Q&A: Patrick Sullivan on Using Zero-Trust Networks to Boost Higher Ed Cybersecurity
Higher education institutions may need to rethink their network protection strategies to make sure student data is secure, and zero-trust networks may be the solution.
The education sector was particularly vulnerable to cyberattacks last year, a study found in mid-December, and security experts are concerned that 2019 will bring a new round of threats that are more sophisticated than ever.
“No industry or institution is immune from cyberattacks, not even Harvard,” says Akamai global director Patrick Sullivan. “Thousands of students — often from all over the world — access the internet at colleges and universities, and bring any vulnerabilities or malware their computers pick up off-campus with them.”
EdTech spoke with Sullivan about how a new network access structure may help universities better guarantee the privacy and protection of network users on campus.
MORE FROM EDTECH: Universities' network security agendas can benefit from an interdisciplinary approach.
EDTECH: What do you make of the state of cybersecurity in the education sector over the past year?
Sullivan: I would say there are two sides to security: One is the vulnerability side — in other words, how vulnerable a given organization is. The other side is what the threat landscape looks like for that particular group.
Photo: Courtesy of Akamai
If you have relatively poor security, but you know there is a lack of interested adversaries, that may not be so bad. But what jumped out at me most about education cybersecurity last year was that the assessment of security posture was considered to be so poor, despite so much interest on the part of adversaries to go after that, particularly in higher education.
Earlier this year, the Department of Justice went after nation-state actors overseas who had been pilfering terabytes and terabytes of highly valuable intellectual property.
These arrests can be interpreted as a trend of bad actors looking to infiltrate education institutions, where outside organizations are turning to them to be their outsourced R&D departments.
The issue is that the partner organization itself may have great security posture — it may be a government organization or a high-tech company — but if they're partnering with education and depending on them for some of the most critical elements of their research, which leads to the most valuable IP, that could potentially be a goldmine for adversaries.
EDTECH: What was it about higher education institutions that made adversaries so interested?
Sullivan: Well, education in general is a highly transitory kind of environment. The fact that you have people coming and going so frequently rather having a more stable environment presents a set of challenges.
This means typically there are less rigorous controls over things you can do on a university network. Usually security has a little bit of a lighter touch than what you would find on the other end of the spectrum at a financial firm or government organization.
EDTECH: Coming into 2019, what are some particularly important security practices universities will need to adhere to?
Sullivan: What we're seeing now is more of a move to identity-based security, rather than having a trusted network and giving somebody access to the network, because we found that adversaries abuse access to trusted networks.
With the notion of lateral movement, all they have to do is compromise one user that has access to a trusted network and then they are off to the races. If I am an adversary, I can just live within that trusted network indefinitely.
We just saw on the news that a big hotel chain had somebody in their network for at least four years. So there needs to be a shift to what's known in the industry as a “zero-trust architecture.”
This is where you do away with the notion of a trusted network. Rather than give somebody access to your network, you give them access only to a sliver of applications that they need as part of their day-to-day activities.
For example, a student maybe only has access to the productivity suite, some internet applications that are relevant to their courses and the sign-up application for the registrar's office, but would not have access to highly sensitive information.
So, rather than segmenting the networking lower in the protocol stack, do away with that trusted network, use proxies that have a very good understanding of identity and then limit access based on identity.
MORE FROM EDTECH: See how IAM is being used to limit cloud security pain points.
EDTECH: Why have universities not introduced zero-trust networks before?
Sullivan: Zero-trust is taking identity access management and going to the next step. IAM to connect to a trusted network has been around for some time, but what I think is more novel is doing away with trusted networks altogether.
This means using identity with more of a proxy level access to applications. So, really, the change is, rather than having a firewall that separates a trusted network and untrusted network, and then once someone is on the network they have opportunities to really do all kinds of nasty things, users would have access to a sliver of applications and that access would be indirect.
The network would use a proxy that would act as sort a traffic cop, terminating all user requests and then, on the back end, making requests on a user’s behalf only to the applications where their identity would be allowed to go.
This cuts down on the potential for human error, as well as some of the complexity of segmenting an entire network.
EDTECH: How would a university get started constructing a zero-trust network?
Sullivan: I think the first rule would be starting with a good understanding of the identity of users, which the university should have. If universities tie access to identity, you do away with some of the problems of a latent access, and then you would essentially begin publishing applications in what we call a “zero-trust model.”
This means you would give access to the proxy. So, of course, all traffic to a proxy would grant that access. Then, once you've made access available in a new model, you do away with the old capabilities.
Things like a VPN, which gives you access to a network, a very broad level of access, things like a trusted corporate or university Wi-Fi, those would go away in favor of just providing transport.
You would still have a Wi-Fi, but it would basically be like a Starbucks hotspot, meaning it would not be associated with privilege. We have seen major companies follow this path. Akamai has adopted this method, Google has gone down that path and so has Netflix.
Other controls that we see are for the students themselves. Universities are in a tricky spot because they have to provide internet access as part of the campus experience.
Wherever the student is, whether outside on campus or in their dorm, they want to be able to connect to the Wi-Fi. And as a university, you want to have some level of control over what your users are doing, but typically in an academic university climate you don't want to have a heavy hand. There's not a lot of appetite there on the part of the students for that type of regime.
So, we have seen a number of universities using some lightweight controls, looking at domain name systems, where universities can look to get an indicator of the type of sites somebody is going to and, if there is a request that IT teams recognize as part of a malware campaign, you can act fast. In fact, leading adopters are very fond of that type of technology because it is such a low-friction touchpoint.
That is an extremely lightweight way to improve security posture without enforcing a lot of controls on a group that likes to be pretty free.
EDTECH: Going into 2019, do you expect there to be a positive trend in cybersecurity improvement for education institutions?
Sullivan: Well, a real change in security effectiveness takes time. So, while the sooner they start the better, I wouldn't anticipate any major changes right away. It seems that now, higher education has been identified by adversaries as a really valuable target, and so I would expect to continue seeing the trend of high levels of loss in education.
However, I think with security there is a bit of a contrarian indicator. Anytime you have a report card that talks negatively, it will raise awareness. So, I think there's some benefit to be had immediately as decision-makers at universities see a poor 2018 cybersecurity report, which could lead to a number of new, ambitious security projects.