Need to secure cloud access in your school district, but not sure where to start?
Cloud access security is a term that may not be familiar to everyone. Securing cloud access deals with access control and threat detection in cloud applications such as Google Workspace and Microsoft 365. School technology managers secure cloud access in two basic cases:
- Access from your local network to authorized or unauthorized cloud services (i.e. cloud apps). This would include access to cloud apps like Gmail, shared drives, etc. It also refers to access to unauthorized apps (sometimes referred to as “shadow” technology). Many school technology leaders are very familiar with the use of unauthorized apps. There are a TON of EdTech apps used by teachers, students, and staff, often without data security and compliance vetting.
- Access from anywhere to your district’s cloud resources. The beauty of cloud computing is that your users can access resources, collaborate with each other, and more from any physical location. This was particularly helpful for students to do homework, teachers to work on lessons and grading, and more even before the pandemic forced schools into remote learning. But this more open access also creates cloud security risks.
What Does It Mean To Secure Cloud Access?
Cloud access security covers issues such as risk assessment, policy violations, shadow cloud applications, and account misuse. Unlike a firewall, cloud access security concerns itself with application-specific policies and the actions of apparently legitimate users to protect your data (not just your network perimeter). It is a critical part of building a zero-trust cybersecurity strategy.
This difference is important. When your district moved to the cloud for services like email, file sharing, meeting, learning management, and financial databases, those cloud services need to be secured within the app itself, not just on entry and exit.
Further, weaknesses in security are not limited to malware, phishing, and other types of external malicious threats. Incidents also include risky use of accounts, improper data sharing permissions, malicious mobile apps, and more. These types of activities will not be caught with traditional firewalls alone.
How To Secure Access To Your District’s Cloud Apps
An appliance or software service that manages cloud access security is commonly called a cloud access security broker or CASB. This term covers a variety of approaches.
A traditional CASB uses a proxy or agent that stands between the users and the services. In most cases, it’s a forward proxy, residing on the edge of the local network. All requests that originate locally will pass through the proxy, it can then catch access to unauthorized services (shadow cloud IT), but not access to services from outside the local network.
Deployed as a reverse proxy, a CASB sits in front of one or more cloud services. All access to cloud accounts and resources which use the proxy go through the CASB.
Cloud application security is a newer approach to the analyst-coined term CASB that has many advantages. Cloud application security uses the API of SaaS applications, rather than an agent or proxy. This approach offers several benefits:
- Greater speed for set up and efficiency
- No impact on network performance or end-user experience
- Less disruption when SaaS applications change
- More precise visibility and control
- Complete coverage, protecting access to cloud applications from anywhere on the Internet, on any device
CASB terminology is unsettled, it is often used for all these methods. Here, we’ll use CASB for proxy-based technology, as distinguished from API-based cloud access (or application) security. The API-based approach doesn’t sit between the user and the application, but rather is integrated into the application. So, it isn’t really a “broker.”
Benefits Of Cloud Access Security
Using a cloud access security solution provides a number of benefits:
- User Monitoring & Compliance: Monitoring users will catch deviations from normal behavior, such as logging in from a different place or at an unusual time, a jump in data usage, or a qualitative change in account usage. Such shifts may indicate a hijacked account or an insider threat.
- Data Loss Prevention: If sensitive data is being exported in an unusual way, that may be a sign of data theft. A cloud application security solution will report anomalies so that administrators can take a closer look. It will also catch unintentional data leaks, such as an employee accidentally sharing a file containing credit card numbers with users who shouldn’t be able to access it.
- Malware & Threat Protection: Malware and phishing schemes are evolving with a trend toward cloud computing. These threats now go beyond infected email links to include malicious cloud/mobile applications and file sharing. Cloud security tools will detect and quarantine all types of malware in the cloud environment, which a firewall or gateway would never be able to detect.
Whether you decide to use a proxy-based CASB or an API-based cloud security solution to secure cloud access for your school district largely depends on your technical requirements. The most important takeaway here is that, if your district is using cloud applications (like Google Workspace or Microsoft 365) and you’re not securing them with a cloud access security solution, your information is vulnerable.