Steamboat Springs School District Secures Google G Suite with ManagedMethods

steamboat school district K12 cloud security customerThis regional K-12 public school district’s IT team supports the needs of over 8,000 students and 1,000 staff members

The Challenge

The Steamboat Springs school district’s IT security team encountered potential compliance and security challenges when it transitioned to Google G Suite for cloud email services, document collaboration, and sharing.

Compliance requirements mandate that the district must have systems in place to monitor for sensitive data such as FERPA, HIPAA/PHI, Individualized Education Plans, and ensure that data is not being stored or shared in a way that violates policies. In addition, the rise of 3rd- party connected applications was presenting a threat to school data due to potential phishing attacks or unauthorized access.

The district also needed to monitor for policy violations and scan documents for objectionable content (e.g., adult content and profanity) and keywords and phrases that would indicate a student is in danger (such as threats, bullying, and harassment.) When student safety is at risk, time is critical. So the IT team needed to be alerted of potential policy violations, as well as deviations from normal data access and sharing behaviors.

“ManagedMethods’ cybersecurity and safety solution provided us a level of visibility we needed to ensure the security and safety of our students and staff. The platform was quick to deploy and gave us immediate insights.”  Tim Miles, Director of Technology

The Solution

ManagedMethods offers both out-of-the-box and customizable policy monitoring features to cover the district’s compliance requirements to protect students against cyberbullying and exposure to inappropriate content. ManagedMethods detects and alerts risks, quarantines sensitive information and remediates threats before they impact student safety or compromise identity.


Join Tim Miles, Director of Technology at Steamboat Springs School District, and ManagedMethods for a free live webinar. Register today to learn how Miles and his IT team use layered security tools to manage cyber safety and security in his district’s schools


How to Secure Student Data in G Suite & Office 365

How to Secure Student Data from Common Threats in the Cloud

Student data privacy is an important, and broad, topic for school districts. It ranges from protecting student data from improper use by companies to securing personally identifiable information from accidental exposure and cyber attacks. As you know, securing student data is a challenge, especially when that data is stored in cloud apps like G Suite and Office 365. There are four main threats to your student data in the cloud.

  1. Accidental exposure
  2. Phishing and malware
  3. Account takeovers
  4. Shadow EdTech

Protecting students from manipulation and identity theft are just two reasons why student data privacy is important. Contrary to popular belief, traditional cybersecurity infrastructure that relies on a firewall—even a next gen firewall—won’t provide the security you need to secure data stored in G Suite and Office 365. And content filtering certainly isn’t doing anything to protect data stored in your district’s cloud apps—that’s just not what it’s made for.


Here are tips on how to secure student data from these four big threats in G Suite and Office 365.

1. Secure Student Data from Accidental Exposure

No one in your district wants to expose sensitive data, but accidents are unavoidable. That makes data loss prevention an important topic. Accidental data exposure typically results when an employee sets document sharing settings improperly or accidentally emails information to the wrong people. For example, if a document setting allows sharing with the public, anyone can access it. If the document contains sensitive information, hackers can easily steal the data. Additionally, when a device is lost or stolen, data can quickly get into the wrong hands.

Google has incorporated a number of G Suite data loss prevention features into the Admin Console. Your role is to establish best practices using the tools Google provides, and make sure that cloud app security settings are properly configured.

Data loss prevention for Office 365 can be a bit less straightforward. Microsoft’s tools vary depending on the subscription level you maintain. Often, third-party tools are available that are less expensive, easier to use, and more flexible.

It’s important that you set up internal policies to govern document sharing. You’ll also need to educate your staff on the subject and set up automatic alerts when a policy is broken. Those alerts will remind users that they need to do something different to maintain security.

2. Phishing & Malware Protection

Phishing emails are still the biggest threat vector to any organization, and schools are no exception. Most ransomware, malware, or other type of cyber attack that happens today still begins with a phishing email. While advancements in phishing and malware threat protection technology are getting better at filtering these out of inboxes, criminals have an uncanny ability to stay one step ahead.

What many people don’t realize is that, when you’re working with cloud applications, hackers can get around traditional cybersecurity tools in different ways. For example, a seemingly legitimate email can easily get past the network perimeter because it looks like authorized activity. But, if that email distributes a document containing phishing or malware links, your data can be compromised.

Phishing and malware tools and technology are important, and must properly match your district’s IT infrastructure. But training and awareness is still the best way to secure student data and protect school information from these types of attacks. Train everyone in your district to think before they click, even if an email seems legitimate.

An excellent example of the need to think before you click was reported in 2017. Hackers distributed emails that contained a Google Doc link. There was no malware or fake website associated with the email for traditional cybersecurity tools to find. Anyone who clicked the link gave hackers access to their contact lists and control over their email account.

Make sure that the people in your district understand that even emails from trusted sources could be dangerous. Encourage them to think twice before they click.

3. Secure G Suite & Office 365 from Account Takeovers

Account takeovers are much more challenging to prevent and detect in cloud applications. Like phishing and malware attacks, when a hacker is inside your network perimeter, the activity looks legitimate to traditional cybersecurity tools. Once a hacker has taken over an account, they can gain access to sensitive information. They can also send lateral phishing emails to take over other accounts in the cloud.

A cloud security platform can help with account takeover prevention and detection. Not only will it protect your district’s Gmail and/or Outlook accounts from phishing and malware threats, it will also monitor for attacks hidden within trusted links, like shared docs and drives.


A good cloud security platform will also monitor your accounts for irregular behavior that could signal an account takeover attempt (or success). These behaviors might include login attempts from another country or an unfamiliar IP address. It’ll detect lateral phishing emails originating from within your district’s accounts, and lockdown sensitive documents from being improperly shared, emailed or downloaded.

4. Student Data Security and Shadow EdTech Risks

With the proliferation of EdTech applications, your IT department may not even be aware of all the apps that are connected to your district’s Google and Microsoft environments through OAuth. This is what we mean by “Shadow EdTech”.

OAuth makes it easy for users to login to applications. For example, they can login to an EdTech application using their existing school Google or Microsoft credentials. The user likes it because it limits the number of usernames and passwords they must keep track of.

