Jan 30 2024

What Is Zero-Trust Security? Key Principles of the Model

Zero trust is a security model in which every attempt to access an organization’s network and resources is vetted continuously. CISA recommends focusing on five “pillars” as you create a zero-trust environment.

In the face of increasingly intelligent cybercriminals and rising threats, higher education institutions must protect their networks and online environments from attacks. Cybersecurity remains a top priority for higher ed IT leaders, according to InsideHigherEd's "2023 Survey of Campus Chief Technology/Information Officers," report, with 92 percent of respondents noting that they have updated their software to improve their cybersecurity practices within the last 12 months.

IBM’s 2023 “Cost of a Data Breach” report ranks social engineering techniques such as phishing scams as one of the top causes of security breaches, making training a vital component of any institutions’s cybersecurity posture. But training alone won’t protect a network from criminals.

As a result, more schools are turning to zero-trust security strategies.

Click the banner to learn more about implementing zero trust at your institution.

Zero trust, which started as an alternative to the “trust but verify” method of cybersecurity, has become a popular buzzword for IT teams and tech users. Here’s what it really means for a school’s security approach, and how higher ed IT leaders can get started:

What Is a Zero-Trust Security Model in Higher Education?

Zero trust is a security model in which access to an organization’s network and resources is monitored continuously. It is a cybersecurity mindset, not a final state of security that colleges and universities can hope to achieve.

In a zero-trust architecture, every attempt to access an institution’s network, data or applications must be verified and approved. This applies to internal and external requests for access. This means that all users, including students and staff, should be vetted when attempting to access a school’s network and materials for online learning.

According to the Cybersecurity and Infrastructure Security Agency (CISA), the implementation of zero trust should span five pillars: identity, devices, networks, applications and workloads, and data.


Zero Trust Infographic


Applying the Seven Tenets of Zero Trust in Higher Ed IT Environments

In addition to five pillars, there are also seven tenets of zero trust that IT leaders should follow, as described in the National Institute of Standards and Technology’s SP 800-207 Zero Trust Architecture. They are:

  1. All data sources and computing services are considered resources.
  2. All communication is secured regardless of network location.
  3. Access to individual resources is granted on a per-session basis.
  4. Access to resources is determined by dynamic policy — including the observable state of client identity, application/service and the requesting asset — and may include other behavioral and environmental attributes.
  5. The organization monitors and measures the integrity and security posture of all owned and associated assets.
  6. All resource authentication and authorization is dynamic and strictly enforced before access is allowed.
  7. The organization collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.

For colleges and universities, these tenets apply to all staff and student devices, as well as all the data they generate and all the applications they access. Often, school IT teams don’t have the resources to adopt all these tenets overnight. Therefore, IT teams and users must approach zero trust as a journey.

MORE ON EDTECH: Follow these steps to modernize your identity and access management program.

Zero-Trust Security Is a Journey with Levels of Implementation

There are ways to measure each stage of an institution’s journey from traditional security through optimal zero-trust maturity. CISA has mapped each of the four stages of maturity against its five pillars, giving colleges and universities the opportunity to grow their cybersecurity strategies over time.

Traditional: Most higher ed institutions will begin the zero-trust journey at this first stage. In a traditional model, most security processes will be manual. They may have manual deployments of threat protection solutions, manual configurations, minimal encryptions and static access controls.

Initial: As colleges and universities begin to evaluate their security posture through a zero-trust lens, they should aim to move to the initial model. In this environment, they can begin to implement automation for protections like access expiration and some threat protection.

Advanced: The next stage is the advanced zero-trust maturity model. Here, institutions will take into account protections such as phishing-resistant multifactor authentication, session-based access, encrypted network traffic and data at rest, and redundant but highly available data stores with static data loss prevention.

Optimal: An optimal model features full automation with self-reporting solutions, least privilege access and centralized visibility with situational awareness. This level features continuous user validation, access controls with microperimeters and continuous data inventorying with automated data categorization.

It’s unrealistic for any organization, to strive for an optimal environment right out of the gate. Achieving optimal zero trust is a long-term goal that IT professionals can plan for and work toward, securing their environments through smaller changes along the way.

For higher ed institutions that are only just considering zero trust, and for those that have already begun to forge ahead, the best place to start is with a security assessment. This helps to establish a baseline by offering visibility into their current security landscape.

UP NEXT: Plan for zero trust in your higher ed institution.

gorodenkoff / gettyimages

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.