Continuing a longstanding and successful collaboration, GÉANT and EUNIS (European University Information Systems) recently held an online workshop to discuss data control and security in the cloud, featuring presentations from NRENs and universities.
Data Control and Security in the Cloud
Cloud services in academia offer significant advantages for R&E institutions in terms of scale, cost and agility. Alongside these, however, come numerous challenges, particularly in terms of control and security. Using cloud services means a loss of direct control over specific locations and hardware, and it can also mean more complicated and ambiguous ownership of, and responsibility for, services, software and data, as well as dispersed access and usage protocols and security measures.
Throughout the first part of the workshop, different universities shared how these challenges affect their work, and how they try to proactively address them, particularly in relation to ID and access management, data classification, compliance, copyright, pathing and cloud migration.
Espen Grøndahl, head of security at the University of Oslo, introduced the experience of this large university with the gradual migration to the cloud of its services, which are broadly used throughout the education and health sectors in Norway. While most of these services are still on-prem, their transition to the cloud has progressed steadily but slowly, due to scale and cost, and to the particular care taken over legal compliance and security aspects.
Grøndahl also expounded on the importance of proper log system planning for cloud services, where logging is not inherently built in, or is overlooked when there is not enough collaboration between users, vendors and university operations. The university addressed this by maintaining a very large on-prem log solution, with defined management aspects and deletion rules. Other solutions put into place included a thorough checklist to decide on the use of new cloud services, as well as an application process requiring managers to approve them. In addition, the university created a colour-coded classification system, now standard in Norway, to label the sensitivity level of data, and a storage guide that maps the use of on-prem and cloud solutions against the defined colour coding.
Asbjørn Reglund Thorsen from Sikt, co-leader of the EUNIS Special Interest Group on security, presented Sikt’s challenges as an organisation rapidly moving to the cloud after its formation through the merger of the former NREN Uninett, NSD and Unit. This transition was quite complex, since each organisation brought its own specificities and practices with it, many of which were new to the others and had a steep learning curve. Looking back at Sikt’s journey, Reglund Thorsen underlined the importance of thorough planning, of aligning with best practices for cloud security, and of enhancing competence and capabilities.
Dr. Christoph Glowatz, Chief Information Security Officer at Hochschule Düsseldorf (HSD) University of Applied Sciences, shared his experience with the university’s migration to the cloud, in particular towards MS365. The transition started with the students’ mailboxes and progressively expanded to employees throughout the COVID pandemic. In the case of employees’ mailboxes, a DPIA (Data Protection Impact Assessment) was requested by the executive committee before the migration. The main challenges at HSD included mastering the manifold aspects of MS365 security, and ensuring GDPR compliance while making use of security monitoring and data collection features, all in parallel with managing stakeholders, from the executive board and university senate to members of staff, teachers and students.
Security Baselines and Checklists
The second part of the workshop focused on international (GÉANT), national (NRENs such as SURF and HEAnet) and local (University of Stuttgart) approaches to cloud management and security, for instance via security baselines and cloud security checklists.
Abdul Altawekji, product manager at the Dutch NREN SURF, gave a short demo of the SURF security baseline. He explained how SURF had initiated the work on the security baseline in response to different needs, both from the organisation and from the sector. For instance, process owners and system owners needed clear sets of rules to secure their processes and systems. Institutions had many different information security requirements for vendors, which could be addressed better by SURF centrally than by vendors dealing with each institution separately. Finally, SURF procurement specialists needed security support for tenders and, of course, SURF security staff needed to carry out assessments of suppliers and wanted to share the results of these assessments with institutions. As such, the SURF security baseline was established to provide clear and concise security measures for the whole Research and Education sector in the Netherlands. It consists of a set of more than 100 measures (called controls) divided into 15 categories, such as network security and logging. SURF staff, institutions and suppliers can filter measures by responsibility and by the CIA triad (Confidentiality, Integrity and Availability), to ensure that systems and applications meet minimum security levels.
Sandy Janssen, Product Manager and Legal Counsel for SURF Vendor Compliance within the Procurement and Contracting team at SURF, shared SURF’s hands-on experience in using the Security Baseline so far. She explained how, initially, one of the most challenging aspects was getting vendors on board and ensuring that they had a precise understanding of requirements and processes. With time and effort, however, it became clear that filling in the security baseline and collaborating with SURF on other compliance work, such as DPIAs and DTIAs, served the interests of both vendors and institutions: it helped vendors to meet the needs of institutions and increase their revenues, while also contributing to improving the services’ security and privacy at a European scale. Particularly noteworthy is the case of Zoom, which, thanks to the collaboration with SURF, improved its data privacy approach. SURF published a DPIA in collaboration with Zoom in 2022, further enhanced in 2024.
Following on, Alf Moens, security lead at GÉANT, presented the GÉANT security baseline, a security maturity model developed specifically for NRENs, and explained how it has recently been used in particular to help smaller organisations in the community to reinforce their security posture. “Ultimately, every organisation should choose to use the security baseline that is most appropriate for their case and sector”, said Alf. “It’s fundamental however to agree on how and where the baseline should be used in practice and to align on its use with the people and organisations involved.”
Finally, Oliver Göbel, CISO at the University of Stuttgart, and Garvan McFeeley, Brokerage Services Manager at HEAnet and Task Lead of the Above-the-net Services Delivery Chain in the GÉANT project, showcased different but parallel approaches to cloud security checklists. Both the checklist created by the University of Stuttgart and the GÉANT Cloud Security checklist break down generic and essential security requirements for the use of digital services and can be used by organisations to ensure that all appropriate technical and organisational measures are in place.