7. Deploy multi-factor authentication mechanisms and SIEM solutions to manage access and monitor systems that contain sensitive data.
According to the CSA cloud security “compromised credentials and broken authentication” is a major cloud security issue. Jennifer Nowell, national director for State, Local Government & Education at Symantec told eCampus News that “It’s not to say that passwords shouldn’t be used, but think of passwords as level one, with today’s campus needing two or three levels of security protection that can clearly identify when an attack happens via system behavior and where it happens—all without compromising ease of use or access.” [Read: “The IT issues that will dominate 2016.”]
Curtis Hillegas, associate CIO of Research Computing at Princeton University noted that security has to enable research, not hinder it and one way to do this is to stop relying solely on passwords and working within new data security models that provide a secure network infrastructure.
“Authentication is based on a pretty simple set of principles,” explained Wethington. (A) something you know like a password/passphrase; (B) something you “are” like Biometrics; and (C) something you have like MultiFactor authentication with a phone number/email address.
“Unfortunately, these systems are all easily bypassed by someone who has access to even a small amount of information about you,” he continued. “Credentials should be changed regularly, at least every 90 days if not less. Multi-Factor authentication is a must have today. If institutions are not requiring at least 2 or more levels of authentication then the identity of the user cannot be trusted.
Wethington said there are a variety of layers that can be instituted beyond this for systems that are more sensitive, and would include IP-based “White-Lists,” Network Access Controls, Limited Remote Access, and behavior based security analytics.
“While the solutions are interesting, the vast majority of breaches today are due to a failure in the fundamentals of security practice,” he said. “Focus on getting the basics of Identity correct by instituting regular password changes, larger entropy, complex passwords, multi-factor authentication, and encrypting traffic between endpoints, especially during credential exchanges.”
8. Educate students, faculty, staff and contractors/vendors on the proper storage, management, and deletion of sensitive data.
According to J.R. Santos, executive VP of Research for the CSA, “instead of being an IT issue, cloud security is now a boardroom issue. The reasons may lie with the maturation of cloud, but more importantly, higher strategic decisions are being made by executives when it comes to cloud adoption.”
It’s a sentiment strongly mirrored by Wethington, who explained that security, in general, is a boardroom issue, with cloud security as just another component of a larger problem boardrooms are facing.
“Shareholders are holding the board responsible for their failure to protect their fiduciary interests when a breach occurs,” he said. “These breaches cost organizations billions of dollars a year in fines, lost revenue, lost good will and more. What [board members] don’t know or don’t want to know may be knocking on the boardroom door sooner rather than later, and when it does ‘ignorance will be no excuse for the shareholders, customers or the regulators.’ Boards should look at the data they have within their organization as the most precious asset they possess. The monetization of that data on the black market is very real and so are the threats to its security.”
9. Institute policies and procedures for breach notification and incident response. Then practice them once a month.
10. Monitor OSINT (Open Source Intelligence) streams for potential data leaks that may affect your institution. The sooner you detect the breach the sooner you can plug the hole.