Build a zero trust security architecture to protect your district’s data stored in the cloud
Cloud productivity apps like G Suite and Office 365 are now standard across many school districts. It is not uncommon to see students and/or faculty and staff replying to an email or commenting on a document outside of the school network and using personal devices. This is because these kinds of apps are always available from any location on any device. The benefits are that they increase accessibility, productivity, and collaboration.
But these cloud apps also pose problems for traditional security techniques, and they may be leading to the demise of the “secure perimeter”.
In the past, IT security professionals were able to put up firewalls, segment networks, and prevent access to hosted apps from outside of approved networks. They are still able to extend these networks via VPN. However, using a VPN is an inconvenience, and adoption is not common among users.
Zero Trust Security: Modern Security for Modern School Districts
Zero trust security is being adopted as a way to secure users and applications. Traditionally, zero trust security focused on user identity. Single Sign-On (SSO) through standards and/or Multi-Factor Authentication (MFA) are examples of this approach. There are many compelling products on the market that provide SSO and MFA for organizations of all sizes. For instance, Google’s BeyondCorp initiative has pioneered the concept of an access proxy, but its adoption is still in the early stages.
I would recommend that you pair your identity-based zero trust security approach with intelligence from SaaS apps. The most effective way to do this is via APIs. Here are three examples of how the two can work together with an API:
1. User access within SaaS applications
Knowing the locations, devices, ISPs, and times at which a typical user logs into a SaaS application can offer valuable insight into unusual user behavior and whether the user account is compromised, as in an account takeover. APIs offer an easy way to visualize all user access to better understand activity that might be cause for suspicion.
2. Content sharing within SaaS applications
Your district’s documents now live in the cloud and are accessible from anywhere in the world by authorized users…and hackers. There is no firewall or proxy you can deploy that will ensure your data is secure from misuse. The best way to understand the use of any document is to understand who has been accessing the document, who it has been shared with, where it was downloaded from, who modified it, etc.
3. Phishing emails and compromised email accounts
In the past, hackers would send phishing emails that appeared to be from internal staff. Now hackers are sending emails that come directly from internal users' own email accounts. Hackers accomplish this by gaining access to student, faculty, and staff inboxes through an OAuth grant issued for supposedly useful apps such as games or restaurant tip calculators. Traditional anti-phishing defenses are no match for these targeted attacks because the compromised user’s actions are trusted by your security controls. MFA can stop some of these attacks, but not all.
To help prevent these attacks, you need visibility into every third-party app that has access to your district’s G Suite and/or Microsoft 365 accounts. This information is available from SaaS vendors through APIs. When it is paired with user access patterns, you can form an improved defense against attacks.
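The pairing described above can be sketched as follows. This is an added example, not code from the original article or from any vendor: it flags unapproved third-party apps that hold mail scopes and raises the severity when the same user then logs in from a country not seen before the grant. The record field names, the approved-app list, and all sample records are constructed assumptions; in practice they would be filled from the SaaS vendor's audit APIs.

```python
from datetime import datetime

# Scopes that let an app read or send mail (Google and Microsoft Graph scope names).
MAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.send",
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
}

# Constructed sample data. Field names are assumptions, not a vendor schema.
APPROVED_APPS = {"district-lms"}
GRANTS = [
    {"user": "teacher1@district.example", "app": "district-lms",
     "scopes": ["https://www.googleapis.com/auth/drive.file"], "granted": "2024-03-01T08:00:00"},
    {"user": "teacher1@district.example", "app": "tip-calculator",
     "scopes": ["https://mail.google.com/"], "granted": "2024-03-04T19:30:00"},
    {"user": "student7@district.example", "app": "word-game",
     "scopes": ["openid", "email"], "granted": "2024-03-05T15:00:00"},
]
LOGINS = [
    {"user": "teacher1@district.example", "country": "US", "time": "2024-02-20T07:55:00"},
    {"user": "teacher1@district.example", "country": "US", "time": "2024-03-04T07:50:00"},
    {"user": "teacher1@district.example", "country": "NL", "time": "2024-03-05T02:10:00"},
    {"user": "student7@district.example", "country": "US", "time": "2024-03-05T14:00:00"},
]

when = datetime.fromisoformat

def review_grants(grants, logins, approved_apps):
    """Flag unapproved apps holding mail scopes; severity is 'high' when the
    user logs in from a country not seen before the grant, else 'medium'."""
    findings = []
    for g in grants:
        risky = sorted(MAIL_SCOPES.intersection(g["scopes"]))
        if g["app"] in approved_apps or not risky:
            continue
        granted = when(g["granted"])
        mine = [l for l in logins if l["user"] == g["user"]]
        before = {l["country"] for l in mine if when(l["time"]) < granted}
        after = {l["country"] for l in mine if when(l["time"]) >= granted}
        new = sorted(after - before) if before else []  # no baseline: don't guess
        findings.append({"user": g["user"], "app": g["app"], "scopes": risky,
                         "new_countries": new, "severity": "high" if new else "medium"})
    return findings

if __name__ == "__main__":
    for finding in review_grants(GRANTS, LOGINS, APPROVED_APPS):
        print(finding)
```

A "medium" finding still warrants review: the grant alone gives the app mailbox access, even when login patterns look normal.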
These are just a few examples of how an API-based approach to SaaS security can complement and strengthen your district’s zero trust cybersecurity. There is no silver bullet when it comes to cloud security. You need an approach that leverages defense in depth.
The sooner your IT team moves away from an over-reliance on firewalls, proxies, and on-prem LDAP authentication, the sooner you can be prepared to face the threats to school district data systems that continue to emerge. Cloud applications that are always on and available from every device and location are a huge boon to K-12 schools. However, they also require IT teams to evolve and adopt new ways of addressing K-12 cybersecurity threats.