Continue the Conversation: Campus Cloud Security Shared Assessments

Our Campus Cloud Security Shared Assessments session at the 2016 EDUCAUSE Security Professionals Conference in Seattle was a hit! We had a full room and attendees were actively engaged in the hour-long discussion. Our presentation is now available, so if you’re curious, please check it out and contact us if you have any questions.

The main issue is how to appropriately assess the security of the ever-growing number of campus cloud services. Even if a campus has established a cloud security assessment methodology and has the resources to assess many of its cloud services, it is rare to have sufficient resources to assess all of them. This is where the higher education community has an opportunity to save time and resources by sharing the methodologies and results of these assessments.

We informally polled the audience to determine which institutions did application security reviews, performed assessments as part of contract reviews, and had enough staff to perform the reviews. Most campuses are doing application security reviews, but even the largest campuses are strained by the resources needed to adequately address the speed of cloud services. Mature review programs appear to use nearly 30% of their information security staff resources in the area of cloud security assessments.

Throughout the presentation, we actively engaged with the attendees to get their feedback and ideas on how shared assessments might work. Some of the topics we discussed included:

  • What questionnaires or tools are already in use
  • How sharing assessments could save service providers time by avoiding the need to complete multiple unique questionnaires
  • How we might provide feedback to the community about the security of a cloud service provider
  • How to provide support for information security or IT staff reporting back to their campus about these shared assessments

Given all of the support and enthusiasm expressed by session attendees, EDUCAUSE, Internet2, and the REN-ISAC will be collaborating to host a new HEISC working group that focuses on shared assessments. The three organizations are currently working with the chair (Jon Allen) to create a charter and establish a short-term, lightweight plan for the working group to get started. We will be reaching out to interested campuses to coordinate a kick-off call soon. If you have any questions about this new working group, please send an e-mail to

Jon Allen is the assistant vice president and chief information security officer at Baylor University.

Nick Lewis is the NET+ program manager for security and identity at Internet2.

© 2016 Jon Allen and Nick Lewis. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.