Many IT leaders in higher education are excited about the potential for the cloud to improve the security of their stored data. But migrating to the cloud will not instantly improve a university’s security — in fact, maintaining adequate security during and after a cloud migration requires ongoing, vigilant effort.
The most significant vulnerability isn’t technology itself– it’s the people who use it.
A whopping 95 percent of all cybersecurity attacks happen because of human error. And with thousands of students, faculty, and administrators on campus, there’s no shortage of potential risks. It should come as no surprise that the overwhelming advice to protect any higher ed institution from cyber threats boils down to education. This matters for three main reasons:
- First, user behavior contributes to the overall security of a cloud environment. Research shows that 90 percent of cybersecurity incidents happen in part because of human error — that is, the tech didn’t fail, but someone made a bad decision. Without proper education, users could succumb to phishing attacks, share access credentials, or store sensitive data improperly, all of which could put the entire system at risk. Even tech-savvy users use unapproved apps and software, adding to an organization’s potentially risky “shadow IT” footprint.
- Second, cloud security awareness training can help manage user expectations around network performance and capabilities — and even change behavior. Users aligned with a culture of security are less likely to try to circumvent secure processes that they perceive as unnecessarily cumbersome.
- Finally, widespread adoption of and adherence to security practices is easier when all stakeholders understand the risks. For example, it’s not hard to convince students to lock their dorm rooms — they clearly understand the stakes of not doing so.
With these concerns in mind, we’ve put together a security checklist for any higher education institution considering migrating to a cloud solution, whether it’s just for email and data storage or for the entire campus IT infrastructure. Below, we outline 10 security measures to take, along with insight into why each item matters for the larger security of the campus.
1. Develop a creative plan for educating stakeholders about the cloud
A campus population of 10,000 means 10,000 unique points of vulnerability for the cloud. It only takes one person to unknowingly log in to a fake website to compromise the system. That’s why any campus cloud security strategy must include a plan for educating stakeholders about what they need to do to maintain cloud security — and what might happen if they don’t.
As you develop your educational plan, consider including the following:
- Explicit security and privacy guidelines, such as those outlined by the National Institute of Standards and Technology (NIST). It may be wise to have students sign an agreement stating that they’ve read and agree to those guidelines.
- Plain English explanations about why the guidelines are important. Most beneficiaries of the cloud won’t be IT professionals, so it’s crucial to translate potential security risks into terms lay users can understand.
- Notifications about security issues as they arise. This doesn’t have to mean that every student gets constant security system notifications, but regular communications about threats targeting users are helpful for keeping security top of mind.
- Interactive components aimed at building awareness and creating a culture of security. Education is important, but it’s only the beginning of maintaining a secure campus. The kind of training that can change behavior over the long term requires participant engagement and needs to be recurring — a “one and done” approach won’t suffice.
These efforts will likely be most successful if you work with other parts of the university to get the word out. For example, could you put together a mini quiz everyone must pass before logging into their portal at the start of each semester? Even better: could you disguise the quiz as a game? Could you run a campus-wide contest for the best way to get the word out? Lock people out of the system if they don’t complete the quiz/game/training in the time period?
Creativity in communication is crucial to drive engagement and, ultimately, adoption of security best practices.
2. Empower your institution’s IT team for the cloud
If you’re like many IT leaders in higher ed, you may have concerns about whether your team has the necessary skills to handle a cloud migration. In fact, finding qualified employees is among the top five concerns IT leaders in education have about cloud migration.
Also notable: only 17 percent of IT leaders in higher ed have led a cloud migration in the past — so if you have questions about the process, you’re certainly not alone.
Consider this an opportunity to get training for yourself and your team from the cloud provider you’re working with. Ask for detailed recommendations about necessary infrastructure changes to prepare for the cloud, as well as maintenance guidelines. Empower members of your team who will be responsible for various components to ask questions during the migration so they gain the knowledge and skills necessary to maintain the new network.
3. Make sure IT admins can control cloud products and services
During the contract negotiation process, make sure you and other IT administrators can control which cloud services and products your institution uses. This is important both to control costs and to ensure that no new products present a security threat to the campus network. After all, Gartner predicts that, by 2020, a third of all successful attacks on organizations will be on their shadow IT resources.
One popular option available to IT administrators: refer faculty and staff to a list of apps approved by the government’s Federal Risk and Authorization Management Program (FedRAMP). FedRAMP reviews cloud services for adherence to security best practices and puts vendors on an approved list. By directing users to FedRAMP or a modified list of FedRAMP apps, IT admins give them some freedom while improving the odds that the campus cloud remains secure.
4. Pay attention to third-party audit results
Third-party audits can be useful to verify that your cloud provider is adhering to the security standards established in your contract.
