Campus Cloud Security Shared Assessments Follow-up
By Jon, Joanna, Kim, and Nick
It was a dark and stormy night in a far away place… OK, so I was having a hard time getting this post started. There is a lot to summarize in one blog post!
Phase 1 Deliverables and Beyond
We’ve been very busy in the Cloud Security Shared Assessments working group since our last blog post in May of 2016. Jon Allen has been a dedicated, task-oriented leader, driving his motivated working group to get things done! In October 2016, we completed the first phase of our project deliverables and created what is now named the Higher Education Cloud Vendor Assessment Tool.
We would like to thank the following for their work on phase one and the tool:
- Jon Allen, Baylor University
- John Bruggeman, Hebrew Union College, Jewish Institute of Religion
- Charles Escue, Indiana University
- Joanna Grama, EDUCAUSE
- Karl Hassler, University of Delaware
- Todd Herring, REN-ISAC
- Nick Lewis, Internet2
- Kim Milford, REN-ISAC
- Craig Munson, Minnesota State Colleges & Universities
- Mitch Parks, University of Idaho
- Laura Raderman, Carnegie Mellon University
- Valerie Vogel, EDUCAUSE
We took a short pause after releasing the tool so campuses could incorporate it into their third-party and vendor risk management programs. A couple of campuses have already started using the tool and provided us with some feedback. If you have any feedback or suggestions for future development of this tool, please contact Joanna Grama. We also talked with Internet2 about their Service Discovery Working Session in development and a couple of potential service providers as we began exploring options for the next phase of the working group.
Also during the phase 1/phase 2 break, Nick attended a session at the RSA Security Conference on “Cloud Security Assessments: You’re Doing It Wrong!” that seemed very similar to our work, but from the vendor/service provider’s perspective. They talked about the significant effort vendors must go through in filling out customer questionnaires and how it would be helpful if potential customers could agree on their questionnaires. So, it appears that the need for a common questionnaire is a broader problem that transcends higher education. This session seemed to further emphasize how important addressing this issue is for the higher education ecosystem and how we can help our vendors/service providers if we can all use this shared tool. If you’re a vendor/service provider and have feedback on our tool, please contact us.
Plans for Phase 2
We have started planning phase 2 of the working group, and we want to accomplish the following:
- Develop a survey to get additional feedback from campuses
- Discuss a HECVAT Lite version
- Map the HECVAT to other standards or questionnaires
- Draft more documentation on sharing and usage
- Figure out how we might better market the HECVAT
With the realization that we need to do more marketing and promotion, we have two upcoming presentations titled “Exploring the Future of Cloud Vendor Security Assessments” at the Internet2 Global Summit (April 25, 8:45am ET) and the EDUCAUSE Security Professionals Conference (May 2, 1:00pm MT).
We are excited to be out talking with the community, and if you see one of us at the meeting, feel free to blame Nick for this blog post (or ask us questions)!