But, when a teacher, student, or employee logs in to an EdTech application with OAuth, they can easily be sharing their school credentials with a hacker. This risk happens in one of two ways. Most commonly, the app developer means well, but has not sufficiently secured the app infrastructure from attack. So, if their application is compromised, it can also create openings to your district’s cloud environment and/or expose student data. Less common, but still a concern, are malicious SaaS apps that are created to look like a trusted app, a fun game, or a helpful tool but are used to take over the user’s Google or Microsoft account.

You can manage EdTech security risks and OAuth security risks (which are closely related) by using tools to monitor and flag risky applications. It’s also a good idea to create an app policy to govern new EdTech providers. In addition, create an internal policy to inform all teachers, students, and employees of approved EdTech providers, the process for evaluating new apps, and the risks of using providers that haven’t been vetted.

Student data privacy laws have not kept pace with the impressive digital transformation taking place in school districts today. Admin and faculty are on the cutting edge of embracing technology to improve classroom experiences and student outcomes. School districts are transitioning to cloud computing, mainly through the use of G Suite, Office 365, and other EdTech SaaS apps, at an impressive rate. But these cloud apps require security tools designed for the cloud.

Cloud data security tools provide 24x7x365 continuous monitoring, run periodic audit reports, and set up automatic data security remediation. Advanced cloud security will provide you with the tools you need to stop accidental data leaks, outwit hackers, and make your systems secure.


Top G Suite for Education Security Features

These G Suite for Education security features are designed to keep district data secure in the cloud

g suite for education security chromebook growth

Source: 9to5Google

In 2006, Google set out to help user classroom learning into the 21st Century with what is now called G Suite for Education. Today, there are 80 million G Suite for Education users around the world, with 40 million students and educators using Google Classroom. With so many children using the product, G Suite for Education security is a growing concern.

Security concerns, ranging from the protection of students online to data security, are justified. They are also taken very seriously by Google, and the fact is that it’s among the most useful and secure platforms available to K-12 school districts.

There are two G Suite for Education tiers available to school districts today: G Suite for Education and G Suite Enterprise for Education. These products are innovating the way that educators teach and students learn in ways that we couldn’t have imagined when we were in school!

In recent years, so much of the focus has been on how Google could be using and profiting off of student information through the brand’s domination of the education market. But now, administrators and the public at large are turning more focus to the important needs of securing students’ personally identifiable information (PII) that is stored in G Suite.


A significant spike in ransomware and other cybersecurity attacks targeting school districts in the past year is driving this new awareness. So, let’s take a moment to look at the security features available in both G Suite for Education tiers.

G Suite for Education Security Features

G Suite for Education is the most used (and much loved) free version. Using G Suite for Education provides schools with access to Google’s popular productivity apps including Gmail, Calendar, Classroom, Docs/Sheets/Slides, unlimited storage in Drive and Shared Drives, and the basic version of Hangouts.

The free version of G Suite for Education also includes cloud security and control features critical for school districts to protect student data and comply with regulations such as FERPA, HIPAA, and COPPA.

  • Unmatched infrastructure security
    The beauty of G Suite for Education is that it begins with underlying infrastructure security that is second to none in its market. Many billions of dollars go into securing Google’s infrastructure—the level of investment that is unattainable by most businesses, not to mention school districts and educational institutions.
  • Gmail & Drive Data Loss Prevention
    G Suite data loss prevention allows admins to control what information is being shared from Gmail, Google Drive, and Shared Drives. DLP policies for check for sensitive information in these apps and verify that it is being shared only with authorized accounts.
  • Hosted Gmail S/MIME
    This new feature takes aim at the heart of over 90% of data breaches that take place in K-12 environments. Email is still the most common threat vector, and with this G Suite for Education security feature admins have the ability to verify and encrypt emails to help protect against account spoofing and related threats.
  • Security key management and enforcement
    This security feature introduces a physical key into schools’ 2-step verification process. District admins can require staff, faculty, and/or students to use this security key to access the school’s G Suite environment.
  • Session length control
    Admins can set the length of time that a user account is able to access district Gmail, Drive, Docs, etc. with session length control. This security feature means that accounts won’t stay logged in indefinitely (unless set up to do so), which can increase the chances of unauthorized account access.
  • eDiscovery Vault
    Google Vault isn’t just a G Suite security feature, it allows admins to audit and access records for a number of purposes. This feature is an “oldie but goodie” for administrative staff at K-12 districts that are required to retain information, place legal holds on data, search, export, and more.




Upgrading to G Suite Enterprise for Education

School districts that make the $4/user/month (including faculty, staff, and students) upgrade to G Suite Enterprise for Education get everything included in the free version, plus several additional perks. On the security side of the upgrade, admins can expect to enjoy:

  • Security Center
    Security Center in G Suite Enterprise for Education provides admins with greater visibility and control over potential threats in G Suite. With Security Center, admins can get a better idea of what information is being shared outside of the organization, identify phishing threats, and more.
  • Advanced mobile device management
    Admins that are working with upgraded G Suite security features gain an ally in BYOD management. Using mobile device management, they can customize and automate may mobile device management tasks. They can also run audits of what devices are (and are not) complying with policies.
  • Gmail logs in BigQuery
    Integrating Gmail logs in BigQuery allow institutional admins the ability to analyze logs and gain insight into issues that will help them manage cloud environments more efficiently.
  • Security investigation tool
    The new security investigation tool builds on the features available in Security Center by providing even greater insight and control over enterprise G Suite environments. Admins can use the tool to perform advanced searches, triage threats, and take bulk actions to limit the impact of threats.
  • Anomaly detection (beta)
    Currently in beta, the G Suite anomaly detection feature will use machine learning models to help admins analyze and detect abnormal behavior in Google Drive.
  • Advanced Protection Program (beta)
    Also currently in beta, the aim of the Google Advanced Protection Program is to help enterprise-level organizations detect low volume, targeted attacks on the organization’s G Suite environment.
  • Security Sandbox (beta)
    This beta Gmail security feature is designed to detect previously unknown malware hitting Gmail accounts. The feature “sandboxes” the incoming email and “tests” it in a staged environment to see how it reacts.

