As school IT staff, we handle very large volumes of learner information and, although it seems “everyday” to us, this information represents the identities of hundreds to millions of children and teachers whose data we maintain.

Now, type “school data breach” into your favorite search engine and see for yourself how frequently this information is “lost” or falls into the wrong hands.

This article is not intended to talk about how bad things are or alarm anyone (beyond the previous sentence) – its purpose is to outline some ways an educational institution can prevent it from happening.

Practices we recommend here are not the “throw the baby out with the bath water” techniques so often recommended as proper security that make everything so secure that nothing works properly. We also try to avoid suggesting policies like “change your password every 17 days to one you’ve never used before with 4 alphabetic (2 upper and 2 lower case), 4 numeric, and 3 special characters and make sure to not write them down”.  Policies like this end up being the least secure of all because they go far beyond the capabilities of their audience and in practice, the passwords end up getting written down somewhere (sticky notes). Strong passwords are good, but it is also important to remember that you are working with normal people who are also trying to memorize perhaps 20 to 30 other passwords with somewhat similar cycles and restrictions.

What we are presenting are technologies that allow those that need to work the tools to do their jobs with minimal interference, and at the same time, an infrastructure that makes this data transfer more reliable, secure and private by using software that keeps track of the data as it delivers it. If questions arise later, it provides auditors with powerful tools to quickly answer questions.

One note before getting too far: when we use term “learner” in this article, we will be referring to students but also teachers, bus drivers, cafeteria workers, administrators and anyone else whose personal data may stored in one of the many systems found in an educational institution.

Overview

In this article, we will consider several areas that all contribute to keeping data secure and private:

• Participants: who can access this data and on whose computers (or devices, networks) will this data sit (be transmitted, …)
• Software features designed specifically for data privacy
• Tools available to IT professionals
• Tools available to Educational professionals

(things in dark red are those that are going to be covered by most of the detail of this article)

Participants

There are many people, companies, computers, networks and other devices that come in contact with learner personal data. Some that come to mind are:

• People and Companies
  • Learners, Teachers, other School Staff (employees)
  • IT Staff (they generally have different permissions than do other school staff)
  • Outside people who fix computers, suppliers from whom you buy applications and through whom you get support
• Computing facilities:
  • Servers that host administrative applications
  • Servers that host shared academic applications
  • Servers that host dedicated, specialized applications
  • Applications that share data through SIF
  • “In the cloud” hosted applications
  • Desktop computers in the classroom
  • Learner-owned computing devices (laptops, others)
  • Devices such as USB memory devices, portable hard drives
• Networks
  • Internal administrative networks
  • Internal academic networks (perhaps different from the administrative network (on a different subnet))
  • Internet public network
  • VPNs and connections to other larger private networks

Some of these items above perhaps are already properly addressed, but all need to be properly addressed (or at least reviewed) before a school’s data can be considered private and secure. So, let’s take a look at them in detail.

People and Companies

Teachers, Other Employees and IT Employees

Since IT staff have access to all student information, we recommend that they be required to have the same background checks as would teachers. This may be different than current policy, but if so, you should consider changing your policy.

We would assume that almost every school would have the first item handled properly as well as the second, at least in the UK.

In the US, the first item (Teachers) is likely to be handled well, but if required at all, IT staff are often only required to have a “criminal background check” as they are in Pennsylvania. If that is the case, we would suggest upgrading the type of check to the same as those for teachers.

In Australia, we would recommend that IT personal be required to have the “WWC” background level check.

Outside Companies

This gets more difficult, especially when those companies are located in a different country. But, in order to ensure learner data privacy, these suppliers must also fall under these security checks.

Local suppliers:

• If these contractors come in contact with learner data, then they should be background checked, just as an IT employee would.
• They should not bring in USB memory sticks or external hard drives or anything else that could be used to take data back out.
• If they use a screen-sharing technology for support, it should be one where the local IT person “invites” the support person and participates in the session (the remote person cannot make an unattended or non-shared session).

Suppliers from other countries:

This is where things get potentially more difficult, especially when the issue of customer support is considered. The same principles as those listed (above) for local suppliers should apply, but some new issues arise:

• Have all the employees in the supplier’s company had background checks similar to those they would have received in the local country?
• If in the process of diagnosing a problem, student data leaves the country, does the data in the suppliers country have similar learner privacy protections as it did the data was in the country of origin?

