Cloud

4 Ways to Keep Sensitive Data from Escaping to the Public Cloud

Strategic monitoring of employees’ use of cloud services adds a layer of security for higher education campuses.

Mike Chapple is a teaching professor of IT, analytics and operations at the University of Notre Dame.

Think about how many cloud services you use every day. Chances are that it’s a mixture of services managed by your employer and others that you’ve chosen to use in your personal life.

As an IT professional, you might carefully manage the separation between those worlds, but it’s easy for non-IT users to accidentally spread information from their work life into their personal cloud services. When this happens without IT staff being aware of it, the institution is at risk of exposure to loss, theft or public disclosure of sensitive information.

Let’s look at four ways to manage faculty and staff use of cloud services to detect data leaks and repatriate improperly exposed data.

1. Leverage Google Alerts for Accidental Exposures

Some of the most embarrassing and damaging exposures of sensitive information occur when employees accidentally publish it online. In 2017, the educational data warehousing firm Schoolzilla misconfigured an Amazon Web Services storage bucket to allow public access. This simple mistake led to the exposure of educational records covering more than 1.3 million students.

Administrators can establish strategic Google Alerts to watch for the presence of sensitive information. For example, a search for “+site: yourschool.edu +SSN” could provide an early warning of places where users have accidentally exposed Social Security numbers to search engines.

2. Audit Cloud Permissions for Approved Cloud Services on Campus

When you do allow employees to use approved cloud services, be sure to audit service permissions to prevent any accidental exposure. For example, a faculty member might share student records with a counselor by uploading the files to a cloud service and then sharing them with her colleague via a shared link. If she grants permission to read the file to “anyone with the link,” the organization loses control of the information.

Administrators should conduct regular audits of cloud service permissions, paying special attention to publicly shared files and those shared with accounts outside of the college.

3. Cloud Access Security Broker Solutions Save Time for IT

Managing cloud service use and permissions is a time-consuming task that can quickly overburden IT staff. Cloud access security brokers alleviate some of this difficulty by providing a centralized approach to cloud service management.

These software solutions monitor cloud service usage and watch for violations of the institutional security policy, from inappropriate permissions to the use of unapproved cloud services. For staff, CASBs serve as a force multiplier by automating routine cloud monitoring and policy enforcement activities.

4. Keep Data Out of the Cloud with Data Loss Prevention Tools

One surefire way to stop accidental loss of data in the cloud is to prevent that data from reaching the cloud in the first place. Data loss prevention technology monitors user activity on endpoints and the network, watching for attempts to transfer sensitive information.

For example, a DLP system might detect an instructor uploading a grade file to his personal cloud account so he can easily work on it at home. The DLP system can block this transfer before the information leaves the network. DLP systems play an important role in stopping the spread of sensitive information to the cloud. This saves administrators from a time-consuming and embarrassing cleanup effort.