Is the cloud less secure? Not if you do these 3 things.
- How data is controlled is more important than where it’s stored
- Cloud offers great potential to improve security, mobility, agility, and scale
- Security benefits of cloud include encryption, multifactor authentication, and identity and access management
It’s clear that higher ed is moving to the cloud. For most institutions, the benefits simply outweigh the risks. What’s not clear is whether information security belongs solely in the ‘risk’ column. In fact, the cloud offers great potential to improve data security, as long as you do 3 things:
1. Understand that it’s not about where data lives, but how it’s controlled
Many institutions equate having physical control of their data with better security. But that’s simply not the case.
On-campus data servers are often located in buildings to which many people have access. The process and tools for managing who can enter a facility, room, or floor may be more prone to error or breach than appropriate rules restricting data movement in the cloud.
In fact, what percentage of college or university servers are encased by multiple layers of physical security (fences, barricades, video surveillance, etc.), with entry requiring sophisticated badges, pins, and checkpoints monitored by trained staff whose only job is server protection? The best cloud providers can offer this level of protection because—unlike higher education institutions—security is their core business.
Another risk to storing data on campus is that a single event—whether a breach or natural disaster—can compromise all of your assets and bring operations to a halt. Most cloud providers on the other hand have data backed up to multiple geographical locations, as well as processing capability at multiple sites, making recovery easier and potential disruption lower.
Moving data to the cloud doesn’t mean giving up control, but rather thinking differently about who controls what and how. Which brings me to point number two.
2. Embrace the shared responsibility model
Cloud offers tremendous potential to improve security, mobility, agility, and scale. But to realize these benefits, institutions must learn to rely more on partners. This means selecting a reputable cloud vendor and being transparent about, and committed to, a shared responsibility model.
To be clear: regardless of where its data and applications live, an institution will always bear responsibility for security and compliance. But in the cloud model, its role changes. Typically:
- cloud vendors secure and manage the physical infrastructure that stores and serves data, as well as any cloud-based (SaaS) applications the institution may be using
- the institution secures the operating system, networks, and on-premise applications used to access data and services in a public cloud (including user identity/access management)
Amazon Web Services offers a useful graphic showing how the cloud provider is responsible for security OF the cloud and the customer is responsible for security IN the cloud. In other words, you are ultimately responsible for defining who can access what, how well data is encrypted, and how data flows between systems and applications.
The good news is: this is what your IT staff should be focused on. Once they’re freed from day to day server maintenance and protection, they can approach how data is governed and utilized strategically across the institution to make better decisions.
3. Take advantage of the security benefits inherent to cloud
While you are still responsible for governing your data in the cloud, cloud providers offer an array of tools to make this easier—and easier to do at scale. For example:
- Encryption: Many vendors offer state-of-the-art encryption tools, which you can use to improve protection of data you move to the cloud. (Just note that it’s still your responsibility to use them and to secure access.)
- Multifactor authentication (MFA): MFA adds an extra layer of protection on top of a username and password, such as sending a text message with a randomly generated number that the user must enter to login. MFA is becoming common practice for sensitive data, so take advantage of this capability if it’s available.
- Identity and access management: As data proliferates across campus, assigning identity and access rights is more important but more complex than ever. While only you can set policies and permissions, your cloud provider may offer tools that make it far easier to track the who, what, when, and where of data access at scale.
The cloud represents a seismic shift in the way we use technology to manage the flow, use, sharing, and protection of data across higher education. Questions, concerns, and a measured pace of adoption are to be expected.
But as more institutions challenge the traditional model and discover the cloud to be as, if not more, secure, adoption will only accelerate.
In the next blog, I’ll address the “people” side of data security. This includes not only overcoming concerns, but creating cultural shifts that better support using data securely to drive student and institutional success.
Read the complete infosec blog series.
Learn how Ellucian incorporates security into its cloud solutions.