G Suite for Education uses powerful security features to help ensure that faculty, staff, and student data is being protected in the Google Cloud environment. Whether your school district is using the free version or has upgraded to G Suite Enterprise for Education, you can be confident that Google is taking the safety and security of your district’s data seriously.


Where Cloud Security Fits In Your Cybersecurity Infrastructure

A Multi-Layered Cybersecurity Infrastructure Protects Data Both Inside and Outside Your Network

Everyone is aware that cybersecurity is critical for all types and sizes of organizations. But with cloud computing being relatively new, many don’t fully understand where cloud security should fit in their cybersecurity infrastructure.

The goal of each component, or layer, of your cybersecurity infrastructure is to protect against malicious or improper use of your school district’s information systems and/or data. But each does it in very different ways, based on the underlying technology of the system it’s designed to protect. These systems often include databases, endpoints, networks, and cloud applications.

Let’s take an overview of a multi-layered cybersecurity infrastructure, and discuss where and how cloud security fits into it.

What is a Multi-Layered Cybersecurity Infrastructure?

Multi-layered cybersecurity is an approach to network and data security that uses a number of different components to achieve prevention, detection, remediation, and discovery objectives. Your infrastructure is simply the tools, appliances, platforms, etc. that you use to maintain your cybersecurity strategy.

A multi-layered approach is considered a best practice for a couple of reasons. First, though there has been a good amount of consolidation in the cybersecurity market, no one solution does everything. Nor is there one solution that does everything very well. A multi-layered approach allows IT and cybersecurity teams the ability to integrate “best of the best” solutions to their infrastructure’s various needs.

Second, a multi-layered approach builds redundancy, or checks and balances, into your district’s cybersecurity infrastructure. We tend to think of redundancy as a bad thing in everyday life, but in cybersecurity it is critical. By creating layers that overlap a little, yet work well together, your cybersecurity infrastructure is better configured to prevent—or at least detect and remediate—incidents.

If your school district is using Google G Suite and/or Microsoft Office 365—whether you’re all-in or just using some apps—cloud security needs to become another layer in your cybersecurity infrastructure.

Why? Because, simply put, there is no perimeter in the cloud. Traditional security solutions, such as firewalls (even “next gen” firewalls), secure web gateways (SWG), and message transfer agents (MTA) don’t protect cloud applications. They are built to protect your network perimeter, not data stored in the cloud.

Once unauthorized access is able to break into your perimeter, none of these devices are going to protect the information stored in your district’s cloud applications. Or, worse yet, if someone within the school district is using information inappropriately (either intentionally or accidentally), these devices won’t detect that kind of behavior at all.

This is why zero trust security is becoming a popular approach to K-12 cybersecurity. Zero trust security puts checks and balances into place that trusts no one, whether it’s seemingly an authorized account or not.

[FREE GUIDE] Configure Your G Suite & Office 365 Security Settings With Your Free Cloud Security Checklist >>

Your Layered Cybersecurity Infrastructure

While a multi-layered cybersecurity infrastructure approach is preferred, it can also get out of hand. The dizzying array of different products and vendors available makes it all a bit overwhelming. This is why it’s important to have a strategy that outlines the specific needs of your district and the information you store.

Your cybersecurity infrastructure should cover the following six categories.

1. Infrastructure Security

Infrastructure security refers to securing the critical infrastructure underlying your entire IT system. Your approach to infrastructure security depends heavily on how your environment is configured. For example, if you have a lot of data assets stored on-premise, in servers, your infrastructure security approach will look one way. If your school district has migrated most or all of your data to the cloud, it will look very different.

With cloud computing, the majority of infrastructure security is outsourced to the vendor. Meanwhile, on-prem infrastructures require internal staff or a managed service provider to maintain infrastructure stability and security.

2. Identity and Access Authentication

Also often referred to as identity and access management (IAM), this layer of your cybersecurity infrastructure is like the lock on your front door. When a user tries to access their account, they need to authenticate that they are who they say they are, and should be granted access. This doesn’t just refer to platform or application logins. It also includes phone and laptop passwords, network access, etc.

3. Endpoint Security

Endpoint security, or endpoint protection, covers the devices that are used to access your district’s network. Endpoints include things like computers, laptops, smartphones, tablets, and servers.

4. Network Security

Network security protects the underlying connections and interactions between all endpoints connected to the network. Network security is the layer of your cybersecurity infrastructure that most of us think about when we think about cybersecurity. It is where your firewalls, SWGs, MTAs, etc. are organized in the infrastructure.

Some cybersecurity infrastructure models separate network security and perimeter security. This isn’t wrong. But my argument here is that network security mostly focuses on defending the perimeter. While there are differences, network and perimeter technologies have largely consolidated over the years.

5. Cloud Security

Cloud security protects information stored, accessed, and shared in the cloud. It is very different from network security, mainly due to the fact that the cloud is outside of your network. This placement renders network security basically useless.

For the most part, this information is being stored, accessed, and shared in cloud applications, such as Google G Suite and Microsoft Office 365. There are a number of benefits to working in the cloud with reputable application vendors. As mentioned previously, it allows IT teams to outsource infrastructure security and maintenance to these vendors (which, most likely, have far more resources to hire top talent and maintain large teams).

[FREE GUIDE] Configure Your G Suite & Office 365 Security Settings With Your Free Cloud Security Checklist >>

They also tend to build great native cloud security controls. These controls help system admins properly configure authentication and security settings. Because, while the vendor is responsible for the infrastructure security layer of their own cybersecurity infrastructure, they are not responsible for the service level security. Securing and monitoring access to information stored in cloud applications is the responsibility of the customer (a.k.a. you!)

6. Incident Management & Response

Finally, you will need to integrate an incident management and response layer into your multi-layer cybersecurity infrastructure. If (or, more likely, when) an incident occurs, you’ll need a plan and process for responding to it. Depending on the scale and/or seriousness of the incident, the attack vector, and the industry you are in, your processes may need to look a little different.

Incident management and response processes generally include the following steps:

  1. Detection & analysis
  2. Containment, remediation, & discovery
  3. Reporting & communication
  4. Post-incident retro

[FREE GUIDE] Configure Your G Suite & Office 365 Security Settings With Your Free Cloud Security Checklist >>

How To Incorporate Cloud Security

The first step in incorporating cloud security into your school district’s cybersecurity infrastructure is to make sure that you have properly configured your various apps native security settings. Using this cloud application security checklist can be very helpful in accomplishing this first step.

