Colleges or universities should ensure the appropriate SLAs are embedded with contractual requirements so that the cloud vendor will protect their data. The organization should also require that “the right to audit” the service provider is stated in the contract, and should require the service provider to show proof of external audits of its controls, such as the SSAE16 (replaces SAS 70 for statement of auditing).
A cloud security capability getting a lot of attention, called CASB, is an additional but important control. See Gartner’s definition of CASB:
Gartner definition of CASB
Cloud access security brokers (CASBs) are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, and malware detection/prevention and so on.
This capability would allow a college or university to enforce security policies, since the CASB would serve as a gateway or broker between on-premises or remote users and the cloud security providers' services. It allows administrators to monitor user activity and enforce data loss policy, and it provides single sign-on to improve efficiency.
Educational institutions may want to learn more about CASB and how it would address privacy and security challenges while assisting them in meeting the requirements of external mandates.
---------------------------------------------------
Please stop by and see me at Educause, October 25-28th in Anaheim, CA. Symantec will be at booths #1328 & #1330. I will be speaking with Helen Paton, CISO of The Ohio State University, and Symantec’s Ben Orencia on Thursday, October 27th on the topic: What Does a Highbred CISO’s Playbook Look Like?
To learn more about Educause please visit: https://events.educause.edu/annual-conference
Join the conversation on social media: @Educause #EDU16