Data talk: To protect and to server

As the GDPR dust settles, Sophie Beyer has her head in the cloud…

Schools, colleges and universities have to alter how they operate when they adopt the cloud, and also with the advent of the GDPR. Clouds, too, are subject to disruption by future technologies, and changes in law.

Does GDPR now mean that more, or less, of education’s data is in the cloud? Phillip Wicks of LogPoint argued that it’s almost too early to say: “In general the majority of HE establishments are starting to look at cloud storage as an option. But there are many where it won’t be appropriate for them, if they have lots of intense data analysis or high-value copyright material. It’s about perception of risk and how they decide to manage it.”

Rachael Hartley from Cognizant said that GDPR has brought clarity to data security within the cloud: “GDPR will not delay cloud adoption, but simply provides clear regulations with which to frame the division of responsibilities for data within the cloud.”

This clearer accountability around data will have made the cloud less opaque for some. 

Professor James Davenport of the University of Bath agrees that GDPR has brought clarity and predicted that, “Cloud for data sharing will certainly grow for HE; there are enormous advantages in terms of collaboration and cooperation [but] part of the problem for education, is that it doesn’t segment neatly by institution, particularly when it comes to research.” 

Education’s different needs, and continuing perceptions of the cloud as risky, has resulted in a mix-and-match approach. Rachael Hartley explained it well: “While each service has its own adoption curve, a hybrid environment is emerging whereby some services (and supporting data) are provided locally by the institution, with others hosted in the cloud. In addition, the wide availability of cloud services direct to the individual, coupled with the slower update of services owned by organisations, is leading to a new type of ‘shadow IT’ within institutions where data can be further distributed. The journey to adoption can be difficult to navigate and measurable benefits can be difficult to achieve in the short term. However, in the long term, the benefits to educational organisations can be huge.”

The University of Bath has a robust policy on data storage. In common with other universities though, collaboration between institutions happens using public cloud services. The biggest problem is not that these companies are faulty, but that people are, said Professor Davenport: “It’s so powerful, and so dangerous, so easy to impersonate and subvert. Fake messages are a good way to get malware on people’s computers.”

Proprietary cloud services also have limits though, and much depends on how they are used. “The cloud will almost certainly not lose data for you, but you can certainly lose data in the cloud,” said Professor Davenport. The key point in how secure the data is, is the interface between institution and cloud provider.

GDPR, then, has brought another layer that individuals and institutions must consider before they choose a cloud, but have the merits and demerits of the cloud remained much as they ever were? RM Education’s Steven Forbes recognises the importance of this interface and the extra controls the cloud offers. He argued that: “There’s no reason that cloud is any less secure than the way [schools] operate on their premises today. In the cloud you can put additional controls over data and revoke access if you feel it is not secure.” RM Education has interface features such as multi-factor authentication which provide simple but powerful layers of security, and AI can provide further checks.

Education can take other steps to mitigate the perceived risk of the cloud. Machine learning offers additional layers of awareness, said Phillip Wicks: “LogPoint is almost like surveillance, looking at exactly what is happening within your system. Whether those systems are ones you control yourself, or whether you have outsourced to a cloud provider. It will analyse what is happening across your network and alerts to something which is out of the ordinary, when you need to take some kind of action.” 

Future technologies then, are enhancing the controls within the cloud, but also bring the potential for disruption. Companies such as Educhain, Gradbase and Storj are exploring blockchain as a data record or cloud. Dr Paolo Tasca, founder and Executive Director of UCL’s Centre for Blockchain Technologies, explained: “Blockchain can be described as a group of ‘blocks’, which are chained together and constitute an encrypted digital ledger that is stored in a number of computers, the nodes of the system. In brief, blockchain is a secure and transparent distributed database where files [could be] broken up in a number of pieces, encrypted and stored in hard drives, located all around the globe without the need to resort on centralised third-party storage providers like Dropbox, Google Drive or Amazon. For these reasons, this model is said to be more secure, privacy oriented and cost efficient as compared to centralised systems.”

A major stumbling block to blockchain data storage is that it is immutable, so is blockchain compliant with GDPR’s right to be forgotten? Dr Tasca said: “This is a problem that seems difficult to overcome for all blockchain systems, including those in the field of data storage. Some have pointed out, however, how blockchain technology could provide at the same time a useful tool to comply with the GDPR.” It could be worth solving this conundrum, as Dr Tasca argued that blockchain may cause a paradigm shift: “If the cloud and blockchain technologies were successfully integrated in education, chances are it might generate a collaborative environment between students, schools and the industry that could favour innovation. This will bring us towards a meta-university model: a kind of transcendent, accessible, empowering, dynamic, communally constructed framework of open materials and platforms.”

How far GDPR will affect education’s adoption of the cloud, and whether blockchain will become compatible with GDPR will become clearer with time. GDPR may have been the biggest change in data storage recently, but there are plenty more changes to come.