K-12 schools are on the move, at least their data and apps are moving. in Latest CDW report On the cloud, 94% of The survey included technology leaders in schools They report moving at least 10% of their applications to the cloud so they can enjoy cost savings, scalability, reliability, speed, and even improved security.
However, although many reported improved security in the cloud, 42% of school survey respondents say the main reason they keep some applications on-premises is due to security concerns.
As schools gain a better understanding of how to evaluate cloud partners, navigate the shared responsibility model, acquire the right tools and put best practices and procedures in place, they can improve their capabilities Cloud security Position and reduce the risks of cyber attacks. Here's how to secure your cloud resources.
Click on the logo Below to read CDW's 2024 Cloud Computing Research Report.
Schools should vet their vendors before committing to the cloud
A comprehensive approach to securing your cloud starts before you begin the migration process. You have to Assess the risks of your cloud partner First, before signing the contract.
“It's really important to know what security your vendor provides,” says David Wu, chief revenue officer at cybersecurity firm K–12. Managed methods. “Most schools do not have the skills or staff to oversee their own cloud security responsibilities. You will be relying on them a lot for security support.”
A vendor risk assessment should include asking vendors to describe their security responsibilities and provide clear supporting documentation. Potential sellers need to answer the following basic questions:
Will they provide data encryption?
Do you comply with federal laws protecting student health information and data privacy?
Where will school data be stored?
Do they have an incident response system?
Is there access control for the cloud system and repository?
Is there a process for retaining and deleting data?
“If the seller can't pass your evaluation, seek remediation,” suggests Phil Santiago, director of technology and administrative services at West Orange (NJ) Public Schools And the president New Jersey Education and Technology Association. “Make the process part of an ongoing conversation with the vendor. Their practices change over time. When you provide your evaluation critique, be clear about your needs related to national and international cybersecurity frameworks.”
It is recommended that sellers follow either National Institute of Standards and Technology's Cybersecurity Framework Or the International Standards Organization ISO 27001 and 27002 Frameworks.
Dig deeper: Why more K-12 schools believe the cloud has better security?
Schools must understand their role in cloud security
In the context of the cloud, shared responsibility refers to a framework that defines security responsibilities between a cloud provider and its customer. It is generally understood that the provider will be responsible for Secure the cloud itselfAnd the physical infrastructure and network supporting it. The customer is responsible for securing everything within the cloud, including its data, applications, and access to these resources.
“A lot of schools misunderstand this, but they are responsible for their employees’ interactions with their data in the cloud,” says Wu. “There are a lot of attacks, like the 2023 attack SingularityMD attack on the Clark County School District in Nevada, Follow the wrong configurations. Cloud customers are responsible for managing their own configurations.
“Regions are responsible for securing data, applications and permissions within the cloud,” agrees Santiago. “They need to know how to set up configurations so they align with best practices. Cloud Partners It is a great source of training and ongoing support to help schools secure their configurations.
Faster patching and stricter file sharing rules are key
In addition to addressing misconfigurations, schools should be a top priority Patching Within their cloud workloads. New vulnerabilities in software and systems come to light all the time.
“It's really important to patch timely and regularly,” says Tony Dots, CISO. Community High School District 99 In Downers Grove, Illinois.
Vulnerability scanning identifies areas of risk among your resources in the cloud so you can patch them. Cloud providers offer tools to help with this process, e.g Google's Security command center. Schools can also use resources such as Defensibles Cloud Security or backstageTruRisk identifies debugging needs and then prioritizes them.
Learn more: Managed patching as a service strengthens a school's cybersecurity posture.
Another way schools can tighten access to cloud resources is to create and enforce trust rules. Schools need to have policies in place to control who has access to shared resources. These policies can be structured to apply to individuals, groups, departments, or areas. Schools should restrict file sharing outside the school district and even turn off these permissions if they are not needed.
Modern identity management tools are essential for cloud security
In addition to fixing vulnerabilities in systems and software that an attacker could exploit, schools with assets in the cloud also need to be wary of them. Phishing attacks And other malicious activities that can be leveraged to hijack user identities.
18%
Percentage of K-12 cloud survey participants who ranked data breaches as the biggest threat to cloud security
Source: CDW, CDW 2024 Cloud Computing Research Report, October 2024
Identity and access management Tools are necessary to control user access to cloud resources. IAM tools manage how identities and roles are created and defined. Not only does it provide an easy way to add, remove, and update individuals in the network, it also provides centralized control over who can access resources based on user role.
“IAM controls user access throughout the system,” Santiago explains. “Doing this manually may introduce errors, which can increase risk. IAM automates this process for you.
Access control should be done at the user account level as well, through authentication.
“Multi-factor authentication “It's a key tool for verifying a user's identity,” Dots says. “If your password is compromised, MFA provides an additional layer of security to protect you.”
Dig deeper: Identity management makes schools less vulnerable to cybercrime.
If the cloud recedes, schools need a plan to continue operations
Schools can have a clear understanding of the role of vendors in security – and do everything right themselves to secure their systems and users – and still face risks in the cloud. Sometimes vendors' systems crash. Strong presence Business continuity plan It is key to keeping your school running in the event of loss of access.
“We make regular backups of our data,” Santiago explains. “To avoid the problem of a single point of failure, we take a consolidated approach to our data and spread it across multiple vendors. This can significantly reduce risk.”
