As more higher education institutions move into the cloud for storage, applications and classroom technology, some challenges have emerged among users and IT professionals.
Cloud security has become a highlighted concern among university IT teams, with CISOs reporting the most notable concerns to be user behavior, lack of time and staff and a lack of security awareness training, according to a report by 451 Research.
In addition to the usual pain points of cloud security, IT teams at higher education institutions must also consider more specific concerns, including designing a cloud security system that aligns with the regulations of the Family Educational Rights and Privacy Act, and working within tighter budget constraints.
While these issues persist, the demand for cloud integration is expected to increase as campuses are lured by promises of greater flexibility, scalability and ease of access to stored data.
According to an Okta survey, 39 percent of higher education apps run in the cloud today, and that number is expected to increase to 62 percent by 2021, which means IT teams will need to be prepared to overcome the challenges that come with it.
Top Cloud Security Concern: End-User Behavior
According to 451 Research, the top cloud security concern for IT teams was end-user behavior, with 35 percent of respondents saying it was a primary concern.
Cloud breaches are most often accomplished through stolen end-user credentials or some other form of user error, according to “The Cybersecurity Insight Report” by CDW.
To help limit the dangers of improper use by students and faculty, institutions like the University of Michigan and Duke University offer resources to educate users about the security risks they may bring to their campuses’ cloud networks, and issue alerts when a phishing email or other breach attempt has been reported by users on campus.
Identity and access management in conjunction with the cloud can also be useful for university IT workers. IAM lets IT teams grant different levels of access to different users based on certain authentication parameters, while unifying the identification, authentication and authorization process.
“Once a user successfully completes the authentication process, the IAM system must then verify the user’s authorization to perform the requested activity,” according to a CDW white paper on IAM. “The fact that a user proves his or her identity is not sufficient to gain access — the system must also ensure that users perform actions only within their scope of authority.”
Already, universities are transitioning from traditional authentication practices to cloud IAM. The University of Virginia has recently undergone a transition to IAM, now assigning students computing IDs when they pick up their university IDs, as well as giving faculty their own authentication identification.
The system, according to the university’s IAM page, offers an array of authentication types — for example, giving graduate students working part time at the university both a student and staff classification.
“The first phase of the IAM project is largely about replacing our legacy Identity Management system, including our legacy Central User Database (CUDB) and the various data feeds into and out of the CUDB,” the page reads. “In addition to replacing these components, new self-service functionality will be provided to users via a consolidated Identity Portal. Phase 1 will provide the foundation for future IAM improvements and enhancements.”
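The distinction between authentication and authorization described above can be shown in a few lines. This is an added example, not code from CDW or the University of Virginia; the affiliation names, permission strings and computing ID are hypothetical. It models a user who holds both a student and a staff classification, denies by default, records every decision for audit, and shows how removing an affiliation at offboarding closes access.

```python
from dataclasses import dataclass, field

# Hypothetical permission sets per affiliation (assumed for illustration only).
AFFILIATION_PERMISSIONS = {
    "student": {"lms:read", "grades:read_own"},
    "staff": {"lms:read", "timesheet:submit"},
    "faculty": {"lms:read", "lms:write", "grades:write"},
}

AUDIT_LOG = []  # every decision is recorded so access can be reviewed later


@dataclass
class Identity:
    computing_id: str
    affiliations: set = field(default_factory=set)
    authenticated: bool = False  # set by the login step, not by the caller


def effective_permissions(identity):
    """Union of the permissions granted by each affiliation the user holds."""
    perms = set()
    for affiliation in identity.affiliations:
        # Unknown affiliations grant nothing (deny by default).
        perms |= AFFILIATION_PERMISSIONS.get(affiliation, set())
    return perms


def authorize(identity, action):
    """Return (allowed, reason). Proving identity alone is never sufficient."""
    if not identity.authenticated:
        decision = (False, "not authenticated")
    elif action not in effective_permissions(identity):
        decision = (False, "outside scope of authority")
    else:
        decision = (True, "allowed")
    AUDIT_LOG.append((identity.computing_id, action, decision[0]))
    return decision


def offboard(identity, affiliation):
    """Remove one affiliation; its permissions disappear on the next check."""
    identity.affiliations.discard(affiliation)


if __name__ == "__main__":
    grad = Identity("abc1d", {"student", "staff"}, authenticated=True)
    print(authorize(grad, "timesheet:submit"))  # staff permission
    print(authorize(grad, "grades:write"))      # faculty only
    offboard(grad, "staff")
    print(authorize(grad, "timesheet:submit"))  # access closed
```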
Cloud Security Automation Can Make Multitasking Manageable
The number of tasks university IT teams need to complete regarding cloud security can stretch teams thin, making networks easier to breach.
“Organizations may see hundreds, if not thousands, of alerts each day regarding actual or potential attacks, suspicious activity or new vulnerabilities, coming from both inside and outside the organization,” 451 Research explains. “The myriad changes to operational systems required for security can lead to a host of exposures if not resolved consistently — but IT can be overwhelmingly broad and complex.”
By deploying automated cloud security systems, university IT teams can extend their reach by running checks automatically based on threat parameters. In some cases, automated cloud security systems can analyze a threat and identify how severe it is, then notify an IT team member to address the problem.
“Because IT resources are limited, deploy integrated and automated security infrastructure that allows rapid response to each incident, without having to wait for data to be collated and addressed by a busy team member,” Jonathan Nguyen-Duy writes for eCampus News. “Additionally, these capabilities result in decreased cybersecurity costs, as integrated solutions are more cost-effective than disparate point solutions or employing a large enough IT team to manage the network manually.”
Identifying The Most Common Cloud Security Threats
Cloud technology brings its own unique security risks, ones that may not be covered in traditional best practices. According to the Cloud Security Alliance, there are nine major threat categories that IT teams can face when dealing with cloud security management.
A CDW white paper, “Playbook: Overcoming Cloud Security Concerns,” lists these threats — and possible solutions — in order to help IT leaders educate their staff and establish new cloud security measures and best practices. From the paper:
- Data Breaches: Data breaches occur when files are improperly accessed, tampered with or stolen. The primary control for preventing data breaches is establishing strong access control and authentication. By strictly limiting who can access sensitive data, an organization can significantly reduce the risk of that data being compromised. This can be established through encryption or data loss prevention services.
- Data Loss: Data loss generally occurs when data that has not been properly duplicated and secured to protect its availability is lost, deleted or otherwise made unavailable. One effective technique against this is to back up cloud data to a separate cloud from a different provider. Use of this technique greatly reduces the risk that the loss of one cloud would affect the status of another cloud. Organizations can also utilize in-house backups of cloud data.
- Account or Service Traffic Hijacking: This threat involves gaining unauthorized access to a user account or service, such as stealing a user’s password and logging into a system as that user, or exploiting a vulnerability in a service to gain access to that service. It is most often used to get access to sensitive data, and the results are usually a data breach or data loss. The solution to protect against this threat is through strong levels of authentication, as well as anti-phishing software.
- Insecure Interfaces: An insecure API can lead to compromises of both service usage and management, causing data breaches, data loss and other serious problems. To mitigate the risks of API exploitation, it is important that access to these interfaces be strictly controlled. For example, access to management APIs should be available only from authorized administrator hosts or networks. Again, strong authentication methods can reduce this security risk to the cloud.
- Denial of Service: These attacks work by consuming resources, thus preventing legitimate users from accessing those resources. An obvious mitigation for DoS attacks is to work closely with the cloud provider in planning and executing DoS mitigation strategies. For example, intrusion prevention systems can be deployed at the cloud-provider level to detect and automatically respond to significant changes in usage patterns. IT administrators should be aware, however, that major changes in usage, such as a one-day special event, can lead to blocking benign activity. Therefore, it may be wise to keep the system in monitoring mode so that IT teams can review a detected threat and act accordingly.
- Malicious Insiders: Malicious insiders are authorized personnel — users and administrators — who intentionally violate organizational policy for personal reasons, such as financial gain or revenge. Access to all sensitive data in the cloud should be strictly limited to only those personnel who absolutely need to have access, and all operations involving this data should be logged and audited. This is where IAM may be particularly useful, as it makes it easier to open and close access during offboarding processes. Encryption and DLP technologies can also help reduce the risk posed by malicious insiders.
- Abuse of Cloud Services: Organizations that are considering the adoption of cloud technologies must fully understand the risks inherent in this step. An enterprise that does not effectively secure its cloud deployment to address the numerous cloud threats faces a significantly increased risk of compromise. There are significant differences in the threats faced by standard data center deployments and cloud deployments, and IT managers must address these differences when migrating data and services to cloud architectures. Otherwise, the confidentiality, integrity and availability of the organization’s data and services may all be put in jeopardy.
- Insufficient Due Diligence: An enterprise that does not effectively secure its cloud deployment to address the numerous cloud threats faces a significantly increased risk of compromise. Organizations also must have a better understanding of cloud-centric risks and must perform full-fledged risk assessments before and after performing cloud migrations.
- Shared Technology Vulnerabilities: Vulnerabilities within the cloud infrastructure itself, such as hypervisor weaknesses or an application or service shared by cloud users from different organizations, also represent a threat. Cloud customers can do little to mitigate these threats other than to choose the appropriate cloud model (public, private or hybrid) when migrating data and services to the cloud. Organizations can also ensure that their contracts with cloud providers include requirements for how quickly the cloud provider will apply hypervisor patches and other updates to the cloud infrastructure to deal with severe vulnerabilities that could be exploited.
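The "Insecure Interfaces" item above recommends that management APIs be reachable only from authorized administrator hosts or networks. The following sketch of that check is an added example, not taken from the CDW paper; the network ranges are constructed from documentation address space and the `/mgmt/` path prefix is a hypothetical stand-in for a management API. It denies malformed addresses and normalizes IPv4-mapped IPv6 addresses so an allowed IPv4 host is treated consistently however the address is presented.

```python
import ipaddress

# Constructed allowlist using documentation ranges (RFC 5737 / RFC 3849).
ADMIN_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("192.0.2.0/28", "198.51.100.7/32", "2001:db8:ad::/64")
]

MGMT_PREFIX = "/mgmt/"  # hypothetical path prefix for management endpoints


def is_admin_source(addr, networks=ADMIN_NETWORKS):
    """True only if addr parses and falls inside an authorized admin network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed input is denied, never passed through
    # Dual-stack listeners may report IPv4 peers as ::ffff:a.b.c.d.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return any(ip.version == net.version and ip in net for net in networks)


def decide(path, source_addr):
    """Return an HTTP status: 403 for management paths from other sources."""
    if path.startswith(MGMT_PREFIX) and not is_admin_source(source_addr):
        return 403
    return 200


if __name__ == "__main__":
    for path, src in [
        ("/mgmt/users", "192.0.2.10"),         # inside the admin /28
        ("/mgmt/users", "::ffff:192.0.2.10"),  # same host, IPv4-mapped form
        ("/mgmt/users", "203.0.113.9"),        # outside every admin network
        ("/courses", "203.0.113.9"),           # not a management path
    ]:
        print(path, src, decide(path, src))
```

The source address must be the peer address seen by the service itself or set by a trusted proxy; a client-supplied header is not a reliable input to this check.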