At Visual Software, since we have been asked to address these issues by our UK customers, we have made business adjustments and taken steps to address these concerns:

• Each employee, no matter what the job function gets the same level of background check as would a teacher in our local public school system and has it renewed each year.
• Visual Software has become what is known as an “US-EU Safe Harbor” certified company. In this way, we have adjusted our policies and customer support methods so that we don’t have situations where learner personal data ever gets stored on our computers, causing such problems. Presently, Visual Software is the only SIF supplier to be US-EU Safe Harbor certified.

Safe Harbor Certification

According to the US Department of Commerce:

The European Commission’s Directive on Data Protection went into effect in October 1998, and would prohibit the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection. While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the European Union. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. The European Union, however, relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of databases with those agencies, and in some instances prior approval before personal data processing may begin. As a result of these different privacy approaches, the Directive could have significantly hampered the ability of U.S. companies to engage in many trans-Atlantic transactions.

In order to bridge these different privacy approaches and provide a streamlined means for U.S. organizations to comply with the Directive, the U.S. Department of Commerce in consultation with the European Commission developed a "safe harbor" framework. The safe harbor — approved by the EU in 2000 — is an important way for U.S. companies to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by European authorities under European privacy laws. Certifying to the safe harbor will assure that EU organizations know that your company provides "adequate" privacy protection, as defined by the Directive.

If you are in the United Kingdom, considering implementing SIF and working with a US supplier who is not Safe Harbor certified, it might be worth reading the document, especially sections 2.3 and 2.4: (the title below is a link to the document)

“Data Protection Act 1998, The eighth data protection principle and international data transfers The Information Commissioner’s recommended approach to assessing adequacy including consideration of the issue of contractual solutions, binding corporate rules and Safe Harbor.”

Computing Facilities

Well, the most important topic that we could talk about are the applications that share data through SIF. In terms of data privacy, there are many topics even within SIF transfer – for example:

1. Object level permissions: restricting data from going where it doesn’t need to go based on the object designation
2. Element-level filtering: further restricting the dissemination of the information to applications at the element level
3. Does your provider publish more than it needs to? Does your publishing SIF agent allow you to tailor what it publishes?

Object Level Permissions (ACLs)

Object level permissions have been around since the first versions of SIF. They are commonly referred to as ACLs or Access Control Lists. They are a list of permissions assigned by the ZIS administrator that control what a SIF agent connection is allowed to do at a particular connection. For example, the following is a screen on a ZIServer administration screen where the administrator sets these permissions:

In this example, the blue lines are an indication to the administrator that permissions for this object have been set.

Element Level Security

In March 2008, we began to hear from the community (mostly in the UK) that there was a need for a higher level of control over how data was being distributed and that the requirements of the UK Data Protection Act required that we add functionality to our ZIServer product to give this level of control. Since nothing in the existing specification prohibited us from doing so, we added “Element Level Security” shortly thereafter. Since then, this has been adopted as part of the SIF standard, both in the US and in the UK.

In ZIServer, if an object has elements that may be restricted and that object is being activated for this agent, the name of the object will become a link as in this example:

If the user clicks on the link, he or she will see the element level filtering options for that object as in this example:

Checking the box next to the element will cause that element to be stripped out of any message before it is delivered to this agent.

Publishing More Than You Need To…

The best approach of all to privacy, of course, is to not publish the things that don’t need to be published. In the words of the wise teacher, Mr. Kesuke Miyagi (from Karate Kid II, 1986):

“Remember, best block, no be there.”

So, if your agent allows, don’t publish those fields that you know none of the subscribing agents will need. We designed this capability into our ZIAgent™ configurable agent knowing that this would be a common need:

In this example, we are choosing not to publish “CitizenshipStatus”. Although we may store it in the student management system and the SIF agent is capable of distributing it, we also know that no other application will ever need it. The most secure way of protecting that value is to never distribute it in the first place.

Blanket Level Filtering and Managing Zones

A separate but very large topic in and of itself is the management of zones. In large enterprises with hundreds to thousands of SIF zones, you should consider the effort that will be involved with the management of all those zones and the thousands of agents connections in those zones.

Because most of the learner data is managed at the school level in the UK, this issue became clearest to us there. To address this need, we created our Envoy product and the concept of “Managed Virtual Zones”.

Managed Virtual Zones allows an organization to create a “Virtual SIF Zone” from a group of other SIF zones. For example, 20 school SIF zones could be grouped together forming a single Local Authority Virtual Zone. An application hosted at the LA could register in that zone instead of connecting separately to all 20 school zones.

