Secure hosting for universities comes down to six checkable things: institutional identity integration (SSO), role-based access with delegation, a patching and monitoring regime someone actually operates, tested backups, clear data residency, and certifications presented honestly — distinguishing what the provider holds from what its data centre holds.
Identity first: hosting should join your SSO
Standalone hosting passwords are the classic weak point: unmanaged credentials that outlive the people who set them. Hosting platforms that authenticate through institutional identity — Microsoft Entra sign-in, with conditional access where institutionally configured — keep access inside the governance IT already runs.
Role separation and delegation
Everyone-is-admin is how student hosting estates rot. Look for role models that give lecturers day-to-day visibility of their own cohorts without infrastructure access, and give IT policy control without becoming the helpdesk for every password reset.
Operations: patching, monitoring, backups
Security is mostly maintenance. Ask who patches, on what cadence, within what maintenance windows — and whether those windows respect term dates and marking periods. Ask how backups are taken, where they live and when a restore was last exercised.
Data residency and lifecycle
Know where the data physically sits (UK residency matters to most UK institutions) and how accounts end: suspension at module close, archival per policy, and clean deletion. Orphaned accounts are unmonitored attack surface.
Reading certifications honestly
Certification claims deserve one sharp question: who holds it? A provider's own certification (for example Cyber Essentials) and its data centre's certifications (for example ISO 27001 held by the facility operator) are different assurances. Both are useful; a provider that conflates them is telling you something about its other claims.