Next, you will want to incorporate the 5 cloud application security best practices into your processes and your tech stack. These best practices include:

  1. Don’t ignore due diligence in cloud app selection & sanctioning
  2. Manage access to cloud applications & user behavior
  3. Cloud phishing & malware threat protection
  4. Automate & remediate cloud application security risks
  5. Audit & optimize cloud security settings

Finally, circling back to our earlier discussion about layering and redundancy, it may be a good idea for you to look into a 3rd party cloud application security platform. Commonly referred to as a cloud access security broker (or CASB), a CASB can provide several benefits to your cybersecurity tech stack. It can provide an additive layer of protection to your data stored in the cloud, providing more security than exists with the apps native functions. CASBs also pull all your cloud application security monitoring, auditing, and policies into one dashboard. This makes monitoring and incident response much easier for IT teams, because they don’t have to spend time logging into multiple different platforms and navigating different UIs to find the information they are looking for.

Cloud security is a critical layer of cybersecurity for school districts that are storing, accessing, and/or sharing information in the cloud. Relying on network security controls to protect the cloud layer is risky at best. The good news is that incorporating cloud security into your cybersecurity infrastructure isn’t complicated (nor does it need to be expensive).

The biggest problem I see right now is awareness. Many people are not fully aware of the unique cloud security threats they are exposing their data to. Others simply don’t realize that their network security tools don’t have them covered—until it’s too late. But now you know!

Cloud Application Security Checklist Blog CTA XXL

5 Cloud Application Security Best Practices

Best practices for securing data stored in your team’s cloud applications

Just about every organization uses cloud applications in daily operations. Data backup, communications, file storage, and much more is now being managed in the cloud. The biggest (and most troubling) misperception about cloud computing security is that perimeter-based technology works for securing cloud applications. Improve your cloud security operations with these five cloud application security best practices.

Learn More: What is cloud application security? >>

1. Don’t Ignore Due Diligence in Cloud App Selection & Sanctioning

SaaS infrastructure security is something that most of us take for granted. We’re so used to doing business in the cloud, that we connect to tools and applications without thinking twice about potential security consequences. This cavalier approach to technology is causing information security teams a ton of grief. It’s also given rise to the term “Shadow IT”, which has expanded significantly with the use of unsanctioned, or “shadow”, cloud IT.

Every time a new application and/or platform is connected to your company’s cloud environment, a new risk is exposed. The 2018 “Data Risk in the Third-Party Ecosystem” study by Ponemon Institute reported that 59% of companies surveyed experienced a data breach caused by a vendor or third party. While SaaS vendors only make up a portion of that number, it’s a compelling and troubling trend.

As company vendor and third party relationships expand and become more complex, it is critical for information security teams to manage what vendors are being granted access to their IT ecosystem. When it comes to SaaS applications hosted and accessed in the cloud, this task is impossible without the right set of cloud security tools.

But having the right cloud monitoring tools in place is just part of the battle. Information security needs to be involved in helping teams do their due diligence in selecting vendors. Here are six steps to safe SaaS app selection:

1. Know the source: Is the app offered by a reputable developer? Is that developer active in completing updates and patches?
2. Limit excessive permissions: What types of permissions is the app requesting, and does it really need those permissions for its intended purpose?
3. Be mindful of the app’s name: Camouflage is just about the oldest trick in the book. Criminals often create look-alike and sound-alike apps to trick people into downloading them.
4. In-app purchases: Does the app require credit card information for in-app purchases? Does it need to for its intended purpose?
5. Authentication & Encryption: How does the app handle authentication? What encryption methods are used for storing and accessing data? (This is likely something your team will have to help your colleagues out with)
6. Read Reviews! Always read through the app’s reviews to understand what other people have experienced. Be wary of overly complimentary reviews, which could be faked.

[FREE] Cloud Application Security Checklist. Get It Here >>

2. Manage Access to Cloud Applications & User Behavior

Setting up and properly configuring Multi-Factor Authentication (MFA) and Single Sign On (SSO) is access management 101. If you don’t have these set up for your organization’s cloud applications, do it now. Seriously.

You’ll also want to make sure that you set up user groups within your main applications (typically Google G Suite and/or Microsoft Office 365) to manage who can access what. For example, not everyone in the organization needs access to business financial data or HR information. Segmenting information and only allowing access by specific users who need access to them significantly improves your data security posture.

But there is more that can be done. Account takeovers are on the rise, and can lead to all kinds of problems. Putting a block on IP address locations for logins, for example, go a long way in significantly reducing your risk of an account takeover. Monitoring for a spike in the number of failed login attempts will also help your team detect when your environment is currently under attack, so steps can be made to fortify account access. Perhaps a password change is in order. Or a simple communication to the organization to be hyper-vigilant for phishing emails can go a long way to thwarting attacks.

Monitoring for abnormal user behavior is another way to detect if an account takeover is occuring. These behaviors could include phishing emails being sent from an internal account, bulk downloading of files, and importing of files containing malware links to your shared drives.

We hate to think about it, but internal threats are also something that teams need to monitor for. Data breaches that involve disgruntled or otherwise compromised employees happen, and they are just as harmful (if not moreso) than one created externally. Customer and/or employee information, trade secrets, and financial data are all assets that an employee may decide to use for their own gain.

By monitoring user behavior, security teams can detect if information is potentially being improperly handled by internal users, as well as external attacks.

3. Cloud Phishing & Malware Threat Protection

Email is still the #1 threat vector. Protecting email, whether they are hosted in the cloud like Gmail or otherwise, should be a top concern for security teams. Cloud malware threat protection works a little differently than traditional perimeter-based security technology, like proxies and gateways. Criminals are increasingly finding ways to circumvent perimeter-based security for organizations that use cloud-based email platforms.

We’re increasingly finding that native email filters provided by Google and Microsoft are also susceptible to a significant vulnerability. These filters are set to automatically “whitelist” links coming from their own domain. Now, there are more incidents where hackers upload a file containing a malicious link to Google Drive or SharePoint, and then send the file link in an email.

