Since January 2013, 48 data breaches have occurred in the education sector, including K-12 and higher education institutions, according to a database maintained by the Privacy Rights Clearinghouse in California. With the wealth of personal student financial and health records routinely stored on these networks, it’s not surprising that hackers are targeting these databases. High-profile data breaches such as the University of Maryland’s recent leak, demonstrate that education IT environments have some significant, but not unique, challenges.
Data-centric approach to protection
In most education IT infrastructures, there are three main groups of users at different trust levels: IT and support staff, teaching staff/faculty and students. In addition, multiple external entities require access to these networks and systems as part of support contracts, and often data is shared with other education and research organizations. To better protect sensitive data from either accidental or intentional breaches, each group of users should only have access to the systems and data that is appropriate for their role. This is commonly called the data-centric security approach, and it controls access to all files, applications and databases based on user permission levels and business policies set by the IT administrator.
For example, using data-centric security policies, a teacher can access his faculty’s research data, student records and general administration information from a computer on the LAN, but not on a BYOD device in a café due to the lower trust level of the device and the network.
This data-centric approach, combined with physical and/or logical network zoning and security monitoring, greatly increases the visibility and awareness of unusual or malicious activity by creating ‘choke points’, where sensitive data can be controlled and protection applied.
Key considerations to ensure data security:
– Learn where sensitive data is stored. It’s amazing how many institutions have personally identifiable information lying around in test databases or legacy systems that do not have any security controls.
– Be a traffic cop. Educational institutions should spend more time analyzing data traffic for anomalies and suspicious events.
– Encryption of sensitive data is a must. A database activity monitor ensures that security policies are enforced at the database level. This approach safeguards data when an insider with access privileges to the records attempts to upload more than a pre-determined amount of information at once.
– Let a security pro handle it. Avoid the cost of hiring hard-to-find security talent by employing a managed services approach: outsourcing log management and network monitoring functions. Some companies offer a policy-driven security architecture assessment to help institutions plan and execute a holistic data-centric security strategy.
– Don’t forget the basics. Simple steps such as enforcing strong passwords, limiting privileged access and regularly performing systems tests for vulnerability and penetration.
If a comprehensive, policy-driven security architecture is implemented throughout the education sector, future security breaches will be prevented, allowing institutions to confidently embrace the variety of enabling and cost saving technologies in the marketplace, such as enterprise mobility, Cloud and collaboration tools for information exchange among education and research organizations.
About the author
Jason Harris, CISSP, is principal consultant for the Advanced Security and Mobility business unit of Dimension Data, a $5.8 billion global information and communications technology (ICT) provider. For more information, visit http://www.dimensiondata.com/en-US/Solutions/Security.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.