The migration of database and application infrastructure to the cloud is now taking center stage for both private and public sectors as organizations seek to reduce the cost and risk of operating their own data centers. According to Forbes, 83 percent of enterprise workloads will be in the cloud by 2020, and higher education isn’t far behind. A survey conducted by MeriTalk found that 60 percent of higher education institutions are integrating cloud computing into their IT strategies.
As adoption grows, higher education institutions must address industry-wide security concerns to fully embrace the cloud and its key benefits. For example, data privacy regulations, such as FERPA, dictate how electronic student records are stored and protected. Before any cloud migration takes place or cloud-based apps are integrated into the IT landscape, leaders should decide which service and deployment models make the most sense for the institution and determine the additional steps they will take to protect sensitive data.
Selecting a Secure Cloud Delivery Model
How an institution plans to use the cloud and the level of security needed based on the types of data stored will help IT and security leaders determine which cloud deployment model to select. The NIST designates the main cloud service delivery models as private, community, public and hybrid.
In a private cloud environment, cloud infrastructure is used exclusively by a single organization. Private cloud is a good option for institutions needing the highest levels of control and security for their data with the ability to pay a premium for it. Community clouds offer a specific community or consortium exclusive use of cloud infrastructure based on shared concerns and requirements. This model is useful for sharing certain data, perhaps among researchers.
Public cloud infrastructure is provisioned for open use and any entity can purchase capacity. In the public cloud, you pay much less and bear no responsibility for the operation and maintenance of the equipment. Lastly, a hybrid cloud delivers a combination of cloud infrastructures where each one remains distinct but enables data and application portability among them. Here, some data and applications may be in the cloud while others remain on-premise. This model offers the maximum level of control over your data while still gaining the flexibility of the cloud.
Beyond evaluating models for hosting cloud infrastructure, it’s important to identify how a campus’s higher ed application providers are hosting their own cloud-based applications so proper security protocols are aligned with the institution’s security requirements.
Balancing control and security in the cloud
The decision of which service model to select also depends
on the lines of responsibility or extent of influence – and level of security –
you want over the underlying cloud infrastructure. In order of most to least influence,
these models are:
1) Infrastructure as a Service (IaaS), where the institution can provision processing, storage, networks and other fundamental computing resources on the cloud infrastructure, and then run software, such as operating systems and applications;
2) Platform as a Service (PaaS), where the institution can deploy their own or third-party applications onto the cloud infrastructure, but it cannot manage the underlying cloud infrastructure including network, servers, operating systems or storage;
3) Software as a Service (SaaS), where the institution can use a solution provider’s applications running in the cloud with no management of the underlying infrastructure; and
4) Serverless, which have abstracted the application to only the resources needed to support the bits. This model focuses on only requiring the code-logic-integration needed with a micro-billing or utility model billing. This is a native cloud provider feature and while powerful and less to maintain, it is fair to note that this will tie you to the cloud provider.
Figure 1.1 illustrates how these responsibilities play out in reference to the above strategies.
Protecting your data in the cloud
No doubt, many colleges and universities already have security practices, policies and procedures in place for an on-premise or off-site data center. Fundamental practices shouldn’t change simply because an application is running in the cloud. The CIA Triad – confidentiality, integrity and availability – should always apply, no matter where data is stored. However, institutions should consider these additional security measures:
Encryption – As attackers find increasingly innovative ways to compromise systems, it’s imperative to protect sensitive data both in transit and at rest. Your institution’s SaaS vendors should be encrypting data, and your internal IT team will need to ensure encryption if using IaaS or PaaS models.
Lines of responsibility – Does your IT and security team understand which aspects of your cloud infrastructure you’re responsible for, versus the areas that fall to the cloud platform vendor, such as Microsoft or Amazon Web Services? Depending on the service model, you may have more or less responsibility for your cloud instances. SaaS applications give you the least amount of influence over things like maintenance windows, scheduled upgrades and the overall security model.
Role-based permissions – An important aspect of CIA is limiting access to sensitive data to only those who need it. Role-based permissions act as a guardrail around sensitive data, so you’ll want to implement levels of permission that protect data without impeding appropriate access.
Privacy by design – Data privacy regulations like GDPR require organizations, including higher ed institutions, to build security practices right into their application code from the outset, rather than as an afterthought. Today’s shift to a DevOps culture, where application developers and database administrators work in integrated cycles, also facilitates privacy by design.
Safe coding practices – In addition to privacy by design, colleges and universities need to ensure that their developers are following safe coding practices and avoiding risks, such as those in the OWASP Top 10 list of the most critical security risks to web applications.
Smart AI for security – Artificial intelligence (AI) can be applied to identify and address security risks within institutions. By giving AI parameters for standard configurations around cloud security, AI can alert a university’s IT team to security anomalies as well as recommend security policy updates based on learnings over time.
Security-minded culture – Users are an organization’s greatest security risk. It only takes one irresponsible click on a phishing email to bring down an entire network or expose sensitive data to exfiltration. Security awareness training and repeated practice through simulation are proven to be effective in reinforcing individual responsibility for organizational security.
Despite pressures to utilize cloud to operate more efficiently and reduce overall tech spend on campus, utilizing cloud technology shouldn’t be rushed and must include a thorough assessment of organization needs. With a comprehensive set of considerations in mind, institutions can ensure their cloud platform and application vendors meet the best-of-breed security standards for protecting student data and ensuring ongoing security compliance.
Greg Leonardo serves as Cloud Architect at Campus Management