Guest Expert: Exploring Storing Data Securely


By: Jenny Blaine, Security Risk Analyst, University Information Security

Even “a long time ago in a galaxy far, far away,” where people could travel at the speed of light and destroy five planets at once, they still stored data on removable media; “hackers” stole sensitive data, copied it onto a flash drive and hid it in a droid. Storing data securely presents a challenge to everyone! In these days of cloud storage, and reported data leaks and breaches, what are our best options for safely storing our personal data and the University’s data?

Step 1: Evaluate the data

Whose data is it?

If you are storing your own personal data or your family's data (tax returns, credit card numbers, family photos, friend and family contact information), it is very important to you that your data is secure, right?

The same goes for University data. If you are storing University data or legally-protected data, such as data covered by FERPA or HIPAA compliance requirements, storing that information securely is highly important. The University can be held responsible and risk substantial fines and reputational damage if that data is exposed or not adequately secured.

What kind of data is it?

There are different kinds of legally-protected data and different required options for storing that data.

The University classifies its data as public, private-restricted, and private-highly restricted (related to confidentiality), and assigns security levels of low, medium and high. The classification and the level are driven by federal laws and regulations and contractual agreements, and determine how the data should be stored and protected.

The Data Security Classification policy explains security classifications and levels in greater detail. Appendix A of the policy lists examples for the different classifications of data.

Research data can be a challenge to classify. For research data, see guidance provided by Liberal Arts Technologies & Innovation Services (LATIS). If you have additional questions about how to classify your data, contact [email protected].

It’s important to know the security classifications and levels of your data so you can store it in the right place!  

Step 2: Evaluate the potential storage options

For University data

University solutions support two-factor authentication and are backed up. Examples of “University data” include class schedules, student grades, research data, health information, credit card data, and much, much more.

Google

Google Drive: The UMN domain Google Drive is okay for storing private-restricted data such as FERPA data (student data), but not HIPAA data.

Tip: A best practice when using Google Drive for your department is to use a departmental ID as the owner of the drive, and not have individuals own departmental files. See Good Practice: How to Keep Ownership of Departmental Google Files.

Google Team Drive: Team Drive is not the best option for storing private-restricted data or confidential internal documentation because there is less granularity to restrict access to some team members and not others. Team Drive is an excellent solution for collaborative work on departmental files that do not contain sensitive information.

Box Secure Storage

Box Secure Storage is the University’s secure storage and sharing solution for private, restricted data. See the article Box: When Should I Use Box? for more information.

Tip: Should you store personal data on box.umn.edu? Best practice is to find a different option for storing your personal data that is not dependent on your University of Minnesota login credentials.

Departmental Shared or Home Drives

This is a very good option for certain types of University-owned data. Check with your department or unit’s IT staff for recommendations on best practices.

Tip: Do not store University data on personally owned devices, or on the local hard drive of a University-owned device. If you do store data on your University-owned device, back it up and protect the backup media. Work with your local IT staff or contact Technology Help to learn more about backing up your University device appropriately.

For personal data

There are many cloud-based options for storing personal data.

Google, Amazon Web Services/Amazon Prime at amazon.com, dropbox.com and Microsoft’s OneDrive are only a few of the cloud storage options available. Choose an established provider that offers two-factor authentication protection of your data, and make sure to enable it. See https://twofactorauth.org/ to see which tools support two-factor authentication and https://www.turnon2fa.com/ for what two-factor authentication is and how to turn it on in all of your favorite apps. If someone tricks you into revealing your password, two-factor authentication will protect your data.

Tip: Choose a provider that offers backups and restores of deleted or corrupted files.

Use a personal email address to create an account, not your University of Minnesota email address. Be sure to also create a different password for your personal accounts!

Whatever storage solution you are considering, help and advice are available! Check with Technology Help or your local IT staff for assistance.