How did Joel Rosenblatt shift from opposing the cloud to embracing it? It was simple. With the campus community demanding cloud services, the director of computer and network security at Columbia University had no other choice, so he focused on making the university’s cloud environment as secure as possible.
“There are things people have to do and want to do where the cloud is the only way to get them done at this point, so I had to change my thinking,” he says. “I used to resist the cloud and say, ‘It’s not secure.’ But now I say, ‘How can we make it secure?’”
As colleges and universities transition to cloud applications and storage, they need a multilayered approach to secure their data. Rosenblatt and other campus IT leaders say it’s important to negotiate security requirements into contracts with cloud vendors, create data classification policies (defining what is sensitive, confidential, internal and public data), and give users guidance and policies on how to protect data when they use cloud services. Some higher education institutions, including Columbia, are using a new class of security tools: cloud access security brokers (CASBs). These cloud-based products let IT administrators monitor user behavior and set and enforce data loss prevention (DLP) and other security policies across their cloud services.
Although contracts with cloud vendors and data security policies for users are important, they aren’t fail-safe, says Jay Heiser, a Gartner research vice president who specializes in cloud security. Users can still make individual decisions that put sensitive data in the cloud at risk. That’s where CASB tools can bolster security. “If you want to let people use the cloud but don’t want the risk of having sensitive data leaked, cloud access security brokers are a central point of control,” Heiser says.
Ensuring Encryption Through New Tools
When Columbia implemented Google Apps in 2014 to take advantage of its email and office productivity software, Rosenblatt looked for DLP tools to prevent faculty, staff and students from exposing sensitive data.
His research led him to CloudLock, a CASB tool that analyzes users’ Google Apps accounts to make sure they are not sharing sensitive or confidential data publicly on Google Docs or Google Sheets. He configured the tool’s filters to continually scan users’ files for Social Security numbers, credit card numbers and other personally identifiable information.
“We have millions of Google Docs, so it’s a way to prevent anyone from accidentally putting up a spreadsheet or list that has Social Security numbers on it,” Rosenblatt says.
Columbia does allow users to store and share sensitive or confidential information on Google Apps and Dropbox, the cloud storage service, but only if they encrypt the data. With Google Apps, for example, Rosenblatt deployed a CloudLock feature that lets users easily encrypt files with a click of the mouse.
“If they forget to encrypt it on Google Apps, CloudLock will find the document and remove the shares, so you can’t see it anymore,” he says. The university then sends an email to users, notifying them that sensitive or confidential information was discovered, and if they want to share it, they have to encrypt it. “Users can then either delete the document because they didn’t mean to do that, or they can encrypt it and make it available,” Rosenblatt says.
He also uses a DLP application that analyzes employees’ outgoing email on Gmail for sensitive or confidential information. “It will block the mail from going out if it sees Social Security or credit card numbers in an email that’s not encrypted,” he says.
Reading All the Fine Print
Don Welch, CISO at the University of Michigan, believes most large cloud service providers — given their sizable and highly skilled security teams — can handle security as well as or better than universities.
Even so, institutions do need to ensure that contracts with cloud vendors address security provisions, he says. And when colleges choose a cloud vendor, they need to perform the same risk assessments that they do for their own internal systems.
The university, which uses Google Apps for email, Box for storage and Infrastructure as a Service offerings such as Microsoft Azure, asks vendors a set of security-related questions. It also determines if vendors perform third-party audits and network penetration tests, if the university can view the results and if the vendor documents employee security training.
“Sometimes they answer yes. Sometimes they don’t,” Welch says. “It’s a risk decision. We have to determine if it’s good enough and whether we can accept the risk.”
Sharing Liability with Vendors
At the University of Pennsylvania, an interdisciplinary team of staff from IT, legal, privacy and purchasing offices collaborates to negotiate with cloud vendors. Joshua Beeman, Pennsylvania’s information security officer, says his team seeks to ensure that the university retains ownership of data, that vendors comply with regulations — such as the Family Educational Rights and Privacy Act (FERPA) and and Health Insurance Portability and Accountability Act (HIPAA) — and maintain a sufficient security posture by implementing industry-standard frameworks, such as ISO 27000 series or NIST Special Publication 800-53.
At Michigan, the security team signs business associate agreements with its cloud vendors. Then, if there is a breach, the vendor is at least partially liable for any fallout, such as litigation. For example, cloud storage provider Box, which encrypts data at rest and in transit, is responsible for securing all content in users’ folders, Welch says.
“We have a business associate agreement with them and expect them to live up to those standards and are accountable for them,” he says.
At Columbia, the agreement with Google requires the company to house the university’s data in the United States. To ensure user privacy, the contract prevents Google from data mining users’ emails to serve up targeted advertising, Rosenblatt says.
Employing Additional Security Measures
Guidelines and training also can ensure that users know how to use cloud services safely, Beeman says.
According to Pennsylvania’s policy, users with Google Apps, Box and two Infrastructure as a Service services can only store nonconfidential information or student educational records regulated under FERPA. They cannot store any sensitive data, such as Social Security numbers, credit card data or health records regulated under HIPAA.
Equally important are traditional security controls, such as strong authentication and endpoint security, including anti-virus and regular software patching on computers, Beeman says.
That’s because cloud services are only as secure as people’s passwords. If hackers steal users’ passwords through malware or phishing, they can access the cloud applications and data. The university strongly encourages its users to use multifactor authentication whenever possible, he says.
“If you don’t have strong passwords and, ideally, two-factor authentication, you are at risk of having important credentials compromised,” Beeman says.
Ultimately, users play a critical role in securing university data, Beeman says: “Organizations must work to help educate users about things like phishing or misuse of data, and to ensure workstations remain secure against malware and external hacking.”