
Top 3 Cloud Security Risks for Higher Education


Colleges and universities are top targets for cyberattacks, from malware to ransomware to data theft. Besides being attractive to threat actors – in part because they store large quantities of personally identifiable information (PII), research data and intellectual property – higher education institutions may lack necessary security infrastructure, IT skills and staffing.

The ongoing transition from on-premises datacenters to cloud services has exacerbated this situation. Cloud-hosted applications (SaaS), infrastructure (IaaS) and data storage can increase the security risks facing a college or university in three areas: attack surface, software vulnerabilities, and identity and access management (IAM).

This blog discusses why these cloud security exposures can pose a high risk.

Expansive and Rapidly Changing Cloud Attack Surface

The typical cloud attack surface for colleges and universities comprises SaaS, IaaS, data storage and users, who may include students, faculty, staff and third parties such as donors, alumni, adjunct professors and research partners. This attack surface changes constantly as faculty and staff create websites and other assets to support new educational offerings or initiatives. Ease of provisioning makes cloud environments a popular tool for developing courses or managing research projects. However, without a deep understanding of cloud security, web creators can inadvertently increase exposures.

Further, these websites and other web-facing assets, such as domains and sub-domains, are often linked to sensitive internal resources. For that reason, the larger the number of domains, the greater the chances of a data breach. Security risks associated with a large number of domains increase when the network includes sites that remain connected to the internet but are not being maintained – for example, following the conclusion of a project.

A fluctuating user base also expands the attack surface. As new students matriculate and external experts join a teaching team or project, new exposures open up. In particular, exposures can result from the use of personal devices, operating platforms and connections that may lack adequate security protections. As students graduate and depart, their permissions may not be terminated immediately, allowing formerly affiliated users to continue accessing cloud resources.

To bring the cloud attack surface under control, institutions should:

  • Perform ongoing penetration testing on cloud environments.
  • Use network scanners to identify exposed systems and devices.
  • Complete quarterly asset inventory and security assessments of cloud services and resources.
  • Scan for vulnerabilities and misconfigurations on all cloud assets before deploying to production.
  • Document that only the latest versions and patches of containerized applications can be deployed to production.
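
One way to run the inventory check described above (an added example, not part of the original article): it reconciles the hosts a network scanner found reachable against the asset inventory, surfacing unknown sites and sites left online after their project concluded. The inventory fields, the 90-day patch threshold and all hostnames are assumptions constructed for illustration.

```python
from datetime import date

MAX_PATCH_AGE_DAYS = 90  # assumed threshold, aligned with a quarterly review

def classify_assets(discovered, inventory, today):
    """Label each internet-reachable host found by a scan.

    unknown  - reachable but missing from the inventory
    orphaned - inventoried, but its project has concluded
    stale    - active project, but not patched within the threshold
    ok       - inventoried, active and recently patched
    """
    findings = {}
    for host in sorted(discovered):
        entry = inventory.get(host)
        if entry is None:
            findings[host] = "unknown"
        elif entry["project_end"] is not None and entry["project_end"] < today:
            findings[host] = "orphaned"
        elif (today - entry["last_patched"]).days > MAX_PATCH_AGE_DAYS:
            findings[host] = "stale"
        else:
            findings[host] = "ok"
    return findings

def retired(discovered, inventory):
    """Inventory entries no longer reachable: candidates to close out."""
    return sorted(set(inventory) - set(discovered))

def asset(project_end, last_patched):
    """Build one inventory record (hypothetical schema)."""
    return {"project_end": project_end, "last_patched": last_patched}

# Constructed sample data; hostnames use the reserved .example TLD.
TODAY = date(2023, 10, 1)
INVENTORY = {
    "courses.univ.example": asset(None, date(2023, 9, 15)),
    "grant-2021.univ.example": asset(date(2022, 6, 30), date(2022, 5, 1)),
    "portal.univ.example": asset(None, date(2023, 3, 1)),
    "old-wiki.univ.example": asset(date(2020, 1, 1), date(2019, 12, 1)),
}
DISCOVERED = {"courses.univ.example", "grant-2021.univ.example",
              "portal.univ.example", "lab-demo.univ.example"}

if __name__ == "__main__":
    print(classify_assets(DISCOVERED, INVENTORY, TODAY))
    print(retired(DISCOVERED, INVENTORY))
```
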


Unpatched Vulnerabilities

Unpatched vulnerabilities in cloud production source code can open the door to cybercrimes such as ransomware attacks. For example, The State of Ransomware in Education 2023 from Sophos reported that in higher education, exploited vulnerabilities were the most common root cause of ransomware attacks.

According to Palo Alto Networks’ Cloud Threat Report Vol. 7, “Nearly two-thirds (63%) of the codebases in production have unpatched vulnerabilities rated High or Critical (CVSS >= 7.0), and 11% of the hosts exposed in public clouds have High or Critical vulnerabilities.” Further, in a cloud environment, a single vulnerability can be replicated to multiple workloads.

The IBM X-Force Cloud Threat Landscape Report from 2022 stated that vulnerability exploitation remains the most common way to achieve cloud compromise. This report claims new cloud vulnerabilities increased by six times over the previous six years.

In addition to production source code, other sources of vulnerabilities include cloud misconfigurations like excessive account permissions and containers exposed to the public. Vulnerabilities can also be found within the cloud infrastructure itself, such as hypervisor weaknesses or an application or service shared by users from different organizations. However, infrastructure vulnerabilities are the responsibility of the cloud provider, and customers have little control over them, except to perform due diligence during selection of a cloud service.

Beyond the protections listed in the section above, institutions should also:

  • Deploy and properly configure cloud workload protection.
  • Create alerting, prevention, and secure handling policies for identified malware.

Improper Management of Identity & Access Management Policies

Identity and access management (IAM) is a particular problem for colleges and universities for several reasons. The main issue is complexity. Institutions enroll and graduate hundreds or thousands of students each year, and their identities must be promptly added to or removed from the system. In addition to students, faculty and staff, higher education institutions typically provide access to cloud-hosted resources for third parties, such as visiting lecturers, research organizations and government agencies. And each of these users may require access to different cloud resources, or fill multiple roles requiring access to a different combination of workloads or data sources.

Adding to this IAM complexity is the continuing popularity of online learning, which can contribute to access problems due to unsecured personal devices and education platforms and the use of social media. Finally, IAM procedures in a college or university can vary by physical location, business unit or area of study, leading to security gaps.

To maintain a secure cloud, proper IAM policy creation is essential. Consider implementing the following security measures:

  • Create alerts for any modification or deletion of IAM roles and policies, and creation of new IAM users, roles, and policies.
  • Define a least privilege architecture for each IAM policy or role. This could mean using a single-use isolated service account for all cloud development.
  • Prevent long-lived credentials by automating IAM credential cycling.
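
The alerting and credential-age checks from the list above, as an added example that is not part of the original article. It assumes AWS CloudTrail-style records (the article names no cloud provider), a 90-day rotation window and a simplified key inventory format; all sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

# IAM API calls matching the alert conditions in the list above (AWS assumed).
ALERT_EVENTS = {
    "created": {"CreateUser", "CreateRole", "CreatePolicy"},
    "modified": {"PutRolePolicy", "AttachRolePolicy", "DetachRolePolicy",
                 "CreatePolicyVersion", "UpdateAssumeRolePolicy"},
    "deleted": {"DeleteRole", "DeletePolicy", "DeleteRolePolicy"},
}
MAX_KEY_AGE = timedelta(days=90)  # assumed rotation window; set per policy

def iam_alerts(records):
    """Return (action, event, actor, outcome); denied attempts are kept too."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        for action, names in ALERT_EVENTS.items():
            if rec.get("eventName") in names:
                actor = rec.get("userIdentity", {}).get("arn", "unknown")
                outcome = "denied" if "errorCode" in rec else "ok"
                alerts.append((action, rec["eventName"], actor, outcome))
    return alerts

def stale_keys(keys, now):
    """Return IDs of active access keys older than MAX_KEY_AGE."""
    return [k["id"] for k in keys
            if k["active"] and now - k["created"] > MAX_KEY_AGE]

# Constructed sample data (not real accounts or logs).
ACCT = "arn:aws:iam::111122223333:user/"
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": ACCT + "example-admin"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteRole",
     "userIdentity": {"arn": ACCT + "example-dev"}, "errorCode": "AccessDenied"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": ACCT + "example-dev"}},
]
NOW = datetime(2023, 10, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"id": "key-old", "created": NOW - timedelta(days=273), "active": True},
    {"id": "key-new", "created": NOW - timedelta(days=30), "active": True},
    {"id": "key-off", "created": NOW - timedelta(days=400), "active": False},
]

if __name__ == "__main__":
    print(iam_alerts(SAMPLE_RECORDS), stale_keys(SAMPLE_KEYS, NOW))
```
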

Looking ahead

As cloud computing adoption by colleges and universities continues, several technology trends may further complicate the security landscape. These include multi-cloud environments that require security integration and visibility across private and public clouds; cloud-hosted artificial intelligence (AI) systems, which can exponentially increase data volumes; and new regulations governing security, compliance and data privacy in cloud systems. 

As cloud continues to shape higher education, get a deeper understanding of cloud footprints and how others are deploying and securing their cloud assets in Cadre’s SANS survey on Securing Infrastructure Operations.