Information Security in K–12

Leveraging Zero Trust to Reduce Cyberattacks in the Education Sector

• By Hernan Lendono
• 11/09/22

The start of a new semester often brings anxious excitement to students and faculty alike.

Unfortunately, with the growing threat of cyberattacks across K–12 and higher education, this sentiment leans more anxious than excited by the year. In fact, according to the education nonprofit EDUCAUSE, in nine of the last 10 years, cybersecurity has been a top-10 issue for education institutions and the No. 1  concern for the last seven.

Curbing this concern runs far deeper than just making sure schools and universities have the right information security hardware and software. It also means considering how competition for IT and cybersecurity talent contributes to weakened defense, as well as how regulatory compliance related to state, federal and international laws like CCPA, FIPA, HIPPA, GLBA, and GDPR complicates the ability to rapidly build and support a strong security posture.

Even measures like cyber-insurance have its drawbacks. Through increases in premiums or deductibles, and increasing control and technical requirements for underwriting, many institutions are finding compliance difficult. This all is occurring in an environment where education budgets are already flat or declining due to other issues such as reduced enrollment and retention.

With these constraints in focus, the question becomes what can the education sector do to mitigate cyber risk?

The adoption of a zero trust information security framework is a start.

What does Zero Trust mean?

Far from being the latest buzzword running around the cybersecurity community, zero trust provides an architectural approach to address the need for a unified security solution in today’s fragmented space. Zero trust brings explicit control to the IT environment where all devices and entities must be known — authenticated and authorized; their behavior must be explicitly allowed; and their actions must be understood and monitored. These principles are in stark contrast to what most organizations follow today.

For zero trust to work, an organization must first have three distinct components in place: business controls, a common control plane and an infrastructure that participates. Then, zero trust, which is comprised of seven pillars, can automate the application of security and business policy to protect the data. These seven pillars, as defined by the U.S. Department of Defense, can be explained as two distinct pieces: the infrastructure — the user, device, network/environment, and application/workload pillars, and the action of automating the management of the infrastructure — the visibility & analytics and automation & orchestration pillars.

In practical terms, this means that when the enterprise first establishes business controls, an end user may only have access to specific enterprise resources because of the user’s role or requirements. For example, accessing certain types of data based on approved credentials. With those “rules” established, the control plane manages those decisions. Then, zero trust comes into play. So, even if it’s an approved user, access may still depend on if the request is coming from a recognized IP address via a recognized device. If just one of those conditions is not satisfied, the user is restricted from accessing it. An abnormal action like that gets logged and provides telemetry. It becomes “visibility” that either signals the automation to do something or is used to construct AI and machine learning models so that the enterprise can better understand good and bad behavior, and ultimately improve the automation.

The Longevity of Zero Trust

So, the question remains: What can K–12 school systems and higher education institutions do to implement a zero trust environment to provide long-lasting secure networks?

The first thing to understand is that there is no zero trust product or single solution. Instead, there are products or solutions that support, advance and implement the principles outlined in zero trust.

Because of its flexibility, an organization can start architecting zero trust principles in a phased approach. Institutions can start by covering users or workloads, for example, until optimally covering all seven principles previously mentioned. An organization should also prioritize its critical usage cases and address those first. Examples such as student and employee data, campus security automation, and campus or district-wide computer networks should be near the top of the list. While applying zero trust should ultimately be completed for all use cases, it is important to note that due to the nature of denying implicit trust, a breach will have much more difficulty spreading from one workload to another when core workloads are protected.

The key thing to remember is that because it is a cybersecurity framework, zero trust is meant to be flexible, and as such, is best used in combination with other popular cybersecurity frameworks such as the Cybersecurity Framework | NIST, CMMC 2.0, CIS 8.0 and others to achieve maximum benefit.

Steps to Take Today to Secure Education Institutions

While implementing a zero trust framework is ideal, the truth is it will take most school systems and higher education institutions time to adopt zero trust and integrate it with existing security measures. However, there are some steps that organizations can take immediately to protect teachers and students.

With the awareness that threats continue to evolve at a rapid pace, institutions should:

• Assess internally where zero trust enabling technology is already present in the organization.
• Identify gaps and prioritize areas where zero trust should be implemented first.
• Work in a phased approach to first apply zero trust principles to critical use cases and workload.
• Seek the guidance of a trusted cybersecurity partner leveraging a common and proven zero trust framework.

It’s a crucial time for our education leaders to support a modernized cybersecurity posture grounded in a strategy that still allows for dynamic organizational innovation. While there is not one universal entry point for implementing zero trust, there are many equally valid ones that K–12 and higher education institutions can take. The most important step is simply taking one so that your institution can safeguard itself against today’s evolving threat landscape.