Higher education is a sector that lends itself to big data analytics. Organisations can draw on multiple sources of education-related information – such as courses and research – and may use Web 2.0 and social media channels as part of this.
At the same time, higher education organisations are host to vast amounts of student and staff personal data, as well as being operators of on-campus businesses handling financial transactions, so big data security is also a major concern.
In this podcast, ComputerWeekly.com storage editor Antony Adshead talks with CEO of Vigitrust, Mathieu Gorge, about big data security in higher education and the key steps towards achieving it, including how data is classified, putting in place disaster recovery/business continuity and steps to legal and regulatory compliance such as the PCI-DSS regulation.
Antony Adshead: What are the key issues in big data security in the higher education sector?
Mathieu Gorge: First, we need to appreciate that the higher education sector is increasingly reliant on online capabilities to educate students. So, we see higher education organisations running universities like a business and embracing new technologies such as e-learning, social media and Web 2.0 to educate their students.
At the same time, we’re seeing services to students within the campuses evolve rapidly. It’s no longer just about providing a good education system for students, it’s also about providing services such as shops where they buy access to books, to online libraries, lunch, gym facilities, etc, which involve online payments.
They may also have access to research labs which hold information about what the students study and when. They also provide Wi-Fi, as most students today have their own tablets or use those provided by the university.
There is also the issue of information about students harvested by the higher education institution – educational information, address information, maybe medical details, parents’ financial information – which has to be protected under the Data Protection Act. And there is staff information, for example pertaining to lecturers and examinations, which is at risk of being leaked, as we’ve seen in some examples in the UK and elsewhere.
So, there is a huge amount of data kept by different lines of business within the higher education sector, and making sure that information is kept the right way has to be a priority.
Adshead: What implications for data storage and backup flow from these?
Gorge: We’ve identified that there are different types of data that need to be kept for a higher education organisation to function.
Data classification is the first port of call. The next thing is to make sure, from a network security perspective, that you implement network segregation between the different lines of business.
So, again, higher education sector organisations need to understand that this is a line of business. Treat it this way and you end up with a network for the administration of the university, a second network for the students, including Wi-Fi, then separate networks for lecturing staff and services. You start dividing the task of protecting the information and it becomes easier to put the right strategy in place.
It’s also important to remember that access to data in real time is key when the student is at the university, but also after they have left – students often need information about the subjects they studied, their results, who they studied under, the modules they took.
When you perform a data classification exercise, you need to keep in mind that information might be needed 10, 20 or 30 years down the road, so the storage of that data needs to allow you to access it quite quickly. You need to make sure that if you keep that data for a long time you protect it in the right way.
We’ve also seen a lack of preparedness in the higher education sector with regard to disaster recovery and business continuity. Because some universities are not treating their organisations as a business, they are not necessarily implementing standard disaster recovery and business continuity practices, and that is something which needs to be addressed.
So, the recommendation would be to look at the guidance provided by the ICO and by standards such as PCI-DSS, which provide good benchmarks for securing not only student data, but also data collected across the campus – credit card information, geo-location data, and so on.