Aug 28 2025
Security

Zero Trust Takes Hold in Higher Education

University IT security leaders share their zero trust journeys, from initial projects to their long-term vision.

Faced with an ever-changing cybersecurity threat landscape, Virginia Commonwealth University CISO Dan Han recognized that a traditional network security model could no longer support how employees want to work — or effectively protect university data and IT infrastructure.

He first learned about zero trust in 2017. At a Gartner conference two years later, a vendor talking about “location-agnostic, borderless security” piqued his interest. That concept fit perfectly with workforce trends he’d been tracking that showed younger employees expect to work from anywhere, at any time and from any device.

Han began conversations around zero-trust adoption, but the initiative wasn’t a priority until COVID-19 suddenly forced employees to work from home. In 2022, VCU modernized security by implementing zero trust, a security framework that assumes nothing inside or outside the network is to be trusted.

Instead of relying on traditional perimeter security with firewalls, he implemented Zscaler’s zero-trust platform, replacing VPNs with software that authenticates users and devices regardless of location and enforces role-based policies so employees can access only what they need for their jobs.

“We now have location-agnostic security, so whether you’re in the office, at home or in a Starbucks, the security protection is the same. Visibility for the security team is the same,” Han says. “We don’t care where you are. When you log in to your laptop, you can seamlessly access what you are entitled to access to do your work.”

Why Should Higher Education Institutions Adopt Zero Trust?

Higher education institutions are increasingly adopting zero trust, one of the most effective security strategies available to organizations today, but many are still early in their implementations.

In the past few years, the popularity of zero trust has exploded into a nearly unanimous agreement that all cybersecurity should be approached in this fashion, says analyst John Grady of Enterprise Strategy Group.

“More are moving down the zero-trust path, but it can be a big, complex undertaking,” he says.

A zero-trust architecture is designed around the principle of “never trust, always verify,” requiring continuous authentication and verification of users and devices to access resources.

Zero trust also enforces least-privilege access, giving users only the minimum access needed for their jobs, and focuses on five pillars: identity, devices, networks, applications and workloads, and data. According to the Cybersecurity and Infrastructure Security Agency, visibility and analytics, automation and orchestration, and governance through policies and procedures are woven through the five pillars.

How Institutions Can Implement Zero-Trust Strategies

Many IT organizations adopt zero trust with targeted projects first instead of diving immediately into comprehensive, organizationwide efforts, Grady says.

Organizations should begin by identifying their most critical security gaps and highest areas of risk, then assess existing technologies that can support zero-trust principles before determining what new tools they need.

Starting with access controls makes sense because it’s typically an area of greatest need, particularly for organizations modernizing remote access following the pandemic, Grady says. Traditional on-premises and remote access methods are fundamentally broken and often represent the most outdated part of the entire technology stack, he says.

“It’s almost indefensible to argue that what we were doing before — with a publicly visible VPN where you had access to everything — worked great,” he says.

VCU’s Han describes it as the traditional castle-and-moat security approach: firewalls protecting everything inside where everything inside is trusted, while VPNs serve as drawbridges for remote access. But VPN gateways are publicly exposed, and once connected they provide broad network access. Cybercriminals that hack in with compromised credentials can then access the network.

Grady says colleges and universities need to invest in technology to adopt zero trust, such as zero-trust network access (ZTNA), multifactor authentication, tools that enable network microsegmentation, user and entity behavior analytics to detect anomalies, and data loss prevention (DLP).

But zero trust goes beyond technology. Organizations must also create policies that map back to zero-trust principles, such as least privilege and continuous authentication, he says.

“You can put tools in place, but if you don’t write the policies the right way, you don’t have zero trust,” Grady says.

Zero-Trust Solutions Can Secure Remote Access

VCU adopted zero trust because the 28,800-student campus in Richmond, Va., had become a borderless organization. With many employees working remotely — some hybrid, some fully remote — the traditional security model was no longer sufficient.

Han had two primary goals: deploy location-agnostic security to ensure consistent protection regardless of user location and enable seamless yet secure access to resources, whether cloud-based or in the data center. The security team also needed continuous visibility into user activity on their devices.

In the office, the IT department safeguarded the network with traditional network security, such as firewalls and intrusion detection systems. But remote employees didn’t get the same level of protection. They had some protections, such as email filtering and endpoint security on laptops, but the security team lost visibility into device activity and user behavior.

To fix that, VCU implemented Zscaler’s ZTNA software to replace its VPNs. The software creates direct, encrypted connections between users and the cloud-based and internal apps they are allowed to access.

All traffic is first routed through Zscaler’s cloud-based security stack, including firewalls and intrusion prevention systems, which prevents users from downloading malware or going to phishing sites, Han says. ZTNA is more secure than VPNs because users only access the specific applications they are authorized to use, rather than gaining broad network access.

To manage application access, VCU used its HR system as the single source of truth, incorporating department IDs and job codes. These parameters allowed Han and his team to configure granular controls over what applications and data each employee could access.

Access provisioning is now fully automated. When users log in to their laptops, Microsoft Entra ID (formerly Azure Active Directory) authenticates them and automatically retrieves their information from the HR system. Entra ID then feeds that data to Zscaler, which grants or restricts access to specific applications based on each person’s role.

A protocol called SCIM (System for Cross-Domain Identity Management) allows VCU’s HR system and security tools to communicate and sync employees’ identity information and access permissions.

Source: EDUCAUSE, 2025 EDUCAUSE Cybersecurity and Privacy Workforce in Higher Education, June 2025

“We layered access that way and used different things, such as department IDs, department codes and employee job codes, to automate access provisioning and deprovisioning for individuals,” Han says. When HR records change, users automatically gain or lose access to different resources.

“This is how we’re able to limit the blast radius,” he says.
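The attribute-driven provisioning described above can be sketched as follows. This is an added example, not VCU's configuration or any vendor's code: the rule table, department IDs, job codes, user ID and group names are hypothetical, and the request bodies follow the SCIM 2.0 PatchOp format from RFC 7644.

```python
import json

# Constructed rules: (department ID, job code) -> application groups.
# "*" matches any job code. All IDs and group names are hypothetical.
RULES = {
    ("D100", "*"): {"grp-hr-portal"},
    ("D100", "J-PAYROLL"): {"grp-payroll-app"},
    ("D200", "*"): {"grp-research-storage"},
    ("D200", "J-LABMGR"): {"grp-lab-inventory"},
}
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def entitlements(record):
    """Groups an HR record is entitled to; default deny when no rule matches."""
    if record is None or not record.get("active", False):
        return set()
    dept, job = record.get("dept_id"), record.get("job_code")
    return RULES.get((dept, "*"), set()) | RULES.get((dept, job), set())


def scim_patches(user_id, old_record, new_record):
    """Return {group: SCIM PatchOp body} for the delta caused by an HR change."""
    before, after = entitlements(old_record), entitlements(new_record)
    patches = {}
    for group in sorted(after - before):  # newly entitled: add membership
        op = {"op": "add", "path": "members", "value": [{"value": user_id}]}
        patches[group] = {"schemas": [PATCH_SCHEMA], "Operations": [op]}
    for group in sorted(before - after):  # no longer entitled: revoke
        op = {"op": "remove", "path": f'members[value eq "{user_id}"]'}
        patches[group] = {"schemas": [PATCH_SCHEMA], "Operations": [op]}
    return patches


if __name__ == "__main__":
    # Constructed sample: an employee transfers departments, then leaves.
    old = {"dept_id": "D100", "job_code": "J-PAYROLL", "active": True}
    new = {"dept_id": "D200", "job_code": "J-LABMGR", "active": True}
    for group, body in scim_patches("u-1001", old, new).items():
        print("PATCH /Groups/" + group, json.dumps(body))
    print(scim_patches("u-1001", new, dict(new, active=False)))
```

Because entitlements are recomputed from the HR record on every change, a transfer revokes the old department's groups in the same pass that grants the new ones, and an unmatched or inactive record ends with no access.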

VCU installs a Zscaler agent on every university-issued laptop. It collects device and network telemetry data, providing security teams visibility to monitor device health and detect potential security threats.

“The perimeter now is really the computer itself,” he says.

Moving forward, VCU plans to implement enhanced authentication and validation for sensitive systems and use its CrowdStrike endpoint detection software to generate zero-trust health scores, allowing Zscaler to revoke access if devices become compromised during sessions, Han says.

The university also plans to beef up zero trust in the data layer by deploying data classification tools and advanced DLP, he says.

“We have traveled quite far down this path, but zero trust is a never-ending journey,” Han says.

OSU Implements a ‘Smart Access’ Security Initiative

Two factors drove Oregon State University’s zero-trust efforts. First, the 36,000-student university needed to upgrade identity and access management (IAM) in preparation for the IT department’s plan to replace its legacy, on-premises enterprise resource planning solution with a cloud option.

Second, an unsuccessful cyberattack stemming from a compromised IT administrator account highlighted the need to improve IAM controls, says OSU Deputy CISO Marjorie McLagan.

“This cyber event was a catalyst for us to pursue both the identity and device pillars in the CISA Zero Trust Maturity Model,” she says.

To resolve its identity management challenges, the Corvallis, Ore., university spent a year replacing old, unwieldy homegrown scripts with Saviynt’s identity governance and administration tool. Launched in June 2023, the IGA software automatically provisions employee and student accounts, and provides automated access to several enterprise services based on their relationship with the university.

To reduce risks further, OSU adopted additional modern features in its Cisco Duo multifactor authentication tool, she says. Duo is required for employees and students, and a small subset is using passwordless authentication with Microsoft Authenticator.

One issue with the cyberattack was that OSU’s security operations center had limited visibility into devices. To resolve that, OSU deployed Microsoft Defender endpoint protection and response software, which provides increased visibility, McLagan says.

In addition, OSU adopted Microsoft Intune, a cloud-based device management tool that manages Windows updates and security patches on devices. The university also migrated from on-premises IAM to the Microsoft Entra single sign-on solution to leverage cloud-based advantages.

“We can monitor and provide granular access based on identity and devices, meaning access based on who you are, the device being used and where you are located,” McLagan says.

OSU’s messaging strategy helped gain user buy-in. In focus groups, people disliked the term zero trust, saying that it implied they were untrustworthy. So, the university branded the initiative as Smart Access, and it resonated with users, McLagan says.

“We responded, ‘We do trust you, and we want to protect you, your data and the institution,’” she says.

OSU is three years into its zero-trust journey. As for the remaining zero-trust pillars, the network was already highly segmented. A data group is working on a project around appropriate management controls to protect data, she says.

The university plans to expand the IGA tool’s capabilities and enable the IT department to deprovision users when they leave OSU. The university will also incorporate volunteer management systems and integrate physical access controls. In the future as new employees arrive, OSU can streamline onboarding to include applications and buildings they require access to, she says.

“We are in a much better place and still have work to do,” McLagan says. “Between the enhancements to the identity and endpoint pillars, we have improved visibility such that we can detect and respond very quickly to things happening in our environment.”

Photography by Tyler Darden