Adding a cloud-specific protective layer to your cloud-based email apps is now as critical to a secure infrastructure as traditional email filters.

4. Automate & Remediate Cloud Application Security Risks

Information security teams are notoriously under-staffed and under-funded, particularly in small to mid-sized organizations. Cybersecurity awareness in the executive suite is certainly improving, but we still have a long way to go. Using tools that can help small, overwhelmed teams operate more efficiently is key.

A Cloud Access Security Broker (CASB) helps automate cloud app security risk detection and remediation 24/7. It makes each of these cloud application security best practices actually happen, day in and day out, for security teams.

Using a CASB, you can set up data loss prevention rules and policies that will automatically detect abnormal behavior, improper use of information, malware and phishing threats, shadow cloud IT, and more. The technology will then take the remediation action that you select to quarantine, delete, revoke access, etc. automatically, making your job much easier.

See CASB In Action! Click Here For A Quick Demo On-Demand >>

5. Audit & Optimize

All good cybersecurity teams consistently audit and optimize their security infrastructure and posture. Depending on the size and complexity of your data environment, this may happen on a weekly, monthly, or quarterly basis. Whatever your time scale is, make sure you are auditing your cloud security often enough, and consistently.

This is another area where CASBs can help. Using a CASB, you can set up audit reports that you would like it to run on a periodic basis. This way, you get the reports you need sent directly to you, rather than needing to set up the same report over and over again.

An audit will show you where new vulnerabilities have opened up, if you have unsanctioned apps sneaking back into your environment, etc. Keeping an eye on these risks and trends overtime will help you optimize how you’ve set up your rules and policies, making your CASB work even better for you over time.

There is no perimeter in the world of cloud computing. Using technology meant for defending a perimeter to secure cloud applications is ineffective, and creates unnecessary vulnerabilities. Following these cloud application security best practices, paired with the right kind of technology, will close the vulnerability gap while providing your security team with the visibility and control they need to do their jobs effectively in the cloud.

Cloud Application Security Checklist Blog CTA XXL

Cloud Application Security Audit Checklist

Configure settings and mitigate risks with this cloud application security checklist

Using Google G Suite and Microsoft Office 365 provides school districts with many benefits. From improving productivity and collaboration to outsourcing infrastructure security, schools and districts of sizes are making the move to the cloud.

But there are security issues in cloud computing. The NIST Cybersecurity Framework recommends that you run a risk assessment and cloud security audit regularly. This cloud application security checklist is designed to help you run such an audit for your district’s G Suite and Office 365 to mitigate security issues.

Cloud Application Security Checklist Mid-Blog CTA10 Step Cloud Application Security Audit Checklist

What is cloud application security? It is a series of defined policies, processes, controls, and technology governing all information exchanges that happen in collaborative cloud Software as a Service (SaaS) applications like Microsoft Office 365 and Google G Suite.

As your school district moves more information and activity to the cloud, your perimeter security safeguards become less effective. More IT and security professionals are opting to secure cloud storage by deploying a zero trust security model. This checklist also helps you lay the groundwork for deploying zero trust security for your district’s cloud applications.

1. Set password policies

Passwords are the foundation of any good security plan. Educate both students and staff on what factors make passwords strong or weak, and why password strength is so important.

As a system admin, you can set policies and standards for your district’s cloud app passwords. At a minimum, you should enable your system’s “require a strong password” feature. You can also set minimum and maximum password lengths, password expiration, and more.

If you’re setting the standards for the first time, be sure to run a check of current passwords to see whose passwords are out of compliance with the new standards. You can then force a password change through your admin console.

2. Make multi-factor authentication mandatory

Multi-factor authentication requires users to take a second step, after entering the correct password, to prove they have authorized access. This typically includes entering a code that is sent to their phone via SMS. It can also include phone calls, answering security questions, mobile app prompts, and more.

3. Manage SaaS access and permissions

Open Authorization (OAuth) makes app use convenient for end-users, but it can be a little bit of a nightmare for those in charge of IT security. The proliferation of SaaS use in classrooms and throughout school districts makes it difficult to stay on top of what apps have access to your cloud environment, what permissions are granted to them, and how secure the app is itself.

District system admins have the ability to control what apps are allowed permissions to the company’s Google or Microsoft cloud accounts. This can be as simple as restricting access to risky apps, or as customized and detailed as creating sanctioned and unsanctioned apps lists.




4. Enable anti-phishing protections

Email phishing is still the most common external threat vector. And there is a myriad of tools on the market aimed at removing phishing emails from inboxes. Unfortunately, none of them work with 100% accuracy.

The best option is to start with configuring your native cloud email provider’s anti-phishing capabilities and then layer additional safeguards and monitors on top of it. Educating the rest of your district about common phishing attacks, new ones as they arise, and how to spot them is also extremely important.

5. Turn on unintended external reply warning

One of the ways you can ensure that sensitive, internal information isn’t improperly shared outside of the school district is to enable an external reply warning. This feature also protects your district against forged emails from malicious hackers trying to gain access to internal files and information.

When the external reply warning is enabled, users receive a pop-up notification asking if they’re sure they want to send it to an external domain. It’s important to reinforce to your colleagues why they need to pay attention to this pop-up and think twice before dismissing it.

6. Set external sharing standards

Beyond sending emails, you should configure data loss prevention external sharing standards for shared calendars, drives, folders, and files. The best approach is to start with the most strict standards possible, and then open up as needed.

Files and folders containing the most sensitive information such as student, parent/guardian, and staff personally identifiable and financial information, should rarely (if ever) be configured to allow external sharing and access.

7. Set up message encryption

Encryption prevents anyone other than the intended audience from viewing a message. Microsoft and Google provide native encryption options. In Google’s case, they provide “Confidential Mode”, which works a little differently. There are also a variety of third party encryption tools available.

Sending sensitive or confidential information via email should always have encryption and confidential protections enabled. It forces the recipient to authenticate that they are the intended audience and protects the information from being forwarded to others. The sender can also set up an expiration date to ensure the information isn’t lingering in someone’s inbox into eternity.

