Cloud technology is fairly new to school districts, but the steps that need to be taken to secure it are relatively similar to how an online account or physical device is secured. In part one of this two-part blog, we focused on implementing strong passwords and multi-factor authentication to improve security on cloud accounts. Now we’ll shift into strategies to monitor for potentially compromised cloud accounts.

Watch for Unusual Behavior

There will be times when a person, whether it be an outside hacker or a student at one of your schools, will get unauthorized access to another account. When this happens, the easiest way to spot it is to get in the habit of watching the activity taking place in your cloud environment and keeping tabs on the usual trends.

One method that district IT leaders are increasingly implementing is the “Detect Function” of the NIST Cybersecurity Framework. Implementing it lets you discover a cybersecurity event in a timely manner and take the appropriate action to mitigate the damage done.

For example, one district IT leader uses the term “low talkers” to identify accounts (student or staff) that usually have the lowest amount of activity. When these “low talkers” begin to show a lot of activity and use higher amounts of bandwidth, that change is taken very seriously. Below are some examples of activity that may need to be monitored closely:

1. A student or teacher account sending more emails than usual
2. An account sharing school files with a user outside of your district’s domain
3. Login attempts, both successful and unsuccessful, coming from outside the country
4. An increase in the number of applications being installed by a student or teacher

If you see these unusual trends in your district, the account involved likely needs closer watching, and you may need to take action on it to respond to a cyber incident.
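The four signals above, and the “low talkers” idea of comparing each account against its own usual activity, can be checked automatically over a day of audit events. The following Python example is added here and is not from the original post or any vendor's API; the event field names, district domain, country codes and thresholds are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict

# Assumptions (not from the original post): district domain, home country,
# event field names and thresholds are all hypothetical placeholders.
DISTRICT_DOMAIN = "district.example"
HOME_COUNTRY = "US"
SPIKE_FACTOR = 5   # today's count must be at least 5x the account's daily baseline
MIN_COUNT = 10     # ignore tiny absolute numbers

def find_unusual(events, baseline):
    """Return sorted (account, reason) pairs for the four signals listed above.

    events:   list of dicts for one day of audit activity
    baseline: {account: {"email_sent": avg_per_day, "app_install": avg_per_day}}
    """
    alerts = set()
    counts = defaultdict(Counter)
    for e in events:
        acct, kind = e["account"], e["type"]
        counts[acct][kind] += 1
        # Signal 2: file shared with a user outside the district's domain
        if kind == "file_share" and not e["target"].lower().endswith("@" + DISTRICT_DOMAIN):
            alerts.add((acct, "external_share"))
        # Signal 3: login attempt, successful or not, from outside the country
        if kind in ("login_success", "login_failure") and e["country"] != HOME_COUNTRY:
            alerts.add((acct, "foreign_login"))
    # Signals 1 and 4: volume spike relative to the account's own baseline, so a
    # "low talker" trips the alert at a much lower volume than a busy account.
    for acct, c in counts.items():
        for kind, reason in (("email_sent", "email_spike"), ("app_install", "app_install_spike")):
            usual = baseline.get(acct, {}).get(kind, 0)
            if c[kind] >= MIN_COUNT and c[kind] >= SPIKE_FACTOR * max(usual, 1):
                alerts.add((acct, reason))
    return sorted(alerts)

# Constructed sample data ("ZZ" is a placeholder country code)
SAMPLE_BASELINE = {"quiet.student": {"email_sent": 1}, "busy.teacher": {"email_sent": 40}}
SAMPLE_EVENTS = (
    [{"account": "quiet.student", "type": "email_sent"}] * 30
    + [{"account": "busy.teacher", "type": "email_sent"}] * 45
    + [{"account": "busy.teacher", "type": "file_share", "target": "parent@mail.example"},
       {"account": "busy.teacher", "type": "file_share", "target": "colleague@district.example"},
       {"account": "quiet.student", "type": "login_failure", "country": "ZZ"},
       {"account": "quiet.student", "type": "login_success", "country": "US"}]
)

if __name__ == "__main__":
    for account, reason in find_unusual(SAMPLE_EVENTS, SAMPLE_BASELINE):
        print(f"{account}: {reason}")
```

In the sample, the quiet student's 30 emails raise an alert while the busy teacher's 45 do not, because each account is measured against its own baseline.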

Finally, there is one more thing you need to keep in mind when securing your cloud environment.

Your Cloud Platform Does Not Secure Your District For You

When you bring on a cloud platform, such as Google Workspace (formerly G Suite) or Microsoft 365, remember that the provider doesn’t secure your cloud environment for you. While cloud providers have great security measures to protect their infrastructure and the data that lives in their environment, it’s your team’s and your district’s responsibility to take the appropriate measures to secure your app service and the data stored, accessed, and shared within it.

The analogy I use is to think of your Google and/or Microsoft environment as your house. It’s not up to the person who sold you the house to provide you with home security. You are responsible for protecting everything within by locking the doors and installing third-party home security. The same goes for your district’s cloud environment.