Jun 15 2022
Data Center

Fact or Fallacy: Is Cloud Storage Safer Than On-Premises Databases?

With cyberattacks against K–12 school districts growing, IT leaders want to know which better protects their networks — local or cloud storage.

In an attempt to minimize the impact of ransomware attacks that can irretrievably encrypt their data, some school districts are encouraging end users to move materials from the district’s local drives into cloud apps. Old-school vanguards of cybersecurity might shudder at such advice, but are these long-standing concerns still warranted?

Recent data suggests that local storage may not be as airtight as previously thought. Researchers found that more than 70 percent of organizations own public machines linked to identities with vulnerable permissions, which bad actors could exploit to launch ransomware attacks.

So, which is a better solution for K–12 networks in the event of a ransomware attack? The answer is not cut and dried. Let’s first dissect some popular beliefs about storage and separate fact from fallacy.

Fact: Neither the Cloud nor On-Premises Storage Is the Silver Bullet

Ransomware is devastating because attackers can effectively hold data hostage and force K–12 school districts to pay exorbitant sums. If these demands aren’t met, hackers could sit on that encrypted data forever, distribute it or even destroy it.

But should you pay? Probably not. In its “State of Ransomware 2021” report, Sophos reveals that organizations that paid a ransom recovered just 65 percent of their data on average — while only 8 percent got back everything they’d lost. There’s also no guarantee that attackers won’t retain copies of your data. The decryption process is often unreliable and painstakingly slow. Finally, surrendering payment is legally dubious in many cases, as that could fund further criminal activity.

Overall, no approach is perfect when dealing with ransomware; even expert opinions remain split. That’s why retaining multiple data backups (in multiple locations) is critical to surviving these common attacks. And no backup solution, local or cloud, is perfect, which means that school districts should proceed cautiously. Before doubling down on any solution, IT administrators should do a deep, holistic evaluation of their security and goals.

Fact: Schools Are Legally Mandated to Provide Strong Data Protections

School systems oversee a wide variety of personal data on students, teachers and staff. Digital systems also let students and parents access grades, assignments and other key resources such as documents, media and more. Schools must protect any private data while judiciously delegating access via authorization and authentication.

Thanks to federal regulations such as the Family Educational Rights and Privacy Act, public-facing data (which has low sensitivity) requires fewer protections than tightly controlled data (such as personally identifiable information). Schools must decide what data fits into which box and plan their storage accordingly.

Fact: Local Storage Alone Is Costly, a Hybrid Solution Might Work Best

While pure local storage may seem best, there are costs to consider. Districts must acquire and maintain their own servers and the facilities to house them. This model isn’t inherently scalable: as districts grow and as time passes, data expansion means adding capacity, which many schools can’t handle financially or physically. However, local storage is lightning-fast when performance is critical.

Alternatively, schools can choose cloud storage. A vendor manages this storage externally, lends out capacity at a cost and provides nearly limitless scalability. Students and teachers can access essential information from almost anywhere, which is increasingly vital for hybrid learning. However, admins have limited configuration options, and districts must understand their security posture within an online ecosystem.

A hybrid model might be ideal. While a document such as a syllabus could remain unprotected, students’ personally identifiable information cannot. A district can store the syllabus in the cloud (on Google Drive, for example), while keeping student records local and closer to the vest. This approach applies to all resources. Remaining organized and deliberate with your storage decisions is vital.

Fallacy: Cloud Storage Is Safer Because It’s Immune from Ransomware

Ransomware attackers often take advantage of syncing mechanisms that link local storage and cloud storage. Data in transit is exposed as it travels from origin to destination, leaving it vulnerable to man-in-the-middle attacks.

Furthermore, attackers can encrypt local files and push those changes to any cloud copies through the service’s syncing mechanism. While versioning can help, not all storage vendors share this feature.

Additionally, consider that ransomware attackers could encrypt email accounts from both Google Workspace and Office 365 in real time.

The web also opens users up to social engineering. Methods such as phishing can convince users to unknowingly share their credentials with bad actors. This theft then lets hackers access sensitive systems remotely and impersonate authorized users. From there, data lockdowns are possible.

Fallacy: IT Admins Can Better Protect Data Than Cloud Security Experts

Having control is tempting, but it often allows schools and employees to venture down paths not paved by security best practices. While schools can configure their own storage systems, single sign-on or otherwise, it’s unlikely that employees possess the knowledge or experience of tech companies that specialize in secure storage.

Companies have invested millions or even billions of dollars into securing their databases. School districts can seldom match this. While services have to maintain their service-level agreements around uptime and security, schools are in contracts with themselves, so to speak. The recognition of data security’s importance is often there. However, reduced responsibilities and the notion that “if I can touch it, I can protect it” can be falsely reassuring.

In most cases, it’s best to let your storage vendor do the heavy lifting. Follow your vendor’s recommendations and educate staff on related best practices.
