
Cybersecurity for Education SaaS - EdTech

Educational Technology, or “EdTech”, is a discipline of technology focused solely on the development of Software as a Service (SaaS) to improve student learning. Although EdTech sounds field-specific, its impact is far-reaching, as education, or even the lack of it, touches everyone’s life. This blog will dissect how cybersecurity intersects with EdTech.

Defense-In-Depth

You wouldn’t rely on floodlights as the only mechanism for securing your home from burglars, so why would you rely solely on an anti-virus solution to protect your entire IT infrastructure from threat actors? The secret to achieving a robust cybersecurity program is that security must be woven into every angle of your environment in such a way that each control complements the others. This is formally known as “Defense-in-Depth”: a strategy used to eliminate single points of failure.

For instance, EdTech software platforms specifically must consider how students submit assignments. Is there a public-facing portal that could be brute-forced? Could student logins be hijacked, or their connections intercepted and manipulated? Are your backend databases that contain student records externally accessible? Defense-in-Depth is all about slowing down an attacker and making your business less enticing to attack. This approach is reliably effective in preventing, deterring, and detecting cyber-attacks because an attacker has numerous “layers” to overcome before completing their objective.
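The brute-force question above is where one of those “layers” sits. The following is an added example, not code from the original post or from Silent Sector, of a per-account login throttle for a student portal: after a set number of failed logins the account is locked for a period that doubles with each further failure, so a guessing attack is slowed to a crawl even if the password itself is weak. The thresholds, the fake clock and the demo credential store are all constructed assumptions.

```python
"""Per-account login throttling with exponential lockout (added example)."""
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # failures before the first lockout (assumption)
BASE_LOCKOUT_SECONDS = 30   # first lockout length; doubles per further failure
MAX_LOCKOUT_SECONDS = 3600  # never lock longer than one hour (assumption)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginThrottle:
    """Tracks failed logins per username and enforces lockouts."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so the behaviour can be tested offline
        self._accounts = {}      # username -> AccountState

    def _state(self, username):
        return self._accounts.setdefault(username, AccountState())

    def is_locked(self, username):
        return self._clock() < self._state(username).locked_until

    def seconds_until_unlock(self, username):
        return max(0.0, self._state(username).locked_until - self._clock())

    def record_failure(self, username):
        st = self._state(username)
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            # exponential backoff: 30s, 60s, 120s, ... capped at MAX_LOCKOUT_SECONDS
            exponent = st.failures - MAX_FAILURES
            lockout = min(BASE_LOCKOUT_SECONDS * (2 ** exponent), MAX_LOCKOUT_SECONDS)
            st.locked_until = self._clock() + lockout

    def record_success(self, username):
        # a successful login clears the failure history for that account
        self._accounts.pop(username, None)


def attempt_login(throttle, verify_password, username, password):
    """Return 'locked', 'ok' or 'denied'. verify_password is the real credential check."""
    if throttle.is_locked(username):
        return "locked"          # do not even evaluate the password while locked
    if verify_password(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"


class FakeClock:
    """Constructed clock so the demo and tests do not have to sleep."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


# constructed credential store for the demo only; never store plaintext in real systems
CONSTRUCTED_USERS = {"student42": "correct horse battery staple"}


def demo_verify(username, password):
    return CONSTRUCTED_USERS.get(username) == password


def simulate_brute_force(attempts=8):
    """Run a constructed run of wrong guesses; return outcomes and remaining lock time."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    outcomes = [attempt_login(throttle, demo_verify, "student42", f"guess{i}")
                for i in range(attempts)]
    return outcomes, throttle.seconds_until_unlock("student42")


if __name__ == "__main__":
    print(simulate_brute_force())
```

One caveat a practitioner would want: a purely per-account lockout lets anyone who knows a username lock that student out, so in production this control is paired with per-source-IP throttling and with monitoring of the lockout events themselves, which are a cheap, high-signal indicator of password guessing against the portal.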

For those seeking to validate that their controls can stand up against a real attack, Silent Sector also offers penetration testing for our clients to simulate real-world adversarial tactics. We then walk them through what we did and how they can improve their EdTech platform’s security.

It is important to recognize that Defense-in-Depth necessitates considering users, because technological controls are not 100% effective. Unfortunately, the human element is often neglected when designing a cybersecurity program. However, employees are instrumental in protecting an organization, as they are the ones interacting daily with the IT systems, email, and data records. Proper training can equip them with the right mindset to identify phishing attacks, probing threat actors, inherent procedure weaknesses, and other activities that are precursors to attacks.

Security Domains to Consider

  • Physical
  • Endpoint
  • Network
  • Application
  • Data
  • Personnel Training


Keep Digital Compliance at the Forefront

Compliance is one of the major priorities schools strive for so they can qualify for federal funding, and their EdTech programs must uphold that compliance. Because EdTech solutions are fully hosted on the vendor’s or a cloud provider’s infrastructure and are accessible from anywhere, they raise data security concerns. This is expected, since storing data on a 3rd party’s equipment means giving up some control over how it is protected. Concepts such as data localization also come into play, since data hosted in the USA falls under a myriad of regulations that differ vastly from those governing data hosted somewhere like Europe. In the USA, the Family Educational Rights and Privacy Act (FERPA) requires educational institutions to protect student records.

The pandemic complicated matters when regulations like the Americans with Disabilities Act (ADA) were overlooked because educational institutions quickly onboarded EdTech platforms to support remote learning without fully vetting their information security. The ADA “requires maintaining the confidentiality of employee medical information and this may include COVID-19 related data.” It is imperative that your institution fortifies its data ingress, egress, and storage locations to protect against lurking threat actors.

Silent Sector recommends that our clients take the initiative to review how their personnel and student data is protected by 3rd parties, because cybersecurity for software companies is not yet enforced by legislation. Additionally, your organization could be penalized when your students’ records are in the possession of a vendor who has little to no security.

Automate the Tedious Tasks

Basic IT security tasks are often overlooked due to their repetitive nature, but they are essential. For example, operating system and application patches are released often, and manually applying every patch to every workstation, server, or application is not realistic. Yet not patching positions your organization as a prime target for attacks like ransomware, with all their detrimental side effects.

Automating patches goes hand in hand with other IT tasks like creating up-to-date and functional backups. Consider scheduling mission-critical data to be remotely backed up on a regular interval. This way you do not have to worry about losing sensitive data, whether to a natural disaster or to a ransomware gang that targets you. Automation also addresses the human element mentioned above, because automating a task such as device deployment ensures devices are securely configured from the moment they are deployed.

It is also worth mentioning that automation brings a valuable side benefit: it reduces the time spent on repetitive operational tasks so that your team can focus on more complex topics instead. Other security domains, like vulnerability scanning, should also be scripted so that your team is quickly made aware when vulnerabilities that pose a risk to your organization exist.
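The text asks for backups that are both scheduled and functional; a backup nobody has verified is not a control. The following is an added example, not code from the original post or from Silent Sector, of the two scripted steps: taking a backup and recording its hash and timestamp in a manifest, then a check that flags any backup that is missing, no longer matches its hash, or is older than an assumed 24-hour limit. The manifest layout, the file names, the sample student records and the epoch times are all constructed.

```python
"""Scheduled backup with integrity and freshness verification (added example)."""
import hashlib
import json
import tempfile
import time
from pathlib import Path

MANIFEST_NAME = "manifest.json"
MAX_AGE_SECONDS = 24 * 3600   # assumption: nightly backups, flag anything older


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(backup_dir):
    p = Path(backup_dir) / MANIFEST_NAME
    return json.loads(p.read_text()) if p.exists() else {}


def save_manifest(backup_dir, manifest):
    (Path(backup_dir) / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))


def run_backup(source, backup_dir, now=None):
    """Copy one file into backup_dir and record its hash and time in the manifest."""
    source, backup_dir = Path(source), Path(backup_dir)
    now = time.time() if now is None else now
    backup_dir.mkdir(parents=True, exist_ok=True)
    dest = backup_dir / f"{source.name}.{int(now)}.bak"
    dest.write_bytes(source.read_bytes())
    entry = {"backup": str(dest), "sha256": sha256_of(dest), "created": now}
    manifest = load_manifest(backup_dir)
    manifest[str(source)] = entry   # keep the latest backup per source file
    save_manifest(backup_dir, manifest)
    return entry


def verify_backups(backup_dir, now=None, max_age=MAX_AGE_SECONDS):
    """Return {source: problem} for every backup that is missing, corrupt or stale."""
    now = time.time() if now is None else now
    problems = {}
    for source, entry in load_manifest(backup_dir).items():
        path = Path(entry["backup"])
        if not path.exists():
            problems[source] = "missing"
        elif sha256_of(path) != entry["sha256"]:
            problems[source] = "corrupt"      # bit rot, tampering or ransomware touched it
        elif now - entry["created"] > max_age:
            problems[source] = "stale"        # the scheduled job did not run
    return problems


def demo():
    """Constructed scenario: two record files, one backup corrupted, one left stale."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src_dir, backup_dir = root / "records", root / "backups"
        src_dir.mkdir()
        grades = src_dir / "grades.csv"
        roster = src_dir / "roster.csv"
        grades.write_text("student_id,grade\n1001,A\n1002,B\n")   # constructed sample data
        roster.write_text("student_id,name\n1001,Student One\n")  # constructed sample data
        t0 = 1_700_000_000.0                                       # constructed epoch time
        run_backup(roster, backup_dir, now=t0)
        latest = run_backup(grades, backup_dir, now=t0 + 3600)
        # simulate storage-side tampering after the grades backup was taken
        Path(latest["backup"]).write_bytes(b"student_id,grade\n1001,F\n")
        # the check runs 25 hours after t0: roster is stale, grades no longer match
        problems = verify_backups(backup_dir, now=t0 + 25 * 3600)
        return {Path(k).name: v for k, v in problems.items()}


if __name__ == "__main__":
    print(demo())
```

In practice `run_backup` would be the cron or scheduler job and `verify_backups` a second job whose non-empty result pages the team; the two jobs are separate on purpose, so that a failure of the backup job itself is noticed rather than silently producing nothing.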

SaaS cybersecurity and compliance are major concerns that can be overcome with proper consulting. For instance, cybersecurity firms like Silent Sector can execute web application penetration testing to uncover any weaknesses in how an EdTech app behaves, thus avoiding a breach and a FERPA violation. Interested in hearing how to vet EdTech platforms or secure your own EdTech company? Contact Silent Sector today to learn more.

About the Author

Written by Haidon Storro

Cybersecurity Research & Content Manager, Silent Sector -- Haidon Storro is a Cyber Security Analyst for CVS Health. She has her BS in IT Cyber Security as well as security certifications like CompTIA Security+ and ISC2. While Haidon is newer to the security community, she has dedicated herself to learning as much as she can through internships, online courses, and conventions like DefCon. In her free time, she enjoys reading about new advancements in technology, going to security meetups and participating in cyber defense competitions. One of Haidon’s goals is to make the connected world safer by bridging the human aspect with technology.