In a Wednesday session at the Future of Education Technology Conference in Orlando, Fla., ClassLink Sales Manager Mcdeny Alcantara explained why.
“I sadly lived through a ransomware attack on one of my school districts, and they wanted our money, but more than that they wanted our data. Because if they don’t get our money, and they have our data, they can resell that and do even more damage in the future,” he said. “If I [as a hypothetical bad actor] cannot get to your data, because you did a great job protecting your network, I may want to target your district partner, and they may have some vulnerabilities that we can exploit and take your data out. That’s what bad actors are doing. Not just education, but education partners.”
Admittedly, he has a personal stake in this recommendation, as his employer helps schools to do this with a service called DataGuard. But he described the concept as a way for school districts to limit their liability if one of their vendors should be compromised in a cyber attack.
To begin with, Alcantara said, school districts should guard their data by having or creating a data governance program, prioritizing the most impactful security measures for their network, and documenting their security policies. He cited best practices that will be familiar to many IT security professionals already: single sign-on with multifactor authentication, data encryption and application vetting.
“You have the restore system — it could be your [student information system] — feeding your roster server, and your roster server is the one that interfaces with your ed-tech vendors,” Alcantara said. “The roster server is the one that you control, and you decide what to mask, what not to mask, to whom and when. So, your source system data is never altered. What you share with vendors is what you decide, how much you give and how much you don’t give.”
Rachelle Corry, coordinator of digital resources at Deer Park Independent School District in Texas, praised the practice of data masking as a customizable way to make data legible for users but not for external parties.
For Deer Park ISD, Corry chose to mask data on the student roster so that only the first three letters of a student’s first and last name were visible, followed by letters and numbers — for example, “Nic9c6f6 Brad4530” instead of the student’s full name. Teachers said they could still identify which students the masked versions of the data belonged to, but if the ed-tech vendor were to have its data stolen, the information would be useless to the thieves.
Corry said this can be effective as long as it’s communicated clearly to teachers, and they can give feedback.
“In our case, I didn’t want the teachers to be confused, or handicapped, or not being able to function,” she said. “When I first started, I reached out to some teachers and said, ‘I think you’re going to see some changes, and I need some feedback,’ because we don’t want to rock their world. They’re stressed enough in the classroom already.”
Alcantara said once data is masked, outside parties cannot reverse-engineer it or revert it to its original values unless they have access to the original data set on the school’s network. They can’t get it from the vendor.
He added that the customizability of the function is also key.
“It’s not one-size-fits-all,” he said. “You can apply this to some, many or none of your applications.”
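The masking described by Corry and Alcantara can be sketched as follows. This is an added example, not ClassLink's or Deer Park ISD's code: the keyed-HMAC suffix, the key, the vendor names, the policy table and the sample roster are all assumptions made for illustration, with the output shaped like the article's "Nic9c6f6" example.

```python
import hashlib
import hmac

# Assumption: a secret held only on the district's roster server (constructed value).
DISTRICT_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical per-application policy: which roster fields are masked for whom.
VENDOR_POLICY = {
    "reading-app": {"first_name", "last_name"},
    "gradebook": set(),  # an application the district chose not to mask
}
NAME_FIELDS = {"first_name", "last_name"}

# Constructed sample of source-system rows (not real student data).
SAMPLE_ROSTER = [
    {"student_id": "1001", "first_name": "Nicole", "last_name": "Bradford"},
    {"student_id": "1002", "first_name": "Nicole", "last_name": "Bradford"},
    {"student_id": "1003", "first_name": "Al", "last_name": "Ng"},
]

def mask_name(name, student_id, field, key=DISTRICT_KEY, visible=3, suffix_len=5):
    """Keep the first `visible` letters; replace the rest with a keyed suffix."""
    msg = f"{field}|{student_id}|{name}".encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return name[:visible] + digest[:suffix_len]

def export_roster(source_rows, vendor):
    """Build the vendor-facing copy; the source rows are never modified."""
    # Unknown vendors fall back to masking every name field (default deny).
    masked_fields = VENDOR_POLICY.get(vendor, NAME_FIELDS)
    exported = []
    for row in source_rows:
        out = dict(row)  # copy, so the source system data stays unaltered
        for field in masked_fields:
            out[field] = mask_name(row[field], row["student_id"], field)
        exported.append(out)
    return exported

if __name__ == "__main__":
    for vendor in ("reading-app", "gradebook", "unlisted-app"):
        print(vendor, export_roster(SAMPLE_ROSTER, vendor))
```

The suffix is keyed so that someone holding only the vendor's copy cannot recompute it from a list of likely names, which an unkeyed hash would allow. Mapping a masked value back to a student requires the key and the original roster, both of which stay on the district's side.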