The Challenge of Protecting School Information Across Multiple Platforms

As school information becomes fragmented on personal mobile devices and cloud storage spaces, large districts are grappling with how to protect and restore data when an incident happens.

Since January 2011, data loss incidents are known to have occurred in 22 school districts, exposing over 67,500 records, according to the DataLossDB project from the Open Security Foundation. Four of those breaches happened in 2012 as a result of stolen laptops, accidental publishing of personal information on websites and security fraud from an internal malicious source.

Kentucky's largest school district, Jefferson County Public Schools in Louisville, Ky., has had a few data, production system or security breaches, said Whitney Roberts, manager of platform services for Jefferson County Public Schools. In these incidents, unauthorized data has left the district or shown up in a place it shouldn't.

Multiple platforms present data challenge

One of the major problems for large districts is knowing what student, staff and production system data exists and how to find it, Roberts said. Jefferson County Public Schools has more than 100,000 students and 13,000 employees, and it handles several hundred terabytes of data.

"We have a lot of challenges around wrangling all of the intellectual property that belongs to the school district back into one place," Roberts said. "It's not so much a control issue as it is a data protection issue. Just making sure that we can plan for redundancy and availability, and we can actually back up and restore it when something happens. … That's probably one of the biggest challenges that we have faced over the past several years."

With such a large and diverse school population, personal information is going into the cloud and is stored in personal mobile devices, thumb drives and is handled by contractors. It's hard to recover information when it's not in a central location.

"We knew we had to do something because we could not get our hands on the data otherwise; it was spread out over way too many places," Roberts said.
 

Centralizing data

In 2008 and 2009, the Kentucky district started centralizing its data. Part of that effort involved using FalconStor data protection and virtualization software. 

"We have had some things crop up. But because we have the ability to mirror our data now and to locate it across disparate storage devices and storage solutions, the data availability to our applications has really been genericized," Roberts said. "So it's actually helped us in several scenarios."

Another part of this effort involved standardizing operating systems, platforms, virtualization stacks, storage stacks and disaster recovery methodologies. The district also standardized development tools, databases and other things between infrastructure and production.

"We've tried to standardize everything as much as we can and flatten the stack," Roberts said. "That has created an environment for us where it makes us much more agile. It makes it much easier to accommodate business-level requests in a timely manner and perform problem resolution, because everything fits a standard."

School district environments as a private-sector enterprise

Because school districts are publicly funded and are frequently targeted in budget cuts, sometimes they don't choose products or start initiatives with a view of what those resources will do for them three years down the road, Roberts said. Instead, they choose the cheapest options available today.

That strategy inhibits district leaders from taking a big picture view of the total cost of products or initiatives, Roberts said.

"We need to look at the private sector for inspiration in the public sector," Roberts said. "Meaning that we need to look at best practices, industry standards, and emerging technology trends and adopt them based upon the lessons that the private sector has learned, because those are the people who live on a profitability margin in a do-or-die scenario. I think that public-sector entities can become a lot more competitive when they do that and be a better guardian of the public trust as a result."