Jun 15 2022
Data Center

Fact or Fallacy: Is Cloud Storage Safer Than On-Premises Databases?

With cyberattacks against K–12 school districts growing, IT leaders want to know which better protects their networks — local or cloud storage.
Adam Bertram
by

Adam is the author of the AdamtheAutomator.com blog, and works as a Microsoft systems administrator specializing in the Microsoft System Center suite and PowerShell automation.

In an attempt to minimize the impact of ransomware attacks that can irretrievably encrypt their data, some school districts are encouraging end users to move materials from the district’s local drives into cloud apps. Old-school vanguards of cybersecurity might shudder at such advice, but are these long-standing concerns still warranted?

Recent data suggests that local storage may not be as airtight as previously thought. Researchers found that more than 70 percent of organizations own public machines linked to identities with vulnerable permissions, which bad actors could exploit to launch ransomware attacks.

So, which is a better solution for K–12 networks in the event of a ransomware attack? The answer is not cut and dried. Let’s first dissect some popular beliefs about storage and separate fact from fallacy.

Click the banner to explore resources from CDW for K–12 data security.

K–12 Security CDW K–12 Security CDW

Fact: Neither the Cloud nor On-Premises Storage Is the Silver Bullet

Ransomware is devastating because attackers can effectively hold data hostage and force K–12 school districts to pay exorbitant sums. If these demands aren’t met, hackers could sit on that encrypted data forever, distribute it or even destroy it.

But, should you pay? Probably not. In its “State of Ransomware 2021” report, Sophos reveals that organizations that paid a ransom recovered just 65 percent of their data on average — while only 8 percent got back everything they’d lost. There’s also no guarantee that attackers won’t retain copies of your data. The decryption process is often unreliable and painstakingly slow. Finally, surrendering payment is legally dubious in many cases, as that could fund further criminal activity.

Overall, no approach is perfect when dealing with ransomware; even expert opinions remain split. That’s why retaining multiple data backups (in multiple locations) is critical to surviving these common attacks. And no backup solution, local or cloud, is perfect, which means that school districts should proceed cautiously. Before doubling down on any solution, IT administrators should do a deep, holistic evaluation of their security and goals.

Fact: Schools Are Legally Mandated to Provide Strong Data Protections

School systems oversee a wide variety of personal data on students, teachers and staff. Digital systems also let students and parents access grades, assignments and other key resources such as documents, media and more. Schools must protect any private data while judiciously delegating access via authorization and authentication.

Thanks to federal regulations such as the Family Educational Rights and Privacy Act, public-facing data (which has low sensitivity) requires fewer protections than tightly controlled data (such as personally identifiable information). Schools must decide what data fits into which box and plan their storage accordingly.

DIVE DEEPER: Understand FERPA, CIPA and other student data privacy laws.

Fact: Local Storage Alone Is Costly, a Hybrid Solution Might Work Best

While pure local storage may seem best, there are costs to consider. Districts must acquire and maintain their own servers and the facilities to house them. This model isn’t inherently scalable. Data expansion means adding capacity, which many schools can’t handle financially or physically. This happens as districts grow, and as time passes. However, local storage is lightning-fast when performance is critical.

Alternatively, schools can choose cloud storage. A vendor manages this storage externally, lends out capacity at a cost and provides nearly limitless scalability. Students and teachers can access essential information from almost anywhere, which is increasingly vital for hybrid learning. However, admins have limited configuration options, and districts must understand their security posture within an online ecosystem.

Click the banner to discover how one district migrated its storage to the cloud.

K–12 Cloud Case Study K–12 Cloud Case Study

A hybrid model might be ideal. While a document such as a syllabus could remain unprotected, students’ personally identifiable information cannot. A district can store the syllabus in the cloud (on Google Drive, for example), while keeping student records local and closer to the vest. This approach applies to all resources. Remaining organized and deliberate with your storage decisions is vital.

Fallacy: Cloud Storage Is Safer Because It’s Immune from Ransomware

Ransomware attackers often take advantage of syncing mechanisms that link local storage and cloud storage. Data in transit is exposed as it travels from origin to destination, leaving it vulnerable to man-in-the-middle attacks.

Furthermore, attackers can encrypt local files and push those changes to any cloud copies through the service’s syncing mechanism. While versioning can help, not all storage vendors share this feature.

Additionally, consider that ransomware attackers could encrypt email accounts from both Google Workspace and Office 365 in real time.

The web also opens users up to social engineering. Methods such as phishing can convince users to unknowingly share their credentials with bad actors. This theft then lets hackers access sensitive systems remotely and impersonate authorized users. From there, data lockdowns are possible.

MORE ON PHISHING: How can K–12 schools push back against consent phishing threats?

Fallacy: IT Admins Can Better Protect Data Than Cloud Security Experts

Having control is tempting, but it often allows schools and employees to venture down paths not paved by security best practices. While schools can configure their own storage systems, single sign-on or otherwise, it’s unlikely that employees possess the knowledge or experience of tech companies that specialize in secure storage.

Companies have invested millions or even billions of dollars into securing their databases. School districts can seldom match this. While services have to maintain their service-level agreements around uptime and security, schools are in contracts with themselves, so to speak. The recognition of data security’s importance is often there. However, reduced responsibilities and the notion that “if I can touch it, I can protect it” can be falsely reassuring.

In most cases, it’s best to let your storage vendor do the heavy lifting. Follow your vendor’s recommendations and educate staff on related best practices.

9 Ways School Districts Can Help Protect Sensitive Data

When it comes to keeping private data safe on-premises or in the cloud, schools can benefit from myriad recommendations for data storage and security. Here are some top tips.

  1. Plan for Disaster Recovery: The best time to plan for a disaster is before it happens. In the event of an attack or outage, you will need to have a plan for how your team will store and retrieve vital information.

  2. Backups: Perform multiple local and cloud backups to ensure redundancy should outages or attackers strike. If your data is held by bad actors, you can restore your data from an unaffected source. However, note that traditional backups may be inadequate, due to recycling and the inconspicuous nature of ransomware before its detection.

  3. Versioning: Take snapshots of your data so you can restore older, unaffected versions of it. Since data is immutable, ransomware modifications can create new versions. You can discard these newer, infected copies.

  4. Signature Detection: This technology compares the digital signature of an outside program against a list of known malware and ransomware signatures, stopping any matching, malicious software from executing.

  5. Abnormal Traffic Detection: This identifies any traffic patterns that resemble ransomware; however, it can also lead to false positives.

  6. Abnormal File Behavior Detection: This detects any file behavior reminiscent of malware or ransomware.

  7. Delete Prevention: Many cloud vendors protect you from deleting key data, either purposefully or accidentally. They also retain data for a set period before it is discarded.

  8. Replicate Buckets: This permits cloud storage systems to periodically back up their contents to virtual locations of your choosing.

  9. Least-Privilege Access Strategy: Last but not least, dole out only minimal permissions to users who need to complete common tasks. Following a least-privilege access strategy can prevent privilege escalation. Credential rotation and multifactor authentication are powerful allies in the ongoing process of securing your cloud and local storage.

Valentin Ignatkin/Getty Images; ptasha

More On

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now