How to protect sensitive student data

How to protect sensitive student data

It’s a given that schools are repositories  for vast amounts of student and teacher data. Unfortunately, this information constitutes an incredibly attractive target for cybercriminals.

Cloud access security brokers (CASBs) have emerged as the solutions of choice for schools seeking to bridge the security gaps left behind by cloud app vendors. 

A complete CASB  platform contains four key elements. These are threat protection, data protection, identity management, and visibility – for any application, any device, anywhere. 

Threat protection

Instead of responding after a breach has already occurred, CASBs can proactively monitor for threats and employ remediation actions in real time. For example, user and entity behaviour analytics (UEBA) generate baselines for standard user activities in order to detect and respond to anomalous behaviours as they are occurring. In addition to the above, leading CASBs are able to detect zero-day malware as it is uploaded to applications, downloaded to devices, or at rest in the cloud. 

Data protection

A complete CASB provides advanced capabilities like cloud data loss prevention (DLP), encryption for file-and-field-level data, and much more. While traditional tools offer a limited range of policy actions, CASBs are context-aware and flexible in extending access to data, meaning that corporate information is protected wherever it goes. 

Agentless CASBs also support Bring Your Own Device (BYOD) and protect data on any mobile endpoint. This is done through secure transmission, content-aware DLP, and device controls like selective wipe. With an agentless architecture, no software installations are required, meaning that user privacy and device functionality are preserved. 

Identity and Access Management

Whether it is offered natively or obtained through integrations with existing tools, identity  and access management (IAM) is a core component of any leading CASB. Comprehensive IAM can be used in place of a number of disjointed features, ensuring simplified account provisioning, a streamlined user experience with single sign-on (SSO), and decreased operational overhead. 


CASBs scrutinise web traffic to identify the unsanctioned applications, or shadow IT, that employees are using. While  blocking all shadow IT might seem like a sound strategy, employees will often work around it by using different apps or networks. As such, CASBs offer a variety of remediation options. Organisations can determine whether they want to enable discovered apps, block them, coach users to sanctioned alternatives, or render them read only in order to prevent uploads of corporate data. 

A balancing act: IT vs. Teacher 

The rise of cloud and mobility has created numerous  cybersecurity challenges. Chief amongst them is the struggle to ensure that data is protected without taking draconian measures that will frustrate the employees who use said data. As such, the use of cloud apps and personal mobile devices must be safely enabled in organisations rather than prevented. Attempting the latter will alienate employees and keep them from using the most efficient, flexible tools for performing their work – a disadvantage for any organisation. Additionally, as previously mentioned, agent-based security tools do little to address the needs of teachers – they inhibit privacy, productivity, and flexibility. 

Educational institutions must deploy complete solutions that enable threat protection, data protection, identity management, and visibility on any app and any device – without the use of agents. In particular, schools need an agentless CASB that meets the needs of IT and teachers, enabling privacy, compliance,  mobility, and security wherever data goes. 

However, in addition to leveraging the latest technology, schools must also develop policies, cultures, and trainings that can help make cybersecurity a top organisational priority. 

David Shepherd is the Vice-President of Sales for Asia Pacific and Japan at Bitglass, a cloud computing service provider.