Out with the old, in with the properly-vetted third-party apps!
In the spirit of spring cleaning, we’re helping you clean up your school district’s cloud environment. And one of the messiest items on the agenda? Third-party cloud applications.
To help you understand the role vendors—and, specifically, the cloud apps they provide—play in your school district, we’ll guide you through everything there is to know about third-party applications, including why they’re important, how using them without a third-party app security policy can be risky, and what you can do to keep them in check.
Why you should be vetting your third-party vendors
Before you start breaking out the broom and sweeping away any third-party threats, you’ll need to know exactly why they require cleaning in the first place.
You might be wondering: What are third-party applications? Simply put, a third-party app is any cloud service provided to you by an outside vendor, such as Google Workspace or Microsoft 365. With the onset of the pandemic and the need for hybrid learning that followed, many school districts accelerated their journey to the cloud.
In fact, according to EdWeek Research Center, more than 90% of K-12 schools are already operating in the cloud, with 93% using Google Workspace, Microsoft 365, or a combination of both. Given the cloud's cost, operational, and educational benefits, it’s no wonder that so many schools made the leap. And that doesn’t include the plethora of additional cloud-based SaaS applications being used in school districts today, including instruction, human resources, building operations, and finance tools.
But in the process of that leap, most districts skipped investing in third-party app security. Only 20% of school cybersecurity budgets are being allocated to protecting data in cloud storage.
Here’s why that’s a major problem: Third-party applications are storing a lot of your sensitive data. When you deploy a cloud application, you’re entrusting that vendor to keep your data under lock and key. If their defenses are weak or their data handling procedures are sloppy, your sensitive material could be leaked or stolen by malicious hackers.
And even worse? When their security fails, it’s your district that’s held accountable by law. The Family Educational Rights and Privacy Act (FERPA) requires you to use “reasonable methods” to protect student data from accidental and intentional data loss.
Of course, noncompliance is just the tip of the iceberg: Risky third-party applications could have real-life consequences for your students, staff, and their families, too. That’s why it’s important to identify your cloud vulnerabilities and the ways they can be used to access confidential information.
Third-party app security challenges, risks, and vulnerabilities
It’s no secret that cybersecurity is a hot-button issue in 2022, but you may be surprised to learn that it’s especially problematic in education.
According to Microsoft’s tracker of global threat activity, education is far and away the most targeted industry of the past 30 days. Of the nearly 8.6 million devices that have encountered viruses, malware, and other cyber risks, education has accounted for over 83% of them.
That’s more than 7 million educational devices that have come in contact with a threat of some kind in the past month alone. That staggering number raises the question: Where are these attacks coming from?
One of the first places you should look is the cloud. According to Verizon’s 2021 Data Breach Investigations Report, “Compromised external cloud assets were more common than on-premises assets in both incidents and breaches.” Unsecure third-party apps have the potential to expose your district in a number of ways:
- OAuth: OAuth is an open-standard authorization framework. It allows you to log in to new apps using credentials from another system, like Google or Facebook. Hackers abuse OAuth to mine tokens and credentials from unsuspecting users, paving the way for them to access sensitive data stored in email and other applications.
- SQL injections: Malicious code injected into the database queries of a third-party app can open a backdoor into your cloud environment and expose sensitive data to prying eyes.
- Phishing scams: False applications may aim to fool unsuspecting students or staff members into providing personal information under the guise of a legitimate service.
As cyber criminals grow more sophisticated, it’s likely they’ll use a combination of all three. But on top of these malicious cyberthreats, there’s also the risk of human error:
- Unsanctioned apps: If students download or install unauthorized third-party apps to your cloud environment, they could open a backdoor for an accidental data leak or malicious breach.
- Security misconfiguration: Even legitimate apps can be poorly written. If an app’s security protocols are lackluster, they could be easily abused by a hacker.
- Third-party data handling: When you entrust a third party with your data, you’re also putting trust in their security posture. If they’re not careful, it’s your data they put at risk.
- Inappropriate use: Vendors may use student data to serve advertisements to students. They may also sell that data to other companies, create profiles of each student, or store that data for unknown purposes.
Between hackers and human error, your district is under a lot of pressure to keep data safe in the cloud. In combination, that task is almost insurmountable. Luckily, cloud-based data loss prevention (DLP) can take the weight off your shoulders.
How to protect your cloud environment from third-party risk
Cloud DLP takes a strategic and automated approach to securing data stored in your cloud environment. With a cloud-based DLP solution, you can mitigate both internal and external third-party risks.
You can think of cloud DLP as an effective force multiplier. Why? Because you can’t be in two places at once, but a DLP solution can. In other words, it monitors your cloud infrastructure for any activity that might put the district or students at risk, whether it be improper file sharing, inappropriate content, or signs of self-harm, cyberbullying, and violence.
As for third-party applications, DLP will secure your tech stack in a few key ways:
- Application risk scores: Cloud DLP can score the riskiness of your cloud apps based on certain criteria, including required admin privileges, authorization status, and written permissions.
- Automated threat identification: Cloud DLP will automatically recognize unsanctioned apps as they appear in your cloud environment and respond quickly thanks to 24/7 monitoring.
- Access control and policy enforcement: You can set policies for both users and apps that, when violated, will send you a real-time notification of the incident and allow you to mitigate risk immediately. You can revoke access to and unsanction apps quickly from a single user interface.
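The scoring criteria in the list above (authorization status, admin privileges, write permissions) can also be applied to your own inventory of OAuth grants. The following Python is an added example, not code from any DLP product: the grant records are constructed samples shaped like Google Workspace Admin SDK `tokens.list` items, and the allowlist, client IDs, and weights are assumptions chosen for illustration.

```python
from collections import defaultdict

SANCTIONED = {"vetted-lms.apps.example"}  # hypothetical allowlist of vetted client IDs
# Constructed sample grants, shaped like items from the Google Workspace
# Admin SDK Directory API tokens.list response.
GMAIL, DRIVE = "https://mail.google.com/", "https://www.googleapis.com/auth/drive"
ADMIN_USERS = "https://www.googleapis.com/auth/admin.directory.user"
EMAIL = "https://www.googleapis.com/auth/userinfo.email"
GRANTS = [
    {"userKey": "student1@district.example", "clientId": "quiz-helper.apps.example",
     "displayText": "Quiz Helper", "scopes": ["openid", EMAIL]},
    {"userKey": "student3@district.example", "clientId": "quiz-helper.apps.example",
     "displayText": "Quiz Helper", "scopes": ["openid", EMAIL]},
    {"userKey": "teacher1@district.example", "clientId": "vetted-lms.apps.example",
     "displayText": "Vetted LMS", "scopes": [DRIVE]},
    {"userKey": "student2@district.example", "clientId": "mail-merge.apps.example",
     "displayText": "Mail Merge", "scopes": [GMAIL]},
    {"userKey": "staff1@district.example", "clientId": "roster-sync.apps.example",
     "displayText": "Roster Sync", "scopes": [ADMIN_USERS]},
]
IDENTITY_SCOPES = {"openid", "email", "profile", EMAIL}

def scope_flags(scope):
    """Return (needs_admin, can_write) for one OAuth scope string."""
    if scope in IDENTITY_SCOPES:          # sign-in only, no data access
        return False, False
    return "/auth/admin." in scope, not scope.endswith(".readonly")

def score_apps(grants, sanctioned):
    """Aggregate grants per app and score them; the weights are illustrative."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "admin": False, "write": False})
    for g in grants:
        app = apps[g["clientId"]]
        app["name"] = g.get("displayText", "")
        app["users"].add(g["userKey"])
        for scope in g.get("scopes", []):
            admin, write = scope_flags(scope)
            app["admin"] |= admin
            app["write"] |= write
    report = []
    for cid, app in apps.items():
        score = 0 if cid in sanctioned else 40     # authorization status
        score += 40 if app["admin"] else 0         # admin privileges
        score += 20 if app["write"] else 0         # write permissions
        report.append({"clientId": cid, "name": app["name"],
                       "users": len(app["users"]), "score": score})
    return sorted(report, key=lambda r: (-r["score"], r["clientId"]))

if __name__ == "__main__":
    print(*score_apps(GRANTS, SANCTIONED), sep="\n")
```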
7 third-party app security tips, tricks, and best practices
By now you might already be clutching your metaphorical broom and getting ready to sweep your risky third-party apps into the digital dustpan. Before taking out the trash, here are a few tips that may help you improve your district’s third-party app security and keep your cloud environment clean for many seasons to come:
1. Perform a self-assessment
Auditing the cloud applications that already exist in your environment is the best way to get ahead of the curve and put a stop to any security gaps that are currently being exploited.
2. You get what you pay for
In a recent webinar, Marlo Gaddis, chief technology officer at the Wake County Public School System, told us that free edtech tools are only as free as a puppy.
“You know when you get a free puppy the work isn’t over,” she said. “It’s just begun.”
School budgets can be tight and tedious to work around, but there’s no cost greater than jeopardizing your student data. Set off on the right foot and seek out quality third-party vendors with a proven history of certified security, even if they cost you a small piece of the budget.
3. Develop a vetting process
4. Develop a formal data sharing policy
Refer to FERPA recommendations and create a formal policy for how you’ll agree to share data with third-party applications. Most importantly, share this information with parents, staff members, and students for full transparency.
5. Monitor your domains
Be sure that students and staff members aren’t attaching their school accounts to unauthorized third-party applications, services, and other unsanctioned websites.
6. Teach everybody proper data protection
Do what your school district does best and start teaching everyone – students and staff – the basics of data protection. Risk management isn’t the responsibility of just one small security team — it takes everyone making an effort. With everyone on the same page, you’ll be much better off in the long run.
7. Invest in automation
Cloud data loss prevention software can be an extension of your district’s security team by automating the detection and remediation portions of your third-party app security. It empowers you to monitor your cloud apps, automate remediation, and squeeze an additional layer of security between your students and the prying eyes of the outside world.