K–12 Schools Are Betting That Cloud Providers Can Better Secure Their Data

Today, the 7,000-student, 13-school district has shifted nearly every workload away from its data center and into the cloud, which has resulted in cost savings, more efficient operations and improved redundancy and security.

“Most school districts like ours don’t have a full-time CISO or a team of security experts. So, the solution is to put it in the hands of cloud providers and software companies that have that,” Santiago says. “They will protect it better than we can because we may not have the skill sets and tools needed to keep up with the challenges of cyberthreats and attacks.”

In a survey by the Consortium for School Networking, school IT leaders revealed that cybersecurity remains their No. 1 priority because they typically have understaffed IT teams, which make them easier targets for cybercriminals. The same survey also found that 1 in 3 districts have at least one IT person focused on cybersecurity.

While many districts still prefer on-premises data centers, an increasing number are migrating their key applications and most sensitive data to the public cloud and SaaS providers. One key reason is that it strengthens their security.

“It takes a lot of day-to-day operational risks out of your hands by putting it in cloud providers’ hands,” says Amy McLaughlin, CoSN’s cybersecurity project director. “Running a data center is their bread and butter. It’s what they do, and leveraging their services definitely has a great ability to improve your cybersecurity.”

LEARN MORE: Get started on transitioning your school’s data to the cloud.

West Orange Bolsters Security Through Risk Assessments

West Orange Public Schools took a phased approach to cloud adoption, prioritizing the most important apps first. The IT department completed the last major portion of its cloud migration last year when it moved file servers to Google Workspace for Education.

The district has kept a few applications in-house that are not cloud-friendly. It is also running Active Directory and domain controllers on-premises and storing security camera video in its data center. However, the majority of its data is in the cloud.

To bolster business continuity, the district backs up Google Workspace files to Google Vault and then a second time through backup cloud provider Backupify. The district’s other SaaS providers back up the district’s data as part of their services.

Even though the cloud providers are in charge of securing West Orange Public School’s data, Santiago’s team still needs to oversee the district’s entire security operation. He evaluates the security of the district’s cloud providers by hiring a third-party company to conduct risk assessments, focusing on vendors that host data with the most sensitive Information.

“Just because you pay for them to host and manage your applications and data, it doesn’t mean you’re not liable,” Santiago says. “You have to ask them questions and vet them properly to make sure they are doing what they’re supposed to be doing.”

Cloud vendors must answer security questions, such as how they manage access control, what their data recovery strategy is, and whether they do background checks and provide their employees security training. They need to follow certain industry standards and practices.

Santiago reviews the assessment results and asks the cloud vendors to address concerns. “When we find weaknesses, we want the vendors to fix them and clean up their processes so we feel comfortable with moving forward,” he says.

West Orange Public Schools has also invested in a robust, secure network infrastructure to provide staff and students high-quality service and the bandwidth they need to access applications. The district hired CDW to run a security audit of its IT infrastructure and has implemented recommendations, including the installation of a new Ruckus wireless network with stronger authentication features, he says.

The district has deployed Sophos endpoint security and upgraded to new Cisco firewalls. It also uses tools such as Lightspeed Digital Insights, which helps IT administrators with monitoring, identifying and restricting the use of unapproved applications.

To further safeguard data, the district has set up two-factor authentication for Google Workspace and is working to deploy data loss prevention to protect sensitive HR, financial and other administrative data within their Google Workspace environment, he says.

Despite his efforts, Santiago is under no illusions that he’s fully secure — not when major corporations that have the means for large IT security teams still get hacked, he says.

“We are in a better place. I think we increased the probability of securing our students’ and employees’ private data, but there are no guarantees,” he says. “All you can do is put the best safeguards in place and monitor regularly. We’re doing the best we can with the resources we have.”

DISCOVER: Learn more about how protecting data in the cloud can deliver a smooth recovery.

Michigan Schools Make Themselves a Tougher Target with the Cloud

The Kalamazoo Regional Educational Service Agency provides IT support for 18 entities, including school districts and charter schools in southwest Michigan. Six years ago, KRESA began moving its infrastructure to Amazon Web Services. Today, about 80 percent of the schools’ applications and data are hosted in the cloud.

KRESA embraced the cloud to reduce costs, bolster security, and improve uptime, reliability and scalability, says Michael Coats, KRESA’s IT infrastructure manager.

“We knew that the cloud is more secure. The number of zeros in Amazon’s security budget is far more than ours,” he says.

However, cloud security is better only if IT administrators properly secure their cloud workloads, and that includes ensuring that virtual machine permissions are set up properly in AWS.

“The big difference is, if I have a firewall on-premises and if I mess up my VMware permissions, you have to be in the building to get access to it. If I mess up in the cloud, everyone has access to it,” Coats explains.

He made a priority of certificate training to manage and secure systems in AWS. Instead of forcing his staff to do it on their own time, he allowed staff to gain their certifications during work hours. “It’s that important,” he says.

One reason security is much improved in the cloud is because AWS gives access to security tools that KRESA could not afford otherwise. “A good example is Amazon Inspector. It does continuous vulnerability scanning all of our AWS instances, and it costs like $1.25 per machine, per month. I couldn’t afford to do that onsite,” he says.

Coats’s efforts at KRESA have been so successful that he’s working with other regional educational service agencies on a statewide initiative, called the Michigan Collaborative Hub, to provide shared IT services. That includes an effort called MiCloud to help Michigan schools migrate away from data centers to the public cloud, and a cybersecurity effort called MiSecure.

Matt McMahon, director of MiSecure, believes hackers prefer to attack easier targets — specifically, districts that use internal data centers.

“If you put systems in the cloud, that’s one big hurdle hackers are going to have to get over. They’re probably going to look for somebody that’s not in the cloud,” he says.

DIVE DEEPER: Learn how school districts can successfully shift to the cloud.

Rocklin Schools Use the Cloud to Secure Backups

Not every district wants to migrate everything to the cloud. Many still rely on in-house data centers, but some, like Rocklin Unified School District in California, back up their data in the cloud for disaster recovery and security reasons.

Having a good data backup and recovery strategy is critical for safeguarding data from cyberthreats and natural disasters, says RUSD CTO Ryan Johnson.

The district, with 11,500 students across 17 schools, takes a hybrid cloud approach. While it uses some SaaS providers and public cloud platforms, it also houses workloads in an onsite data center. For security, RUSD encrypts its backups at a secondary data center and sends encrypted backup files to the cloud with third-party tools.

However, Johnson doesn’t assume data is automatically secure because it’s stored in the cloud. The district still must follow basic security measures and maintain good security hygiene, he says.

Backing up the district’s Google Workspace data to SysCloud, a data backup cloud provider, is key, he says; if Google Workspace files are deleted or corrupted, IT staff can quickly recover the files from RUSD’s SysCloud backup.

As part of its incident response and disaster recovery plan, if the district’s data becomes inaccessible, having quick and effective ways to get back up and running is critical. SysCloud’s encrypted backups align with this plan in a simple and effective way, Johnson says.

“You don’t want to think about it, but if needed, we follow our incident recovery process and get back up,” Johnson says. “That’s the importance of a hybrid cloud.”

UP NEXT: Uncover how HCI and cloud solutions can benefit K–12 IT professionals.