What CISA Got Right (And Wrong) About Cloud Security

There’s no question that K-12 school districts are strained when it comes to cybersecurity. After years of increasingly devastating incidents, the court of public opinion seems to agree that something must be done to mitigate the problem.

Luckily, we’re witnessing a step in the right direction. In January 2023, the Cybersecurity & Infrastructure Security Agency (CISA) unveiled its multi-year research into data security challenges within the K-12 school system. Alongside its report, CISA released a list of recommendations — known as a “toolkit” — for institutions to better protect student data and uphold privacy standards across the country.

While overall the report is a net positive for districts that have been on the frontlines of these attacks, I wanted to focus on the topic of cloud computing—security in particular—because, well, that’s what we do! Let’s take a closer look at what spurred CISA’s research and what the agency got right and wrong about cloud security.

The K-12 cybersecurity problem

The state of cybersecurity in K-12 education has been a bit bleak. In fact, according to the K12 Security Information Exchange (K12-SIX), the average school district experiences at least one cyber incident per school day in the United States.

As cyber threats evolve and grow increasingly more sophisticated, it’s become exceptionally difficult for K-12 schools to keep up the fight. Whether it be a ransomware attack or a school data leak, incidents are hitting the headlines on a regular basis.

Finally, the federal government decided to take action. In October 2023, President Biden signed into law the K-12 Cybersecurity Act — a bipartisan bill that ordered CISA to conduct research into how schools can better protect their data. By law, the agency had 120 days to review the threat landscape and 60 days to create guidelines off the back of its results.

CISA’s key findings

According to CISA’s report, cyber incidents tripled during the pandemic as an onslaught of various threat vectors targeted their new technological advancements.

However, research also indicates that most districts lack staff with the expertise to match today’s cybersecurity challenges. Per the report, “most districts do not employ full-time cybersecurity personnel, and some smaller school districts may not even employ full-time IT staff.”

Furthermore, districts are highly concerned about managing their third-party vendors. Few districts have the time or resources to comb through vendor security policies. Worse yet, there are little to no standards or minimal requirements for K-12 suppliers, making it difficult for schools to access cloud services with confidence.

CISA’s K-12 Cybersecurity Report & Cloud Security

CISA’s landmark research has brought more attention to the many cybersecurity challenges that school districts are facing. It also provides some practical, effective solutions for districts to start moving in the right direction.

But I do have some (possibly controversial) opinions about the report’s characterization of cloud computing for schools.

What CISA got right about cloud security

1. Cloud migration improves infrastructure security: Notably, CISA report recommends that schools should be “urgently reducing the security burden by migrating to secure cloud environments.” Cloud data storage is indeed more secure than on-premises data servers for a number of reasons. For example, with cloud storage, there is built-in redundancy so you don’t have to worry about a single server in a basement closet somewhere going out. Additionally, you get a team of highly-paid experts focused entirely on the cloud server’s performance and security to rely on, versus needing someone on your team to put in the time and effort.
2. Cloud storage isn’t automatically secure: Digging into the report’s fourth step, the authors write “While it is not possible to categorically state that ‘the cloud is more secure,’ migration to the cloud will be a more secure and resilient option for many K–12 organizations.” (page 17) This is a correct and important disclaimer when planning your migration to the cloud. Cloud application vendors operate using a shared responsibility model, which basically means that they are responsible for some portions of security and you are responsible for others. A mistake that I’ve seen so many districts make is they assume that, say, Google or Microsoft is handling all of the security for them.
3. Collaboration is key: “No K-12 institution is an island,” says CISA — and I agree. It’s important that K-12 institutions and prominent organizations share information with K12 SIX and similar entities. This partnership can help coordinate a better understanding of cybersecurity and the specific challenges plaguing the industry.
4. Change must be top-down: It can’t all be on cybersecurity personnel and school administrators to keep data under lock and key. Legislators, regulators, and leaders need to align with school districts to actively mitigate cyber threats so that nobody bears the burden alone.

Where CISA got cloud security wrong

1. Ignoring K-12’s cloud revolution entirely: I had to start here, because this one really grinds my gears. If you do a word search for “cloud” in the full report, it is only mentioned 5 times. 5! And the few times it’s mentioned, it’s as if the authors don’t know that schools districts are already in the cloud. At this point, over 90% of school districts are using at lease some cloud services. Many are already almost entirely in the cloud. The K-12 cloud migration was already well under way pre-COVID due to the many cost, management, and access benefits that cloud applications provide. But the migration turned into a veritable tidal wave when school buildings were shut down.
2. Clouds aren’t inherently secure: It’s important not to perpetuate the notion that cloud domains are secure by default. This is already a common misconception throughout the education sector, as many districts mistakenly believe network and endpoint protections to include cloud services. Yes, Google, Microsoft, AWS, and other reputable cloud storage providers provide unbeatable infrastructure security. And they also have built-in security configuration and control features. But securing access to your district’s data is still your responsibility. And that’s were the majority of the issues come up for schools who aren’t properly configuring their settings and monitoring for issues.
3. No cloud-specific recommendations: Although CISA acknowledges the cloud isn’t categorically more secure than on-prem technology, its toolkit makes no mention of how schools can protect cloud services. This is a major blank space for K-12 schools that leaves them vulnerable to data leaks, loss, and attacks. Again, most districts are already in the cloud. So, not providing recommendations for monitoring and securing cloud data is an unfortunate miss in this report.

CISA’s Protecting Our Future report is great, and I encourage everyone to read it and start putting it’s recommendations in place—just getting started toward improvement is the key. It’s heartening to see the federal government and others finally beginning to take this issue seriously, and putting together practical, actionable resources for schools.

It’s important to keep in mind that there is no “easy button” when it comes to cybersecurity—no matter what industry you’re working in. This research won’t fix all our problems. But it is a step closer to the end goal, which of course is to keep sensitive student information safe at all costs.

Unfortunately, it lacks a clear and helpful representation of cloud security for K-12. With more schools operating in the cloud than ever before, this is a huge blind spot that can’t go undiscussed.

By implementing cloud layer of protection, your district can gain visibility into what is going on in your cloud domain. More importantly, you can safeguard information, detect threats, and more effectively keep students safe. At the end of the day, that’s what matters most.