For higher-ed institutions, it’s often a good fit to ensure that your cloud provider complies with the standards of the SOC 2 audit. SOC 2 audits monitor the security, availability, processing integrity, confidentiality, and privacy of a cloud network. These are not one-size-fits-all efforts, though, so be sure that your cloud provider is being measured on metrics that matter for your organization.
Another thing to be aware of is that a cloud provider passing a particular audit for a particular certification does NOT automatically mean the cloud provider’s customer (the university) is now also certified. For things like payment card industry (PCI) data standards, you need to undergo your own PCI audit to say you are PCI certified. Using the facilities of a PCI-certified cloud provider is usually not enough to also certify your own infrastructure.
5. Monitor performance and make changes as needed
Colleges and universities aren’t static entities; new performance needs and security threats emerge all the time. Part of maintaining security when adopting cloud solutions must involve monitoring the cloud network for security and performance — and making any changes necessary to reduce ongoing security risks.
6. Develop a threat assessment strategy
This strategy should be deliberate and comprehensive so that you have a way to systematically evaluate all potential threats to your cloud network on an ongoing basis.
The first step in developing a threat assessment strategy is defining the scope of what your strategy needs to encompass — just the functionalities you’ve migrated to the cloud? The entire campus IT infrastructure?
Once you’ve defined your scope, you’ll want to consider the types of threats your system faces:
- Intentional external threats (e.g., malware, DoS attacks, phishing attacks, etc.)
- Accidental threats (e.g., those that result from a computer malfunction or a student’s failure to follow security protocol)
- Threats from natural disasters (e.g., floods, fires, or anything else that could restrict access to your network or bring it down)
- Intentional internal threats (e.g., rogue employees abusing their privileges)
Once you have a strategy for assessing threats to your network, you’ll want to have a plan for minimizing the likelihood of each threat causing harm. The guidelines in the remainder of this checklist will help you do that.
7. Classify data and applications in the cloud
Not all data needs top security protection, and not all applications use sensitive data. Remember: security measures affect the speed and performance of a system, so it’s best to use them only as needed.
It’s important to make sure that everything deemed “critical” really is — meaning that it requires 24/7 availability. Simply contextualizing your needs in the world of cloud can unearth sizable cost savings.
Classifying your data and applications will give you a sense of where Personally Identifiable Identification (PII) and other sensitive data lives so that you can deploy security tools strategically.
8. Implement and regularly monitor authentication and authorization tools and mechanisms
Once you’ve classified the security levels of all your cloud assets, you’ll have to implement tools to limit and control access. These are the areas you’ll want to focus on:
- Authentication: This involves setting up parameters for verifying (authenticating) the identity of network users. Your authentication tools might include rules for password creation, password resets, session timeouts, and more. This handy cheat sheet from The OWASP Foundation offers more detail.
- Authorization: Authorization protocols may also be required to access PII, such as medical records from the campus health center.
9. Develop backup and recovery plans to prevent data loss
No one wants to get bailed out of a data center emergency.
That’s why both backup and recovery should be part of the service offerings your cloud provider offers. As you discuss your backup and recovery plan, be sure to understand any associated costs, as well as any expectations for your team.
You should also have a clear idea of the process for restoring backed-up data and how long it will take to restore from backup data copies. Backups are great, but understanding backup restore times is key. Essential data needs to be backed up in systems that allow rapid restoration of the data.
This shouldn’t come as a surprise: your disaster recovery plan has to work.
10. Provide strong encryption protocols and key management for data
Data must be secured (typically by encryption) in all three of its states:
- At rest: Data at rest is the data being stored but not actively being used by network participants. It needs to be protected to ensure that it’s not improperly accessed or altered, many times by encrypting it.
- In use: Data in use is data that’s actively being used by an application or stored in memory or a CPU. If data in use is compromised, it could enable access to other types of data.
- In transit: Data in transit is the data that’s traveling through a network at any given moment. It can be protected with encrypted network connections.
A secure cloud in higher ed depends on everyone
Higher education institutions face many unique security challenges in adopting cloud infrastructure, not least of which is their high turnover — every year, hundreds (if not thousands) of new users enter the system. This means that educational and awareness-building efforts about the importance of privacy and security in the cloud must be ongoing.
Ensuring a secure cloud means not just verifying that the network is technically ready for cloud infrastructure, but also that all network users are active participants in bolstering the network’s security. Achieving this state will require cross-departmental communication and some creativity, but the security gains will be well worth the effort.
If you’re curious about how we’ve helped higher education institutions migrate securely to cloud solutions in the past, read about our work with Northeastern Illinois University and DePaul University. If you’d like to learn what a secure cloud migration might look like for your institution, please get in touch — we’d love to help.