Student data privacy is an important, and broad, topic for school districts. It ranges from protecting student data from improper use by companies to securing personally identifiable information from accidental exposure and cyber attacks. As you know, securing student data is a challenge, especially when that data is stored in cloud apps like G Suite and Office 365. There are four main threats to your student data in the cloud.
Protecting students from manipulation and identity theft are just two reasons why student data privacy is important. Contrary to popular belief, traditional cybersecurity infrastructure that relies on a firewall—even a next gen firewall—won’t provide the security you need to secure data stored in G Suite and Office 365. And content filtering certainly isn’t doing anything to protect data stored in your district’s cloud apps—that’s just not what it’s made for.
Here are tips on how to secure student data from these four big threats in G Suite and Office 365.
No one in your district wants to expose sensitive data, but accidents are unavoidable. That makes data loss prevention an important topic. Accidental data exposure typically results when an employee sets document sharing settings improperly or accidentally emails information to the wrong people. For example, if a document setting allows sharing with the public, anyone can access it. If the document contains sensitive information, hackers can easily steal the data. Additionally, when a device is lost or stolen, data can quickly get into the wrong hands.
Google has incorporated a number of G Suite data loss prevention features into the Admin Console. Your role is to establish best practices using the tools Google provides, and make sure that cloud app security settings are properly configured.
Data loss prevention for Office 365 can be a bit less straightforward. Microsoft’s tools vary depending on the subscription level you maintain. Often, third-party tools are available that are less expensive, easier to use, and more flexible.
It’s important that you set up internal policies to govern document sharing. You’ll also need to educate your staff on the subject and set up automatic alerts when a policy is broken. Those alerts will remind users that they need to do something different to maintain security.
Phishing emails are still the biggest threat vector to any organization, and schools are no exception. Most ransomware, malware, or other type of cyber attack that happens today still begins with a phishing email. While advancements in phishing and malware threat protection technology are getting better at filtering these out of inboxes, criminals have an uncanny ability to stay one step ahead.
What many people don’t realize is that, when you’re working with cloud applications, hackers can get around traditional cybersecurity tools in different ways. For example, a seemingly legitimate email can easily get past the network perimeter because it looks like authorized activity. But, if that email distributes a document containing phishing or malware links, your data can be compromised.
Phishing and malware tools and technology are important, and must properly match your district’s IT infrastructure. But training and awareness is still the best way to secure student data and protect school information from these types of attacks. Train everyone in your district to think before they click, even if an email seems legitimate.
An excellent example of the need to think before you click was reported in 2017. Hackers distributed emails that contained a Google Doc link. There was no malware or fake website associated with the email for traditional cybersecurity tools to find. Anyone who clicked the link gave hackers access to their contact lists and control over their email account.
Make sure that the people in your district understand that even emails from trusted sources could be dangerous. Encourage them to think twice before they click.
Account takeovers are much more challenging to prevent and detect in cloud applications. Like phishing and malware attacks, when a hacker is inside your network perimeter, the activity looks legitimate to traditional cybersecurity tools. Once a hacker has taken over an account, they can gain access to sensitive information. They can also send lateral phishing emails to take over other accounts in the cloud.
A cloud security platform can help with account takeover prevention and detection. Not only will it protect your district’s Gmail and/or Outlook accounts from phishing and malware threats, it will also monitor for attacks hidden within trusted links, like shared docs and drives.
A good cloud security platform will also monitor your accounts for irregular behavior that could signal an account takeover attempt (or success). These behaviors might include login attempts from another country or an unfamiliar IP address. It’ll detect lateral phishing emails originating from within your district’s accounts, and lockdown sensitive documents from being improperly shared, emailed or downloaded.
With the proliferation of EdTech applications, your IT department may not even be aware of all the apps that are connected to your district’s Google and Microsoft environments through OAuth. This is what we mean by “Shadow EdTech”.
OAuth makes it easy for users to login to applications. For example, they can login to an EdTech application using their existing school Google or Microsoft credentials. The user likes it because it limits the number of usernames and passwords they must keep track of.
But, when a teacher, student, or employee logs in to an EdTech application with OAuth, they can easily be sharing their school credentials with a hacker. This risk happens in one of two ways. Most commonly, the app developer means well, but has not sufficiently secured the app infrastructure from attack. So, if their application is compromised, it can also create openings to your district’s cloud environment and/or expose student data. Less common, but still a concern, are malicious SaaS apps that are created to look like a trusted app, a fun game, or a helpful tool but are used to take over the user’s Google or Microsoft account.
You can manage EdTech security risks and OAuth security risks (which are closely related) by using tools to monitor and flag risky applications. It’s also a good idea to create an app policy to govern new EdTech providers. In addition, create an internal policy to inform all teachers, students, and employees of approved EdTech providers, the process for evaluating new apps, and the risks of using providers that haven’t been vetted.
Student data privacy laws have not kept pace with the impressive digital transformation taking place in school districts today. Admin and faculty are on the cutting edge of embracing technology to improve classroom experiences and student outcomes. School districts are transitioning to cloud computing, mainly through the use of G Suite, Office 365, and other EdTech SaaS apps, at an impressive rate. But these cloud apps require security tools designed for the cloud.
Cloud data security tools provide 24x7x365 continuous monitoring, run periodic audit reports, and set up automatic data security remediation. Advanced cloud security will provide you with the tools you need to stop accidental data leaks, outwit hackers, and make your systems secure.