Key Takeaways: An AWS Expert on Best Practices for Securing Student Data
It’s not to say that people are distrustful. It’s just to say more along the lines that people are people; we’re humans and we all make mistakes. And so, therefore, you have to really take a look at the stuff to ask, do I really need people touching that data?
Larry Kiger, Sr. Industry Specialist, IT Security and Compliance, Amazon Web Services (AWS)
Protecting student data is more critical than ever due to the rapid shift to online learning in 2020-2021. And even without the pandemic, the shift to online learning and digital educational technologies is rapidly increasing.
Education is a US $6 trillion industry projected to increase to historic levels and reach $10 trillion by 2030. And though the education sector has traditionally seen less capital investment, especially when it comes to digitalization, this is changing, according to EdTech research firm and consultancy HolonIQ.
Education providers are expected to increase spending on digitalization and technology, in tandem with the edtech industry becoming one of the most active sectors for investors. In 2018, education spent $142 billion on digital and this is forecasted to grow to $342 billion by 2025. At the same time, venture capital invested $8 billion in 2018 in the educational technology market, up from $2 billion in 2014.
So while schools, academic institutions, and educational technology providers have always sought to implement best practices to secure student data, many are finding the challenges have increased several-fold with the massive increase in demand and users’ needs. Furthermore, some educators and school technology experts may not know where to start when it comes to ensuring the digital security of students’ information.
To better guide and inform educators on the subject, Amazon Web Services (AWS) recently included a session called “Securing student data in the age of virtual learning” at its re:Invent 2020 digital conference, addressing common security questions surrounding educational technology.
An AWS security and compliance expert shares how educators and schools can best meet their data security objectives, reduce risk, and automate tasks with tools.
Meet the Expert: Larry Kiger, Amazon Web Services
Larry Kiger, Sr. Industry Specialist, IT Security and Compliance, Amazon Web Services (AWS)
Larry Kiger is a Sr. Industry Specialist with expertise in IT security and compliance in the cloud. He aims to help educate and inform technologists, executives, and educators on technology and related risks.
Kiger joined Amazon Web Services (AWS) in 2019 as a security and compliance leader on the company’s Worldwide Public Sector team. The clients he works with include national and federal governments, academic institutions, and non-profits from North to South America.
Kiger has held several notable leadership positions prior to AWS, such as Senior Manager, Cyber Security and Compliance, First American Payment System; Global Lead, Security Operations for Alcon Corporation; and Deputy Chief Information Security Officer and Privacy Officer for the Department of Interior’s Office of Surface Mining Reclamation Enforcement.
What Qualifies as Student Data?
Before educators can secure student data, it’s important to first know what qualifies as student data?
Generally, student data refers to any information that educators, schools, districts, and state agencies collect on individual students. This data can include things like:
- Personal information (age, gender, race, living address)
- Enrollment information (school of attendance, current grade level, years of enrollment, attendance record)
- Academic information (courses a student completed, test scores, grades earned, academic requirements fulfilled)
- Various other data forms collected and used by educators and educational institutions (disciplinary records, learning disabilities, medical and health issues, etc.)
New educational technologies are expanding the catchment of what qualifies as “student data.” Educational software and online learning programs, for example, can collect an enormous amount of information and metadata about students that use those programs and services, which was not previously accessible. This can include information such as the geographic location of the computer a student is using and the amount of time it took a student to answer various questions or solve certain problems.
Furthermore, online learning apps and programs routinely collect thousands of data points while students are using the systems. This data can be used for both educational and non-educational purposes to support personalized learning, inform academic and business studies on education, improve software, or market a product to potential buyers.
The aim overall is to create a structure of best practices to manage student data most easily via privacy by design.
Security Responsibilities and Infrastructure Fundamentals
When it comes to security, it’s important to have a discussion on shared responsibility and the duty of educators and educational institutions to protect students’ information.
“You can’t go through a security discussion without having some sort of touch on the shared responsibility model,” said Larry Kiger, a Sr. Industry Specialist for IT Security and Compliance at AWS, as he introduced the concept early in the session.
