Continue the Conversation: How Risky Is the Cloud?


This blog post is one of a series of posts designed to "continue the conversation" after the 2016 EDUCAUSE Security Professionals Conference, held April 18–20 in Seattle, Washington.

This year's conference, "Data, Intelligence, Risk, and Value: Security and Privacy in Higher Ed," included a number of formal and informal networking events, from organized birds-of-a-feather sessions to the famous "hallway track," where members can chat informally with their peers about information security issues.

A traditional networking event at the conference is lunchtime roundtable discussions. At the roundtable, participants can network with those who share similar interests or responsibilities and discuss topics of particular interest. One conference attendee hosts each roundtable and facilitates the discussion. Roundtable topics are preannounced in the conference program and this year included items such as attracting and retaining staff, using endpoint security, protecting research data, and learning about IT risk registers. This blog post summarizes the "How Risky Is the Cloud?" roundtable discussion.

Seven conference attendees took part in the lunchtime roundtable discussion; participants included a mix of higher education information security professionals and cloud vendors.

As more university data and services are moved into the cloud, it becomes important to understand the risks and the ways to mitigate them. Universities tend to accumulate PII (personally identifiable information), and improper protection of that data can result in very expensive security breaches. Other themes explored during the lunchtime discussion included:

  • Comparing the risks of running an application on-premises with the risks of moving the same application to the cloud
  • Reducing risk in the cloud requires the same skill set as doing it in house

Members of the lunchtime discussion also focused on the types of risk present in the cloud (and in on-premises applications) and how best to deal with them. In general, the group concluded that the major component of application risk comes from the people using the application. This means that standard application risks, such as credential loss through phishing or a compromised system, bad placement of data, sending sensitive data in unencrypted e-mail, or oversharing of files, would still need to be addressed. From an information security standpoint, these risks are the same regardless of where the application sits (on-premises versus in the cloud). Thus, reducing risk in the cloud requires the same skill set as doing it in house: writing comprehensive information security policies, educating end users on good security practices, and implementing DLP tools. Log monitoring and other standard operational security practices are also needed.

The group also discussed that there are now vendors who specialize in cloud security and provide functions that would be hard to implement without their services. Some of these vendors were sponsors at the conference.

The Higher Education Information Security Council (HEISC) has created an Information Security Guide that contains a resource on cloud computing security. Other resources to review include:

The 2017 EDUCAUSE Security Professionals conference will be held May 1–3, 2017, in Denver, Colorado. The call for proposals for the 2017 conference will be released this fall. If you have ideas for lunchtime roundtable topics at the 2017 conference, please e-mail [email protected].

Joel Rosenblatt is the Director of Computer and Network Security at Columbia University.

© 2016 Joel Rosenblatt. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.