2 Comments
Steve H

Why isn't "encrypted at rest" part of the discussion around remedies and prevention? MFA is fine, and all, but sooner or later someone with a legit account will try this again. Better if the data were unreadable except at the customer site (think LastPass and similar).

Andy Lombardo

Agreed 100%... This is really a good cautionary tale about the importance of defense in depth and what happens when you don't layer in controls. From MFA to encryption to DLP and anomalous activity, there were so many places where this could have been prevented, identified, or contained before the blast radius was as large as it appears. To your encryption point specifically, I had a false sense of security as a self-hosted customer, because when we've worked with PowerSchool support, if PS has needed access to student data, they've requested we perform a data pump and send it to them. When we've done that, they assure us that they scrub the data of PII, which made me feel pretty good about their access to our data, since we had to manually coordinate that data transfer. When I first heard they had an always-on remote connection, I was floored.