In the shared responsibility model, both the individual and institution have responsibilities to support the protection of that individual’s data. The responsibilities will vary based on institutions and programs, but in most cases, the individual will be responsible for entering specific personal data into a system and may have to update it throughout their academic career. Meanwhile, educators and academic institutions are responsible for the infrastructure, the underlying services, and all the data once it has been entered into the system.
“I have talked to a lot of teachers, and have family [members] that are teachers, and they all say, ‘I’m not a technologist, right?’” Kiger commented, addressing the intimidating nature of data security for those unfamiliar with the practice.
With this in mind, a great way to approach data security is to focus on creating a strong infrastructure to support and automate data. By doing this, managing and protecting data is easier to achieve.
Kiger outlined seven fundamental principles to securing student data that should be kept in mind when designing a strong security infrastructure, including:
- Proactive not reactive and preventive not remedial
- Privacy as the default
- Privacy embedded into the design
- Full functionality
- End-to-end security (protection over the life cycle)
- Visibility and transparency
- Respect for user privacy
By really doing the work behind the scenes to define privacy controls and what your security needs to be, you can set a strong governance standard and implement a strong, automated foundation to protect student data, Kiger explained.
Then the question becomes, how do I actually do that? And Kiger helped show educators how to do that through some actionable steps to securing student data.
Steps to Securing Student Data
1. Discover Student Data
Now you know what the data is and have a goal in mind of a structure to create. But where is the data?
“One of the things that I thought was really funny back in the 80s in New York was that people would often say, ‘It’s 10 o’clock. Do you know where your kids are?’ Well, now it’s 10 o’clock, do you know where your data is?” Kiger laughed. “So you really have to ask yourself, Do I know where my student data is?”
The first thing is determining what the boundaries are defining student data. Then consider the ingress and regress (or inflow and outflow) of data collected and accessed related to students by the educational institution.
Identify the locations of this data, as well as the types of data that are being collected. Once you have done a repository scan of this data, you can begin to outline the best practices and infrastructure types needed to develop, support, and manage student data moving forward.
2. Assess the Current State of Controls
In order to move forward, educators and institutions need to address the true state of existing data pools and infrastructures. This step is critical to troubleshooting issues that may arise if otherwise unaddressed.
For example, with higher demand, many educational institutions participating in online learning are seeing students and teachers who have their own personal computers, and they’re all connected to one network. In this case, many online learning providers may be expanding the horizon of what they would typically classify as security needs, and now have to secure these different machines coming from different places.
By establishing a comprehensive perspective of the situation and the goal, the organization and educators can identify flows of data, data access, and power controls. This creates a foundation on which to shape governance controls, automate functions, mitigate risk, and increase security through privacy-based design.
3. Implement Security Principles
“So how does this work all feed into the big picture?” Kiger posited.
While privacy is important to enabling security functions, it is ultimately critical to implement the best security design principles into a framework. These principles will allow educators and learning institutions to mitigate the gaps in protection and create a strong, easily manageable system.
Kiger highlighted several security design principles to focus on in framework design:
- Implement a strong identify foundation
- Enable traceability
- Apply security at all layers
- Automate security best practices
- Protect data in transit and at rest
- Keep people away from data
- Prepare for security events
“The big takeaway that I’m trying to tell you is to automate, automate, automate,” Kiger emphasized. “Automate your security best practices. Why do it 100 times when you can only do it once? We only need to do it once, and you can actually go back if necessary to make changes.”
Then, it is important to keep people away from the data in the database. This can be included in the framework of a program’s infrastructure through automated application program interfaces (APIs) to enable approved data movement, search, and queries without constantly letting people put their hands in personal data.
“And it’s not to say that people are distrustful,” Kiger said. “It’s just to say more along the lines that people are people; we’re humans and we all make mistakes. And so, therefore, you have to really take a look at the stuff to ask, do I really need people touching that data?”
Lastly, preparing for security in emergency events by practicing incident responses is critical. This way, if something happens you will be prepared, Kiger noted.
By layering security throughout an infrastructure’s framework, educators and learning institutions can be best prepared to meet the increasing usage and demand for online learning, while still ensuring the safety of student’s data as they participate in educational programs.