Colleges and universities across the country have embraced the cloud in a way that few other fields have. From student facing applications that streamline the admissions and registration process to the petabytes of cloud-based data that fuel the groundbreaking research that is the lifeblood of many institutions. And from all indicators even with the advanced adoption rates, we’re just at the beginning of the cloud revolution for educational institutions.
As Lauren Burnell, who heads up US Public Sector Cloud Alliances at FireEye, explained in a recent webinar, the ubiquity of the cloud in higher education is a great opportunity to build more data-driven and student-focused institutions. We all use cloud day in and day out in our personal lives and colleges and universities are looking to reap the benefits,” she shared during the conversation. But, as she readily acknowledged, just as the cloud is ubiquitous, so are the threats from hackers looking to exploit the vast amount of data educational institutions are looking to move to the cloud.
What concerns Burnell is that with “fewer than a third of organizations [having] a documented cloud security strategy,” the likelihood of assets stored in the cloud being compromised is too high for most educational institutions’ risk appetite. So, as organizations plan their move to the cloud, or refine their strategy, they must develop a security strategy to protect cloud-based apps and assets.
By starting with a background on security threats to cloud-based apps and assets and sharing insights on recent threat trends, Burnell laid the foundations for an in-depth exploration of how educational institutions can develop a comprehensive cloud security strategy and shared best practices for managing risk.
For Burnell the foundation of a cloud security strategy is understanding the current threat. Based on FireEye threat intelligence and incident response engagements, Burnell shared that the greatest threat to an organization’s cloud is to its users, not infrastructure. “Many public cloud compromises occur without any cloud hacking at all – there is no direct compromise of the cloud infrastructure” she said, highlighting that credential theft is attackers’ tool of choice. “The best first defense you can have for your cloud is strong email security,” she concluded.
But risks from email are just the tip of the iceberg when it comes to cloud threats. Burnell provided in-depth analysis of the risks that come with a hybrid cloud strategy, from cloud services hacking to shared security with cloud service providers. A common gap she sees in cloud security strategies stems from assuming that the cloud provider has all the necessary security controls in place to protect the assets the organization has put in the cloud. “A lack of understanding here is leading to a lot of challenges organizations are having with cloud security,” Burnell said as she walked through the shared responsibility model.
Despite what might seem like a gloomy outlook Burnell assured the participants that with a robust cybersecurity strategy and team threats can be managed and mitigated effectively. She urged colleges and universities to take the first step by developing a clear understanding of the risk environment and potential threats based on what assets they are moving to the cloud. Any institution that takes the time to map out a goal-oriented cyber plan, educate themselves on threat trends, and be proactive in monitoring can have an easy transition to the cloud. “The important thing is that your organization has clearly defined goals for your cloud efforts, and that your cloud security strategy supports those end state objectives,” said Burnell.
To hear more from Burnell on cloud security and strategy, listen to the webinar here.