Is Cloud Storage Compromising Your School's Security?

Most faculty are well aware of free and low-cost storage and sharing services like Dropbox, Box, Google Drive, SkyDrive, and others, and are inclined to make use of them in their day-to-day work. These services provide a simple way to share with colleagues everything from course materials to exams to research and lab notes. Since they're free and easy to use, why not take advantage of them?

The majority of faculty are unaware of the potential security risks involved in using these services, and don't understand how to protect themselves and their content within that environment. Many do not realize the dangers of weak passwords, password re-use on multiple sites, or mobile downloads using public or unencrypted connections.

More troubling is the fact that university IT departments are often unaware that their clients are using these services. Given the incidents of credential theft and information leakage involving these services that have occurred in the recent past, security-conscious IT departments are now making a concerted effort to minimize their organizational exposure to these services. Some are even attempting to create their own Dropbox-like services.

The security risk of Dropbox and other similar services for educational units is very real. For example, in response to a number of publicly embarrassing attacks in 2011 and 2012, Dropbox implemented a healthy set of security policies. The company encrypts users' data on its servers using the AES-256 standard, and all transmissions travel from the desktop to Dropbox via 256-bit SSL secure connections. More recently, the company implemented two-factor authentication to help users protect their login credentials. These are all Good Things. However, there are still several problems with Dropbox that prevent it from being secure enough.

Users' encryption keys are stored on Dropbox's servers, along with their data. That opens up the potential for a rogue employee to decrypt and expropriate users' data, and represents a risk simply not worth taking when dealing with sensitive data. A better alternative is for the user to hold the key rather than the vendor.

The two-factor authentication option, while highly effective, is not yet mandatory, leaving it to users to decide whether to turn on this often inconvenient feature. While the company's Dropbox for Teams product allows an administrator to see who is using two-factor and who isn't, the starting price of $800 per year for five users makes that administration an expensive option.

Finally, data that is stored only on Dropbox is typically not available to IT or administration under most circumstances, especially in the case of small personal accounts established by a faculty member. So when that individual moves on to greener pastures, it is possible that access to that information will simply be lost. Most of the commercial storage/sharing products suffer from one or more of the same issues as Dropbox does; some suffer from all of these and still more.

Recently I was asked to help prepare a questionnaire regarding faculty use of off-site cloud storage, in an effort to discover which vendors' services are used, how the data is being used, and whether university information is being stored and shared off-campus. The results of this survey will help define the depth and breadth of the problem, and should suggest some possible solutions. The rumor is that the IT department is considering an outright ban on the use of these services, and given the increasing number of IT-oriented attacks it would be foolish not to do so.

At the same time, it should be possible (and well worthwhile) to consider building an in-house storage and sharing solution that could provide the same services, but would allow IT access and oversight. Given the occasionally secretive nature of faculty when it comes to their research and course materials, I expect some feathers may be ruffled along the way.

Steve Cunningham is an associate professor of practice at USC’s Thornton School of Music.

