Schools are increasingly complex organisations with a multitude of IT systems in use to support teaching, learning and the back-office administration that keeps your school running. Whether it be student addresses, medical details or banking information, school databases hold a vast amount of sensitive data.
In January 2021, over 60% of cyber security threats occurred within the education industry. This live interactive map from Microsoft shows which sectors are most attacked across the globe. So, it’s no surprise that security has never been more important to busy school IT teams.
Luckily, there are some easy approaches to improve the security of your school’s systems.
Single Sign-On with Two-Factor Authentication
There are many ways to authenticate your users to your systems. Security researchers classify these as:
- What you know: a password or passphrase
- What you have: a token/authenticator device, text message, phone call
- What you are: biometric details or facts about you
A simple username and password is no longer enough; passwords get forgotten, written down on sticky notes, or guessed by others. To maximise your security profile, consider implementing two-factor authentication; which requires users to provide at least two pieces of evidence before they are logged in – usually a password accompanied by an email or SMS confirmation.
This simple step adds an extra layer to your security and prevents your accounts from being compromised. With a range of different authentication methods available, it's easy to choose a setup that works for your entire school community.
In conjunction with this, single sign-on using a protocol like SAML makes it easy to manage who has access to what. When you use the same credentials for all systems, you ensure users have a secure way to access all school services. A consistent sign-on experience also means users know what to expect when signing in and when it is safe to authenticate. We recommend that you enable single sign-on for all your systems and make it a requirement for all new systems your school deploys to support it too.
Audit Logs – keep track of who did what
Security does not stop once the user has been authenticated. Once a user has logged in, you need to be able to keep track of their footprint. Audit and changelogs in your systems are the best tools to keep a record of this type of activity. Typical logs should include when and how a user logged in, what they accessed, and whether they added, modified, or removed any data.
In the case of suspected misuse of a system or a data breach, these logs will be your first point of reference and can help you understand the scope of an incident and address it quickly. It is therefore good practice to keep these types of logs for a suitable period of time and include them in your backup procedure.
Role-Based Access Control – a structure for who can access what
Prevention is always better than a cure, and careful management of access and permissions are critical to keeping your systems and data safe. To do this, it is best to only give users access to what they need – think about the bare necessities.
Trevor Ciminelli, Information Systems Coordinator from Chairo Christian School, mentioned that staff often ask for access to something without fully understanding what they are asking for.
"That doesn’t mean they aren’t allowed to have it, but they should have it in a sustainable method that doesn’t mean giving free rein of the entire student database,” says Trevor in our ‘Who Owns a School Management System’ blog.
He went on to say that not even everyone in their IT Team has access to everything.
“An Information Systems Administrator is an important role to have - someone who understands the system, has the access and can interpret what people are asking for. You don’t want all staff (including in IT) sitting there with full database access."
We recommend managing access using role-based permissions, where you define roles for the different types of users within your school and apply permissions to the data and programs that are required for that role.
From there, users can be mapped to one or more roles, negating the need to manually manage and keep track of individual users and what they have access to.
These might come in the form of security groups and are ideally centrally managed by your identity management system, reducing your administrative overhead.
Look at how access is granted at your school and see if you have roles or groups configured.
If this is a method that your school already uses, a regular review process of roles and memberships is recommended, and like Trevor said, limit those with full administrative access or the ability to change permissions to a select group of trusted staff.
Data encryption – keeping your data safe
Your school's data can reside in many places, and an easy way to keep it safe from prying eyes is to apply encryption at transit and rest. For encryption in transit, any web application should enforce the use of HTTPS with strong modern encryption methodologies such as TLS 1.2. Simple online tools such as SSL Labs make it easy to check how your web applications are encrypting your data over the internet.
At rest, it is best to enable full disk encryption on your servers (on-premises and cloud), and end-user devices like laptops, tablets, and desktop PCs. Encrypt your backups and consider discouraging the use of USB sticks and external hard drives as they can too easily fall into the wrong hands.
Finally, it is important to check that your system vendors also follow best practices internally to keep your data safe.
Any system you have, or are considering putting in place, must have stringent measures to protect your data and the privacy of your students and staff. Consider asking your vendor what procedures and policies they have in place– and for any documentation they have outlining these.
Check out our blog on Choosing a School Management System for more detail on what to look out for.
APIs – managing third party access and ownership of data
More and more, school technology stacks are becoming vaster and more complex environments.
With the need to share common information across systems, the question of how integration is achieved to ensure both security and data integrity is paramount.
Direct database connections are surprisingly, still widely used in the education sector but can expose a lot more information than what a third-party solution may need, leaving your systems and data vulnerable to unwanted access/breaches.
Deploying a RESTful API integration methodology can be a much more effective way of keeping your data safe, ensuring that the third-party only receives the information that they need and restricting access to the types and volume of data that they do not need access to.
API technology also guarantees that data is encrypted as it is sent/received between the client and server, ensuring data remains safe from interception attacks.
Complex Family Situations – protect the privacy of your students.
Families come in all shapes and sizes, often making it difficult to manage them within your identity management and authentication system. However, it is important to ensure your systems understand that families may not have just one mother and one father.
These days, blended families are becoming the norm rather than the exception, and to keep data secure while being sensitive to the requirements of your community, all your school’s systems should be able to accommodate the linking of caregivers to the relevant students with granular permissions. Not only does it help target communication effectively, but it also ensures that confidential information is only visible to those that need it.
Where to next?
Security best practices continue to evolve as new technologies develop and threats arise, so it's important to stay on top of your data security and review your processes regularly. The Australian Cyber Security Centre has a list of security practices they call the Essential Eight, which provide a great starting point for you to review your school’s security posture.