8. Set up data loss prevention policies

Fundamentally, data loss prevention is a strategy to ensure that your district’s sensitive and protected information does not inadvertently leave the network—whether it’s accidental or malicious.

System admins have the ability to set up data loss prevention policies in most popular and “enterprise-level” cloud applications. These policies help admins maintain and automate rules around how information can be accessed and shared. Most policies create alerts and actions that the system can take if a data loss prevention policy is broken. For example, if an employee account is trying to share a spreadsheet containing social security numbers with an outside domain, the policy can be set up to automatically warn the user and/or quarantine the file.




9. Enable mobile management

Everyone in your school district likely uses mobile devices to access school cloud accountsmainly email, files, and drives. These mobile devices represent more endpoints that need to be secured by IT. But, endpoint security isn’t enough in cloud computing security. You will also need to configure mobile device policies in your cloud applications.

10. Run a security health/score audit

Once you’ve completed this checklist, it’s a good idea to run a cloud security audit of your environment. An audit will re-check for any configuration errors, sharing risks, files containing sensitive information, and more.

It’s also important to run an audit on a periodic basis. Weekly and/or monthly audits and reports can be automated and provide you with detailed information into the security health of your cloud applications. Microsoft provides Office 365 Secure Score, which is very helpful in providing on-going health checks and recommendations. Particularly as new security features are rolled out and new risks are identified.

If your school district uses SaaS applications such as G Suite and/or Office 365, cloud application security is a critical layer in your cybersecurity infrastructure. Without it, monitoring and controlling behavior happening within applications are impossible. This blind spot creates critical vulnerabilities in your district stakeholders’ sensitive information and financial futures.

Cloud Application Security Checklist Blog CTA XXL

What Is Cloud Application Security?

Everything you need to know about mitigating your cloud computing risks with cloud application security

Most IT professionals understand the importance of securing their networks and on-prem data. And many are also beginning to understand the importance of cloud security to ensure sensitive data stored and shared in the cloud stays safe. However, there still seems to be a misunderstanding of how to secure cloud storage.

Some believe that their firewall or VPN will do the trick. Others think that they get all the security they need “out of the box” from the applications they license. And many still believe that cloud application security is the responsibility of the application vendors themselves.

Let’s take a look at what cloud application security is, what it means for your organization, and where the responsibility of securing applications, and the data stored in them, lie.

What is Cloud Application Security?

Cloud application security is a series of defined policies, processes, controls, and technology governing all information exchanges that happen in collaborative cloud environments like Microsoft Office 365, Google G Suite, Slack, and Box (to name a few).

So, if you or your employees frequently store and share data in cloud applications like the ones listed above (or any of the tens of thousands available), it is absolutely necessary to add a cloud application “safety net” to your zero trust security infrastructure.

Top Cloud Application Security Threats

It is no secret that there are security issues in cloud computing that IT teams must be aware of. According to the 2018 Cybersecurity Insider Report, the four most common cloud application security threats that IT teams are facing include:

  1. Misconfiguration of application setup is the single biggest threat to cloud security because data breaches tend to happen when services are accidentally exposed to the public internet.
  2. Unauthorized access to a website, server, service, or other system is also an area for great concern because once they’re in, there’s no telling what unauthorized users will do to create chaos.
  3. Insecure APIs and interfaces present easy opportunities for attackers to breach systems because they are the only asset(s) outside of the organizational boundary with a public IP address.
  4. Account hijacking is feared because so much sensitive data and resources is stored and accessed on devices shared by many different users—and because keeping tabs on rogue employees is difficult.

[READ MORE] Cloud Computing Security: Secure Your Data, Not Just Your Perimeter >>

Cloud Computing Security - API vs ProxyWhat Cloud Application Security Options Are Available?

A common misconception in today’s marketplace is that you need a proxy, browser extension, or some other agent to secure cloud applications. However, there are cloud security solutions available that use the a cloud application’s native APIs to monitor, control, and secure activity within them. The two basic options on the market are between an API vs proxy CASB. API-based cloud application security platforms (CASP) are quickly becoming the favored security model for admins. This is for three main reasons.

First, a CASP doesn’t need to route access through a broker or proxy, so it doesn’t impact end users’ experiences in speed of access or network performance.

Second, unlike a proxy-based solution, CASP provides an additive layer of security to your architecture. They work well with existing network security appliances, like your firewall, by providing an additional level of security and control over information stored in cloud applications, that a firewall or gateway can’t provide alone. A proxy-based cloud access security broker (CASB) simply duplicates the functionality of a firewall and puts it between your users and the applications they need to do their jobs. As a result, the user experience is slowed down even further (hitting, effectively, two different firewalls) with minimal to no additional security benefits.

Finally, most popular cloud applications advise against using a proxy-based CASB. Notably, Google and Microsoft have both published recommendations against their use. The main reason is due to a CASB’s inability to stay updated as they make upgrades to their application infrastructures; application developers make changes to protocols, authentication methods, and more fairly regularly.

Due to the nature of the CASB architecture, these changes can easily break the connection in any number of ways. Application developers (especially big ones like Google and Microsoft) do not commit to warning CASB developers when a change could impact their product. Nor will they slow down the development of their own products for the sake of CASB vendors. So when these updates happen, the CASB developers won’t know about it and they won’t realize the full extent of the impact and gaps it creates in your security infrastructure until those gaps are patched by the CASB developers.

It’s worth noting that some cloud security providers use Chrome browser extensions, rather than an agent or broker, to secure cloud access. They call it “agentless” cloud security, but an extension is simply a different type of proxy. Traffic is still directed through it, and they suffer from the same pitfalls as other CASBs. Furthermore, Google is planning a major overhaul of Chrome extension support that could throw the whole technology through a loop.

Cloud application security platforms, on the other hand, work as a nearly native feature within each cloud application. They develop deep one-to-one integrations using the cloud applications APIs (often in close partnership with the application provider). Only changes in API protocols can impact the effectiveness of a CASP, and those changes are continuously documented and updated for developers.

[SEE IT IN ACTION] Watch A Pre-Recorded API Cloud Security Demonstration On-Demand >>

APIs Play A Much-Needed Role in Cloud Security

Something else we learned from the 2018 Cybersecurity Insider Report is 35% of IT security professionals don’t think they are capable of keeping pace with SaaS application changes.

