In the classroom, both students and teachers are taking advantage of the unprecedented levels of collaboration possible via Google Apps for Education. Meanwhile, school administrative staff leverage the SaaS platform in much the same way businesses do. Moving to the cloud allows educational institutions to be more cost-efficient, as it reduces reliance on on-premises infrastructure and encourages a lean and effective IT organization while maintaining security and control.
If you’re looking to fast forward to the final exam, get started with CloudLock for Google Apps, free for 14 days, or simply contact us for a free security assessment of your domain. Otherwise, let’s consider the unique set of security challenges the educational space presents:
- Changing Environment. IT environments in schools are constantly changing, with application needs evolving rapidly based on ever-changing curriculum.
- Compliance. Regulations idiosyncratic to the educational space, as well as broad business regulations, impact schools. Compliance mandates, including FERPA, CIPA, HIPAA, and additional state regulations, impact security strategy.
- Limited Resources. The ratio of users to IT staff is very high – substantially greater than in private sector environments. Though resources for schools are limited, security must remain a top priority.
- User Behavior. Users may be sharing documents containing sensitive data domain-wide, or even externally. Third-party apps and add-ons connected to the domain increase the value of the Google platform in the educational segment, but the users enabling the apps are students and teachers – individuals who aren’t focused on, or qualified in, IT security.
As such, there are a number of security concerns of particular relevance to the educational space.
School Security 101
- Student Records. Educational institutions must ensure only appropriate parties have access to student records, and public disclosure must be avoided. Student record security is governed by compliance regulations, including FERPA and HIPAA.
- Objectionable Content and Language. Students may circumvent conventional monitoring techniques by using Google Docs rather than email. Ensure students don’t add and share vulgar or objectionable content within Drive. CIPA, as well as school policies, dictate that schools must enforce restrictions on objectionable content and language.
- Student Welfare. Bullying and harassment have, unfortunately, evolved alongside society into the digital age. A customer of ours offered her observation: “Unregulated or unmonitored cloud files are the new bathroom wall.” Violence and harassment prevention is a top priority in K-12 schools. Extend the scope of policy enforcement to the cloud to protect students against bullying – regardless of the medium.
- Privacy and Disclosure. FERPA, HIPAA, and state regulations strictly govern the disclosure of student information. Inappropriate sharing of Individualized Education Program (IEP) information is a particular risk, as staff members may unintentionally share this information with more users than intended.
- Student Sharing. Student users may share files domain-wide or even externally, raising concerns regarding behavior issues, privacy issues, and COPPA compliance. Prevent data sprawl by understanding which documents are exposed domain-wide or externally.
Put Theory Into Practice
1) Conduct a discovery to determine who is using Google Apps, and how they are using the platform. Get a sense of all the files that live in users’ drives and all the applications connected to the domain in order to understand the sharing and access points.
2) Develop risk-appropriate policy for both students and faculty and monitor the environment accordingly. Establish policy to address sensitive information within shared documents, incorporating FERPA and CIPA compliance concerns. Create a policy that people understand, stating which apps they can and can’t attach to the domain.
3) Exercise control and address policy violations. Implementing an approach that incorporates continuous monitoring makes the substantial task of patrolling an entire educational institution’s cloud environment much more feasible.
4) In the spirit of education, educate your users. Engage data owners in securing the information they own. Are users, including students, faculty, and staff, aware of what behavior is risky? Are they aware of the potential security implications of their behavior?
Proactively educate users through dialogue rather than relying on paper policy to encourage secure behavior. Treat policy violation incidents as teachable moments by notifying users when their actions violate established policy. Enable users to self-remediate, reinforcing correct behavior and resolving the security issue – all without draining limited IT resources.
Ready for More?
In our eBook, you will learn strategy and tactics every organization can leverage to complement Google’s data protection capabilities, with a specific focus on behavioral security.
The eBook discusses data security and compliance within Drive, dives into the power of securely enabling collaboration, speaks to the value, risk, and potential controls around third-party SaaS apps, examines the benefits of file-level encryption, and finishes with actionable tips to make it all happen.