The Managed Virtual Zone administrator would then only need to administer one set of permissions for the LA application. There are many other advantages; you can read more about the technology in Scalability and Reliability.

Tools for IT Professionals

Microsoft has two products with which our products integrate:

• Systems Center Operations Manager (SCOM)
• Systems Center Essentials (SCE)

Both of these products can be bundled with our software (partially configured) or can be purchased directly through Microsoft. SCOM is the version directed at very large deployments where SCM is a smaller version for smaller deployments.

Functionally, the parts of the functionality we use lie within the intersection of the two products, so as far as features go, either would work equally as well; the choice of which to choose would depend on the size of your organization. For the sake of the rest of this discussion, we will refer to SCOM.

SIF to Microsoft Operations Manager

This is perhaps the more obvious use of the Operations Manager. In this scenario, we set up management packs in SCOM to monitor the SIF components, such as the ZIS push service, shown here:

By using SCOM to monitor things like the individual ZIS web servers, for example, we can use it to automatically re-balance the server farm when one of the servers goes down and alert an operator that it has happened.

Using SCOM to monitor the database, we can look for low disk space conditions or see when a web server is being over-utilized.

Microsoft Operations Manager to SIF

In the United Kingdom, individuals at the schools are formally held responsible for maintaining the privacy of the data stored at their institutions. Two roles are defined within the school which have distinct purposes (taken from Becta policy):

• The Senior Risk Information Officer (SIRO): The SIRO will own the information risk policy and risk assessment, act as an advocate for information risk on the board and in internal discussions, and provide written advice to the Chief Executive on the content of the Statement of Internal Control relating to information risk.
• The Information Asset Owner (IAO): These IAO’s will be required to take appropriate actions to:
  • Ensure the confidentiality, integrity, and availability of all information that their system creates, receives, maintains, or transmits and protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  • Conduct risk assessments on their system(s) and participate in an Annual Information Risk Assessment.

These two types of roles are usually filled by people at schools; the SIRO is typically the head teacher (or principal) and the IAOs are often department heads (teachers). Most of the times, these people do not have IT backgrounds and a tool such as Operations Manager would not be the most appropriate type of interface.

So, we feel that it would not be the best idea to send sensitive learner data into such a tool so that it could be analyzed by SIROs and IAOs through the SCOM interface.

Information Managed in the School

In the school, people who hold these roles need to manage two types of information:

1. Student and teacher-related information. This is the type of information typically transported through the SIF infrastructure.
2. Some system related information: events such as users account privilege level being elevated, admin password is reset, new computer joins the network, or someone is added to the “remote users” group. These would be events that might indicate potential risks, but not everyday events such as a teacher logging in or a service starting.

What if Something Happens?

As we will show below, we’ve created a set of tools designed specifically for the school-based staff. These tools provide quick and non-technical user friendly access to events that have been audited by the ZIServer Zone Integration Server.

By adding SIF functionality to SCOM, we can take selected system events (such as the ones mentioned above) and turn them into SIF_LogEntry messages. This will cause them to be fed into the ZIS so that when a SIRO or an IAO does an audit search, the system related events will be co-mingled with the data events.

An example:

A security breach is being audited where information about a pregnant student was disclosed. It is known that it occurred Tuesday afternoon between 2PM and 4PM.

A search of the audits is done. The time stamp information entered sets begin equal to 1PM that afternoon and ends at 5PM and the text has “pregnant”. The individual messages are returned. We then search again during the entire day for system related events and see that at 4AM someone granted a strange login membership to the “remote users” group and then at 5AM, the same user was made an administrator. We also see whose account was used to do this and from which workstation.

The SIRO did not need to sift through thousands of unrelated messages or use an interface that takes days of training. The answer was reachable in a matter of a few minutes. If a field was encoded, a complete description of its value was available by hovering the mouse cursor over the code value. The interface was made for the typical person in the user role.

Tools for Educational Professionals

As described in the example above, we’ve created a set of tools for Educational Professionals to allow them to:

1. Look at how their SIF environment has been set up and determine if it meets the requirements and policies of the school
2. In the event of a breach, be able to quickly find out what has happened through a simple interface

This first screen is used by the SIRO or an IAO to show him or her how the ZIS is configured.

This application uses “single sign on” (SSO) if available; if not, you will be required to sign on. From there, the application will determine your user role and for which zones and SIF agents you have responsibility.