The good news is CTOs, CTsO, and CISOs can leverage API-based cloud application security platforms to roll with the punches without skipping a beat. These sophisticated platforms can also easily detect existing and/or new risks in cloud applications based on changes in OAuth permissions settings, customer complaints, security reports, and so much more.

Who’s In Charge Of Cloud Application Security, Really?

The shortest answer is the SaaS vendor and the customer (you!). But contrary to popular belief, the application vendor does not take responsibility for the security of your data through it’s services.

The SaaS vendor is responsible for securing the application’s infrastructure, as well as its APIs. This means that they are responsible for the security of the servers, networks, and code that makes the application a product for customers.

You are accountable for setting everything up the right way and making sure it’s all configured correctly. You’re also in charge of establishing and maintaining a zero trust security program. It’s also your job to monitor access to your cloud environment and control it with data loss prevention policies, phishing and malware protections, and so on.

For example, if a hacker hijacks one of your user accounts and starts to download sensitive information, send phishing emails to other users, etc. it’s your responsibility to detect and remediate that activity. Your SaaS provider is not responsible or accountable for the data that is exposed or any of the damages a breach incident may cause.

Cloud security is a top risk factor that IT managers cite as a major barrier to cloud transformation. But, for the vast majority of organizations and industries, the benefits far outweigh the risks. There are many facets to building an effective cloud computing security infrastructure, and securing the data created, stored, and accessed in company cloud applications is a big part of that.

What often ends up being lost in the cloud computing story is just how secure cloud computing actually is compared to on-premise. When an organization transitions to the cloud, it is outsourcing some of the more difficult infrastructure and server security operations to another vendor (often, to a vendor with a much larger and better funded security team such as in the case of Google and Microsoft).

Cloud computing is still relatively new, and the security risks are largely misunderstood. If your organization is using cloud applications, or you are planning a transition to the cloud, you need to understand what is required to properly secure it. You will also need to access the visibility and control, over access and use, that you had with on-premise software.

Cloud Application Security In Action - Demo On-Demand Blog CTA XXL

5 Google Cloud Security Best Practices

Google Cloud Security Best Practices That Keep Your Organization’s G Suite Apps Protected

Google Cloud Platform security features cover a range of Google’s products and services, such as the popular G Suite applications. These products and services are built on one of the most secure data infrastructures in the world. But, it’s still your responsibility to make sure your Google apps security settings are set up properly. This is where the following five Google Cloud security best practices come in.

[FREE CHECKLIST] Get Your G Suite Data Loss Prevention & Cloud Security Best Practices Checklist Here >>

1. Set Up Your Google Cloud Organizational Structure

When you first log into your Google Admin console, everything will be grouped into a single organizational unit. Any settings you apply to this group will apply to all the users and devices in the organization. Planning out how you want to organize your units and hierarchy before diving in will help you save time and create a more structured security strategy.

G Suite super admins and Cloud Identity customers automatically have access to an Organization resource. The Organization resource is the core of the Google Cloud hierarchy. It helps to create a structure for teams and/or projects within your company.

In order to plan your Google Cloud organization structure, the super admin will:

  • Assign the right users the Organization admin role
  • Act as the main contact in need of data loss and recovery
  • Control the lifecycle of the Organization resource

Then the GCP Organization admin will:

  • Define IAM policies
  • Create the Resource Hierarchy structure
  • Assign responsibilities and roles

2. Set Up Account Identity Management

It’s important to set up account identity management to ensure your information is protected from intruders. In order to do this, Google offers various security options that keep your login infomation and devices secure.

Require 2-Step Verification (2SV)

2-Step Verification adds an extra layer of security to your Google Cloud account, it prevents criminals and hackers from getting into your account and obtaining sensitive information. 2SV will require the user to go through a two step process in order to log in for the first time, in new locations or on new devices. First the user will enter their password, then they will need to verify their identity by sending an access code to their phone or inputting a physical key.

Set Up Single Sign-On (SSO)

A Single Sign-On will let a user access multiple applications after logging in with a single set of login credentials (name and password). This is beneficial because it reduces risk by minimizing weak and repetitive passwords, not to mention the amount of time it saves employees. It also creates a consolidated system that is easier to manage and protect.

Additional Reading: Learn more about Google Apps Security >>

3. Configure G Suite Data Loss Prevention Policies

Data Loss Prevention in G Suite is a set of policies, processes, and tools that are put in place to ensure your sensitive information won’t be lost during a fire, natural disaster or break in. You never know when tragedy will strike, that’s why you should invest in prevention policies before it’s too late.

4. Integrate Cloud Malware Threat Protection

Malware attacks, phishing, and spam reports are on the rise. A malware attack is when malicious software takes over a computer and spreads a bug into the device. Malware can enter your device through your cloud based application and it can spread to other files and devices connected to your Google Cloud organization.

Malware is commonly sent via email, a file share, messenger app, or social media. Once the account is taken over, hackers have access to the organization’s sensitive information and systems. This can lead to data loss and pose a serious threat to your organization’s customers, employees, trade secrets, and more. It is critical that you secure access to your Google Cloud account with cloud-specific malware threat protection.

5. Google Cloud Security Monitoring & Audits

Because there are many potential Google Cloud security issues, it is vital to monitor your system and audit your Google Cloud security settings.

There are 4 Google Cloud monitoring capabilities you need for G Suite:

1. Monitor for Data Loss Prevention

By monitoring your Google Cloud account, you’ll be able to track the activity that occurs within the application and identify a security breach. Then you will receive alerts when there’s suspicious behavior, such as unrecognized or suspect login attempts and phishing attempts. It will also help secure sensitive files so they can’t be improperly shared or downloaded.

2. Monitor for Account Takeovers

Implementing a Google Cloud monitoring solution will also help avoid account takeovers or hijacks. A Google cloud access security CASB will regularly scan your account, detect unusual behavior, and cut off and quarantine any threats. It will then alert the admin on the account that a threat occured and provide details to help with compliance reporting and prevent future incidents.

3. Monitor for Cloud Malware Threats

Because email is the most common source for malware threats, you will want to find a solution that scans the sender info, subject line, email body, attachments, links, and images for threats. A good Gmail Cloud threat protection solution can identify phishing and malware threats in emails and provide advanced protection.

