Why your next gen firewall is not sufficient to protect data stored in Google Workspace and Microsoft 365
Firewalls have been around for decades now, and IT teams are very familiar with working with them to protect against cyber-attacks that target network entry points. The introduction of next-generation firewalls, or next gen firewalls (NGFWs), offers additional entry point protection. While the next gen firewall incorporates additional filtering functionalities, such as an application firewall, it still cannot protect data stored in cloud apps like Google Workspace and Microsoft 365.
Unfortunately, many IT leaders in K-12, as well as other industries, think that it can. The problem with that misperception is that with the proliferation of cloud apps, there is no network perimeter in the cloud. Firewalls were never designed to protect organizations in today’s environment where there is a large amount of data to manage and many user access entry points. Next gen firewalls take it a step closer, but are still only looking to filter traffic—or access to—cloud application environments. Cloud security is the real, modern solution to today’s modern data security challenges.
What is a Next Gen Firewall?
According to Gartner, next gen firewalls add inspecting and blocking application traffic to the traditional firewall capability of inspecting and blocking ports. As a result, there is a significant difference between traditional firewalls and the more advanced next gen firewalls.
Next gen firewalls can filter packets at an application level. They use analysis and signature matching to identify applications. Just like a traditional firewall, a next gen firewall uses static and dynamic packet filtering along with VPN support. As a result, the firewall can confirm that the network, internet, and firewall connections are all secure.
Another important difference is that, unlike traditional firewalls, next gen firewalls can block malware before it enters the network. They are also more effective in addressing Advanced Persistent Threats.
With these advanced capabilities, a next gen firewall can protect devices from a much more extensive list of disruptions.
What is Cloud Security?
Cloud security takes a different approach from next gen firewalls, one that is required to protect cloud applications. Instead of a focus on protecting network entry points, cloud security focuses on protecting data from any user behavior that would result in theft, unauthorized access to and distribution, or deletion of data—either malicious or unintentional.
While firewalls work to control activity coming into a network, cloud security uses a model called zero trust security to protect data. This concept acknowledges the reality that districts can no longer trust any activity inside or outside their networks.
For example, traditional cybersecurity software would automatically trust emails sent within a domain, that is, from within the network. Today, a hacker can take control of an employee’s inbox, often using an OAuth connection between your systems and an EdTech app. Once that control is established, the hacker can send lateral phishing emails directly from an employee’s email – from inside the network.
You can see how security that protects entry points would be useless against today’s type of cyber-attacks. The right kind of cloud security overcomes those issues.
What Does Cloud Security Do?
It’s important to consider the cloud application security architecture when you’re choosing cloud security software. Cloud-native architecture gives you the advantage of applications that are created and deployed in the cloud. The benefits include:
- Redundancy that helps ensure that your cloud security is better able to avoid outages
- Resilience that is achieved by the platform vendor’s expert support team who are dedicated to resolving outages quickly
- Scalability that is easy due to the ability of the application to handle increased workload demand within its existing infrastructure
- Automated updates that keep cloud applications consistently updated and avoid problems that result when bugs aren’t fixed and security vulnerabilities aren’t patched
Cloud security platforms monitor a range of K-12 cloud risks beyond login access to your network. For example, they can identify possible account takeovers based on IPs and the location of the login. They can also identify lateral phishing and internal or external data exposure that is accidental or malicious.
A cloud security audit will help you control Google Workspace and Microsoft 365 operations. The data stored in these applications lives outside your district network, making firewalls, even a next gen firewall, ineffective. An audit will help your IT team spot security vulnerabilities in your cloud environment and take action to keep your school, employee, and student data private.
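One way to implement the IP-and-location check for possible account takeovers described above, as an added example that is not from the original article or from any vendor's product. The event fields, the speed and distance thresholds, and the sample accounts are assumptions, and the coordinates stand in for an IP-geolocation lookup done upstream.

```python
import math
from datetime import datetime

# Constructed sample login events (not real data): user, time, IP, lat, lon.
# Coordinates are assumed to come from an upstream IP-geolocation lookup.
EVENTS = [
    ("teacher1@district.example", "2024-03-04T08:01:00", "192.0.2.10", 41.88, -87.63),   # Chicago
    ("teacher1@district.example", "2024-03-04T08:47:00", "203.0.113.77", 52.52, 13.40),  # Berlin
    ("student7@district.example", "2024-03-04T09:00:00", "192.0.2.23", 41.88, -87.63),   # Chicago
    ("student7@district.example", "2024-03-04T15:30:00", "198.51.100.5", 41.60, -93.61), # Des Moines
]

MAX_KMH = 900.0  # assumed threshold: roughly airliner cruising speed
MIN_KM = 50.0    # assumed floor: ignore small jumps caused by geolocation error


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return (user, prev_ip, new_ip, km, kmh) for consecutive logins by the
    same user whose locations imply travel faster than max_kmh."""
    alerts, last = [], {}
    for user, ts, ip, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if user in last:
            p_when, p_ip, p_lat, p_lon = last[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600
            # Zero elapsed time between distant locations counts as impossible.
            kmh = km / hours if hours > 0 else float("inf")
            if ip != p_ip and km > min_km and kmh > max_kmh:
                alerts.append((user, p_ip, ip, round(km), round(kmh)))
        last[user] = (when, ip, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print(alert)
```

Logins through a VPN or a cloud proxy can trip this check, so an alert is a prompt to review the account's recent activity rather than proof of compromise.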
Think Beyond the Firewall: Why Your District Needs Cloud Security
If your school district is using Google Workspace and/or Microsoft 365 applications to store data, communicate, and collaborate, you need to incorporate cloud security into your cybersecurity infrastructure. Simply using a next gen firewall and content filtering is not enough to protect staff and student data privacy.
Both Google and Microsoft do an excellent job of securing their infrastructure. However, it’s your responsibility to secure the data that you store in Google and Microsoft applications from unauthorized access and improper use.
Google Cloud Security Issues
Google’s infrastructure for applications like Google Workspace is among the best, if not the best, in terms of security and compliance. But there are still Google cloud security issues that district IT teams using Google for Education need to be aware of and able to monitor and control. Google apps security covers a range of issues from encrypting data in transit and at rest to 2-step verification.
It’s your responsibility to follow best practices for Google cloud security to ensure that you protect your data within the application. Here are some examples:
- Establish an effective Google Cloud organizational structure that organizes units and hierarchy to control access
- Establish security policies such as requiring 2-step verification, and encouraging single sign-on to make the system easier to manage and protect
- Adopt a zero trust security model using a cloud security platform, which incorporates critical Google data loss prevention best practices
- Conduct regular security monitoring and audits
Microsoft Cloud Security Issues
Using Microsoft offers school districts, faculty, and students many advantages. But there are three main Microsoft cloud security issues that K-12 IT leaders need to address.
- Account takeover protection isn’t as strong as it needs to be because Microsoft’s native cloud security can’t detect compromised accounts reliably. Strong cloud security is required to offset this weakness.
- Microsoft’s data loss prevention doesn’t offer workflow options or detect policy violations in scanned documents, images or files other than Microsoft files. Using a cloud security platform that incorporates cloud data loss prevention methods provides the needed functionality.
- Microsoft’s core security tools don’t secure non-Microsoft SaaS applications. With the explosion of EdTech SaaS offerings, districts must take steps to secure them.
Cloud security is an important part of your district’s cybersecurity infrastructure. It serves a critical role in securing sensitive data in Google and Microsoft 365. Because there is no network perimeter in the cloud, firewalls and next gen firewalls cannot protect sensitive district data stored in cloud applications. School districts must address the issues that technologies like a next gen firewall can’t.