Commercial organisations often describe their data as their most valuable asset. This commercial imperative does not exist to the same extent for schools and trusts, but the data protection landscape means data loss would be catastrophic.
With cyber criminals increasingly targeting the education sector, schools and trusts must be prepared to restore critical data if a cyber attack prevents access.
Having offline backup capability, and using it properly, is a requirement of the cyber threat cover included in the DfE’s risk protection arrangement (RPA).
The DfE recently added cloud solutions to their technical standards for schools and colleges, including backup requirements. We’ve updated this blog post to include information on how to ensure your cloud backup arrangements meet the new standard.
Having data in the cloud can give a false sense of security.
SaaS and cloud services take care of many of the day-to-day tasks of network management—for example, cross-platform access and updating and patching, with the bonus of access from anywhere.
It is common to assume that this convenience means that data is safe in the cloud by default. It is true that taking a simple view of security, for most schools, it will be at least as safe, if not more so, than data held onsite. However, it still needs to be backed up.
Recent advice for Microsoft 365 and Azure Active Directory users emphasises that responsibility is shared between the cloud provider and customer organisations.
Cloud providers have retention policies, but those policies do not constitute the ability to restore data and systems a school or trust would need if they lost access to pupil, staff and other data.
Which scenarios will backup protect you from?
Accidental deletion and human error
Accidental deletion and human error are among the most common form of data loss. Cloud platforms such as Microsoft 365 include some safeguards against this – such as a data retention period (typically as little as 14 days) during which a user with suitable access rights can restore files.
Data retention periods can be extended beyond the default timescale. However, the file or other data is irretrievable once the retention period expires unless you have instigated a backup process.
External threats to cloud-based apps
Cloud-hosted applications can be a point of entry for threat actors, just like natively hosted ones. Credential theft via a phishing attack or login spoofing could allow an attacker to encrypt a user's entire email account. A typical cloud-based email account would not provide any mechanism for resolving the problem. A backup of the account's inbox would be the only answer.
Internal threats to your cloud data
Every organisation should be aware of threats presented by disgruntled current or former employees. However, schools and trusts have an extra layer to contend with.
There are several instances of pupils testing out their cyber attack skills on their school’s systems. They may not appreciate the potential gravity of their actions, but the consequences can be just as serious as an attack by an external actor. With an appropriate backup in place, you can remove their access and restore the affected parts of your system.
Trouble in the data centre
The word ‘cloud’ hardly conjures up thoughts of metal, plastic, bricks, and mortar. However, your data still relies on those physical elements. Large cloud providers spread the risk to physical locations through georedundancy.
Instances of external events such as fire or adverse weather are thankfully rare, but it doesn't have to be the real thing that causes a problem. By backing up cloud data, you protect against physical disruption at the data centre and can let the service provider worry about literally putting out a fire.
DfE cloud backup standards
To meet the DfE’s new cloud solution backup standard, schools should involve their data protection officer when considering whether the cloud provider’s backup arrangements:
- backup the right data
- hold the backups in a location compliant with UK GDPR
- hold the data for an appropriate period of time
- create backups frequently enough
If the provider’s standard procedures do not meet a school’s specific requirements, you should work with your IT service provider to establish the right level of service. This could be by making your own arrangements or using a different level of provision from the cloud provider.
To meet the technical requirements of the standard schools should identify suitable backup arrangements for their cloud-based data based on:
- the data’s sensitivity and importance to normal operations
- the impact of temporary or permanent data loss
- the time it will take to restore the data from backup
- balancing the cost against need, since more frequent backups cost more while providing more recent data to restore
- using the 3-2-1 rule for critical data
Deciding which data is important
As when devising a response and recovery plan, it helps to classify data. What is mission critical, what can you live without, and what lies somewhere between? That leads to examining SaaS and cloud service agreements and responsibilities. What do MIS providers, Google, Microsoft and others do, and what are your responsibilities?
As for "natively generated data" (all the work completed by pupils, teachers and other staff), data management and classification become key. For example, programmes of learning and lesson plans are critical data and need to be backed up, as is year 11 course work for exams. The pictures from last year’s sports day may not be essential and can be left "at risk" while you deal with more important areas.
Whatever you decide, these decisions should be documented and recorded, along with the reasoning for the classification and whether it is backed up or not.
RM provides advice and services to give your school or trust the necessary backup arrangements. Contact us today to find out more.
Further reading:
RM helped Academies Enterprise Trust standardise backups across its 57 schools. Find out more in the case study.