At the top of the screen is a dropdown box showing the SIF Zones you work with. It might be reasonable that a single school would be set up with more than one SIF zone (see discussion on use of “raw zones”), so a SIRO may have more than one Zone from which to choose.

Under the dropdown box is a list of SIF agents registered in that zone that the signed in user is responsible for (it may not be the complete list of agents in the zone). It will also show how many SIF objects it provides and how many it subscribes to and if auditing has been shut off for that agent.

(click on the image to see a full-sized screen shot)

When the agent is selected, a list of the objects that the agent supports appears below it, along with a description of the object and the number of restrictions. These restrictions are identified as ‘blocked’ in the detailed list next to the security level.

The security level is defined by policy – this policy may be defined by country-wide, regional or local standards. In this example, certain fields are assigned “L1” for “mildly sensitive” and “L2” for “highly sensitive”. Having the fields show in different colors is an added indicator to the user that these fields have added privacy significance.

(click on the image to see a full-sized screen shot)

Also note that “IDEA”, “Migrant”, and “EconomicDisadvantage” are checked – this means that those data elements will not be delivered to this agent. Lastly, when we took this screen capture, the mouse cursor was hovering over the “AcceptableUsePolicy” element name. This is why the description of that field appeared in the pop-up box.

The sample above was taken from our AU lab ZIS (this is why the Agent names are so similar and why they subscribe to so many objects). In a normal school environment, the Agent names would be more closely related to the applications they represent.

The other function needed by educational administrators (data asset owners) is an ability to know where data has gone in the past and be able to get to it in a quick and straightforward way. This has to be secure (role based), so that the data is limited, restricted to only that information permitted to be seen by the account accessing it.

At the top of the screen are a set of search boxes that allow the user to enter search criteria. In this example, we enter that we want to see all messages generated on Sept 16th that contain the string “IDEA”.

The interface returns two lists of messages: the top list shows “audit messages” and the bottom list shows “error messages”. When we click on the 5th item in the list to see more, a new window opens…

…containing the message details.

Significance of Operations Manager

To bring attention back to a point made earlier, the messages in this audit trail are ordered in time sequence. When anything such as an intrusion is being investigated, the more context that is available, the more helpful the combined information will be.

Networks

The SIF specification supports many different security models. If all applications are securely behind the same firewall on the same LAN or connected remotely over a VPN tunnel, HTTP may be used to pass data between them.

If not connected locally, they should use HTTPS and digital certificates to pass data and digital certificates so that each side can trust the identity of the other side.

Digital certificates may be acquired through a third party authority such as Verisign, Thawte or Comodo (or others) or may be issued locally through the use of Windows Certificate Services.

Using Certificate Services

If a ZIS or an application services provider is going to have many connections, they may choose to issue certificates using Windows Certificate Services. These would be installed on the ZIS or agent web site and a copy of the certificate would be sent to the administrator of the agent on ZIS on the other end of the connection who would import it as a trusted certificate.

Setting up Remote SIF connections

SIF allows four different types of remote (HTTPS) connections:

• No authentication required and a valid certificate does not need to be presented.
• A valid certificate must be presented.
• A valid certificate from a trusted certificate authority must be presented.
• A valid certificate from a trusted certificate authority must be presented and the CN field of the certificate's Subject entry must match the host sending the certificate.

Although we have seen implementations of all four of these, we only recommend the fourth mode in this list (known as “Authentication Level 3”).

This means that a certificate has been issued on both sides of the connection and that the “Common Name” from the certificate is known in both the ZIS and agent software. This also means that whenever a message is received, the receiving software checks the incoming message to make sure that its certificate has the correct CN value. This prevents “spoofing” and gives the highest level of protection available.

Summary

In summary, data privacy is best maintained by:

1. Not publishing the data you don’t need to publish in the first place
2. Only publishing what is needed by each application that receives it (choke off what is not needed by a subscriber at the ZIS)
3. Make sure that if the data is moving off-site that it is encrypted and that both ends have used digital certificates to identify each other.
4. Know beforehand where the different types of data can go
5. Know beforehand who has access to sensitive data and make sure they have been properly background checked
6. Keep track of what data has been distributed and where it has gone (keep accurate, full audits)
7. Have the necessary tools so that the people with the proper access authority can get to the audits if and when they are needed. In an emergency, you don’t want to need to resort to bringing in a third party just to read the audits (see number 4 above).

Yes, there are many, reasonable measures that can be put in place to ensure the privacy of learner and teacher private data. Do you have other thoughts? Leave a comment…