Protecting Education Data: On-Premise vs. Cloud Storage
Six guidelines to follow when deciding how to store sensitive student info.


By Ray Ackerlund
Rays-Education-protection



 
More than 90 percent of school districts have electronically stored data on student demographics, attendance, student grades, student test scores, and much more, according to this Fordham Law national study. These school districts generally store data in one of two ways: on-premise or in the cloud.
 
Which one is better for your district? How can you keep this data safe? And what are the guidelines to follow when choosing a vendor? I’ll answer all of these questions to help you make the best decision for your district.
 
On-premise storage is installed and run on computers in a district building rather than a remote facility. Advantages of on-premise storage include complete control over all systems and data, and internal storage and handling of district data. The district needs to have dedicated staff for maintenance and support. Only a short time ago, on-premise storage was the most common approach; however, that has been surpassed by cloud-based solutions in the past five years. For districts that choose an on-premise approach, I recommend they include backup storage in a cloud environment. Skyward’s disaster recovery service for on-premise storage includes a rapid start-up service that can restore a district’s information within 24 hours if the on-premise solution is compromised.
 
Unlike on-premise storage, cloud computing is a model of data storage where the stored information spans multiple servers (and often locations) and the physical environment is typically owned and managed by a third-party company. Advantages of cloud computing include cost-effective services, limited software licensing costs, no new infrastructure requirements, and the storage company does most of the work, eliminating the need for extra IT staff.
 
As a student information system provider, Skyward recommends the cloud environment because it is a more effective use of resources. There is no right or wrong choice for school districts to store education data although they should assess their needs and resources before making the decision.
 
With the recent attention around education data privacy, the protection of student privacy within cloud computing has become a popular topic, although many educators are unfamiliar with the complexities of protecting student data. Because the protection of student privacy within cloud computing is generally unknown to the public and policymakers, districts should complete the following steps in order to ensure their student data is safe.
  •  Maintain physical measures to secure building locations of network equipment, including multistep processes to access network centers such as server rooms and a storage area network.
  • Establish separate network access points within buildings that segregate network access of administrative and classroom from students or guests.
  • Limit database administrator rights to a minimum number of staff—typically primary and secondary individuals such as SIS data administrators or district database managers.
  • Conduct routine security audits and network penetrator testing to ensure security measures meet current standards.
  • Establish a disaster recovery policy that protects data secured off-premise with the same level of protection as data stored on-premise.
  • Monitor network traffic to detect and block any unusual activity.
   
As districts rapidly shift to cloud-based storage, many important processes are easily forgotten, as cloud services can be poorly understood, nontransparent, and weakly governed. Based on the Fordham Law study, only 25 percent of districts inform parents of their use of cloud services and nearly 20 percent fail to have policies governing the use of online services. Meanwhile, a sizable amount of districts have widespread gaps in their contract documentation, including missing privacy policies.
 
Districts frequently surrender control of student information when using cloud services. For example, fewer than 25 percent of third-party agreements specify the purpose for disclosure of student information and fewer than seven percent of the contracts restrict the sale or marketing of student information by vendors. Many agreements also allow vendors to change the terms without notice.
 
Given the limited control in some third-party agreements, districts considering a cloud-based data storage approach should follow these guidelines when selecting an SIS and cloud-computing provider.
  • Require a single contract that includes all parties and defines security requirements to ensure protection of student data.
  • Ensure the cloud provider meets recommended standards, with an SSAE 16 standard as a minimum.
  • Provide database management and monitoring services.
  • Provide database updating and application updating.
  • Maintain multiple data centers with redundant failover.
  • Continually monitor industry standards to ensure latest protection and security recommendations are being followed.
 
An increased awareness for district staff, parents, and local politicians about data storage are paramount for increases in security and privacy. The emergence of these discussions regarding proper privacy measures to protect student data will help districts strengthen their internal procedures, data management, and storage of student information.