Google’s recent announcement of Drive for Education brings the benefits of Drive for Work to the education segment. What does this mean for schools?
- Unlimited Storage. Educational institutions no longer have to worry about the volume of users’ drives.
- Vault is Free. Vault, Google’s search and discovery tool, is now included at no-cost. This frees up IT budget to add complimentary security solutions to cloud infrastructure.
- New Audit APIs. The new APIs Google made available make it possible to access information about how your account’s users manage, modify, and share their Google Drive documents.
Most importantly, with the launch of Drive for Education, schools have the opportunity to reevaluate the merit of their on premise solutions and consider Drive as their one-stop file share, storage, and collaboration platform.
As educational institutions continue to standardize on cloud platforms, the volume of data moving into the cloud (and created in the cloud natively) is increasing. Additionally, the organizational perimeter is extending – and data security must extend in parallel.
Schools must secure an increased volume of information in the cloud – where users have unprecedented levels of control over the creation and distribution of sensitive data. This is of particular importance in academia, where institutions face stringent data security and compliance concerns.
The Higher Education Angle
Higher education institutions face a particular set of concerns when it comes to securing their sensitive information assets, including:
- Domain Compliance. Schools are concerned with the detection, remediation, and control of structured information within public cloud environments. Typical types of regulated data include FERPA protected data, PCI, PII and PHI.
- Data Sprawl. The expansion of the data perimeter through sharing capabilities creates a challenge for universities. Examples include exposure of files through publicly shared folders, re-sharing of files from external contacts who have edit permissions on documents, and the over- or mis-use of social media feeds, such as Google+.
- Cybersecurity and Data Privacy. The protection of data assets from both malware and crimeware, often capable of accessing information from within SaaS applications via technologies such as OAUTH, is of concern to higher education organizations.
- Crown Jewel Protection. The protection of non-regulated but sensitive information that exists within an organization. Most often, this is research data (e.g. ITAR) or intellectual property (IP).
The K-12 Viewpoint
Meanwhile, K-12 schools face their own concerns regarding public cloud information security, such as:
- Student Welfare. Concerns relevant to cyber bullying, self-harm, violence in schools, and other behavior that may put students in harms way.
- Objectionable Content and Language. Obscene content shared with students, external users, or published to the web and reverses sharing.
- Over Sharing. Students sharing content outside the school’s domain (external sharing) or across the entire domain.
- Public or Domain-Wide Sharing of Student Records. The public or domain-wide exposure of assets that contain sensitive student records or related information.
- Staff Sharing Student Info Externally. Documents that contain student personal identifiable information (PII) or other sensitive information.
- IEP Policies. Inappropriate sharing of sensitive IEP (Individualized Education Program) information.
To improve the security posture of your educational institution, consider the following steps.
- First, determine who in the institution is using Google Apps, and how so. Get a sense of all the files that live in users’ drives as well as users’ self-provisioned 3rd party apps to understand the sharing and access points.
- Second, develop risk-appropriate policy for both students and faculty and monitor the environment accordingly. Establish policy to address sensitive information within shared documents, incorporating FERPA and HIPAA compliance concerns (as well as CIPA and CORPA in K-12 environments). Create a policy users can easily understand.
- Third, address policy violation and implement an approach that incorporates continuous monitoring, making the substantial task of patrolling an entire educational institution’s cloud environment much more feasible.
- Finally, in the spirit of education, educate your users. Engage data owners in securing the information they own. Are users, including students, faculty, and staff, aware of what constitutes risky behavior? Do they understand the security implications of their behavior?
Proactively educate users through dialogue, rather than relying on paper policy to encourage secure behavior. Treat policy violation incidents as teachable moments by notifying users when their actions violate established policy. Enable users to self-remediate, reinforcing correct behavior and resolving the security issue at hand – all without draining limited IT resources.
Don’t Take Our Word For It
Want to learn what IT professionals in the educational segment think about CloudLock? Check out these videos of Joel Rosenblatt, Director Network & Computer Security for Columbia University, and John Krull, Information Technology Officer for Oakland Unified School District.
Ready For More?