EDUCAUSE 2017: From Goals to Controls — 3 Strategies to Secure the Cloud
The prevalence of cloud computing doesn’t stop IT leaders from asking how to make cloud adoption more secure. The answer is important to understand, especially if those leaders aren’t information security specialists, said Brian Markham, assistant vice president for information security and compliance services at George Washington University.
He presented “Make Security a Priority: How Edtech Security Bridges the Gap with Cloud Security” with Kristyanne Patulla, a Cisco Systems consulting systems engineer, on Wednesday at the 2017 EDUCAUSE Annual Conference.
The cloud, Markham pointed out, isn’t new, and it isn’t going away. IT leaders in higher education would do well to worry less about whether the cloud represents “more or less” risk, and instead focus on thinking about risk differently. To that end, he outlined a series of steps they can take to help their institutions take advantage of the cloud while keeping data secure.
1. Set Achievable Information Security Goals
Leaders first need to understand institutional goals and processes, with an eye toward using these to prioritize security efforts.
“In a given year, you’re probably going to be able to do only a handful of things,” Markham said. “If you try to do everything, you might end up doing nothing.”
Defending users, data and the network is, of course, the primary goal of IT professionals. That responsibility doesn’t change because an institution moves to the cloud, he said; it just takes on a new dimension. “IT’s job is to understand what the cloud provider is doing to manage security,” Markham said.
Next, understand and manage risk within the realities of the current environment.
“The days of InfoSec being able to say ‘no’ to everything and saying, ‘I just made my institution safer’ are over,” he said. “I like to say, it’s not up to me to approve or deny. It’s up to me to advise and make a recommendation.”
Part of that means ensuring that CIOs and other senior leaders have the information they need to make effective decisions, particularly when those decisions affect data security.
Implement processes and technology to meet security objectives, and train people to be an effective line of defense. Users are often the weak link, Markham acknowledged, but he argued that overcoming that hurdle is simply part of IT’s responsibility, even in a distraction-rich environment that makes it tough to cut through the clutter of competing messages.
“I believe you need to invest in your people. You need to train your faculty, students and staff; tell them how they are going to be attacked and how people are going to come at them,” Markham said. “If not, they’re going to get owned, and it’s going to be your fault because you didn’t prepare them.”
Finally, he said, talk with cloud providers to gain assurance that security controls have been designed effectively and operate as intended to keep data safe.
2. Establish Cloud Adoption Objectives and Take Inventory
Key to a successful cloud adoption is having people on staff who understand and embrace the technology, Markham noted. Ensure that all stakeholders, from faculty members to business units, understand the cloud strategy and support it within a strong governance framework. Develop a risk management framework, and establish a consistent vendor security methodology.
“What does ‘good’ look like?” Markham asked, adding that institutions should develop standard criteria to evaluate potential partners.
IT leaders also need to define objectives in four areas, Markham said, and these can serve as a touch point throughout an implementation. “The goals are your North Star, and you can always go back to those,” Markham said.
He recommends that IT leaders ask:
- What do we want to achieve?
- What is the governance model?
- How does the cloud product go from idea to procurement to production?
- What are the institution’s baseline capabilities and where are the gaps?
“Wherever you are, you’re somewhere on the maturity-level spectrum, from ‘We do it differently every time’ to ‘We do it the same way every time and we’re feeding data back into the process to make it better every time,’” Markham said.
Next, leaders should ask a series of questions to assess their current environment. This matters because IT is often unaware when individual users adopt cloud tools on their own, and so may not know whether sensitive information is being stored in them. Leaders need to know:
- What services are currently running outside the data center?
- What is the data classification strategy for data being stored there?
- What is worth investing in, and what risks are acceptable?
“Try to do discovery and see what’s happening on your network and what people are using,” Markham said.
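One concrete way to do the discovery Markham describes is to mine the logs you already have. The following is an added example, not code from the talk or from George Washington University: it aggregates a few constructed web-proxy log lines into a per-service inventory showing which cloud services are in use, by how many distinct users, and how much data is leaving the network to each one, then lists the services nobody has contracted for. The log field layout, the hostname-to-service suffix table and the sanctioned-service list are all assumptions made for the example.

```python
"""Shadow-cloud discovery from web-proxy logs (added example, not from the talk).

Aggregates constructed proxy log lines into a per-service inventory so an
InfoSec team can see which cloud services are actually in use, by how many
distinct users, and how much data is leaving the campus network to each one.
The log layout, SERVICE_SUFFIXES and SANCTIONED are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log lines: "<timestamp> <user> <method> <host> <bytes_sent>"
SAMPLE_LOG = """\
2017-11-01T09:02:11Z jdoe POST api.dropbox.com 2450112
2017-11-01T09:03:40Z jdoe GET www.dropbox.com 312
2017-11-01T09:05:02Z asmith POST upload.box.com 98000
2017-11-01T09:07:19Z mlee PUT s3.amazonaws.com 5200000
2017-11-01T09:08:55Z asmith POST docs.google.com 15000
2017-11-01T09:09:30Z kchen POST api.dropbox.com 1700000
2017-11-01T09:10:02Z jdoe GET www.gwu.edu 0
2017-11-01T09:11:45Z mlee POST drive.google.com 780000
"""

# Assumed mapping of hostname suffixes to a service name. A real deployment
# would use a CASB or a curated feed with far more entries.
SERVICE_SUFFIXES = {
    "dropbox.com": "Dropbox",
    "box.com": "Box",
    "amazonaws.com": "AWS",
    "docs.google.com": "Google Docs",
    "drive.google.com": "Google Drive",
}

# Assumed set of services the institution has actually contracted for.
SANCTIONED = {"Box", "Google Drive"}


@dataclass
class ServiceUsage:
    users: Set[str] = field(default_factory=set)
    bytes_out: int = 0
    requests: int = 0


def classify_host(host: str) -> Optional[str]:
    """Return the service name for a host, matching on domain suffix.

    The longest matching suffix wins, so a more specific entry such as
    docs.google.com would beat a generic google.com entry if both existed.
    Hosts with no match are not cloud services we track.
    """
    host = host.lower().rstrip(".")
    best: Optional[Tuple[str, str]] = None
    for suffix, service in SERVICE_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, service)
    return best[1] if best else None


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, int]]:
    """Split one log line into fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None  # skip bad lines rather than abort the whole report
    ts, user, method, host, sent = parts
    try:
        return ts, user, method, host, int(sent)
    except ValueError:
        return None


def inventory(log_text: str) -> Dict[str, ServiceUsage]:
    """Build a per-service summary of distinct users, upload volume and request count."""
    usage: Dict[str, ServiceUsage] = defaultdict(ServiceUsage)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, user, _method, host, sent = rec
        service = classify_host(host)
        if service is None:
            continue
        u = usage[service]
        u.users.add(user)
        u.bytes_out += sent
        u.requests += 1
    return dict(usage)


def unsanctioned(usage: Dict[str, ServiceUsage], min_users: int = 1) -> List[Tuple[str, ServiceUsage]]:
    """Services not on the approved list, ordered by data volume leaving the network."""
    rows = [(s, u) for s, u in usage.items()
            if s not in SANCTIONED and len(u.users) >= min_users]
    return sorted(rows, key=lambda r: r[1].bytes_out, reverse=True)


if __name__ == "__main__":
    inv = inventory(SAMPLE_LOG)
    for service, u in unsanctioned(inv):
        print(f"{service:12} users={len(u.users)} bytes_out={u.bytes_out} requests={u.requests}")
```

On the constructed sample this surfaces AWS, Dropbox and Google Docs as services in use without a contract, ranked by how much data is flowing to them; the distinct-user count helps decide whether something is one person's experiment or a department-wide habit that belongs in the data classification conversation. Swap in real proxy, DNS or firewall exports and a maintained suffix list to run it against your own environment.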
3. Learn What You Can Control
The secret to securing the cloud is to control what you can, Markham advised. Start with endpoints, identity and data flow. Establish administrative and technical controls that reduce the risk of accidental or malicious exposures. Take advantage of technology tools that provide visibility into networks and applications. Markham also recommended security information and event management solutions, along with identity management via single sign-on and two-factor authentication.
“You have to pick the tool that works for your environment and your users,” he said.
Thinking in terms of control lets IT and other stakeholders understand where data is going and what the business case is for sending it there. Even in a cloud environment, he said, “there are things you can control. It’s just a little bit different than if all your stuff was on-prem.”
Finally, Markham said, institutions should commit to continuous monitoring. For example, how does an institution use data to improve outcomes over time? How well does it modify policies, procedures and standards to reflect what it learns about users’ behaviors or in response to evolving threats?
“Policies can’t stay the same forever,” Markham said. “IT moves way too fast to be pushing 9-year-old policies out there, so it’s always got to be in line with the reality.”