Key Finding 2: Recognize and actively address resource constraints (part 3)
In this unit, you learn how you and your cybersecurity team can ensure that technology providers deliver the strongest security measures by default, and how to use cloud migration to minimize on-premises security needs.
Ask more of technology providers
With the increasing reliance on technology in K-12 education, ensuring the security of these systems has become paramount. To address this need, K-12 organizations should rightfully expect that the technology solutions they use come equipped with robust security controls as a standard feature, without incurring any additional charges. By implementing strong security measures by default, educational institutions can safeguard sensitive student data and provide a safe and secure digital environment for learning.
During the technology procurement and renewal process, it’s crucial for K-12 leaders to advocate for strong security controls without incurring additional charges from vendors. This includes ensuring that features like multifactor authentication (MFA) and logs are included as part of the standard package, rather than being treated as costly add-ons. These are key terms and vendor practices to watch for.
- Be vigilant about the practice of imposing an "SSO tax," where vendors charge extra fees to connect their services to the organization's single sign-on (SSO) portal.
- Some software programs are set to unsafe default settings that can leave organizations exposed and vulnerable to cyber threats. Review and follow a product's "hardening guide," a comprehensive set of steps required to change a product’s default settings, to ensure the security of a software product.
- Check for Role-Based Access Control (RBAC) fees, which are charges incurred when an organization deploys advanced role-based access control.
Microsoft builds security features like phishing-resistant authentication, automatic macro blocking, and cloud technology right into our solutions. In fact, Microsoft often meets or exceeds expectations when it comes to built-in security and data protection.
Learn about how Microsoft builds secure products from the start.
Next steps
- Make a list of the current software systems you have in place. Review your security controls for unsafe default settings and potential fees or upcharges incurred during the technology procurement and renewal process for basic security features.
- In cases where vendors impose additional charges for security features, or if default settings are deemed unsafe, it’s recommended to initiate a dialogue with other schools and members of Information Sharing and Analysis Centers (ISACs) to collectively address these concerns with the vendor. If a K-12 organization identifies technology that falls short of their security expectations, they should reach out to their regional Cyber Security Advisor to initiate a conversation and explore available assistance from CISA.
Minimize the burden of on-premises security
Many K-12 organizations rely on their own IT systems, commonly referred to as "on-prem" or "on-premises" systems. These systems necessitate a significant investment of time to ensure regular patching, monitoring, and prompt response to potential security events. However, CISA findings report that many K-12 organizations lack the resources and expertise to effectively manage these systems. As a result, they face challenges in maintaining optimal security levels and staying on top of the ever-evolving cyber threat landscape. To address this challenge, CISA recommends that K-12 organizations prioritize the migration of their on-premises IT services to the cloud.
Cloud services often come equipped with robust security measures, including regular updates, patches, and automated monitoring, which can alleviate the burden on resource-constrained K-12 organizations. Cloud providers also invest heavily in state-of-the-art security infrastructure, leveraging their expertise and economies of scale to offer comprehensive protection against potential security threats.
Other benefits of cloud migration include:
- Greater flexibility: Cloud-based systems offer the flexibility to access resources and applications from anywhere, allowing educators and students to work and collaborate remotely.
- Scalability: Cloud solutions provide the ability to scale resources up or down based on demand, allowing schools to adapt to changing needs and accommodate fluctuating workloads effectively.
- Remote access: Cloud technology enables easy and secure remote access to educational resources, ensuring uninterrupted learning and seamless collaboration regardless of physical location.
- Resiliency: With cloud services, schools can ensure uninterrupted access to critical systems, applications, and data, even after a cyberattack.
- Improved security posture: Cloud providers invest in robust security measures, reducing the burden on K-12 organizations to maintain and update their own on-premises security systems. This can lead to an overall improvement in the school's security posture.
- Efficient resource allocation: By using cloud technology, schools can optimize the allocation of limited resources, redirecting IT staff's focus towards enhancing educational experiences rather than solely managing infrastructure.
Microsoft supports migration of some of your on-premises IT services to the cloud with Microsoft 365 and Microsoft Entra ID (formerly Azure Active Directory).
- Microsoft 365 provides organizations with access to cloud-based productivity and collaboration tools for people, organizations, and schools, including Microsoft Teams, Word, Excel, and PowerPoint.
- Microsoft Entra ID is an enterprise cloud-based identity service that provides single sign-on, multifactor authentication, and conditional access to guard against cybersecurity attacks.

Next steps
- Look back on the list of software and IT services you wrote in the previous unit. Are there any that currently operate in the cloud? Identify which services, such as your user identity system or mail system, you would like to migrate.
- Write the next steps you need to take for cloud migration and any points of contact you need to move forward.