Associate Vice President of IT Nick Watson stands next to a sculpture at Westminster College made from sections of the Berlin Wall.

Aug 05 2021

What It Takes to Secure the Cloud

Data security remains a top priority as universities adopt cloud-based solutions and services.

All it took was a seemingly innocent email.

In late January 2017, an employee at Westminster College had just responded to a message that appeared to come from someone else on staff. With a click of a button, employee W-2 statements were instantly delivered to an unknown third party. Two months later, when the breach was discovered, the college learned it had fallen victim to a classic phishing scam. The perpetrator was using the W-2s to file bogus tax returns. That innocent email wasn’t innocent at all.

“That was the last time we had an event that really hit home,” recalls Nick Watson, associate vice president of IT at the Fulton, Mo., liberal arts institution.

Since then, Watson explains, Westminster College has entirely revamped its approach to enterprise data security. Previously, when it came to cloud services, the school opted for a strategy that was mostly hands-off, relying on its various cloud providers to adequately protect the data entrusted to them. When the school reassessed in the wake of the breach, leaders decided there were better ways to go about it.

“The security of your environment, wherever your data is, that’s on you,” Watson says. “It’s kind of like when you lease a car, it’s up to you to lock it up. You have to put it away in the garage at night.”

Cloud providers all have their own security solutions designed to thwart attacks from bad actors, Watson notes. But his department sees those solutions as a first step — a brick in a wall they’re responsible for building. As he and his team looked to adapt, they investigated everything from end-user education to a suite of security products from multiple vendors. “I have a small team, and they’re not security professionals, so we looked for tools that would provide some automation and that we could use as regular IT people,” he explains.

Those solutions include Cortex Data Lake from Palo Alto Networks. A cloud-based, centralized repository, the tool automatically collects and integrates log data from Westminster’s on-premises systems and cloud services. “Our firewalls and the anti-virus software that’s running on our endpoints send their data up to Palo Alto’s cloud, and then they use artificial intelligence to put it all together and monitor for irregularities,” Watson explains. Three other products, all from Proofpoint, provide comprehensive email security. A tool called Targeted Attack Protection detects and analyzes links and attachments to keep dangerous content out of email inboxes. Another solution, Threat Response Auto-Pull, automatically quarantines malicious emails post-delivery.

Now, Watson says, he’s gone from “worrying about what we don’t know” to having total visibility into Westminster’s cyberthreat landscape, and his IT organization has the backing and security know-how to protect data wherever it resides, be it a server onsite or one far offsite. Since the breach in 2017, the college has had one instance of a compromised account, but the threat was quickly identified and eliminated. The 2017 phishing attack, he says, would be no match for his department today. “If we had the tools then that we have now, it probably wouldn’t have happened.”


A Shared Responsibility for Cloud Security

As higher ed IT teams increasingly adopt cloud-based solutions, many are coming to the same conclusion that Watson reached at Westminster College: Like any structure or technology, the cloud is as secure as its users make it.

“The business reasons for moving to the cloud in higher ed are kind of undeniable at this point,” says Frank Kim, an information security consultant and SANS Institute fellow. “The issue is that attackers know this. Where there’s value, they’re going to follow.”

The good news, Kim says, is that cloud-based platforms are no more vulnerable than on-premises solutions, and in some ways they could be considered safer because of the security the providers do offer. “All the major cloud providers talk about the shared responsibility model,” he explains. “Amazon Web Services, Azure, Google Cloud Platform — they all give you a lot in terms of the security of the infrastructure, which isn’t always easy for a small college IT team.”

On the other hand, he notes, it’s still up to infrastructure users to build and deploy systems correctly, which makes application security especially important for higher ed IT departments. “The whole point of moving to the cloud is to deploy features and functionalities to your users faster, cheaper and more reliably. But you’d better make sure those apps and services are protected, because attackers are going to focus on those weak spots.”


Securing High-Risk University Data

One higher ed leader who echoes that advice is Randy Marchany, CISO at Virginia Tech. As of 2020, Marchany says, Virginia Tech had approved more than 500 use agreements for Software as a Service applications in university departments. Among the cloud services they now rely on every day: Google Workspace for Education Fundamentals, Microsoft 365, Zoom, Jaggaer and ServiceNow.

Virginia Tech students have been required to have their own computers since 1984, “so this BYOD world is nothing new for us,” Marchany says. He describes the school’s network security model as similar to that of an internet service provider. “Our whole cyber defense architecture is geared to data rather than device.”

In March, Marchany notes, the university’s IT division published its “Strategic Recommendations for Cloud Computing,” a report it developed following interviews with faculty and IT professionals across Virginia Tech. The document suggests, among other things, that the division establish standards and best practices for cloud computing. It also recommends that the university’s IT experts “have the skills and training needed to promote effective and responsible use of cloud-based technologies.”


“One of the biggest findings to come out of that work was that we need to create business processes and internal controls that promote sound stewardship of application delivery,” Marchany says. From his perspective as the university’s information security leader, he adds, “I don’t really care where people store data, as long as those data elements are protected.”

To that end, his team has defined three data classifications, with “high-risk” data being the most important. “If high-risk data is exposed in an unauthorized manner,” Marchany explains, “then the university has to self-report, and there may be penalties involved.”

To avoid that scenario, he says, the school requires that such data be encrypted at rest. Word and other Microsoft files that may contain high-risk data, for example, are automatically protected using the encryption tools provided by Microsoft Office.

“The cloud services will tell you, ‘If you put your files in our cloud, we’ll encrypt them for you,’” Marchany notes. “That’s nice, but then they own the keys, so if somebody does get access to your cloud, they also get access to your files.” By encrypting files first, then storing them in the cloud, he says, “we at least have some control of the keys. If somebody gains unauthorized access to that cloud folder, they’re only getting a bunch of encrypted files.”

A Proactive Approach to Securing Higher Ed Data

While Virginia Tech and the University of Florida are different in countless ways, one area where they’re very much alike is in their approach to data security.

“For us,” says Elias Eldayrie, UF’s vice president and CIO, “it does not matter where your data is when it comes to protecting it.”

Similar to Virginia Tech and Westminster College, UF depends on multiple cloud services at both the application and platform level, including Salesforce, AWS, Canvas and many others. Eldayrie says he expects “the same security measures from third parties as we do of ourselves,” and that his team has developed a vetting process to ensure those measures are in place.

That process relies largely on standards and guidelines from the National Institute of Standards and Technology, and it includes a risk assessment that Eldayrie and his team developed themselves. Critically, he says, it involves participation by a wide range of university administrators, including those in compliance and procurement and in the office of the general counsel.

UF leaders, Eldayrie notes, “care more about how we are securing data, regardless,” than they do about the use of cloud-based services. Their main concern, he says, and his as well, “is that we use the security tools that we have to be as proactive about data security as we possibly can.”
