Security, privacy, and compliance in the cloud
A discussion with Lehigh University’s chief information security officer
- Compliance is a shared responsibility between institutions and cloud providers.
- Moving to the cloud is a prime opportunity to clean and limit data.
- Many valuable tools for readiness and vendor assessment already exist.
Moving to the cloud can provide a wide range of security benefits. From disaster recovery to email security, cloud vendors and solutions offer valuable processes that many institutions can’t afford to manage on their own.
Before moving to the cloud, institutions should first assess their security positions, determine their security goals, and prepare their data. There are also some key questions that institutions should ask their potential cloud vendors.
In a recent webinar, Eric Zematis, chief information security officer (CISO) at Lehigh University, spoke with Rosemary Kuperberg, Ellucian’s assistant general counsel and chief privacy officer, and Josh Sosnin, Ellucian’s CISO. Following are excerpts from the conversation. (Questions and answers have been edited and condensed.)
Ellucian: Security, compliance, and privacy are all interrelated, but for the purposes of this discussion, let’s discuss them one by one, starting with security. Eric, what’s your philosophy and approach?
Eric: Colleges and universities are complex organizations, so they need to have an idea of where they want to go as far as their security. I think the number one thing to strive for is alignment. Do senior leaders, staff, faculty, students, and other constituents have a similar understanding around the way that your institution handles security?
The next step I look at is, what is the current state of information security? If you don't know, there are a few simple approaches you can take to find out, and you can get external help. That might be your auditors. Or the Research and Education Networks Information Sharing and Analysis Center (REN-ISAC), which your institution may be a member of—they do peer assessments. Or maybe you hire a consultant to take a look.
But an even simpler way is to just do an internal survey. There are numerous risk assessment tools you can run internally to assess your risk posture. EDUCAUSE has some surveys that will benchmark you against peers. There's also the Higher Education Cloud Vendor Assessment Template (HECVAT), a higher ed-specific tool that's used to evaluate vendors and their security. Or you could turn it inside and look at your own security postures.
With those two pieces of information, you'll know where you want to be, and you'll know where you are now.
Then it's time to look at vendors.
Ellucian: What should institutions look for when evaluating vendors through the prism of security and compliance?
Eric: The most critical question in evaluating which vendors to partner with is, “Will that vendor or that solution move me closer to my security goals, closer to my compliance goal, closer to my privacy goals?” That's the type of context I try to look at rather than trying to evaluate, “Is this vendor absolutely secure?”
When we're dealing with partners, one of the things that a partnership always does is diversify our risk so we're not holding it all internally. An example is with the COVID-19 response. As we were partnered with cloud vendors, it helped enable responses, and helped the organization respond in ways they couldn't do just internally.
Another thing to consider is that your ERP vendor may already have access to all your data on-premise. If they are offering to bring you to the cloud, that doesn't give them access to any more data; it just moves the data from your data center to theirs. And therefore, they work in their data center, you work in your data center—and that can actually be a more secure solution than having external vendors with access into your data center.
Ellucian: Let’s explore the shared responsibility model a little more. Who does what when an institution partners with a cloud vendor?
Josh: In a shared responsibility model, responsibilities don't necessarily all shift when moving to the cloud. Depending on whether the model is software as a service (SaaS), platform as a service (PaaS) or even infrastructure as a service (IaaS), the responsibilities differ. The key takeaway is that no matter what, you have to remember that your data remains your data. It will always remain your data, and you don't want to forget that.
Things like responsibility over the network or servers—they're going to fall to the cloud provider. You're not going to have to worry about electricity and power and data centers and cooling and things like that. Depending on whether you're talking about full SaaS versus PaaS, things like customizations could fall on either side. Disaster recovery is almost always going to be something the SaaS provider is going to take over. And when you look at the times we're in now dealing with COVID, depending on the organization, that could be something you're excited about potentially moving to someone else's responsibility and just letting them take care of it.
Eric, earlier you mentioned making sure that a vendor can really move the needle for your institution. Let's face it, everybody has challenges with budget. This is one area where security practitioners can see a move of the needle in the direction that they want.
Take email. Everybody used to host their own email, but now that’s pretty rare. You start looking at economies of scale, security, and certainly availability. If you go with one of the big email players, you're certainly going to get that security at scale, that reliability at scale, that you might not be able to invest on your own to get to that level.
Ellucian: What kind of vendor assessment tools are available to institutions as they evaluate potential providers?
Josh: Eric, earlier you mentioned EDUCAUSE’s HECVAT, or Higher Education Cloud Vendor Assessment Template. It has 265 questions focused on security and privacy in the cloud. It’s a great place to start, and if you're thinking about a move to the cloud, you should discuss it with your security folks as early as possible in the process.
Vendors should have answers to the HECVAT readily available upon request. They’re a great way for you to review the controls that potential cloud vendors have in place as you think about moving your applications and your data to the cloud. You don't need to start from scratch. You can rely on the hard work of your other friends in higher education that work on these things.
Eric, do you use the HECVAT?
Eric: Yes, we usually use the HECVAT Lite, which is a shorter tool that gives you a consistent lens to review your vendors so you don't have different types of criteria. You give it to them, you say it's part of your process, and they fill it out or have it already filled out, and they supply it to you. Then you have that information on their surveys.
If it's a vendor you want to evaluate periodically, you could ask them to complete it annually or every two years or whatever process works. If there are changes, you always want to take a look and say, "Hey, that could be a change in the risk posture."
