Higher Education Cloud Security Is The Most Critical Topic of 2019

As more colleges and universities transition to the cloud, higher education cloud security can no longer be treated as an elective

As they say, “the writing is on the wall” for the eventual transition to cloud computing in higher education. Like many organizations, colleges and universities are moving to the cloud to reduce the costs of storing data, improve productivity, and enable collaboration. Approximately 70% of higher education institutions have transitioned to cloud-based email systems, while 50% are adopting cloud collaboration systems. But leadership and IT security in academia have many barriers in front of them to make this transition, not the least of which is the cost of changing, as well as the on-going management of a new cloud infrastructure. But the big topic on everyone’s mind is security. Higher education cloud security is much more complicated than other industries that have already embraced the transition. IT leaders have to deal with a large amount of protected data being stored and accessed by a broad range of stakeholder groups, paired with a high level of government regulation, on relatively low budgets.

Data security makes transitioning to the cloud is particularly risky for higher education institutions. Colleges and universities collect a massive amount of personal information from students and parents. Higher education institutions also need to protect the information infrastructure, intellectual property, and personal information of staff, security information, and more. This information quickly becomes targeted by cyber criminals looking to profit from sales of stolen information on the dark web.

Cyber Criminals Targeting Higher Education Data

“We need not to think, ‘Will a data breach happen at my institution?’ but ‘When will it happen and how will I be prepared?’”

Susan Grajek
Vice President for Communities & Research

Colleges and universities are tempting targets of cyber attacks due to the amount of data that can be obtained and the relative lack of cybersecurity. With relatively new cybersecurity infrastructures that lack the sophistication of private organizations of similar sizes, for cyber criminals the risk is low and the rewards are high.

EDUCAUSE research reports that information security is increasingly a top issue for IT departments in higher education. As school demographics have shifted to tech-native students and faculty, expectations for easy accessibility exacerbates data security.

The proof is in the data. Lost, stolen, or compromised data records increased in higher education by 103% in the first six months of 2017 compared to the last half of 2016. There were a reported 118 successful cyber attacks on higher education institutions, representing 13% of all breaches that took place in the first half of 2017.

The Rising Cost of Data Breaches for Higher Education

The financial impact of security breaches on higher education institutions, students, and faculty is measured in the millions of dollars. Ponemon Institute reports that the average total cost of a data breach increased by 6.4% in 2018, and that the average number of records stolen increased by 2.2%. In 2018, the average total cost of a single data breach for an organization across all industry sectors topped $7 million.

For higher education institutions, these costs also need to take into consideration the costs and long-term damage that student identity theft due to data breaches inflict. Students, in particular, are usually just beginning to build their financial futures. An identity theft due to a data breach at school has lasting impacts, which can include the delay or cancellation of student loans, credit score downgrade, time invested in identity theft remediation rather than studies, psychological and emotional stress.

Government Regulations Impacting Higher Education Data Security

There are several laws governing student privacy and information security that higher education institutions must comply with. Until recently, state laws either relied on or mostly mirrored federal regulations. This is beginning to change as information security and privacy are becoming more important issues in the digital age.

Federal regulations such as FERPA, HIPAA, HITECH, COPPA, and more require high standards of security for student data storage. Information collection and retained by higher education institutions that fall under these requirements include personally identifiable information (such as social security numbers), personal health and medical information, and personal financial and credit information.

higher education cloud security - state laws map

Source: FERPA Sherpa

With many high-profile data breaches and other information collection issues deepening public concerns, states are also getting into information privacy and security regulation. According to FERPA Sherpa, the number of state laws regulating student privacy has dramatically increased since 2014. Two main regulations that have been adopted in whole or in part by many states include SOPIPA and SUPER. Both laws prohibit companies from sharing student data and using it for targeted advertising for non-educational purposes.

Finally, the much-hyped European Union General Data Protection Regulation (GDPR) has the potential to have an impact on higher education institutions in ways that many are unaware of.

Higher education institutions that accept student applications, collect alumni donations, or communicate with faculty on sabbatical in the EU are subject to GDPR. Despite the hype, colleges and universities are unlikely targets for GDPR regulators—at least in the near term. Most agree that EU regulators will focus on cracking down on very large, global organizations and bad actors. Nevertheless, administration leaders should be aware that their institutions are, technically, required to comply with data management regulations outlined in GDPR and could face hefty fines to the tune of millions of dollars.

Higher Education Cloud Application Security

Many colleges and universities across North America are more than aware of the need to invest in their cybersecurity infrastructure. But there is a lot of misperception and confusion around how and with what. There are several all-in-one, enterprise-level solutions available. But few do everything well.

Cloud application security (also sometimes referred to as cloud access security broker [CASB]) is relatively new to the cybersecurity space. As more organizations move away from installed software to cloud applications for communication, collaboration, and storage, the need for an additional layer of security was created. IT administrators managing such transitions also find that they lose visibility and control of the users and information within their institutions cloud environment.

Higher education institutions working with applications such as Google G Suite and Microsoft Office 365 may think their communications and files stored in the cloud are protected. Further, many rely on cybersecurity giants such as Cisco and McAfee to provide a layer of protection to their information infrastructure. Unfortunately, many are finding that they are losing critical visibility and control of account activity in the cloud. And vendors that claim to “do it all” tend to over-complicate and, surprisingly, hinder IT’s ability to administer effective controls. As in other areas of security, redundancy and a multi-layered approach is most commonly recommended by cybersecurity consultants for an effective higher education cloud security infrastructure.

