Campus Cloud Security Shared Assessments
One of the best things about working in higher education information security has been collaborating with colleagues nationally and internationally to address common information security challenges. One shared challenge in higher education information security is keeping up with the rapidly adopted and changing cloud services on our campuses and managing the associated risk. Campus information security teams assess software, services, and cloud services as rapidly as possible, but at times it is difficult to devote sufficient resources to be proactive enough to be both thorough and timely.
Campus IT environments are rapidly changing, and the speed of cloud service adoption only appears to be increasing. As campuses deploy or identify cloud services for use on their campus, they need to ensure the cloud services are appropriately assessed for security. Many campuses have established a cloud security assessment methodology and have the resources to assess many of their cloud services, but few campuses have sufficient resources to assess all of their cloud services. As a community, together we can assess more cloud services than an individual campus can on its own and share these assessments with each other to take advantage of that scaled approach. Shared assessments can be used by campuses to jump start their assessment and reduce the resources needed by the campus to perform due diligence, decreasing the time necessary to perform the assessment with the goal of freeing up time to dedicate back to critical information security functions.
Jon Allen, CISO at Baylor, reached out to Internet2 last year to see if we knew of anyone working on this approach, and subsequently we have talked to several others in the community who are interested in working together on sharing security assessments. We’re interested in determining if there is enough community interest in developing a shared repository and who would actively access it and use it. Jon and I will be presenting a session at the EDUCAUSE Security Professionals Conference and are seeking community feedback on your ideas. Our goal is to determine if further collaboration is needed and of interest, which could potentially result in a cloud security assessment working group or other form of community sharing.
These shared assessments would not replace your own individual campus assessment, but could be used as part of a local program, like a vendor risk management program, where your campus would use them as one input to the risk assessment of the software or cloud service. There are commercial service providers in this space like 3PAS, community service providers like Shared Assessments and Cloud Security Alliance CSTAR, and the NET+ program. The goal would be to supplement those programs by developing a complementary solution for campuses.
The shared assessments repository could be anything from a closed email list with archives to a full-featured web application. The specific technical details of sharing will differ depending on how the content is shared, but the security requirements around the sharing won’t. For example, the assessment content would not be public, would sit behind some sort of lightweight access control, and would not be under a non-disclosure agreement (NDA). Campuses would need to understand that the materials would be published in an effort to assist other campuses and would not be an assurance of the security of the software or service.
For the shared assessments submitted by campuses, we could decide to use a specific questionnaire like CSA’s Consensus Assessments Initiative Questionnaire, Google’s Vendor Security Assessment Questionnaire, NIST 800-53v4, ISO27001, and many others, but not all campuses use these questionnaires. Campuses could instead submit the materials they already have, with or without attribution to their campus, all organized around the software or service. Certain details about the software or service, like name and version information, would need to be a specific requirement so a campus could find the materials.
Would your campus participate in and use a community service like this? There are many challenges in taking this shared approach, and campus resources for information security are scarce, so building something that would get used, and ultimately be deemed beneficial, is critical.
If you are at the EDUCAUSE SPC, please join us on Tuesday, April 19th at 4:30pm PT to discuss this topic with us and the other attendees! We are very interested in your feedback. If you can’t make it to SPC, please feel free to email Jon or me to let us know what you think.