The Family Educational Rights and Privacy Act (FERPA) is a Federal law originally enacted in 1974 that protects the privacy of student educational and personal family records. FERPA grants parents specific rights with respect to their children's educational records and access to review or comment on the results. Educational institutions must have written permission from the parent or eligible student in order to release any information from a student's educational record. FERPA also allows schools to disclose those records to the following parties without consent, but provides provisions that educational institutions must protect against the misuse or inappropriate access to student records.
Challenges Educational Institutions Face When Trying to Protect Access to Student Records
Traditionally, educational institutions have always found it difficult to find funding for large scale security solutions. In addition, many organizations consider their student networks apart of the public internet and provide no protection capabilities from traditional threats (they may offer free AV but not proper segmentation and isolation capabilities). This leaves strategic initiatives within an environment to focus strictly on the backend systems as specified by FERPA. Protection of an individual’s records on their personal devices is not covered by the mandate. Therefore, best practices to protect privileged access to student records and vulnerability management of operating systems and applications falls within the IT and Security staffs realm for management.
The challenge is not keeping the databases locked down, or installing patches, but answering the question: Who should have access and for how long?
Typically, these controls are very loose in educational intuitions due to the variety of access required and by all approved entities. This may include stale user accounts, non-rotating passwords, legacy applications with no support, or even custom applications written by students or faculty to access information. All of these create environmental concerns that lead to poor IT management controls and risks to the data being accessed inappropriately.
In the end, FERPA requires protection to this information but fails to provide the necessary checks and balances – like PCI DSS in the payment card industry – to ensure organizations are making good security decisions to protect the information.
3 Steps to Stop Insider and External ttacks Against Information Technology Assets
There are several steps educational institutions can take to better protect access to student records, here are my top 3 recommendations:
- Privileged Access Management – Implement a strategy (and if needed a technology solution) to remove administrator rights from all backend and supporting user systems. This implies segmented access via proxy or password safe technology complimented by least privileged with full session monitoring, auditing, and reporting.
- Vulnerability Management – Ensure whatever the asset is; from operating system and application, to router, switch, and HVAC all security patches are applied and tested regularly for new threats.
- Education – Ensure team members are educated on the latest cyber security threats from ransomware to phishing. Once teams understand how modern (and legacy) attacks occur, they are better prepared to architecture, configure, and defend against them within the intuition. BeyondTrust has partnered with multiple education institutions like Embry-Riddle, providing free information technology security training videos to help staff and students understand the latest security threats and architectures to protect against them.
Where to Start
For any educational institution’s IT department, I would recommend following security best practices from SANS or even PCI. These frameworks can be easily adopted to protect the crown jewels (student information) from would-be hackers and provide a consistent process for identifying threats and securing the information. For example, treat student information just like credit card information, and:
- Limit access and log all activity
- Encrypt the data at rest and in transit
- Split critical information like SSN numbers across multiple databases
- Perform regular vulnerability assessments and pen tests
- Limit administrator access
- Have network and application segmentation
Learn how the University of California San Diego Keeps Focus on Collaboration with PowerBroker in this case study.
Then, the risks to the personally identifiable information can be minimized and secured against hacks. For more information on how BeyondTrust can help your educational institution better control access to student records, contact us today, or check out one of the many case studies where customers used BeyondTrust to secure against hacks and data breach threats.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
