There are plenty of creative ways to illustrate zero-trust security. Joseph Potchanant, the director of the cybersecurity and privacy program at EDUCAUSE, constructs a house.
“Zero trust would be like building your home completely out of concrete, with no doors, no windows, no access at all at first,” he says. “Then, after you’ve completed the building, make those cutouts for what your door’s going to be, what your ventilation’s going to be, what your windows are going to be.
“The overall building is going to be much more secure that way, because you intentionally built it with the idea that the rest of the building is impenetrable.”
Impenetrable networks are the dream of all IT security professionals — but, as they will surely tell you, it’s a fantasy that will never completely come true.
The sentiment is the same for zero trust. The philosophy is just that: a philosophy that no user or device is trusted without verification. It’s an aspirational goal and a way of thinking about security that can inform higher education institutions’ decisions on how to protect student, faculty and institutional information from cyberattackers who are eager to get their hands on it.
Click the banner below to find out how identity and access management paves the way to zero trust.
The challenge with anything as abstract as a security philosophy comes when institutions try to take real steps to get there. Information security professionals are not, of course, building a house. They’re not even building new networks or data centers in most situations.
So, how do colleges and universities that believe in the zero-trust philosophy take steps that abide by that belief? Here are three ways universities can shore up the cracks in their houses where intruders could enter.
Take These Steps to Implement Zero-Trust Principles
1. Start small and upgrade as opportunities present themselves.
IT departments regularly upgrade the hardware, software and systems they use. The timing of those upgrades varies from college to college and can be driven by a number of factors, not the least of which is budget. However, every IT department will eventually have an opportunity to improve upon some of the technology it is using.
When these arise, Potchanant says, take the time to make sure every new implementation aligns with zero-trust principles.
“The first thing is, No. 1, nobody has access to anything. It is not open,” he says. “Everybody has to have rights for that thing. It is not the idea that, ‘OK, everybody has rights, and then we’re going to start restricting.’ It’s the other way around.”
Institutions that are undergoing application modernization, operating a device program or in the midst of other types of digital transformation would be wise to consider zero trust from the start, before the cement on your new house’s foundation begins to set.
2. Rely on identity and access management tools that default to zero trust.
Some of the best tools available to colleges and universities are identity and access management solutions, including multifactor authentication. It’s why identity is one of the five pillars of zero trust, as defined by the federal Cybersecurity and Infrastructure Security Agency.
By design, these tools do not trust users inherently, relying on more than one form of verification before allowing access. IAM solutions provide a second layer of defense after the first level of user verification, and these can be as simple or complex as institutions need them to be.
Most universities already have an IAM solution in place. However, institutions may need to rethink how their solutions are being deployed or upgrade IAM offerings to ensure they align with a zero-trust philosophy.
3. Consider zero-trust principles when making decisions along the security spectrum.
There are several ways colleges and universities consider and implement cybersecurity solutions, and they exist along a spectrum. On one end are tools that keep intruders out of the network, such as IAM. On the other is data recovery and cyber resiliency for bouncing back after an attack. In between, things like endpoint detection, setting out honeypots and more are all part of a comprehensive cybersecurity solution.
The entire spectrum should be part of a zero-trust framework, regardless of how heavily invested institutions are at each spot across the board. To build a fully secure network and data house, every implementation should be done with the security of the entire network in mind.
In short, whenever you’re doing something new on campus, from installing new collaboration software or servers to constructing a new building, thinking about cybersecurity from the earliest stages will lead to the best outcomes and the most secure house.
“It’s really just a different way of thinking about it,” Potchanant says. “If you put in those doors, it’s a lot easier to accomplish if you go in with the mindset of, ‘OK, we’re going to essentially do security by design.’ Whatever you’re working on is going to be secure from the outset rather than something that you add on.”
And if buildings aren’t your thing, Potchanant has another analogy that works just as well.
“Security needs to be baked into the cake, not something that you put on top afterward,” he says. “It has to be part and parcel with the material itself.”
Line graphic background: Tatiana Magurova/Getty Images; Person holding tablet: Victor Torres/Stocksy