The University of Oklahoma Is a Premier Institution for Education and Research
The University of Oklahoma (OU) is a public research university in Norman, Oklahoma. Founded in 1890, it had existed in Oklahoma Territory near Native American Territory for 17 years before the two Territories became the state of Oklahoma. Today it is a bustling institution serving nearly 30,000 students across three campuses within the state as well as several locations and OU campuses overseas. The university employs nearly 3,000 faculty members.
OU is classified as an “R1” doctoral university with very high research activity. The school offers 152 baccalaureate programs, 160 master’s programs, 75 doctorate programs, and 20 majors at the first professional level.
The independent nature of the many programs and research projects led to a siloed approach to cloud use. Each department or researcher could acquire the cloud resources needed for their own purposes. Groups were free to adopt SaaS applications as needed. This direction continued until the pandemic, when the institution’s IT administrators realized that remote work and learning could be better supported by cloud-based applications and more centralized management. They acknowledged that a more holistic approach to cloud usage, security, and governance was needed.
OU Was Looking to Mature Their Overall Cloud Security Posture
Aaron Baillio has been serving the university in various security roles for more than seven years. He has served as the Chief Information Security Officer (CISO) for the past three. His main mission is to grow the maturity level around the university’s security controls.
“When we talk to the board and our governance committees, we talk about our position from a maturity perspective across all organizations of the university,” says Baillio. “Some departments may be more mature than others, but we look at it institutionally. Do we have a policy on what’s going to govern our cloud infrastructure? How disjointed is that between central IT and some of our distributed IT groups or other campuses? All of that builds a story, a maturity score, that we can tell the board, ‘Overall, we’re at level two. Here’s the residual risk and the resources we might need to take it up to level three,’ or from a one to a two, whatever that level is. Those are the kinds of conversations we’re trying to foster with our leadership.”
In going to the cloud, the loss of control caused some unease. Baillio says there was still a perception that they may not have the same level of security in the cloud that they would have behind a traditional on-premises security stack. “As a CISO, I always wanted to drive more to the cloud,” says Baillio. “With the right approach, we can still secure our assets in the cloud. It just took some research and analysis, some reaching out to partners and finding out what people are doing to protect cloud infrastructure.”
The university already had a CASB tool in place, but that was mostly for the largest SaaS products. As OU looked at putting applications in AWS, they needed something beyond CASB. “We had to expand our approach and look at some of the posture management and vulnerability analysis tools that exist for cloud infrastructure and cloud native applications, even down to the container level,” says Baillio. “Our big question was how to protect an ephemeral instance of a piece of an application or operating system.”
Orca Delivered Actionable Insights from the Very Start
The security team’s research led them to Orca Security, which became one of the top products they wanted to evaluate. “We did PoC trials with the vendors who would let us. Some vendors ignored us for being too small, but Orca was very engaging from the start,” Baillio says. “The sales team gave us plenty of time with the tool to test some things. From the first day we had it running, we fed information to the development team, which was able to act based on the information we gave them.”
“From the start, we had actionable intel that helped secure school applications, which was great.”
Baillio says it’s key that they are able to send Orca’s insights to adjacent groups like DevOps and the infrastructure team. “As a security team, we don’t own the applications and it’s not our infrastructure,” he says. “We’re another microservice, if you will, on that whole stack. Being able to quickly share intel findings in a meaningful way that’s easy to process and comprehend was a big selling feature of the Orca Platform. We can throw those findings over the fence to DevOps or create a ticket and manage it that way.”
Orca’s configuration management function is quite helpful to the teams as well. “I think a lot of larger institutions, especially when it comes to the cloud, lose track of configuration management and ensuring that things are done systematically,” says Baillio. “I’ve seen so many different reports of open S3 buckets or repositories that are open with visible credentials. We have this major student application in AWS running containers and Lambda functions. My biggest fear was that we would misconfigure something or the teams would neglect to report changes through established processes. Orca reports on vulnerabilities like those open buckets and the credentials in places that are open to the public. We are able to immediately identify those openings and it is a check against our procedures to make sure they are running the way they ought to be in the environment.”
“Misconfigurations and failure to follow procedures were a top concern for me. Now Orca shows us where those vulnerabilities are so we can close the gaps.”
The reporting feature is very important to Baillio because he’s not actually in the tool from day to day. “We can report by service or account what the findings are. We see what we need to work on and what we should pass over to another team,” he says. “This is information we didn’t have before and could not come up with on our own.” Moreover, the Orca Security Score provides OU with an objective assessment of the university’s cloud security posture, which helps in reporting security progress and results to the board of governors. This aligns perfectly with Baillio’s focus on growing maturity around security controls.
OU is still in the early stages of its cloud adoption, but with the right security in place, Baillio feels they can forge ahead confidently.