As educational organisations shift systems to the cloud, cyber security professionals must also shift their focus to identity-based protection.
Every element of an educational organisation, from teaching to HR and finance, can now be managed with applications and storage based in the cloud via data centres that give instant access to the tools people need wherever they are.
The cloud offers efficiencies and new capabilities that could help to tackle a host of challenges the educational sector faces. These include improving data governance, boosting blended learning options, and scaling administration and assessment systems to handle increased student numbers.
For security professionals in the education sector, cloud computing presents challenges which require an approach which aims to protect systems via rigorous identity protection.
On-premise versus cloud security
Traditionally, education and enterprise organisations hold information and run critical systems ‘on-premise’. This means having servers on a site owned by the organisation.
In terms of security, this infrastructure usually has an ‘edge’ comprising a perimeter firewall/s to prevent bad actors getting access to critical systems via network-based connections. This means that on-premise solutions are easier to protect: they have a much smaller “attack surface” (points of weakness attackers can exploit).
But this does not mean that educational organisations should avoid transitioning to a cloud-based setup. Cloud solutions provide flexibility for staff and students and opportunities for improved data governance, learning solutions, and even estate management that an on-premises solution would struggle to deliver.
To manage the world of cloud computing, security teams must use the latest identity management solutions to maximise threat mitigation, while reducing friction for staff and students.
How identity is managed in the cloud
These interfaces allow different applications to connect and use each other’s resources – accessing a database, or getting real-time information from estate management systems, for example.
APIs are a crucial part of an organisation’s security architecture. If an attacker gets access to one, it can be easy for them to gain system-level privileges to all parts of a network, causing potentially catastrophic damage.
Therefore, ensuring identity is protected and controlled is one of the most critical aspects of securing cloud environments.
Authentication, authorisation and accounting
We recommend using the authentication, authorisation and accounting (AAA) framework as an approach to systems’ identity management.
- Authentication: First, users must be authenticated to gain access to a system, generally via a username and password
- Authorisation: Users then receive authorisation to take actions within the system, usually via ‘permissions’ (settings that allow users to access different areas and tools within a network) which are automatically applied after authentication
- Accounting: A user must be audited (or tracked) to ensure they are acting within their permissions
Privileged access workstations
If an organisation uses Microsoft 365, the AAA framework can be taken further in the form of privileged access workstations (PAWs).
This preserves security by only allowing accounts with access to critical systems to log in via a secure, restricted device; this device should be separate from the one used for everyday activity and should only have the tools available to administer M365, such as PowerShell and Edge.
Cloud services often also use ‘managed identities’ to protect critical information and systems within Azure. A managed identity allows users to use files and systems with Azure active directory authentication without being asked to provide identification details via passwords, for example.
However, for this to be successful, organisations must utilise role-based access control (RBAC), which only allows users to access systems which they have both the need and permission to access.
Conditional access and defender for cloud apps
Modern educational organisations use multiple software as a service (SaaS) platforms – all accessible through the cloud and, potentially, increasing their attack surface.
We recommend using conditional access and defender for cloud apps to manage the access policies for these platforms. They monitor usage and threats to users and their identities.
To monitor suspicious activity across a network, Microsoft defender for identity allows a system-wide approach to monitoring access and identity, alerting security teams to threats and breaches in real-time.
Adding multi-factor authentication (MFA) – or requiring two or more steps to authenticate a user’s identity - is a vital part of improving cyber-security. This should be used as part of the authentication stage of the AAA process.
To add extra layers of protection, administrators can set MFA to take place on a registered physical device, such as a phone. These devices provide one-time passcodes using an algorithm to confirm the user’s identity.
Using authentication services can create the risk that attackers, should they gain full access, could lock security team members out of critical systems.
This is why we recommend creating an emergency “breakglass” account.
These accounts will have high-level access to critical systems, but their use should be heavily restricted. The account’s credentials should be stored in a secure location, which can only be accessed via multiple authorisations across a team.
Learning more about security in the cloud
We recommend applying the National Cyber Security Centre’s 14 cloud security principles to all cloud access. These principles are based on real-world experience and, when appropriately applied, help to significantly boost the cyber posture of an organisation.
Designed for senior leaders, Jisc’s 16 questions you need to ask to assess your cyber security posture (pdf) also includes several tips to help address identity as part of an improved cyber-security posture.
Richard Jackson will speak virtually at the Jisc Security Conference on November 9 on how to manage identity securely in the cloud. Find out more about the Jisc Security Conference.