Learn how information security leaders are taking higher education cloud security seriously with ManagedMethods’ effective, easy, and affordable cloud application security solution

Cyber Security in Higher Ed: How to Avoid Becoming the Next Target

New regulations should reduce number of costly attacks

Higher education institutions are major targets for hackers. Their databases contain a perfect trifecta of personal information, financial and health data for what’s considered high-value targets on the black market. Last year, a hacker known as Rasputin breached over 60 universities and government agencies and the tally continued to grow into 2017, becoming one of the largest higher education breaches in history. This sole cybercriminal made news, but hacks are really just the tip of a very large iceberg of breaches that are primarily caused by negligence.

In 2016, the U.S. Department of Education said they would require colleges and universities to comply with requirements laid out in the National Institute of Standards and Technology (NIST) Special Publication 800-171, which are designed to protect the confidentiality of “controlled unclassified information.” The first compliance deadline schools must meet is December 31, 2017.

Colleges and universities have a wide array of vulnerabilities, but in the interest of brevity and relevance, we’re going to focus on a few recent cloud email and storage related events in higher education that will be addressed by several of the 800-171 requirements.

Oregon Health & Science University

After Oregon Health & Science University (OHSU) suffered its fourth major breach in 2012, two employees were placed on administrative leave for the “unlawful release” of 22,00 pages of records from the university president’s office. These records included confidential information on faculty, staff, and students. The data was stored in Google’s Gmail and Drive applications by resident physicians and discovered by another faculty member in 2013. In addition to the 1,361 individuals facing significant harm due to their diagnoses being leaked, credit card data, payment information, procedures, photos, driver’s license numbers and Social Security numbers were included in the breach for thousands of others.

The OHSU breach is about as bad as they come since it included both HIPAA and FERPA violations. To prevent future breaches, the university agreed to a four-point strategy:

  1. Identify and isolate sensitive and/or regulated data
  2. Encrypt the data
  3. Monitor and restrict access to the data
  4. Educate campus community on best practices

The remediation process, fines, and strategy cost the university $2.7 million. This entire event could have easily been prevented with a cloud security solution that monitored files for sensitive data. However, given that this situation was handled beginning in 2013, OHSU was able to get ahead of about 99% of their fellow universities that have been dealt one blow after another in more recent years.

University of Oklahoma

This year, the University of Oklahoma (OU) experienced a similar data leak to OHSU. OU uses Microsoft Office Delver, an internal intelligent search engine. In just 30 of the hundreds of documents made publicly discoverable on Delve, there were more than 29,000 instances in which students’ private information were made available to users within OU’s email system. With a simple Delve search, student journalists discovered four spreadsheets that included students financial information along with the amounts of money they received in scholarships, grants, loans or waivers from 2012 through 2016! But wait, there’s more:

Another series of spreadsheets listed students who had received a grade of incomplete during the six semesters starting Fall 2014 through Fall 2016. One document listed the names and social security numbers of 30 students, including the names of athletes now playing professionally. It’s not clear why the document existed or how these students were related.

Two other documents listed the visa statuses of more than 500 international students. Several documents included information about current OU athletes’ scholarships and their eligibility statuses, including one that listed which students were barred from practice this past summer due to failed drug tests, recruiting violations, or academic misconduct.

These files were easily discovered by the student journalists who reported it, so the impact and breadth of the leak are still unknown and the investigation is ongoing.

Washington State University and the University of Ottawa

At this point, you might be dismissing these examples, since all these breaches took place in the cloud. But this year there have also been several instances of physical theft. A Washington State University (WSU) researcher noticed that an 85-pound safe that contained a hard drive was missing from a WSU storage unit. The drive contained names of about a million people, and the social security numbers and health history of some of them.

Think this is just a one-off? The University of Ottawa also found itself the subject of an investigation after the information of some 900 students was exposed when an external hard drive went missing. The data included people with disabilities and mental health issues.

In both cases, the hard drives are assumed to be unencrypted and investigations are ongoing.

What comes next?

A new set of federal regulations is set to tighten the cybersecurity practices of colleges and universities. There are six major steps higher education leaders can take to develop a program that fulfills new contractual obligations required for continuing federal grants, research contracts and other transactions in which institutions receive data from the federal government, which is most of them, according to Deloitte and EDUCAUSE:

  1. Form a working group with representatives from each of the institution’s three main business units: academics, administration, and research. The working group should have top-down support and the sustained engagement of leadership.
  2. Analyze the impact and scope by determining the applicable contracts and identifying data that must be controlled.
  3. Assess the current state of security and understand where CUI data resides (in on-premise campus systems and in cloud systems) and how it’s processed from the point of receiving through the lifecycle.
  4. Develop a plan to achieve compliance and mitigate existing gaps by defining roles and responsibilities to achieve and maintain compliance.
  5. Establish responsibilities and efficient processes to achieve sustained compliance over the long haul.
  6. Employ third parties to provide a thorough review of current practices across the entire academic enterprise.

What are the 800-171 requirements?

There are 14 categories of security requirements that must be met. Each category has a unique set of policy tests in which affected programs must meet.

  1. Access Control
  2. Audit and Accountability
  3. Awareness and Training
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Physical Protection
  10. Personnel Security
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

For a complete list of policy tests included under each of the 14 categories, please refer to the NIST SP800-171 web page. A deadline to comply or to report delays in compliance has been set for December 31, 2017.

Learn more about how cloud security can help your institution or company prevent breaches and maintain compliance with Cloud Access Monitor and then request your free trial.

Portfolio Items