Colleges and universities are finally catching up.

Until about three or four years ago, cloud adoption in higher education was well off the pace set by most other industries. Rooted in concerns about security and control — not to mention major investments already made in on-premises solutions — the sector’s hesitation was understandable and, perhaps, not unexpected.

Gradually, however, that resistance faded, and now a large majority of college IT leaders agree that cloud’s pull is undeniable. Moving to the cloud, they say, enables them to deploy services and applications faster and more reliably than they can through onsite infrastructure. They also tout cloud’s unlimited scalability and the efficiencies gained by accessing resources on demand. And finally, of course, there’s the issue of security: Like any structure or technology, they’ve realized, the cloud is generally as safe as its users make it.

That was the thinking Nick Watson brought to the table when he recently sat down with his colleagues to discuss their own cloud strategy. As associate vice president of IT at Westminster College in Fulton, Mo., Watson leads a team of three IT professionals, none of whom are cybersecurity specialists.

“We’re a small department responsible for a lot of things, and that’s one of the big challenges we face,” he says. “We have to wear multiple hats.”

When it comes to Westminster’s use of the cloud, Watson says that for the past five years the college has relied primarily on Microsoft Office 365. In 2020, however, as the pandemic set in, it wound up expanding its cloud footprint substantially with a variety of online learning platforms and videoconferencing technologies such as Microsoft Teams and Zoom.  

The liberal arts college, he explains, had just launched a one-to-one program (called “Digital Blue”) that supplied every student with an Apple iPad device at the beginning of the fall semester. When students were forced to leave campus in the spring, they brought their devices with them and put them to work connecting to the campus systems and cloud services that they needed.

For his team, Watson notes, the pivot to remote learning meant that they would also have to leverage new cloud solutions, including one — Nutanix Clusters — that he says proved critical to the college’s COVID response. The platform, which runs on Amazon Web Services (AWS), allows them to manage their entire computing infrastructure — on-premises or in public clouds — through a single console. They set up a VPN between that service and the Westminster College campus, and with the majority of the school community working from home, “our faculty and staff could securely access the resources they needed, and we could safely deliver applications to students,” he says.

If the pandemic drove Westminster College to quickly expand its use of cloud-based platforms and services, it was another event that led it to CDW and a project designed to bolster its cybersecurity posture.

Back in early 2017, Watson explains, an employee using a college email account responded to a request for employee W-2 statements that appeared to come from another person on staff. The documents were delivered as directed, and subsequently the college joined the ranks of countless organizations that have fallen prey to third-party phishing scams. The perpetrator, college officials later learned, had used the W-2s to file fake tax returns.

“That got the attention of our president and board,” Watson recalls, “so they came to me and asked what we could do.”

Nick Watson, Associate Vice President of IT, Westminster College

Before long, his team had launched an extended product and vendor vetting process, during which they considered at least 50 solutions for countering cyberattacks and breaches. They ultimately decided to work with CDW, he says, “because they really understand the security space, and they always keep their focus on the end customer.” 

With help from a CDW team of network security engineers and solution architects, they settled on a suite of solutions Watson says are suited to his staff. “What we really needed was integration — to be successful without adding any labor,” he says. Because cybersecurity is not their top strength, “we looked for tools that would provide some automation and that we could use as regular IT people.”

Before the breach, he recalls, the school’s cloud security strategy mostly entailed trusting providers to protect the data held by their systems. They reassessed that approach in the months that followed, and now they have a different take on the college’s cybersecurity posture.

“The security of your environment, wherever your data is, that’s on you,” Watson notes. “It’s kind of like when you lease a car. It’s up to you to lock it up. You have to put it away in the garage at night.” Today, he says, they would never rely solely on their email provider for email security. Instead, he says, “we’re proactive about cloud security, and we treat it like we do any device on-prem.”

Being proactive about security, of course, requires that you have solutions in place that provide visibility into the cyberthreat landscape. Toward that end, one of the most important solutions Westminster decided to implement was a pair of PA-3250 firewalls from Palo Alto Networks, says CDW’s Kyle Lopez, who served as the network security engineer on the project.

“The main advantage with these firewalls is they’re able to check and verify everything coming in, including on the application layer,” Lopez says. A network administrator, he explains, can set controls to determine “who goes where, and who has access to what,” and then “dig into the traffic to see specific computers and endpoints that are reaching out to IPs that could be malicious.” Another key feature built into the two units is Palo Alto Networks' WildFire tool, which leverages machine learning and cloud connectivity to analyze and protect against malware. “If there’s a firewall on the other side of the world that gets attacked, it will automatically update all firewalls across the Palo Alto environment,” Lopez says.

A second important component of Westminster’s new data security strategy is a Palo Alto Networks’ Cortex Data Lake product. A cloud-based, centralized repository, the Cortex tool automatically collects and integrates the college’s log data from both on-premises systems and cloud services. 

Now, Watson explains, the school’s firewalls and anti-virus software “all send their data up to the Palo Alto Networks cloud, and then they use artificial intelligence to put it all together and monitor for irregularities.” Beyond these deployments, Westminster has also turned to three services from Proofpoint that together provide comprehensive email security. Proofpoint Email Protection, Watson says, also relies on AI and machine learning — in this case, to detect and block fraudulent emails. Meanwhile, Proofpoint’s Threat Response Auto-Pull automatically quarantines malicious email post-delivery. And finally, Watson says, Proofpoint’s Targeted Attack Protection service identifies dangerous links and attachments to keep questionable content out of inboxes in the first place.

“One of the great things about all of these services is that if something does actually happen, there are things we can do about it,” Watson says. If someone’s computer is compromised, for example, “the system will automatically isolate it and create an incident report that we can use to take action.” Or, for instance, if a bad email gets through — “nothing works 100 percent,” Watson notes — the system automatically responds by pulling the message out of every inbox it managed to infiltrate.

“My guys and I, we sleep at night,” Watson says, “and we’re able to do that because we have these tools covering for us 24/7.”

Nick Watson, Associate Vice President of IT, Westminster College

In the time since Westminster completed its security upgrade, Watson says his team has seen only a single case in which a user’s account was temporarily compromised. “It was the Targeted Attack Protection service from Proofpoint that clued us in” to the breach, he notes. The user was identified by the software based on login locations, and that allowed his team to regain control and quickly eliminate the threat.

When he thinks about the phishing attack the college suffered in 2017, Watson says he doubts the breach would have happened if his department had the tools it has today. “We would at least know that the attack was taking place, and that would have allowed us to do something about it.”

That knowledge of “what we should be worried about” is the biggest asset his team has today compared with where they stood a few years ago, Watson says. “And the thing is, there is a lot to worry about, but at least we have some help from vendors who really know what they’re doing.”

The way he sees it, they now have the support and the security know-how to protect their data wherever it resides, whether on campus or in the cloud. “We’re much better off now than we were before,” he adds. “So far, so good, it seems to me.”

Photography by Dan Videtich