New Hampshire-based company EduLok promotes a two-pronged approach to safeguarding sensitive data

With data security breaches continuing to plague higher education, a New Hampshire company called EduLok is promoting what it calls an “unhackable” system for safeguarding sensitive information.

EduLok’s new system, announced in August, reportedly takes a two-pronged approach to securing campus networks and data: (1) It fragments the information stored in campus databases and disperses it across multiple EduLok servers located around the world, and (2) it requires multifactor authentication for students and staff to retrieve this information.

EduLok says its system eliminates the need for user names and passwords, which can be cumbersome to remember and easily hacked. Instead, students and staff would use a PassKey—either a USB token or a mobile app—and a Personal Identification Number to access the data.

Here’s how the system works, according to EduLok: When a student or staff member inserts a USB token into a computer and tries to access the campus network, or logs into the network using a special mobile app, this action initiates a “conversation” with an EduLok server, which asks the user for his or her PIN.

If the PIN matches the number associated with that PassKey, the user is granted access. Then, as the user requests information, these data are retrieved from multiple EduLok servers, reassembled, and delivered to the user.

Many data security breaches in higher education occur when someone hacks into a campus database, said Gerry Texeira, director of product management for EduLok. By fragmenting and dispersing information across multiple servers, “there is not a single database where hackers can get this information,” he said.

And because authentication isn’t taking place through a campus portal, but behind the scenes, EduLok’s system also “eliminates the possibility of phishing or ‘man in the middle’ attacks,” Texeira claimed.


The standard edition of the system costs $1 per user, per month, and uses a mobile app as the security token. A more robust version costs $3 per user, per month, and includes physical PassKeys, as well as two “service keys” (master keys). These costs include all onboarding services for setting up the system, Texeira said.

If users lose their PassKey, they can go to a self-service EduLok portal to deactivate this token, and campus administrators would issue a new one. There is no personally identifiable information contained within a PassKey, Texeira said—and a thief would have to know the user’s PIN in order to use it.

Paul Howell, chief cyber infrastructure security officer for the Internet2 initiative, called EduLok’s fragmentation of data “an interesting approach.” He noted that Google uses this approach to secure the data stored on its servers as well.

“If a server is compromised, and only parts of a file are there, then you don’t risk revealing the full contents of the file,” he said.
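How much a single compromised server reveals depends on how the fragments are produced. The following is an added example, not EduLok's or Google's code (the article does not describe their method): it contrasts plain chunking with an n-of-n XOR split. The sample record, the function names and the three-server count are constructed for illustration.

```python
import secrets

def stripe(data: bytes, n: int) -> list[bytes]:
    """Naive fragmentation: cut the record into n contiguous plaintext chunks."""
    size = -(-len(data) // n)  # ceiling division
    return [data[i * size:(i + 1) * size] for i in range(n)]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_xor(data: bytes, n: int) -> list[bytes]:
    """n-of-n split: n-1 random shares plus one share that XORs back to data."""
    shares = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    last = data
    for share in shares:
        last = xor_bytes(last, share)
    return shares + [last]

def combine_xor(shares: list[bytes]) -> bytes:
    """XOR all shares together; with every share present this yields the record."""
    out = bytes(len(shares[0]))
    for share in shares:
        out = xor_bytes(out, share)
    return out

def missing_share_for(known: list[bytes], candidate: bytes) -> bytes:
    """Return the share that would make `known` reconstruct to `candidate`.

    Such a share exists for every candidate of the right length, so the
    known shares alone cannot tell the real record from any other.
    """
    return xor_bytes(combine_xor(known), candidate)

# Constructed sample record (hypothetical, not real data).
RECORD = b"id=1001;name=Jane Doe;ssn=123-45-6789"

if __name__ == "__main__":
    # Plain chunking: the third "server" holds the SSN in the clear.
    print("striped fragments:", stripe(RECORD, 3))
    # XOR split: each share on its own is random-looking bytes.
    shares = split_xor(RECORD, 3)
    print("one XOR share:    ", shares[0].hex())
    print("all three shares: ", combine_xor(shares))
    # Two stolen shares are equally consistent with a decoy record.
    decoy = b"X" * len(RECORD)
    forged = missing_share_for(shares[:2], decoy)
    print("same two + forged:", combine_xor(shares[:2] + [forged]))
```

An n-of-n split needs every share to reconstruct the record, so availability then depends on all of the servers being reachable.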

But this approach also raises important questions, Howell said. For instance, some researchers have contracts forbidding them from exporting their findings outside the United States. Would those stipulations apply to data encrypted and stored in overseas servers?

EduLok’s approach also raises questions about data sovereignty, Howell said. When data are stored on U.S. servers, we would expect U.S. law to apply—but when information from an American institution is stored on a server in another country, “whose laws apply?” he asked. “And, could that affect the confidentiality of the information?” This is an unsettled area of the law, Howell said, but “it’s something to track and be aware of.”

As for multifactor authentication, Howell said this practice is growing among higher-education institutions. Internet2 offers “above-the-cloud” services for colleges and universities that include multifactor authentication, such as a two-factor authentication system from Duo Security of Ann Arbor, Mich., that gives users a choice of what kind of token to use.

Howell said the key takeaway from EduLok’s system is that it adopts a “layered” approach to data security, using multiple technologies and processes to protect sensitive information.

“There is no silver bullet to data security,” he said. “I don’t look at these two approaches as necessarily better than any others.” But any kind of layered approach gives campus administrators a better chance of safeguarding their data, he noted.