The migration of database and application infrastructure to
the cloud is now taking center stage for both private and public sectors as
organizations seek to reduce the cost and risk of operating their own data
centers. According
to Forbes, 83 percent of enterprise workloads will be in the cloud by 2020,
and higher education isn’t far behind. A survey conducted by
MeriTalk found that 60 percent of higher education institutions are
integrating cloud computing into their IT strategies.
As adoption grows, higher education institutions must
address industry-wide security concerns to fully embrace the cloud and its key
benefits. For example, data privacy regulations, such as FERPA, dictate how
electronic student records are stored and protected. Before any cloud migration
takes place or cloud-based apps are integrated into the IT landscape, leaders should
decide which service and deployment models make the most sense for the
institution and determine the additional steps they will take to protect
sensitive data.
Selecting a Secure Cloud Delivery Model
How an institution plans to use the cloud and the level of
security needed based on the types of data stored will help IT and security
leaders determine which cloud deployment model to select. The NIST
designates the main cloud service delivery models as private, community, public
and hybrid.
In a private cloud environment, cloud infrastructure is used
exclusively by a single organization. Private cloud is a good option for
institutions needing the highest levels of control and security for their data with
the ability to pay a premium for it. Community clouds offer a specific
community or consortium exclusive use of cloud infrastructure based on shared
concerns and requirements. This model is useful for sharing certain data,
perhaps among researchers.
Public cloud infrastructure is provisioned for open use and
any entity can purchase capacity. In the public cloud, you pay much less and
bear no responsibility for the operation and maintenance of the equipment. Lastly,
a hybrid cloud delivers a combination of cloud infrastructures where each one
remains distinct but enables data and application portability among them. Here,
some data and applications may be in the cloud while others remain on-premise. This
model offers the maximum level of control over your data while still gaining
the flexibility of the cloud.
Beyond evaluating models for hosting cloud infrastructure,
it’s important to identify how a campus’s higher ed application providers are
hosting their own cloud-based applications so proper security protocols are
aligned with the institution’s security requirements.
Balancing control and security in the cloud
The decision of which service model to select also depends
on the lines of responsibility or extent of influence – and level of security –
you want over the underlying cloud infrastructure. In order of most to least influence,
these models are:
1) Infrastructure as a Service (IaaS), where the institution
can provision processing, storage, networks and other fundamental computing
resources on the cloud infrastructure, and then run software, such as operating
systems and applications;
2) Platform as a Service (PaaS), where the institution can
deploy their own or third-party applications onto the cloud infrastructure, but
it cannot manage the underlying cloud infrastructure including network, servers,
operating systems or storage;
3) Software as a Service (SaaS), where the institution can
use a solution provider’s applications running in the cloud with no management
of the underlying infrastructure; and
4) Serverless, which have abstracted the application to only
the resources needed to support the bits.
This model focuses on only requiring the code-logic-integration needed
with a micro-billing or utility model billing.
This is a native cloud provider feature and while powerful and less to
maintain, it is fair to note that this will tie you to the cloud provider.
Figure 1.1 illustrates how these responsibilities play out
in reference to the above strategies.
Protecting your data in the cloud
No doubt, many colleges and universities already have
security practices, policies and procedures in place for an on-premise or
off-site data center. Fundamental practices shouldn’t change simply because an
application is running in the cloud. The CIA Triad – confidentiality, integrity
and availability – should always apply, no matter where data is stored. However,
institutions should consider these additional security measures:
Encryption – As attackers find increasingly
innovative ways to compromise systems, it’s imperative to protect sensitive
data both in transit and at rest. Your institution’s SaaS vendors should be encrypting
data, and your internal IT team will need to ensure encryption if using IaaS or
PaaS models.
Lines of responsibility – Does your IT and security
team understand which aspects of your cloud infrastructure you’re responsible
for, versus the areas that fall to the cloud platform vendor, such as Microsoft
or Amazon Web Services? Depending on the service model, you may have more or
less responsibility for your cloud instances. SaaS applications give you the
least amount of influence over things like maintenance windows, scheduled
upgrades and the overall security model.
Role-based permissions – An important aspect of CIA
is limiting access to sensitive data to only those who need it. Role-based
permissions act as a guardrail around sensitive data, so you’ll want to
implement levels of permission that protect data without impeding appropriate
access.
Privacy by design – Data privacy regulations like
GDPR require organizations, including higher ed institutions, to build security
practices right into their application code from the outset, rather than as an
afterthought. Today’s shift to a DevOps culture, where application developers
and database administrators work in integrated cycles, also facilitates privacy
by design.
Safe coding practices – In addition to privacy by
design, colleges and universities need to ensure that their developers are following
safe coding practices and avoiding risks, such as those in the OWASP Top
10 list of the most critical security risks to web applications.
Smart AI for security – Artificial intelligence (AI)
can be applied to identify and address security risks within institutions. By
giving AI parameters for standard configurations around cloud security, AI can
alert a university’s IT team to security anomalies as well as recommend
security policy updates based on learnings over time.
Security-minded culture – Users are an organization’s
greatest security risk. It only takes one irresponsible click on a phishing
email to bring down an entire network or expose sensitive data to exfiltration.
Security awareness training and repeated practice through simulation are proven
to be effective in reinforcing individual responsibility for organizational
security.
Despite pressures to utilize cloud to operate more
efficiently and reduce overall tech spend on campus, utilizing cloud technology
shouldn’t be rushed and must include a thorough assessment of organization needs.
With a comprehensive set of considerations in mind, institutions can ensure their
cloud platform and application vendors meet the best-of-breed security
standards for protecting student data and ensuring ongoing security compliance.
Greg Leonardo serves as Cloud Architect at Campus Management
