The Big Pivot: A Shift to the Cloud and Third-Party Vendor Risk Assessments

Fil Santiago, Director of Technology and Administrative Services, West Orange Public Schools

1. What are some of the major challenges and trends that have been impacting the education space lately?

In this day and age, K–12 education institutions must operate under modern, scalable IT environments that can flex to support teaching and learning in dynamic instructional and administrative spaces—personalizing anytime, anywhere learning.

The emergence of cloud computing and storage in education to reduce costs and streamline operations raises important questions about data privacy and security. We are all facing the same challenge: striking a balance between using technology to transform teaching and learning while safeguarding data to ensure privacy and individual rights.

The shift to hybrid and virtual learning environments, hosted services, and cloud-based data storage, which was accelerated by the COVID-19 pandemic, has perpetuated an environment ripe for exploitation by nefarious actors—an increase in attack vectors. There are inherent security risks when most or all of your data is hosted and/or managed off-premise by third parties. 

The exponential growth of cloud services also raises important questions about the current role and function of IT staff, who have traditionally been responsible for managing an organization’s network and servers/data in-house: What happens when most or all of your data is stored off-premises and managed by someone else? Will our networks eventually serve as simple pipes or conduits that connect users to external services? How do we upskill our IT personnel to handle these changes and remain current and relevant?

As we continue enhancing the methodology for monitoring and using data and analytics to identify and respond to potential cyberthreats, we must also adapt and redefine the future roles and skills for the members of our team; some will need to transition from the traditional role of Director of Technology or Network Manager to that of a CISO or Risk Manager who is able to implement risk-management processes in order to minimize financial, legal, operational, and reputational risks.

2. What keeps you up at night when it comes to some of the major predicaments in the education space?

There are two main things that keep me up at night, both equally important to ensuring that our students, faculty, and administrators are protected in both virtual and physical spaces.

1. Cyber Security: The ongoing threats to all sectors (public/private) serve as a reminder that we need to be diligent and vigilant in every aspect: zero trust. Here are some of the things that come to mind: Management of cyber risk via internal policies/procedures, mitigation strategies and operational tactics to minimize exposure and risk, security awareness training and prioritization to combat cyber security threats and the challenges of the trending shift to off-premise services (SaaS).

“Given the increasing shift to SaaS and cloud-based hosting, we migrated the vast majority of our services and data off premise. Most of our services are accessed via a SaaS distribution model, and we are currently in the last phase of our data migration process”

2.  School Safety and Security: A high priority for school communities has been the range of unique threats, hazards, and security challenges. The digitization of security and surveillance systems has increased the reliance on IT departments to install, manage, and maintain systems that assist with the prevention of, intervention in, response to, and recovery from school emergencies and crises: visitor and emergency management systems, surveillance cameras, access control, mass messaging communication tools, panic buttons, and online student safety management systems that support BTAM (Behavior Threat Assessment Management).

There is an increasing level of responsibility being placed on IT departments to support these two critical areas, often requiring IT departments to absorb the additional workload with limited financial and human resources.

3. Can you tell us about the latest project that you have been working on, and what are some of the technological and process elements that you leveraged to make the project successful?

Given the increasing shift to SaaS and cloud-based hosting, we migrated the vast majority of our services and data off-premise. Most of our services are accessed via a SaaS distribution model, and we are currently in the last phase of our data migration process. The remaining data from our in-house servers has been transferred to Google Drive, where it is centrally stored and managed under Google's Education Plus Services with cloud-to-cloud backup.

During this multi-phased migration period, we have simultaneously established a risk assessment program to ensure third-party vendors who host or manage our data follow best practices and meet industry standards for privacy and security.

We partnered with a company called Privva, which was recently acquired by Entreda, to conduct external risk and compliance assessments. The first phase focused on the assessment of third parties who managed our crown jewels: systems with the most sensitive and confidential data. We also initiated an onboarding process for all new vendors who provided us with SaaS.

One of the challenges that we continually face in our profession is Shadow IT: the use of information systems, software, and applications without explicit approval by the IT Department.  This is particularly problematic when your objective is to identify all the applications and services being used by staff and students to assess your IT risks.

To address this problem, we piloted and started using a solution called CatchOn, which is now an integrated part of our LightSpeed Content Filtering Solution. This solution provides us with real-time, expansive analytics to monitor and track the usage of all software and applications and assist with identifying unapproved software and services that must be blocked or go through the formal vendor risk assessment process.

4. What are some of the technological trends that excite you for the future of the education space?

I am excited about the possibilities of AI chatbots. The recent release of AI ChatGPT has caused both excitement and hesitation of the evolution of AI, with some experts pointing to existential risks.  There are infinite possibilities and benefits to using this nascent technology.

As AI chatbots become less robotic and more human-like, we must carefully embrace the technology and learn to evolve with it.

Using the words of William Gibson, “The future is already here—it’s just not evenly distributed yet.”

SaaS

Financial

Storage

Cloud Computing

Legal

Emergency Management