Protecting Digital Data
School administration makes encrypting personal student digital data more important than ever
- By Richard Kanadjian
- June 01, 2021
While the debate regarding the opening of many
schools continues, it looks as if distance learning and
school administration will continue to some degree.
So, as we plow through the one-year anniversary of
schools closing across the country on account of the
COVID-19 pandemic, it is a good time for a reminder of the necessity of
keeping student Personally Identifiable Information (PII) secure.
PII is data that could directly identify an individual, be it by name,
address, social security number or other identifying number or code, telephone
number, or email address. Any information that can lead to
the identity of a specific person falls under PII. A simple spreadsheet
of student information and grades could fall under the wide umbrella
of PII regulations.
The purpose of securing such data is twofold: 1. to fall in line with
the plethora of federal and state laws and regulations mandating it,
and 2. to act as a safeguard given the off-site use of, and lack of oversight over,
personal PCs and laptops in teaching and administrative duties during
the pandemic.
Whether it is stored or being transported, data protection is essential.
The costs in money and reputation on account of data breaches,
hacking and lost or stolen laptops/PCs are astronomical.
So, how do you make sure all your digital personal student data is
secure and meeting regulations? One way is to encrypt all your digital
files, whether they are on a USB drive or an SSD.
Before discussing those, let's take a brief look at a few of the prominent
laws and regulations dictating personal student digital-data
security, which would be enforced whether there was a pandemic
going on or not.
The Future of Privacy Forum (FPF), a Washington, DC-based
think tank that seeks to advance responsible data practices, says federal
and state security requirements oblige schools and companies to
use “reasonable” steps or methods to provide security regardless of
the technology in use.
Three of the requirements affecting schools and school systems,
according to FPF, are:
FERPA. Family Educational Rights and Privacy Act (FERPA), a
federal law, applies to any school that receives funds from the Department
of Education and protects the privacy of a student’s school
records. “Education records” include those that contain the information
related to a student. Since its requirements are mandatory for
schools receiving Department of Education funds, it applies to most
K-12 schools and post-secondary institutions, both public and private.
Enacted in 1974, FERPA is still the main federal law governing
student privacy at educational institutions. While technology has
made a sea change in the way student records are kept since then,
Congress has made very few changes to the act.
COPPA. Children's Online Privacy Protection Act (COPPA) is
another federal law that covers information that can be obtained
from children under the age of 13, by companies on websites, games
and mobile applications. This applies to any online product that is
targeted at consumers under 13, and where the companies have
“actual knowledge” that the user is under the age of 12. COPPA has a
special provision allowing school officials and educators the ability to
provide consent on behalf of parents for their students to be able to
use online platforms in an educational setting at their school.
However, this consent is limited to the collection of a student’s
personal information for a school’s educational purpose, not any
commercial use.
HIPAA. The Health Insurance Portability and Accountability Act
(HIPAA) creates standards for electronic healthcare activities and protects
the privacy and security of personally identifiable health information,
including that of students. HIPAA is not applicable in most cases for
student records. However, it and FERPA do overlap to some degree. A
school is a “healthcare provider” as defined by HIPAA when it operates
a health clinic offering medical care to students in the normal course of
business. Also, a school must comply with HIPAA if it conducts any
electronic transactions that fall under the standard.
Now on to the products that can help keep your digital data safe.
Encrypted USB Drives
Standard USB drives (such as removable media, flash drives,
thumb drives, etc.) are used as file-sharing and mobility tools,
backup drives, and more. While they have revolutionized data
storage and transfer, they have also introduced serious security
concerns. Because they are so portable, USB drives can turn up
anywhere, which makes them very vulnerable devices: a lost drive is
easily accessed, causing a potential breach.
Considering how much data can be stored on these drives, the
damage caused by a lost or hacked drive can be unfathomable. The
most effective means to secure data on such a portable storage device
is to use an encrypted USB flash drive.
A hardware-centric/software-free encryption approach to data security
is the most effective means of preventing unauthorized people
from viewing private, student-related information. Such a USB drive is a
cost-effective and easy-to-implement solution for protecting private data.
These devices meet tough industry security standards and offer the ultimate
security in data protection to confidently manage situations and
reduce risks arising from missing drives. The encryption/decryption functions
are self-contained within these devices and do not require a software
element on the host computer. Brute-force, sniffing and memory hash
attacks are eliminated because there is no software encryption vulnerability.
Hardware-centric and software-free encryption eliminates most of
the common attack routes used by hackers. Complete cross-platform
compatibility with any OS or embedded equipment using a USB drive
for storage is also a benefit of software-free encryption.
AES 256-bit encryption in XTS mode is what top-of-the-line
hardware-based encrypted USB drives use. This ensures that anyone who
finds such a drive cannot easily access the information by cracking
the encryption. Additionally, state-of-the-art drives will lock away
data on the drive when the wrong password is attempted 10 times.
These USB drives also have digitally signed firmware that cannot
be altered, which adds a layer of protection against a common hack
called BadUSB. Access to the physical memory is also prevented by
filling the cases with epoxy.
A hardware-centric/software-free encryption approach eliminates
the most commonly used attack routes and is the best defense against
a breach-causing data loss as it.
Encrypted Solid State Drives (SSD)
SSDs are the preferred storage medium for PCs as they feature unbelievable
speed and reliability. They have gradually replaced older-style hard
disk drives over the past 10 years. SSD encryption is similar to USB
drives in that it is hardware-based, but requires software to engage it.
Many SSDs come standard with 256-bit AES encryption. This puts
a wall around the data stored on the drive. However, as it is the computer’s
hard drive, it requires software to lock that wall. Fortunately,
organizations may have the lock in place already as part of their OS.
Educational institutions and organizations that deploy data security
measures from other major vendors are in luck as well, as most of
these companies also provide a software component to lock the
encrypted data on SSDs.
Here are a few encryption methods that your SSDs should include.
The more types an SSD has, the more secure the personal student data.
AES 256-Bit Encryption. AES (Advanced Encryption Standard) is a
symmetric encryption algorithm (this means that the encryption and
decryption keys are the same). AES is known as a "block cipher" where
data is divided into 128-bit blocks before being scrambled with a 256-bit
key. AES 256-bit encryption is an international standard and is recognized
by the government, among others. AES-256 encryption is nearly
undecipherable, making it the strongest encryption standard available.
TCG Opal 2.0. This protocol lets TCG Opal 2.0 security management
solutions from independent software vendors such as Symantec™,
McAfee™, WinMagic®, and others initialize, authenticate and manage
encrypted SSDs.
Microsoft eDrive Support. Microsoft eDrive is a security storage specification
program that is provided through the Pro and Enterprise editions
of Windows 8, and above. While an SSD may feature AES 256-bit encryption,
it is wide open if not used in conjunction with eDrive or any of the
other solutions listed above from the major security software vendors. In
other words, AES 256-bit encryption on an SSD provides a fence around
the data. The software solution is the lock that keeps the fence closed.
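The fence-and-lock distinction above can be audited on Windows machines. The following is an added example, not part of the original article or any vendor's tooling: it assumes BitLocker is the software layer in use, the function name Get-EncryptionFinding is hypothetical, and the sample records are constructed to mirror the properties returned by Get-BitLockerVolume.

```powershell
# Added example: report whether each volume's encryption is actually engaged and locked.
# Input objects use the property names of Get-BitLockerVolume output (BitLocker module).
function Get-EncryptionFinding {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Volume)
    process {
        $method     = [string]$Volume.EncryptionMethod
        $status     = [string]$Volume.VolumeStatus
        $protection = [string]$Volume.ProtectionStatus
        # Filter out $null so an empty protector list counts as zero entries.
        $protectors = @($Volume.KeyProtector | Where-Object { $_ } |
                        ForEach-Object { [string]$_.KeyProtectorType })

        $finding = if ($status -eq 'FullyDecrypted' -or $method -eq 'None') {
            'UNPROTECTED: no encryption is engaged on this volume'
        } elseif ($status -ne 'FullyEncrypted') {
            "INCOMPLETE: volume status is $status"
        } elseif ($protection -ne 'On') {
            'SUSPENDED: protection is off, so the volume unlocks without credentials'
        } elseif ($protectors.Count -eq 0) {
            'NO KEY PROTECTOR: nothing is guarding the encryption key'
        } else {
            'OK'
        }

        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            # HardwareEncryption means the drive's own AES engine (eDrive) does the work.
            Mode       = if ($method -eq 'HardwareEncryption') { 'Hardware (eDrive)' } else { "Software ($method)" }
            Protectors = $protectors -join ','
            Finding    = $finding
        }
    }
}

# Constructed sample records (not real output) covering the three main cases.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; EncryptionMethod = 'HardwareEncryption'; VolumeStatus = 'FullyEncrypted'
                       ProtectionStatus = 'On';  KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Tpm' }) }
    [pscustomobject]@{ MountPoint = 'D:'; EncryptionMethod = 'None'; VolumeStatus = 'FullyDecrypted'
                       ProtectionStatus = 'Off'; KeyProtector = @() }
    [pscustomobject]@{ MountPoint = 'E:'; EncryptionMethod = 'XtsAes256'; VolumeStatus = 'FullyEncrypted'
                       ProtectionStatus = 'Off'; KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
)
$sample | Get-EncryptionFinding | Format-Table -AutoSize

# On a managed Windows machine, from an elevated prompt:
#   Get-BitLockerVolume | Get-EncryptionFinding
```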
If you, your school or the school district are not using encrypted USB
drives or encrypted SSDs, your personal student data could be at risk of
being hacked or breached, and you may not be compliant with strict
federal and state regulations protecting personal student information.
Here are a couple of Kingston USB products to give you an idea of
what is available and what you, as a teacher or school district, should
be using.
• DataTraveler® 2000 (DT2000). It is designed with an alphanumeric
keypad that locks the drive with a word or number combination of
your choosing for easy-to-use PIN protection. The keypad works on
any device, such as a Windows PC, MacBook or Chromebook. It
features hardware-based full-disk AES 256-bit data encryption in
XTS mode, which means the encryption is done on the drive with
no trace of your PIN left on the system and provides a level of security
that the government and other such organizations around the
world have adopted.
It also has FIPS 140-2 Level 3 certification, including military-grade
anti-tampering protections, to meet a frequently requested corporate
IT requirement. Its fast storage speed allows for speedier data transfers.
The DT2000 can be used on any device with a USB 2.0 or USB 3.0 port,
which includes virtually all later model digital devices. With an adapter,
it can also be used on devices with a USB-C data port.
• The DataTraveler® Vault Privacy 3.0 USB flash drive (DTVP30) provides
affordable business-grade security (thanks to its 256-bit AES
hardware-based encryption in XTS mode) that ensures 100% protection
of stored data. Complex password protection with minimum characteristics
prevents unauthorized access. Plus, for additional peace of
mind, the drive locks down and reformats after 10 intrusion attempts.
School administrators will be glad to know that the DTVP30 can be
customized in various ways to meet internal IT requirements. It is
FIPS-197 certified and TAA compliant to meet frequently requested corporate
and government IT requirements. Its SuperSpeed USB 3.0 technology
means you will not be compromising transfer speeds for security.
It is unknown how long it will be before students are back in the classroom,
but either way it’s best to be sure that all efforts in personal data protection
are being made.
This article originally appeared in the May / June 2021 issue of Campus Security Today.