These cloud security myths are impacting your ability to protect your district from cyber threats
At this point, it is widely accepted that school information technology systems are a prime target for cybercriminals. This is because schools are underfunded, technology teams are beyond overwhelmed, and the cybersecurity technology and expertise needed to secure data are lagging. At the same time, student information is considered pure gold for identity thieves and ransomware operators.
K12 SIX’s often-cited report, The State of K-12 Cybersecurity: 2020 Year in Review, provides the hard data to support the call for legislative action to do something about it. According to the report, 2020 represented yet another increase in cyber attacks impacting districts. The rash of ransomware attacks and other data security incidents we’ve seen in the news is an indication that 2021 will continue this unfortunate trend.
Google, Microsoft, and other cloud-based applications are now an integral part of learning and administration in K-12. And yet, the cloud continues to be overlooked in K-12 cybersecurity.
Here, we’re going to look at how cloud security myths are part of the increase in incidents. In short, districts are increasing their use of cloud-based applications like Google Workspace and Microsoft 365 without adequately securing the data in them.
Based on hundreds of conversations we’ve had with administration and tech leaders, the primary reason why cloud data isn’t being secured is simple: You don’t know what you don’t know.
Myth #1: Cloud Service Providers Are Responsible For Securing Your Data
FACT: You are in a “shared responsibility model” with your service provider when it comes to securing your data, and much of the responsibility is on you.
This is one of the more problematic cloud security myths because it convinces district leaders that their data is secure, and they don’t need to address cloud security in any other way. Unfortunately, that couldn’t be farther from the truth.
This myth persists because there isn’t a clear understanding of who is responsible for what when it comes to the cloud. Providers, like Google and Microsoft, operate under a “shared-responsibility” model.
A shared-responsibility model is a service model that splits responsibility between the vendor and its users. The format of the definitions will vary among suppliers, but here’s a summary of what you need to know about that split.
- The Provider is responsible for protecting the hardware infrastructure you use against any disaster, whether caused by faulty equipment or a cyberattack. You may have seen memes and T-shirts out there that read something like: “There is no cloud. It’s just someone else’s computers.” The provider is responsible for securing their computers and the transferral of data between their computers and yours.
- The User is responsible for protecting the data stored in the application service against accidental deletion, unauthorized distribution, and cyberattacks.
While some providers provide decent security and data governance admin tools, they can be challenging to use and siloed if you’re using more than one brand. Further, you’re responsible for making sure settings are correctly configured, investigating possible incidents, and remediating data breaches—not the provider.
Myth #2: Securing Your Network Is All The Cybersecurity You Need
FACT: Data stored in your Google and/or Microsoft cloud apps are “outside” of your perimeter, and network security technology doesn’t secure it.
It isn’t a surprise that such a large group of people believe cloud security myths like the one about network security. Given the speed with which technology is changing, it wasn’t so long ago that network security was all you needed.
If you’re like the 99% of districts that have moved most of your data to Google or Microsoft 365, your perimeter is dead. As a result, you need to transition from protecting your network to safeguard the data you have stored, regardless of its location. This is generally referred to as zero trust security and is cybersecurity experts’ preferred methodology across all industries.
For example, firewalls have long been in use for a long time to protect network entry points. This is still a great protection layer. But, the sheer number of entry points to your network has exploded in recent years. Much of that growth can be attributed to cloud computing and IoT. You’re not just looking at entry points from your staff, servers, and maybe a handful of teachers. Today, basically everyone in your district accesses data systems—primarily via cloud apps. Students with Chromebooks and iPads, teachers, staff, and contractors. Plus anyone who uses their personal computers and/or devices. Then you have your servers, security cameras, classroom smart tech, point-of-sales (yes, POS in schools are critical as this school district suddenly realized when they were hit with a ransomware attack). Then you have all your access points from vendors and software providers…and the list goes on.
Don’t get me wrong; you still need a firewall and network-level intrusion security and detection. But, today, you need a multilayered cybersecurity tech stack that goes beyond the network and focuses on securing your actual data, not just your perimeter.
Myth #3: Content Filtering Is Cybersecurity
FACT: This E-Rate compliance check doesn’t seriously even begin to touch what is needed to comply with FERPA, CIPA, and a litany of state-level data protection laws.
A pervasive—and baffling—cloud security myth that we hear from district leaders often is that web content filters are cybersecurity tools.
When Congress passed the Children’s Internet Protection Act (CIPA) in 2000, it made web content filtering a legal requirement for schools. And schools that want to take advantage of the E-Rate program are required to have web content filters.
Filters are helpful for one thing: blocking inappropriate content before it reaches a student’s monitor. That is helpful to prevent students from being exposed to many pieces of content or images that would be disturbing. However, it doesn’t protect data. Its primary purpose is to manage cyber safety in schools by preventing students from viewing harmful content.
It can be argued that content filters help block students (and teachers and staff) from visiting phishing websites that can cause cybersecurity problems. This is true, but it’s also a very narrow data security use case.
In addition, most content filters can’t monitor school-provided technology, such as a Google Doc. Students are very creative when using those Docs for cyberbullying, discussing self-harm, threatening violence, and sharing explicit images and videos. A lot of inappropriate content is beyond the reach of a content filter—and, I can assure you, it’s sitting in your schools’ shared drives.
It would help if you had both content filtering and cloud security tools to protect students, secure data, and comply with state and federal regulations.
Cloud security tools allow you to:
- Comply with FERPA and COPPA
- Monitor activity inside cloud apps like Google Workspace and Microsoft 365
- Protect against cyberthreats such as phishing, ransomware, account takeovers, data breaches, and more
- Limit the dissemination of confidential information
- Protect students and staff from sharing or viewing explicit content, even by accident
- Respond to reports of unauthorized activity
How to Handle Cloud Security Myths
As one smart Director of Technology Services recently put it, “Ignorance can’t be a security policy…”
You may be tempted to let these cloud security myths persist. But that isn’t going to protect your students, faculty, and staff from the many harms of a data breach. Ignoring these facts will continue to leave your district vulnerable to:
- Cyberattacks that can disrupt learning and cost the district time and money
- Safety and privacy issues with students, faculty, and staff
- Budgets that aren’t structured to provide the cybersecurity tools that are desperately needed
As the saying goes, “seeing is believing.” Dispelling these and other cloud security myths in your district is perhaps most effectively done by seeing the risks in your domains. That is why we’re offering districts a free cloud content and behavior security audit. Believe me, when you activate your free audit, you won’t believe the things you find…