4. Automate Google Cloud Monitoring

Google Cloud monitoring should be a 24/7 service. Find an automated platform that will monitor your Google Cloud account and take corrective action when needed. Your monitoring service should also automatically provide system audit reports to ensure visibility and compliance within the platform.

Why Are Google Cloud Security Best Practices Important?

It’s important to implement these Google Cloud security best practices to ensure you aren’t at risk for devastating data loss issues. It also allows you to incorporate visibility and control into your G Suite. Through the right structure and management tools, you can keep your company organized and running efficiently.

Plus, Google Cloud makes your life easy. Google makes it simple to invest in protection packages through their security partner marketplace, so you can worry less about data loss, malicious threats, and unsecure information.

G Suite Security Best Practices Checklist

Google Cloud Platform Security Features

Sleep soundly knowing that your data is protected by these Google Cloud Platform security features

Many IT leaders and managers are still nervous about moving their organizations to cloud computing, mainly citing cloud security concerns. However, Google Cloud Platform security features are among the best on the market, including traditional network security. It is important for IT security managers to know that a Google cloud infrastructure security breach is extremely rare. It’s also important to keep in mind that Google’s security team is among the best in the world.

The main thing that people tend to get wrong about Google cloud security issues is the difference between infrastructure security and Google Apps security. While Google retains responsibility for securing the infrastructure that Apps services, such as G Suite, are built on, it’s the customer’s responsibility to secure their own instance of that service.

Cloud computing offers companies and organizations greater flexibility, collaboration, and productivity. Resisting the transition to the cloud could actually be doing more harm than good. Let’s take a deeper look into the layered security features available to Google Cloud customers.

[READ MORE] 5 Google Cloud Security Best Practices >>

Google-Cloud-Platform-Security-FeaturesGoogle Cloud Platform Security Infrastructure

The Google Cloud platform infrastructure uses multiple layers of security. Because redundancy is built into the progressive layers of security, no one incident can take down the Google Cloud infrastructure. Google Cloud security layers includes everything from physical security at data centers to some of the most advanced cybersecurity technology and professionals available in the world.

Google Cloud Platform Infrastructure Security Features Include:

  • 24/7/365 operations, device security detection and response from both internal and external threats
  • Data in-transit encrypted communication to and from Google’s public cloud, including layered defense redundancies to protect customers from denial-of-service (DoS) attacks
  • Identity protection and management through multiple authentication factors
  • Data at-rest storage security using encryption against unauthorized access and distribution for reliability
  • An entire hardware infrastructure created, built, controlled, and secured by Google including servers, networking equipment, and security chips

Google Cloud Platform Security Products

Google has not only built the most secure cloud platform available as a service, but also provides security products to customers. These security products help any type of organization secure operations and communication in the cloud. Some Google Cloud security products are provided through G Suite licenses, while others are purchased separately.

Google Cloud Platform Security Products Features Include:

  • Infrastructure Security: Google’s “secure-by-design” infrastructure security product includes features such as hardening, configuration management, and vulnerability management for Google Cloud customers.
  • Network Security: Google Cloud’s network security products include Virtual Private Cloud, Cloud Load Balancing, Encryption, and Application Layer Transport Security to help customers define, enforce, and secure their perimeter.
  • Endpoint Security: The number of endpoints in organizations have exploded over recent years! Google Cloud Platform can help secure endpoints with device management, patch and vulnerability management, and device hardening for Chromebooks, Chrome OS, Chrome Browser, and G Suite Device Management.
  • Data Security: Google Cloud provides a wide range of data security features at different license levels to support discovery G Suite data loss prevention, data governance, and more.
  • Identity & Access Management: Identity and Google Cloud access security features authentication and identity management in G Suite, system access management and more. Add-on Google Cloud security products include Cloud Identity, Cloud Identity-Aware Proxy, and Security Keys.
  • Application Security: Google Cloud application security is a necessity for any organization storing sensitive employee, customer, and/or intellectual property information in Google Cloud (including G Suite applications such as Gmail, Drive, and Shared Drives).

Google Cloud Platform Security Transparency & Privacy

Simply put, Google Cloud Platform is not going to Zuckerberg your business data. It is absolutely critical to their business model to keep your data private and secure both in-transit through the Google Cloud network and at-rest in data servers.

Google is committed to keeping customers’ data private. The company has outlined its commitment to transparency, privacy, and trust by publishing six Google Cloud Trust Principles.

6 Google Cloud Security Trust Principles

  1. Your security comes first in everything we do. Google commits to promptly notifying system admins if a security breach is detected that may have compromised your data.
  2. Control what happens to your data. Google Cloud customers maintain total control of their data at all times; it can be accessed or removed at any time. Customer data is processed by Google in accordance to your instructions.
  3. Customer data is not used for advertising. It’s no secret that a big chunk of Google’s revenue is made in advertising. However, data stored in Google Cloud is completely separate from that business and is never used for advertising purposes.
  4. Know where Google stores your data and rely on it being available when you need it. Google’s data center locations are publicly available. They are distributed throughout the world to insure against natural disasters and are protected by the most advanced security team on the planet.
  5. Google’s security practices are independently verified. Google Cloud security practices are audited, certified, and validated by independent auditors to ensure strict adherence to international security and privacy standards.
  6. Google will never give any government entity “backdoor” access to customer data. Google actively rejects invalid government requests for data and publishes a transparency report of government requests

Google Cloud Platform Security Partners

Google Cloud Platform security features are robust and constantly improving. Yet many customers decide they need to augment Google security features with third party vendors. This could be for a variety of reasons, including security redundancy, cost, and ease of use. Recognizing this, Google Cloud Platform now supports a significant Partner program to help customers find identity certified and verified Google cloud vendors.

The Google Cloud Platform (GCP) Partner Program doesn’t just include security vendors. It incorporates any type of product or service a customer may need to effectively use Google Cloud products. It includes resellers, services, technology, and training partners for every Google product. Partner network capabilities include application development, cloud migration, data analytics, IoT, security, and much more!

Google cloud monitoring free trial Blog CTA XXL

Portfolio Items