Higher education cybersecurity professionals have largely embraced zero trust as an outline for how to protect the complex data and networks they manage on a daily basis. Taking that outline and putting it into practice, however, can be challenging because zero trust is an aspirational target and not a tangible result colleges and universities can attain.
That’s not to say that there aren’t at least a few decent roadmaps out there that can help higher education and other institutions navigate their way to zero trust. In 2021, the Cybersecurity and Infrastructure Security Agency released its roadmap — the Zero Trust Maturity Model — in response to a White House executive order regarding cybersecurity for federal agencies.
Just 19 months later, CISA updated that model and released version 2.0 in April 2023. While the model itself is intended to inform governmental agencies, the insights it provides are relevant to any organization with cybersecurity concerns, including higher education.
What Are the 5 Pillars of Zero Trust?
CISA has broken down a zero-trust architecture into five pillars, all working in a complementary fashion to create a comprehensive cybersecurity posture.
- Identity: Confirming that users are who they say they are, and verifying their location and what they are trying to do, is the foundation of cyberdefense. Before institutions can properly allow, deny or reroute a user, they need to match a set of identifying attributes to that entity to confirm the user has not been compromised.
- Devices: This includes personal and university-owned devices, all of which need to be verified and secured. CISA notes that this means maintaining an accurate device inventory and having visibility into the software, firmware and more that power those devices, something that device management programs offer as institutions lean into automation.
- Networks: In the past, protecting large-scale networks was an exercise in secure fence-building around the network in its entirety. With zero trust, network protection becomes more granular, focusing on protecting applications and data — in addition to broader network defenses — using what CISA calls a “defense-in-depth” approach.
- Applications and workloads: Along those same lines, zero trust demands colleges and universities deploy and manage user applications with a focus on security. An application modernization program can offer some assistance, as many of the latest apps and updates incorporate zero-trust principles.
- Data: In today’s modern campus infrastructures, data is often spread across a number of locations, both on-premises and in hybrid cloud environments. Assessing and understanding the full breadth of data and monitoring what’s happening to it is essential to maintaining security.
The five pillars are based on the seven tenets of zero trust developed by the National Institute of Standards and Technology. CISA’s 2.0 model also revised the maturity levels for each pillar, providing more detail and recommending that institutions transition to security solutions driven by automation. For the purposes of this article, though, the five pillars are the focus, and there’s one in particular that stands out beyond the others.
The Outsized Role of Identity in a Zero-Trust Framework
The complementary nature of the five pillars largely explains why identity is the first pillar of a zero-trust architecture. Understanding and confirming users are who they say they are — while on the network, accessing data or using a connected device or software — is the start of zero-trust security and the initial step when addressing any of the other pillars.
Some of this can also be seen in CISA’s breakdown of maturity stages, represented as a pyramid. At the bottom of the pyramid are so-called traditional solutions, such as passwords, on-premises storage and permanent user access that is only reviewed periodically. As the pyramid grows narrower, in the initial and advanced maturity stages, measures such as phishing-resistant multifactor authentication, the automatic expiration and assessment of user access, and limiting access by need or by session all become part of a security framework.
At the tip of the pyramid, in the optimal maturity tier, zero-trust institutions are implementing continuous authentication and risk analysis, along with individually tailored automated access and full-system integration of identity solutions.
All of those things have a role to play within the other four pillars of zero trust. Identity management is necessary to secure networks, applications, devices and data. If an institution’s only form of identity management is something as basic as a password, a single user’s weak or stolen password is all it will take for a bad actor to breach a network, device, data center or application. Without protections such as MFA, at a bare minimum, the rest of an aspiring zero-trust security architecture is vulnerable, no matter how many other tools are in place.