Leveraging Zero Trust to Reduce Cyberattacks in the Education Sector
- By Hernan Lendono
- 11/09/22
The
start of a new semester often brings anxious excitement to
students and faculty alike.
Unfortunately,
with the growing threat of cyberattacks across K–12 and higher
education, this sentiment leans more anxious than excited by the
year. In fact, according to the education nonprofit EDUCAUSE,
in nine of the last 10 years, cybersecurity has been a top-10 issue
for education institutions and the No. 1 concern for
the last seven.
Curbing
this concern runs far deeper than just making sure schools and
universities have the right information security hardware and software. It
also means considering how competition for IT and cybersecurity
talent contributes to weakened defense, as well as how regulatory
compliance related to state, federal and international laws like
CCPA, FIPA, HIPPA, GLBA, and GDPR complicates the ability to rapidly
build and support a strong security posture.
Even
measures like cyber-insurance have its drawbacks. Through increases
in premiums or deductibles, and increasing control and technical
requirements for underwriting, many institutions are finding
compliance difficult. This all is occurring in an environment where
education budgets are already flat or declining due to other issues
such as reduced enrollment and retention.
With
these constraints in focus, the question becomes what can the
education sector do to mitigate cyber risk?
The
adoption of a zero trust information security framework is a start.
What
does Zero Trust mean?
Far
from being the latest buzzword running around the cybersecurity
community, zero trust provides
an architectural approach to address the need for a unified security
solution in today’s fragmented space. Zero trust brings explicit
control to the IT environment where all devices and entities must be
known — authenticated and authorized; their behavior must be
explicitly allowed; and their actions must be understood and
monitored. These principles are in stark contrast to what most
organizations follow today.
For zero trust to work, an organization must first have three distinct
components in place: business controls, a common control plane and an
infrastructure that participates. Then, zero trust, which is
comprised of seven pillars, can automate the application of security
and business policy to protect the data. These seven pillars, as
defined by the U.S. Department of Defense, can be explained as two
distinct pieces: the infrastructure — the
user, device, network/environment, and application/workload pillars,
and the action
of automating the management of the infrastructure — the
visibility & analytics and automation & orchestration
pillars.
In
practical terms, this means that when the enterprise first
establishes business controls, an end user may only have access to
specific enterprise resources because of the user’s role or
requirements. For example, accessing certain types of data based on
approved credentials. With those “rules” established, the control
plane manages those decisions. Then, zero trust comes into play. So,
even if it’s an approved user, access may still depend on if the
request is coming from a recognized IP address via a recognized
device. If just one of those conditions is not satisfied, the user is
restricted from accessing it. An abnormal action like that gets
logged and provides telemetry.
It
becomes “visibility” that either signals the automation to do
something or is used to construct AI and machine learning models so
that the enterprise can better understand good and bad behavior, and
ultimately improve the automation.
The Longevity of Zero Trust
So,
the question remains: What can K–12 school systems and higher
education institutions do to implement a zero trust environment to
provide long-lasting secure networks?
The
first thing to understand is that there is no zero trust product or
single solution. Instead, there are products or solutions that support, advance and implement the principles outlined in zero trust.
Because
of its flexibility, an organization can start architecting zero trust
principles in a phased approach. Institutions can start by covering
users or workloads, for example, until optimally covering all seven
principles previously mentioned. An organization should also
prioritize its critical usage cases and address those first.
Examples such as student and employee data, campus security
automation, and campus or district-wide computer networks should be
near the top of the list. While applying zero trust should ultimately
be completed for all use cases, it is important to note that due to
the nature of denying implicit trust, a breach will have much more
difficulty spreading from one workload to another when core workloads
are protected.
The
key thing to remember is that because it is a cybersecurity
framework, zero trust is meant to be flexible, and as such, is best
used in combination with other popular cybersecurity frameworks such
as the Cybersecurity
Framework | NIST,
CMMC
2.0,
CIS
8.0
and others to achieve maximum benefit.
Steps
to Take Today to Secure Education Institutions
While
implementing a zero trust framework is ideal, the truth is it will
take most school systems and higher education institutions time to
adopt zero trust and integrate it with existing security measures.
However, there are some steps that organizations can take immediately
to protect teachers and students.
With
the awareness that threats continue to evolve at a rapid pace,
institutions should:
- Assess
internally where zero trust enabling technology is already present
in the organization.
- Identify
gaps and prioritize areas where zero trust should be implemented
first.
- Work
in a phased approach to first apply zero trust principles to
critical use cases and workload.
- Seek
the guidance of a trusted cybersecurity partner leveraging a common
and proven zero trust framework.
It’s
a crucial time for our education leaders to support a modernized
cybersecurity posture grounded in a strategy that still allows for
dynamic organizational innovation. While there is not one universal
entry point for implementing zero trust, there are many equally valid
ones that K–12 and higher education institutions can take. The most
important step is simply taking one so that your institution can
safeguard itself against today’s evolving threat landscape.