K–12 schools are on the move — at least, their data and applications are. In a recent CDW report on the cloud, 94% of school technology leaders surveyed reported moving at least 10% of their applications to the cloud so they can enjoy cost savings, scalability, reliability, agility and even improved security.
However, even though many report improved security in the cloud, 42% of school survey respondents say security concerns are the main reason they keep some applications on-premises.
As schools gain a better understanding of how to assess cloud partners, navigate the shared responsibility model, acquire the right tools and put best practices and procedures in place, they can improve their cloud security posture and reduce their risk of cyberattacks. Here’s how to secure your cloud resources.
Schools Should Vet Their Vendors Before Committing to the Cloud
A thorough approach to securing your cloud starts before you even begin the migration process. You need to do a risk assessment of your cloud partner before signing a contract.
“It’s really important to know what security your vendor provides,” says David Waugh, chief revenue officer at K–12 cybersecurity firm ManagedMethods. “Most schools don’t have the skills or staff needed to oversee their cloud security responsibilities. You’re going to be relying on them a lot for security support.”
The vendor risk assessment should include asking vendors to describe their security responsibilities and provide clear, supporting documentation. Prospective vendors need to answer the following basic questions:
- Will they provide data encryption?
- Are they compliant with federal laws protecting student health information and data privacy?
- Where will they store the school’s data?
- Do they have an incident response system?
- Is there access control for the cloud system and warehouse?
- Is there a data retention and deletion process in place?
“If the vendor can’t pass your assessment, then ask for remediation,” suggests Fil Santiago, director of technology and administrative services for West Orange (N.J.) Public Schools and president of the New Jersey Education and Technology Association. “Make the process part of an ongoing conversation with the vendor. Their practices change over time. And when you provide your assessment critique, be clear about what your needs are related to national and international cybersecurity frameworks.”
He recommends that vendors follow either the National Institute of Standards and Technology’s Cybersecurity Framework or global standards organization ISO’s 27001 and 27002 frameworks.
Schools Must Understand Their Role in Cloud Security
In the context of the cloud, shared responsibility refers to a framework that outlines security responsibilities between a cloud provider and its client. It is generally understood that the provider will be responsible for securing the cloud itself, the physical infrastructure and the network supporting it. The client is responsible for securing everything within the cloud, including its data and applications and access to these resources.
“Many schools misunderstand this, but they are responsible for their people’s interactions with their data in the cloud,” says Waugh. “A lot of attacks, such as 2023’s SingularityMD attack on Clark County School District in Nevada, go after misconfigurations. Cloud customers are responsible for managing their configurations.”
“Districts are responsible for securing data, apps and permissions inside the cloud,” Santiago agrees. “They need to know how to set up configurations so they align with best practices. Cloud partners are a great resource for ongoing training and support to help schools secure their configurations.”
Quick Patching and Stricter File-Sharing Rules Are Key
In addition to addressing misconfigurations, schools need to be on top of patching inside their cloud workloads. New vulnerabilities in software and systems come to light all the time.
“It’s really important to do patching in a timely manner on a regular basis,” shares Tony Dotts, information security manager at Community High School District 99 in Downers Grove, Ill.
Vulnerability scanning identifies areas of risk among your resources in the cloud so you can patch them. Cloud providers offer tools to assist with this process, such as Google’s Security Command Center. Schools can also use resources such as Tenable’s Cloud Security or Qualys’s TruRisk that identify and then prioritize patching needs.
Another way that schools can tighten access to cloud resources is by establishing and enforcing trust rules. Schools need policies in place to control who can access shared resources. These policies can be structured to apply to individuals, groups, departments or domains. Schools should restrict file sharing outside of the school district and even turn off these permissions if they are not needed.
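The following Python example is added here for illustration and is not from the article or from any vendor's tooling. It applies trust rules of the kind described above (per-department and per-domain) to a constructed export of sharing grants; the record layout, domain names and department rules are all assumptions.

```python
from dataclasses import dataclass

# All names below are constructed for illustration, not taken from a real tenant.
DISTRICT_DOMAIN = "district.example"
TRUSTED_EXTERNAL = {"partner-coop.example"}  # explicit allowlist of outside domains
EXTERNAL_OK = {"communications"}             # departments allowed to share outside

@dataclass
class Share:
    file: str
    owner_dept: str    # department of the file owner
    grantee_type: str  # "user", "group", "domain" or "anyone"
    grantee: str       # e-mail address, domain name, or "" for "anyone"

def grantee_domain(share):
    """Domain part of the grantee, or None for a public link."""
    if share.grantee_type == "anyone":
        return None
    return share.grantee.rsplit("@", 1)[-1].lower()

def evaluate(share):
    """Return (verdict, reason) for one grant; unknown departments are denied."""
    domain = grantee_domain(share)
    if domain is None:
        return "violation", "public link"
    if domain == DISTRICT_DOMAIN:  # exact match, so look-alike suffixes fail
        return "ok", "internal"
    if share.owner_dept not in EXTERNAL_OK:
        return "violation", "department may not share outside the district"
    if domain not in TRUSTED_EXTERNAL:
        return "violation", "domain not on trusted list"
    return "ok", "trusted external domain"

def audit(shares):
    """List (file, reason) for every grant that breaks a trust rule."""
    findings = []
    for share in shares:
        verdict, reason = evaluate(share)
        if verdict == "violation":
            findings.append((share.file, reason))
    return findings

SAMPLE = [  # constructed sharing export
    Share("bus-routes.xlsx", "staff", "user", "j.doe@district.example"),
    Share("iep-notes.docx", "students", "user", "tutor@mail.example"),
    Share("newsletter.pdf", "communications", "domain", "partner-coop.example"),
    Share("press-kit.zip", "communications", "user", "pr@district.example.lookalike.test"),
    Share("roster.csv", "staff", "anyone", ""),
]
```

Comparing the full grantee domain for equality, rather than checking whether it starts with or contains the district name, is what keeps the look-alike address in the sample from passing as internal.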
Modern Identity Management Tools Are Critical to Cloud Security
In addition to fixing the holes in systems and software that an attacker can exploit, schools with assets in the cloud also need to be wary of phishing attacks and other malicious activities that can be leveraged to hijack user identities.
18%: The percentage of K–12 cloud survey respondents that ranked data breaches as the biggest threat to cloud security (Source: CDW, 2024 CDW Cloud Computing Research Report, October 2024)
Identity and access management tools are critical for controlling user access to cloud resources. IAM tools manage how identities and roles are established and defined. They not only offer an easy way to add, remove and update individuals in the network but also provide central control over who can access which resources based on the user’s role.
“IAM controls user access across the system,” explains Santiago. “Doing this manually can lead to errors, which can lead to increased risk. IAM automates this process for you.”
Access control needs to happen at the user account level as well, through authentication.
“Multifactor authentication is a key tool for verifying user identity,” says Dotts. “If a password gets compromised, MFA offers an additional layer of security to protect you.”
If the Cloud Goes Down, Schools Need a Plan to Continue Operations
Schools can have a clear understanding of their vendor’s role in security — and do everything right themselves in securing their own systems and users — and still face risk in the cloud. Vendors’ systems sometimes go down. Having a strong business continuity plan is key for keeping your school operational should you lose access.
“We do regular backups of our data,” explains Santiago. “And to avoid a single-point-of-failure problem, we take an aggregated approach to our data and spread it out across several vendors. This can greatly reduce risk.”