Apr 11 2023

Q&A: Zero Trust Is Higher Education’s Best Defense for Valuable Research Assets

Continuous authentication and network segmentation minimize vulnerabilities while maintaining user-friendly collaboration.

Higher education research is worth billions of dollars annually, much of it funded by federal partners such as the National Science Foundation and the U.S. Department of Defense (DOD).

EdTech spoke recently with Hunter Ely, a Palo Alto Networks field strategist specializing in higher education, about zero-trust architecture and why it’s an excellent security strategy for the unique needs of research computing environments.

EDTECH: What makes higher education unique in terms of research data and cybersecurity?

ELY: The teaching and learning mission is front and center, and in many schools, the research mission is also a top priority. Then there are all the other functions a university has to provide from an IT perspective. We have to be responsive to the complex nature of those networks because that’s the backdrop for the multimillion-dollar research happening on campuses.

Researchers worry about protecting intellectual property and complying with granting agencies’ data security requirements, as well as state and federal requirements. They also need to be able to collaborate with peers around the country and the world. So, research technology has to make it easy to collaborate while still providing the necessary security. Trust is incredibly important because researchers build their reputations on the integrity of the data they put out for review.

EDTECH: How would you describe the threat environment for higher education research?

ELY: Universities have a unique set of circumstances that lead to them being targeted. Every major research university is connected to a regional, state or education network that provides incredible bandwidth. Threat actors want access to these fast networks because they are ripe for exploitation for financial gain or as a steppingstone in a more complex attack. Universities also fall victim to ransomware, which is a huge threat given the complexity of the overall environment.

We see researchers trying to collaborate in a target-rich environment while they are working on intellectual property related to DOD research, lifesaving medical research and other projects. If that data is compromised, their research is potentially over, along with their ability to secure funding. Finding ways to help them meet research goals while implementing security in a proactive, efficient and simple way is what we’re striving for.

EDTECH: What has changed in this environment in recent years?

ELY: The Biden Administration’s January 2022 memorandum requires federal agencies to move to zero-trust architectures. If the federal government is taking a zero-trust approach, that ball will roll downhill, and granting agencies will require similar environments for their grantees.

Measures like the DOD’s Cybersecurity Maturity Model Certification are becoming more important to researchers. Granting agencies will start requiring CMMC compliance for researchers to get their money. Grantors are also requiring security plans as part of proposals. That’s relatively new, and it has forced researchers to work with their IT counterparts to build appropriate infrastructure and document security processes.

EDTECH: What are some of the risks that can occur in an environment not protected by zero trust?

ELY: A top-level concern is the human factor. If you are collaborating with researchers around the world and don’t have a strong authentication model, that’s the front-door risk. Not having complex passwords, multifactor authentication and other tools is a huge risk. We see data loss all the time through compromised credentials.

Other concerns relate to properly segmenting the network. Zero trust brings to the forefront the idea of a protect surface. Building a virtual moat around the research environment can be highly effective and easy to use, but we often see a pool of researchers using a single system without proper segmentation. Leakage from one data set to another can be a huge problem when threat actors get into those systems via compromised credentials. Stronger authentication and smaller protect surfaces for individual projects are where research is heading.

EDTECH: What makes zero-trust security a good approach for these environments?

ELY: It’s important to remember that zero trust is not a product; it’s a philosophy. It’s a way of thinking about how you use, protect and access data and ultimately produce high-integrity results. Implementing zero trust is a process that starts with understanding your protect surfaces, building controls around them and mapping transactional flows so you can build an architecture that supports the way users will interact with data resources. Next, you create policies that support continuous user authentication. Finally, you monitor and adjust as needed, because zero trust should be iterative.

EDTECH: How would you summarize the value of zero trust for researchers?

ELY: Going back to where we started, universities serve various missions and carry out incredibly valuable work within a complex, interconnected environment. Zero trust is a way of breaking down that complicated environment into the most important assets to protect and the types of activities researchers need to do, and then building protect surfaces and policies that are responsive to specific use cases. This idea of creating the protect surface and building visibility from the ground floor enables universities to reduce real-world risk while providing valuable and highly protected research environments.
