Welcome!

@CloudExpo Authors: Yeshim Deniz, Pat Romanski, Liz McMillan, Zakia Bouachraoui, Elizabeth White

Related Topics: @CloudExpo, Java IoT, Microservices Expo, Machine Learning , Agile Computing, Cloud Security

@CloudExpo: Article

Five Tips for Securing Student Data in the Cloud

... and on premises

There are a few absolutes when it comes to school. First, lunches will always be terrible. Second, your locker will be too small to fit your oversized textbooks. Finally, there's a high likelihood that some of your student data will be stored in the cloud.

This student data includes demographic information, test results, transcripts, email exchanges, grades, attendance history, contact information and more. It's a sensitive mix of detail that, if exposed, could prove damaging to the affected students and the educational institution. According to privacyrights.org, more than 1.8 million student records have been breached in the last 18 months. In one frightening incident earlier this year at the University of Tampa, a breach exposed the social security numbers, photo IDs and dates of birth of thousands of students and faculty members.

Keeping sensitive data firewalled in your on-premises data center doesn't eliminate the threat of exposure. Consider that tens of thousands of student records are breached each year because someone lost a laptop, smart phone or thumb drive containing information. Device theft is especially common in the healthcare industry.

Here are a few tips to help you secure student data in the cloud or your on-premises datacenter:

  • Backup your data - If you're storing data in the cloud, make sure you have a copy of the data stored locally or in another cloud. This won't prevent data theft or breach obviously, but it will ensure data integrity in the case of a loss.
  • Require multi-factor authentication - While not an absolute failsafe, requiring an extra step in the authentication process is a good way to keep password theft from resulting in a full scale attack. Multi-factor auth requires a user to provide something they know (a password for example) with something they have (a smart card, security token or third-party authorization via email).
  • Use FERPA as your starting point - The Family Educational Rights and Privacy Act states that any identifiable student data should be properly collected, maintained and safe from improper disclosure. This is a fairly vague policy and should be looked at as the minimum an institution should do when it comes to security.
  • Encrypt your data at rest and in transmission - FERPA actually recommends using encrypted email to transfer student data, but true data security must go a step further to cover data on disk. Think of encryption as your last line of defense; the free safeties on your high school football team that prevent a running back, who's already broken through your first and second protection layers, from getting into the end zone. Encrypted data is absolutely useless to someone with malicious intent, just as long as you follow this last tip.
  • Secure your keys - In the same way you don't store the keys to your car in the ignition, you should never keep your encryption keys on the server along with your encrypted data. Instead, keep them in a separate server on premises or in the cloud, and set up access policies that control who (or in some cases, what) can access those keys.

Securing student data means adding multiple layers of protection. If you're using the cloud, be sure to understand your provider's security policies, and ask tough questions.

Following the above guidelines can help you maintain the privacy and confidentiality of student data, but it won't solve all your problems. You're still going to be stuck with Mystery Meat Monday.

More Stories By David Tishgart

David Tishgart is a Director of Product Marketing at Cloudera, focused on the company's cloud products, strategy, and partnerships. Prior to joining Cloudera, he ran business development and marketing at Gazzang, an enterprise security software company that was eventually acquired by Cloudera. He brings nearly two decades of experience in enterprise software, hardware, and services marketing to Cloudera. He holds a bachelor's degree in journalism from the University of Texas at Austin.

CloudEXPO Stories
We are seeing a major migration of enterprises applications to the cloud. As cloud and business use of real time applications accelerate, legacy networks are no longer able to architecturally support cloud adoption and deliver the performance and security required by highly distributed enterprises. These outdated solutions have become more costly and complicated to implement, install, manage, and maintain.SD-WAN offers unlimited capabilities for accessing the benefits of the cloud and Internet. SD-WAN helps enterprises to take advantage of the exploding landscape of cloud applications and services, due to its unique capability to support all things cloud related.
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
SYS-CON Events announced today that Silicon India has been named “Media Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Published in Silicon Valley, Silicon India magazine is the premiere platform for CIOs to discuss their innovative enterprise solutions and allows IT vendors to learn about new solutions that can help grow their business.
DXWorldEXPO LLC announced today that "IoT Now" was named media sponsor of CloudEXPO | DXWorldEXPO 2018 New York, which will take place on November 11-13, 2018 in New York City, NY. IoT Now explores the evolving opportunities and challenges facing CSPs, and it passes on some lessons learned from those who have taken the first steps in next-gen IoT services.
In this presentation, you will learn first hand what works and what doesn't while architecting and deploying OpenStack. Some of the topics will include:- best practices for creating repeatable deployments of OpenStack- multi-site considerations- how to customize OpenStack to integrate with your existing systems and security best practices.