff records, planning documents, digital curricula, academic progress reports—are all part of the data tsunami that has hit K-12 districts with full force.
This storm of information raises the question of how best to handle and store that data. Like banks, corporations and universities before them, school districts have leapt on to the cloud-computing bandwagon, with nearly all K-12 institutions in the U.S. using some form of this technology to store their data.
In fact, the cloud is fast becoming indispensable in the K-12 realm for its potential to save districts time, money and manpower. The use of cloud-based technologies in K-12 schools is also becoming increasingly complex and expansive, with low-cost data storage sites and hosting companies driving the administration cost of those services down even further.
District administrators—principals, superintendents, etc.—and especially K12 CIO/CTOs certainly realize these risks and are no doubt reminded by concerned parents wanting to protect their children when they learn that their child’s data is in someone else’s hand.
Cloud-based solutions are still suspect in many people’s minds, even educators who have been dealing with it for a few years now. Storing data in the cloud isn’t wrong; it’s the right, economically sound thing for districts to do moving forward. It’s how you’re storing it, how you’re protecting students’ information, who is allowed to access it, and how you’re backing it up that’s the key to the cloud computing puzzle.
That’s why information security has to go beyond basic login credentials (authentication or “you are who you say you are”) to a more granular, situation-based authentication (“this is what you are allowed to see and do right now”). And data needing protection must go beyond the student information system.
Most CTOs already have a plan to ensure that data is backed up properly and stored to avoid risk of loss. Now, Cloud backup and DR solutions are a good option to extend and often improve this plan. What many technology leaders are now struggling with, is providing the privacy and information security demanded by the times: internet accessible and cloud based applications that store district data. This sensitive information must be secured in the Cloud while still providing accessibility for active needs and applications. Furthermore, technology leaders have to manage security of data that is stored in applications that are not under the control of the district, but instead protected by some “agreement.”
CTOs have to take strategic steps to ensure that this accessible data is secured as effectively as their backup plans protect them from data loss.
• Assess the risk. With the advent of all these new technologies we put a lot of power in the hands of the students with iPads and mobile devices. Combine that with the concern for personal information and the desire to use that personal information for the good of the student. So now we have to assess risk: What is the risk of storing and sharing personal information against the benefit of having that information shared?
• Implement an information security infrastructure. Identity and access management infrastructure maintains access control, audits who has access and when, and removes access immediately as the authorized community changes.
• Utilize federation technology. By adding federation to apps that also need to store sensitive data, agreements on the care and keeping of that data allow districts to maintain control and parents to provide consent.
• Make information security part of all data storage agreements. Each application or Cloud agreement should take into consideration the access control requirements and agreements to use and store district data. What the application provider can do with the data is paramount and should be specifically addressed. Furthermore, these agreements should be specific about the minimum level of data required for the application to perform the function desired by the district and agree that is the limit of the data that will be stored and used. Furthermore, the length of time the data will be stored should also be clearly agreed to and that length of time should be limited to the needs of the district.
• Balance encryption with performance requirements. Encrypted data can prevent unauthorized users from gaining access and minimize exposure of students’ P.I.I. However, encryption limits some technology and slows processing. Perform an extensive study of what can be encrypted and count on your information security measures (identity and access management) to protect the rest.
• Store data in a secure cloud. Many districts are constructing private clouds to store their data and handle backup and disaster recovery. Public school cloud consortia also are an economic and secure option. BOCES that can offer private cloud and collaboratives, such as IlliniCloud, are an outstanding resource. By linking these consortia via a K-12 Federation, the benefits are multiplied. The K-12 Federation then has the bargaining power to affect and attract vendors on its terms and can assist with information and negotiate security policies.
• Educate students & parents. The first place to start protecting student P.I.I. is making students cognizant of the exposure points created either on a shared device, their own and the multiple applications and sites they’re on so they’re not inadvertently exposing their information or giving their access information to anyone except those who need to know.
In the end, back up is all about the value of your data and the cost to replace it. Security is about protecting your data from misuse. Both are equally important. It’s not possible to grant people guarantees that nothing will happen to the data or that a data breach can be avoided, no matter how securely you store it and back it up. But with responsible practices to back up and protect data and sensitive information, including P.I.I., CTOs can rest a bit easier, even if that data is in the cloud.
Learn More about Aegis Identity Software, Inc.
Aegis Identity is the provider of TridentK12, an identity management solution for K-12 education. It provides provisioning,password management and identity synchronization. Trident K-12 is designed to be an affordable, open standards-based identity solution that provides out-of-the-box integration for K-12 education environments.
Click on the logo to check out Aegis Identity’s K-12 webinar series