Cloud Security Monitoring in Higher Education: Minding the Visibility Gap

Cloud Is Eroding Campus Cybersecurity Perimeters

Ed Skoudis, president of SANS Technology Institute, explains that the traditional campus perimeter has largely dissolved because institutional data, user identities and critical services now live across dozens or even hundreds of cloud and SaaS platforms.

“In higher education, that creates a much broader and more fluid attack surface, where risk comes not just from campus systems but from misconfigured cloud storage, compromised identities, unmanaged third-party apps and inconsistent security controls across distributed environments,” he says.

This means universities must now defend an entire ecosystem spread across many fuzzy boundaries, not a single perimeter clearly defined by firewalls, as in the past.

In a distributed or multicloud environment, identity and application access become the key control points.

Rich Campagna, senior vice president for network security at Palo Alto Networks, says universities need security that can consistently verify users and monitor activity across cloud services, SaaS platforms and campus infrastructure.

“We are no longer defending a ‘castle with a moat,’” he explains. “We are defending a distributed ecosystem where the identity of the user and the integrity of the application are the only true perimeters left.”

RESEARCH INSIGHTS: Find out how your peers are evolving their cloud strategies.

SaaS Sprawl and Shadow IT: Inventorying What Students and Faculty Actually Use

Campagna says shadow IT is common in higher education because researchers and students often adopt new tools quickly to support their work.

“Blocking every new application is rarely practical and can slow research and collaboration,” he says. “A more effective approach is to focus on continuous discovery and risk-based management of applications.”

Security teams should be able to automatically identify new SaaS applications and cloud workloads as they appear on the network. From there, they can assess the risk of each service and apply appropriate policies, such as access controls or data protection measures.

“This allows institutions to support innovation while still maintaining visibility and security oversight,” Campagna says.

Kurtz adds that colleges and universities can only manage shadow IT if they treat it as an ongoing program that blends technical discovery with governance and culture, rather than a one‑time cleanup.

“Publish an approved services catalog and use shadow IT insights to guide your roadmap — standardizing on secure, supported options in the categories users clearly want, rather than trying to suppress demand,” he advises.

 DISCOVER: Watch these four cloud trends in 2026.

Cloud Security Management for Universities: Continuous Visibility Without Disruption

Cloud visibility is foundational for university security because core teaching, research and administrative workloads have moved into SaaS and multicloud platforms that sit outside traditional perimeter and endpoint controls.

“Improving cloud visibility in higher education is less about tightening the screws and more about instrumenting what already exists, so security can keep pace with teaching and research, not slow it,” says Splunk Chief Cybersecurity Advisor Paul Kurtz.

He advises leaders to “observe first” on existing services, aggregating logs and security telemetry from identity providers, major SaaS platforms and cloud infrastructure into a single analytics layer before changing access patterns.

“This allows leaders to see who is using which applications and data sets, from where and on what devices, without altering academic workflows,” Kurtz says.

Campagna says the secret to nondisruptive security is operational agility, which means security should be built into the fabric of the cloud, not bolted onto it.

Automation is another critical piece of the puzzle: When tasks such as workload discovery, threat detection and policy enforcement are automated, security teams can respond quickly without slowing down research environments.

“The goal is to integrate security into the existing infrastructure so that researchers and students can continue their work while the institution maintains clear visibility and protection across its systems,” Campagna says.

LEARN MORE: Unified management simplifies hybrid cloud operations.

Protecting Research Data: Cloud Visibility Strategies for High-Risk, High-Value Information

Kurtz explains that universities face unusually difficult cloud security challenges for research data because their environments are decentralized, collaborative and highly regulated at the same time.

“Strong visibility into where data lives, how it moves and who can reach it is what turns that complexity into something governable,” he says.

The core challenges include fragmented, PI‑driven infrastructure, complex overlapping rules, and dark and legacy data. Campagna adds that research projects are often highly collaborative and involve multiple institutions, cloud platforms and temporary users, such as graduate students or visiting researchers.

“As a result, data can be copied, shared or stored across many locations,” he says.

He says that visibility helps reduce these risks by giving security teams insight into where sensitive data is stored, who is accessing it and how it moves between systems. With that understanding, institutions can apply consistent protections such as data classification, access policies and monitoring for unusual activity.

“This makes it easier to protect valuable intellectual property while still enabling collaboration,” Campagna says.

UP NEXT: Observability leads to more efficient incident response.

Connecting Cloud Visibility to Zero Trust: From Monitoring to Enforcement

Skoudis says integrating logs from major cloud and SaaS platforms into a centralized security information and event management environment is one of the most effective starting points to improve cloud visibility.

Institutions should also strengthen identity telemetry and maintain a more accurate inventory of cloud assets, so security teams understand what systems and applications are in use.

He also recommends concentrating security monitoring on a small number of high-risk scenarios that provide meaningful visibility without overwhelming teams or interfering with research workflows.

These include indicators such as risky data sharing, impossible travel patterns, privilege escalation and the use of unsanctioned applications.

“Security leaders should prioritize guardrails over friction,” Skoudis says, emphasizing that controls must support rather than obstruct academic work.

That approach is particularly important in higher education environments, where open collaboration is essential.

“In higher education, security succeeds best when it enables the mission instead of obstructing it,” he says.