Josh: It's a great place to start and a great resource. Everyone should consider taking advantage of it.
I’ll also add a few “be sure to's”:
- Request third-party reviews and audits. Ask for that information early in the process to get a feel for what your cloud or your prospective cloud vendors are doing about security.
- Understand where your data is going to live.
- Since nothing out there is perfect, and problems are going to happen, do your research to see if the vendor has a responsible disclosure policy. You want to partner with somebody who's going to be quick to address issues.
Ellucian: What else should institutions know about vendor relationships and evaluating their security positions?
Eric: We're looking for partnerships. And we need to understand that our vendors also have vendors. So we may ask for independent audits.
It's good to ask: “Who are your other key partners that you deal with? Where do you host the data? Do you have your own data center? Do you host it into one of the big public clouds?” And understand those relationships.
Rosemary: Again, it's so important to realize that you don't have to do this all on your own. The questions you need to ask, the things you need to think about—all of that is available, whether it's the HECVAT or something else. Even if this is your first move to the cloud, you don't have to start from scratch—and your fellow higher ed institutions are also very collaborative. Don't hesitate to ask and use the resources that are already out there so that it’s less overwhelming.
Ellucian: Moving on to privacy considerations: what are some key things institutions should think about?
Rosemary: The first thing your institution will need to do, if you haven't already, is determine what sort of definitions your privacy program is going to be based around. So a starting point for any privacy program is to answer the following questions:
- How are you going to define personal information?
- Is the information you have about your employees treated differently than that of your students?
- What regulatory scheme are you under?
- How do you fit in the overall privacy world?
You’ll have to figure out what personal information you have, where you got it from, why you have it. You may need to know the physical location of it. You need to figure out who can see it and what they can see it for, and how long you need to keep it. And then depending on where your institution is, you probably have some requirements of documentation relating to these questions.
One of the good things in the privacy space is that privacy is based on set principles, and regardless of where in the world you are, they’re pretty much the same.
- Election: Giving individuals choices about how their data is used when possible.
- Locked, or secure: Obviously, you cannot have privacy without security.
- Location of data: In some jurisdictions, it matters where personal data is stored and whether it crosses a national border from where the individual is. That's something that might matter as you're thinking of moving to the cloud.
- Use of data: Your institution’s responsibility for making sure that personal data is used for the purpose for which it was collected, or something that's related to that original purpose, or it's something that the individual knows about or would expect. You want to be sure that as you collect data, you know what purposes it'll be used for.
- Collection limitation, or data minimization: It's often helpful to get rid of personal data you don't need. If you don't have it, you don't have to protect it. So think about how long you've had personal data and how long you need to maintain it. And in some cases, you may be able to delete some of it or not move some of it to the cloud, which could help you clean up your data overall.
- Integrity, or accuracy, of data: If someone's personal information is incorrect or needs to be updated, that's something that your institution is responsible for.
- Access and accountability: The right of access is the right that an individual has to either get a copy or be able to see the personal data that an institution has about them. And the accountability principle reinforces that the source of the personal data or the organization processing it is accountable for what happens to that information. If you bring in a cloud provider, you want to make sure that you do due diligence on that provider, because your institution remains accountable for what happens to data once it goes into the cloud.
- Notice: This has to do with transparency, including privacy notices describing how you handle personal information.
While privacy principles remain the same regardless of how and where your data is stored, two may come into play in a different way as you're thinking about moving to the cloud: location and accountability.
- Location: You want to make sure as you're evaluating cloud providers that you’re aware of where the data will be stored. That includes non-production and failover locations, so you can keep your arms around where the data will be. You also want to know where the cloud provider has personnel, because in some cases, transferring or accessing data by those personnel could count as a cross-border transfer. You want to be aware so you have the right protections in place.
- Accountability: You need to make sure that your cloud providers have sufficient controls to meet your needs. Those needs will vary depending on the institution. You want to figure out how your cloud providers are going to supplement your program.
Josh: You mentioned reviewing and cleaning your data, especially when you get ready to move to the cloud. The amount of payback from spending time looking at your data, cleaning up your data, and limiting your data in systems, whether they be cloud or somewhere else, is so important. As security practitioners, we really like when our business partners are able to go through that exercise when looking at a new system.
Eric: It's almost like a spring cleaning. As you're moving in a project like this, it creates an opportunity where everyone in the university understands you're doing something new, so we need to take a look at that data.
Rosemary: It's a great chance for some cleanup, definitely.
Ellucian: What about compliance? What are the key things that institutions need to know?
Rosemary: Compliance is a broad topic. It can mean compliance with the laws, with internal policies and standards, and with things like funding requirements, grant rules, or contracts.
For the most part, your institution's compliance obligations have nothing to do with whether or not your data is in the cloud. The obligations that you have to individuals or other organizations are not going to change just because you’ve picked up your data and moved it into someone else's data center.
You want to make sure that the provider that you select can support what you need from a compliance perspective. And you want to make sure that you're not assuming that the cloud provider can do everything for you because, unfortunately, technology alone by itself can't guarantee compliance. It's a combination of people, process, and technology.
Josh: That's so key, because it's an absolute partnership when it comes to compliance. When you go with a cloud provider, it's not like a switch that you turn, and now compliance is pushed on to the provider. You'll both have certain responsibilities. But ultimately, compliance is still your responsibility. That's why due diligence with your cloud provider and making sure that your controls are where they need to be and acceptable is so important.
To hear the rest of the conversation and the follow-up Q&A, you can access the webinar recording here.