Those solutions include Cortex Data Lake from Palo Alto Networks. A cloud-based, centralized repository, the tool automatically collects and integrates log data from Westminster’s on-premises systems and cloud services. “Our firewalls and the anti-virus software that’s running on our endpoints send their data up to Palo Alto’s cloud, and then they use artificial intelligence to put it all together and monitor for irregularities,” Watson explains. Three other products, all from Proofpoint, provide comprehensive email security. A tool called Targeted Attack Protection detects and analyzes links and attachments to keep dangerous content out of email inboxes. Another solution, Threat Response Auto-Pull, automatically quarantines malicious emails post-delivery.
Now, Watson says, he’s gone from “worrying about what we don’t know” to having total visibility into Westminster’s cyberthreat landscape. Now, his IT organization has the backing and security know-how to protect data wherever it resides, be it an onsite server or a server far offsite. Since the breach in 2017, the college has had one instance of a compromised account, but the threat was quickly identified and eliminated. The 2017 phishing attack, he says, would be no match for his department today. “If we had the tools then that we have now, it probably wouldn’t have happened.”
A Shared Responsibility for Cloud Security
As higher ed IT teams increasingly adopt cloud-based solutions, many are coming to the same conclusion that Watson reached at Westminster College: Like any structure or technology, the cloud is as secure as its users make it.
“The business reasons for moving to the cloud in higher ed are kind of undeniable at this point,” says Frank Kim, an information security consultant and SANS Institute fellow. “The issue is that attackers know this. Where there’s value, they’re going to follow.”
The good news, Kim says, is that cloud-based platforms are no more vulnerable than on-premises solutions, and they could be considered safer in some ways for the security they do offer. “All the major cloud providers talk about the shared responsibility model,” he explains. “Amazon Web Services, Azure, Google Cloud Platform — they all give you a lot in terms of the security of the infrastructure, which isn’t always easy for a small college IT team.”
On the other hand, he notes, it’s still up to infrastructure users to build and deploy systems correctly, which makes application security especially important for higher ed IT departments. “The whole point of moving to the cloud is to deploy features and functionalities to your users faster, cheaper and more reliably. But you’d better make sure those apps and services are protected, because attackers are going to focus on those weak spots.”
Securing High-Risk University Data
One higher ed leader who echoes that advice is Randy Marchany, CISO at Virginia Tech. As of 2020, Marchany says, Virginia Tech had approved more than 500 use agreements for Software as a Service applications in university departments. Among the cloud services they now rely on every day: Google Workspace for Education Fundamentals, Microsoft 365, Zoom, Jaggaer and ServiceNow.
Virginia Tech students have been required to have their own computers since 1984, “so this BYOD world is nothing new for us,” Marchany says. He describes the school’s network security model as similar to that of an internet service provider. “Our whole cyber defense architecture is geared to data rather than device.”
In March, Marchany notes, the university’s IT division published its “Strategic Recommendations for Cloud Computing,” a report it developed following interviews with faculty and IT professionals across Virginia Tech. The document suggests, among other things, that the division establish standards and best practices for cloud computing. It also recommends that the university’s IT experts “have the skills and training needed to promote effective and responsible use of cloud-based technologies.”