Three ways the cloud can improve your information security plan
The widespread move to online and hybrid instruction has spread out where information is stored for most colleges and universities. Without the proper infrastructure, this often came at the expense of data security, which was ranked as the most pressing IT issue for 2022 by The Chronicle of Higher Education. A full move to off-premise storage might seem like a liability at first, but as with most technologies, the cloud’s value is in how you use it.
With these three guiding principles, the cloud offers great potential to improve data security for both the short- and long-term sustainability of your institution.
1. Understand that it’s not about where data lives, but how it’s controlled
Many institutions equate having physical control of their data with better security. That’s a myth.
On-campus data servers are often located in buildings to which many people have access. The process and tools for managing who can enter a facility, room, or floor may be more prone to error or breach than appropriate rules restricting data movement in the cloud.
Few (if any) college or university servers are encased by multiple layers of physical security (fences, barricades, video surveillance, etc.), with entry requiring sophisticated badges, pins, and checkpoints monitored by trained staff whose only job is server protection. The best cloud providers can offer this level of protection because—unlike higher education institutions—security is their core business.
Another risk to storing data on campus is that a single event—whether a breach or natural disaster—can compromise all your assets and bring operations to a halt. Most cloud providers, on the other hand, have data backed up to multiple geographical locations, as well as processing capability at multiple sites, making recovery easier and lowering the potential for disruption.
Moving data to the cloud doesn’t mean giving up control, but rather thinking differently about who controls what and how.
2. Embrace the shared responsibility model
The cloud offers tremendous potential to improve security, mobility, agility, and scale, but to realize these benefits, institutions must learn to rely more on partners. This means selecting a reputable cloud vendor and being transparent about, and committed to, a shared responsibility model.
To be clear, regardless of where its data and applications live, an institution will always bear responsibility for security and compliance. But in the cloud model, its role changes. Typically, cloud vendors secure and manage the physical infrastructure that stores and serves data, as well as any cloud-based (SaaS) applications the institution may be using. Meanwhile, the institution secures the operating system, networks, and on-premise applications used to access data and services in a public cloud (including user identity/access management).
Amazon Web Services offers a useful graphic showing how the cloud provider is responsible for security of the cloud and the customer is responsible for security in the cloud. In other words, you are ultimately responsible for defining who can access what, how well data is encrypted, and how data flows between systems and applications.
The good news is, this is what your IT staff should be focused on. Once they’re freed from day-to-day server maintenance and protection, they can approach how data is governed and utilized strategically across the institution to make better decisions.
Choosing a partner
With a shared responsibility model, it’s critical to choose a reputable partner with the tools and commitment needed to maintain compliance and protect institutional data. To aid in this process, the Higher Education Information Security Council (HEISC) created the Higher Education Community Vendor Assessment Toolkit (HECVAT), a questionnaire framework to inform procurement of a cloud vendor.
In an Ellucian webinar on cloud security, Lehigh University’s Chief Information Security Officer Eric Zematis clarified, “The most critical question in evaluating which vendors to partner with is, ‘Will that vendor or that solution move me closer to my security goals, closer to my compliance goal, closer to my privacy goals?’”
While airtight security is the ideal, real goals are set against finite resources. Even with savvy investments and prioritization, institutions must adapt their defenses as information security threats constantly change in nature, scope, and sophistication. In addition to the minimum standard software updates, today’s defense systems must systematically gather logs and network data for ongoing analysis, respond quickly and aggressively to incident reports, and monitor processes controlled by departments other than IT.
Cloud security is a two-way street, however, and institutions must do their part to protect their information. One way to do so is to regularly schedule risk assessments to evaluate the people, processes, and technology through which data moves.
There are many methodologies for conducting a risk assessment. Some are open source, some are proprietary, but all aim to answer the same basic questions:
- What assets do we need to protect?
- Who/what poses a threat to those assets?
- What would the impact be if those assets were stolen, damaged, or lost?
- What needs to happen in order to minimize our risk?
The HEISC and the EDUCAUSE Cybersecurity Initiative also provide a tool for self-assessment, with 101 questions designed to gauge the maturity of your information security program in areas such as policies and procedures, asset management, data access controls, education, supplier relationships, incident management, and physical and environmental security.
3. Take advantage of the security benefits inherent to cloud
While you are still responsible for governing your data in the cloud, cloud providers offer an array of tools to make this easier to do at scale:
- Encryption: Many vendors offer state-of-the-art encryption tools, which you can use to improve protection of data you move to the cloud. (Just note that it’s still your responsibility to use them and to secure access.)
- Multifactor authentication (MFA): MFA adds an extra layer of protection on top of a username and password, such as sending a text message with a randomly generated number that the user must enter to login. Perceived complexity once deterred institutions from implementing MFA, but now it’s gained widespread use in higher education due to advancements in user-friendly and single sign-on technologies. MFA integration into myriad software solutions is now easier than ever, so institutions should take advantage of this to safeguard against the impact of a compromised password.
- Identity and access management: As data proliferates across campus, assigning identity and access rights is more important but more complex than ever. While only you can set policies and permissions, your cloud provider may offer tools that make it far easier to track the who, what, when, and where of data access at scale.
The cloud represents a seismic shift in the way we use technology to manage the flow, use, sharing, and protection of data across higher education. Questions, concerns, and a measured pace of adoption are to be expected.
But as more institutions challenge the traditional model and discover the cloud to be as—if not more—secure, adoption will only accelerate.