School of Phish

School of Phish: Common myths or misconceptions of security in the cloud

James Scott from the Institute for Critical Infrastructure Technology, aptly commented that “there is no silver bullet solution with cybersecurity, a layered defense is the only viable defense.” His premise is accurate, especially in education and now more so than ever.

The Cybersecurity and Infrastructure Security Agency saw a notable increase in malicious activity with ransomware attacks against educational institutions in 2020. The K-12 Cybersecurity Resource Center has found in recent research that the privacy of 100+ million children, families, and young adults remains unprotected. Cybersecurity professionals claim that data loss and the threat to data privacy are among their top cloud security challenges.

These are staggering facts and likely not new information to you. Remote learning has made everyone more susceptible to attack and that is irrefutable. The attack surface is simply bigger than it has ever been before. 

So why are we talking about this now? Why speak to this when it has been covered ad nauseam in conferences, white papers, and discussed in forums? We want to cut through the noise and clutter. Cloud adoption rates in education top that of every other industry measured. The risks correspondingly increase as well.

There is an astounding volume of content on this subject since the beginning of the pandemic. We want to simplify the cloud security piece here. The concepts, implementation, and implications are anything but simple, but what we can do is provide actionable information and identify gaps in your cloud security stack. 

Here is some (phish) food for thought :

  1. Cybersecurity is not one large amorphous concept nor is it synonymous with cyber safety

  2. Education technology leaves districts susceptible to further risk because when there are more apps, there are more access points

  3. An Audit of your cloud environment is key to identifying vulnerabilities – risk management is critical to security

But I have a firewall and a filter, surely I’m safe? Negative ghost rider.

One of the most common misconceptions is that a web content filter is an adequate solution for data security. That is simply not accurate. Content filters focus on online safety and ensure students and staff do not access harmful or inappropriate content. Filters play a critical role in student safety and security but they are not a one-stop solution to secure district data, particularly when that data is stored in the cloud. With access to cloud data off-premise, your perimeter technology does not provide sufficient coverage either. Physical or on-premise hardware filter appliances only protect traffic when students are in your schools. Same for cloud/extension filters. Extension filters still work during remote learning, but only when signed into Chrome.

So how do I fill that gap? By adding a cloud security solution to your stack.

  • Cloud security technology analyzes and controls data housed in the cloud, based on policies defined by you. This technology can not only detect a threat and send alerts but can also act on those threats and block activities that violate set policies.

  • Cloud security can eliminate the sharing of sensitive data externally whether it be with malicious intent or simply accidental. 

  • The government mandates, through legislation, and regulatory means, that districts protect students and their families from harm. Cloud security partner solutions allow a district to remain compliant with these requirements. 

Google is secure by design, right? In the right conditions.

While cloud technology is agile and scalable, it evolves at a quick pace. It is yet another misconception that a district’s cloud vendor is responsible for the lion’s share of securing data. Google is constantly investing in its technology to give districts the safest experience in the cloud. However, the onus lies on the districts to implement these changes effectively. An audit of your current settings is not only prudent but essential to identifying vulnerabilities and maintaining high standards of security.

There is a veritable alphabet soup ( FERPA, HIPPA, COPPA, PPRA) of state/provincial and federal regulations that a district must comply with and an even greater responsibility to make sure that students and staff are protected. The threat vectors increase as the scope of education technology expands. Be sure to secure, protect and prevent. Implement a layered defense. The threat is not singular, the response should not be either.

“Scientia potentia est,” knowledge is power.

When it comes to evolving security measures, “scientia potentia est” or “knowledge is power.” Invest in continuing education. Our Amplified admin family of Google for Education technical certifications build your skills and knowledge around security and beyond. 

Now that we’ve reviewed the top myths or misconceptions of security in the cloud, you probably have questions.  Take a look at a recent live stream  Google Workspace Admin: Security and Compliance where we addressed many of these topics. Or, if you are ready to learn more about custom solutions for your district, schedule a call with one of our Google for Education technology experts.

  • Tanya Holloran
    Specialist Sales Lead

  • About the Author:

    Tanya finally found her happy place at Amplified IT in 2019 after an extensive career in media research. She has over a decade of experience in SaaS sales and at Amplified IT Tanya is able to apply her skills by leading the Specialty Sales Team managing third-party partner solutions. Tanya is also a Google Cloud Certified Google Workspace Administrator. 

    Tanya graduated from Old Dominion University with a Masters in International Studies and she calls both Virginia Beach and Mumbai home. When she is not chasing her two kids and two pups, she is a voracious reader, a Virginia Tech Hokies fan, and a passionate volunteer and advocate for the Children’s Hospital.