Transcript
Hello and welcome to the second week of the Advanced Cybersecurity Training for Teachers course. My name is Patricia Musomba and I will be your instructor this week.
During this week, we will explore data security and various techniques used to protect data created and processed by learning institutions from alteration, loss and unauthorized access. This module will provide you with the necessary skills and techniques to protect important and critical data such as the curriculum, student data and assessments.
With continuous integration of technology in educational institutions, data security and data management have become more important.
Data security is a set of standards and processes used to protect data against intentional or accidental destruction, modification or disclosure. Its main aim is to protect all the data that an organization creates, collects, stores, receives or transmits. Learning institutions create, collect and store data that is very critical. Primarily, any unauthorized access to this data could lead to a data breach and result in financial losses and damage to brand image. It is thus important for teachers and teacher educators to learn about data security.
Now, let us look at some of the data processed by learning institutions.
Learning institutions are data driven. They utilize data collected to make informed decisions about delivery of quality education, service delivery, resource allocation and fulfilling their mandate to key stakeholders such as parents, students and education ministries. Some of the critical data created, collected and processed by learning institutions includes:
- Financial data including fee payments, payroll information
- Employee information such as employment history, residential addresses, contact information, health information
- Student records including performance grades, health information, parent information, behavioral reports
- Intellectual property such as training materials, courses, tests, booklets
It is the responsibility of the learning institutions and all personnel who handle the data in any manner to protect and preserve the confidentiality and integrity of the data during its entire life cycle. The data lifecycle includes ordered steps from data acquisition to destruction of data. As shown, data is first created or collected. For example, in learning institutions, data creation could involve filled student application forms or parents providing copies of identification documents such as National IDs or driving license. Data is then processed and analyzed. This could be analysis of student performance to draw insights and conclusions. Data is then preserved through the use of various techniques to maintain its integrity and confidentiality. This data may need to be accessed from time to time by authorized parties.
To apply proper data protection controls, an understanding of the three data states is required. The three data states ensure that data is protected throughout its lifecycle.
Data at rest refers to data that is not being accessed and is stored on a physical or logical medium.
Examples of data at rest include:
- Files such as curriculum and examination documents stored in a file server
- Student records in databases
- Documents in a flash disk
- Video training content stored in a hard drive/disk
How can data at rest be protected?
Data at rest can be protected using the following techniques:
- Encryption: This is a technique that scrambles or encodes data in a way that only authorized personnel with a particular key can access and unscramble it. If unauthorized personnel access the data, it will be unintelligible to them because they do not have a special key to decrypt the data. Encryption can thus be applied to data storage such as databases, flash disks and hard drives. If a device such as a laptop is lost but encryption has been enabled, the data stored in the laptop will be protected. There are various free tools that can be used to encrypt our devices such as VeraCrypt and BitLocker. These two tools will be discussed later.
- Another technique is Multi-factor authentication: To access data stored in the cloud, multi-factor authentication should be enabled. For example, when accessing your Google Drive, you should authenticate yourself with a password and a code sent to your mobile phone. This adds another layer of security. If an attacker tries to access the drive, they will need the code. Multi-factor authentication can also help you detect unauthorized access. If you did not initiate the connection, then receiving a code would translate to an attempted unauthorized access.
The second data state is data in transit, also referred to as data in motion or data in flight. This is data that is transmitted or travels through an email, web or collaborative work applications. Here are some examples of data in transit:
- Email communication using clients such as Gmail and Microsoft Outlook
- Instant messaging communication using WhatsApp, Telegram
- Team collaboration using Microsoft Teams, Slack
- And downloading and uploading files on the internet
Data in transit can be protected by:
- Using secure communication channels. Most secure communication channels have encryption enabled, hence if and when the data is intercepted while in transmission, the unauthorized personnel will not be able to read it.
- It can also be protected using secure websites to access data on the internet. Secure sites usually have a padlock at the beginning of the URL as shown.
The last data state is data in use. This is data that is being consumed or accessed by a user. When data is opened by one or more applications, it is considered to be in use.
Examples of data in use include:
- Requesting access to a learning management system such as Moodle or Google Classroom
- Another example is accessing fee payment transaction history
Data in use is protected through:
- Tracking and monitoring who is accessing any critical information. This is why users have accounts used to log into any critical systems such as the student information system or the learning management system.
- It can also be protected by implementing data access controls to govern what each user can do to the data. For example, students can request access to view their performance grades but cannot modify them.
- Lastly, tracking and monitoring any changes or modification to data can be used to protect data in use. If any unauthorized changes are made, a previous version of the data can be restored and the perpetrator can be identified.
We have now come to the end of the first topic. In this video, we learned about data security, and the three data states. Next, we are going to look at data access controls.