Feb 16 2023

Could Zero-Trust Architecture Help K–12 Schools Fend Off Ransomware Attacks?

Zero trust is not a panacea for school cybersecurity, but it can definitely help in some areas.

Starting in May 2021, zero-trust network and security architectures became a requirement for federal government IT teams. With some K–12 IT experts looking to the feds for best practices and inspiration, it’s natural to ask how zero trust can help with ransomware and other cyberthreats.

How Does Zero Trust Help Schools Rethink Cybersecurity?

Zero trust is a new approach to security in which every network, every bit of traffic, every user and every system is considered a potential threat that should not be trusted by default. Previously, IT teams built networks around a perimeter of firewalls and encrypted VPN tunnels. Zero trust keeps bad actors at bay by requiring every user and device to earn trust before gaining access.

Zero trust reduces the trust granted inside the perimeter, but it also opens access from outside it. In a world where everyone is connected to the internet all the time, zero trust allows complete outsiders to at least attempt to access applications and services.

By combining strong authentication, device posture checking and other contextual information, such as time of day or geographic location, zero trust reduces the likelihood that someone, even with stolen credentials, can break in.

In a full implementation, zero trust also protects server-to-server communications and can require a redesign of data centers to provide isolation and control points everywhere in the network.


Can Zero Trust Help Solve Ransomware?

At first glance, zero trust would not appear to address ransomware. Old-school ransomware was delivered as a payload in email or by tricking a user into downloading some malware. 

Yet, looks can be deceiving. A solid zero-trust implementation helps with ransomware in four ways: by reducing infection; blocking lateral network movement; blocking exfiltration of stolen data; and alerting to suspicious network activity.


How Does Zero Trust Keep Users From Infections?

Authentication is a critical step, but a full zero-trust architecture also includes posture checking to verify the state of the client, ensuring software patches, OS updates and security controls are enabled.

While everyone knows that anti-malware is important, it’s common to see infections when a user turns off anti-malware and forgets or decides not to turn it back on.

Zero trust relies on existing anti-malware tools and ensures the client is protected before giving access. If a teacher, administrator or student disables anti-malware, zero trust will block them from all other applications — a strong incentive to keep protections in place.
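The access decision described above, combining authentication, device posture and context, is easier to reason about as a policy function. The following Python is an added example written for this article, not code from the article or from any zero-trust product; the policy parameters (allowed countries, patch age, access hours) and the sample requests are constructed placeholders, and a real deployment would take the posture fields from its device-management and anti-malware agents.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed policy parameters for a hypothetical district; none of these values come from the article.
ALLOWED_COUNTRIES = {"US"}
MAX_DAYS_SINCE_PATCH = 30
ACCESS_HOURS_LOCAL = range(6, 23)   # 06:00 to 22:59 local time


@dataclass
class AccessRequest:
    user: str
    password_ok: bool
    mfa_ok: bool
    device_managed: bool        # enrolled in the district's device management (assumed field)
    antimalware_running: bool   # as reported by the client agent (assumed field)
    days_since_patch: int
    country: str
    local_hour: int


def evaluate(req: AccessRequest) -> Tuple[str, List[str]]:
    """Return ("allow", []) or ("deny", [reasons]).

    Every check must pass. A valid password on its own never earns access,
    which is what blunts a stolen-credential login.
    """
    reasons: List[str] = []
    if not req.password_ok:
        reasons.append("bad_credentials")
    if not req.mfa_ok:
        reasons.append("mfa_failed")
    if not req.device_managed:
        reasons.append("unmanaged_device")
    if not req.antimalware_running:
        # A user who switched anti-malware off loses access to everything
        # until it is back on.
        reasons.append("antimalware_disabled")
    if req.days_since_patch > MAX_DAYS_SINCE_PATCH:
        reasons.append("patches_out_of_date")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append("unexpected_location")
    if req.local_hour not in ACCESS_HOURS_LOCAL:
        reasons.append("outside_access_hours")
    return ("allow", []) if not reasons else ("deny", reasons)


# Constructed sample requests (not real users or events).
COMPLIANT = AccessRequest("teacher01", True, True, True, True, 5, "US", 9)
# A stolen password used from abroad at 3 a.m. on an unknown laptop:
# the password checks out, nothing else does.
STOLEN_CREDS = AccessRequest("teacher01", True, False, False, False, 0, "XX", 3)
# The same teacher on a compliant device who turned anti-malware off.
AV_OFF = AccessRequest("teacher01", True, True, True, False, 5, "US", 9)

if __name__ == "__main__":
    for name, req in (("compliant", COMPLIANT), ("stolen", STOLEN_CREDS), ("av_off", AV_OFF)):
        decision, why = evaluate(req)
        print(f"{name:10} {decision:5} {', '.join(why)}")
```

The point of returning every failed check rather than stopping at the first is operational: the help desk can tell a teacher exactly which control to restore, and the security team can see that a single login failed five checks at once, which looks very different from a forgotten MFA token.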

A zero-trust implementation also provides K–12 IT teams an opportunity to re-evaluate anti-malware. The next generation of anti-malware tools — extended detection and response, or XDR — builds a strong infrastructure around alerts and information coming from client workstations.

Client tools do more than just identify and stop malware. They also feed information to consoles, which then deliver instructions back to the clients to block network traffic or remediate an infection.  

Zero-trust projects require modern and capable client anti-malware tools. A full zero-trust implementation will include assessing both client anti-malware and client management tools for capabilities and compatibility.

How Does Zero Trust Block Lateral Movement And Data Loss?

Ransomware has evolved to not only encrypt but also exfiltrate data, giving the criminals a powerful extortion opportunity.

Zero trust’s inspection and control of network traffic stops ransomware from spreading laterally or shipping sensitive data off-campus. Because zero trust controls what flows over the network, even within the data center, connections to unauthorized servers, suspicious internet sites or unapproved protocols are blocked or throttled, and admins are alerted.
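The "deny by default, alert on everything else" behaviour described above can be shown as a small flow-policy evaluator. This Python is an added example written for this article, not the article's own code or any vendor's; the network segments, the allowlist, the byte threshold and the sample flows are all constructed placeholders for a hypothetical district network.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed segment map for a hypothetical district network (assumed, not from the article).
SEGMENTS = {
    "student_wifi": ipaddress.ip_network("10.10.0.0/16"),
    "staff": ipaddress.ip_network("10.20.0.0/16"),
    "datacenter": ipaddress.ip_network("10.50.0.0/24"),
}

# Explicit allowlist of (source segment, destination segment, destination port).
# Internal traffic not listed here is denied; that is the zero-trust default.
ALLOWED_INTERNAL = {
    ("student_wifi", "datacenter", 443),   # student portal / LMS over HTTPS
    ("staff", "datacenter", 443),
    ("staff", "datacenter", 445),          # staff file shares
}
ALLOWED_EGRESS_PORTS = {80, 443}
EXFIL_BYTES_THRESHOLD = 500 * 1024 * 1024  # assumed threshold: 500 MB sent in one flow


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


@dataclass
class Decision:
    action: str            # "allow", "block" or "throttle"
    alert: Optional[str]   # None when nothing needs an admin's attention


def segment_of(ip: str) -> str:
    """Map an address to its named segment, or "internet" if it is not ours."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def decide(flow: Flow) -> Decision:
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == "internet":
        # Outsiders reach applications only through the access proxy, which is
        # not modelled here; anything else arriving directly is dropped.
        return Decision("block", f"inbound_outside_access_path:{flow.src}")
    if dst_seg != "internet":
        if (src_seg, dst_seg, flow.dport) in ALLOWED_INTERNAL:
            return Decision("allow", None)
        # Client-to-client or unapproved server traffic is how ransomware spreads.
        return Decision("block", f"lateral_movement:{src_seg}->{dst_seg}:{flow.dport}")
    # Outbound to the internet.
    if flow.dport not in ALLOWED_EGRESS_PORTS:
        return Decision("block", f"unapproved_protocol:{flow.dport}")
    if flow.bytes_out > EXFIL_BYTES_THRESHOLD:
        # Throttle rather than hard-block: a legitimate backup still finishes,
        # slowly, while someone looks at the alert.
        return Decision("throttle", f"possible_exfiltration:{flow.src}->{flow.dst}")
    return Decision("allow", None)


# Constructed sample flows (addresses are documentation ranges, not real hosts).
SAMPLE_FLOWS = [
    Flow("10.10.4.21", "10.50.0.10", 443, 20_000),                 # student -> LMS
    Flow("10.10.4.21", "10.10.7.33", 445, 4_000),                  # student -> student SMB
    Flow("10.20.1.5", "10.50.0.10", 445, 1_000_000),               # staff -> file share
    Flow("10.20.1.5", "203.0.113.8", 443, 900 * 1024 * 1024),      # huge upload off-campus
    Flow("10.10.4.21", "198.51.100.4", 6667, 500),                 # IRC to an outside host
]


def evaluate_all(flows: List[Flow]) -> List[Decision]:
    return [decide(f) for f in flows]


if __name__ == "__main__":
    for f, d in zip(SAMPLE_FLOWS, evaluate_all(SAMPLE_FLOWS)):
        print(f"{f.src} -> {f.dst}:{f.dport}  {d.action:8} {d.alert or ''}")
```

Two design points carry over to real enforcement gear: the allowlist is written in terms of segments and ports rather than individual hosts, so it survives DHCP churn, and every non-allow decision carries a reason string that can go straight into the SIEM, which is the "alerting to suspicious network activity" part of the article's four benefits.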

For school-owned systems, such as laptops issued for home use, required anti-malware protection can extend the same restrictions to the device.


With the Family Educational Rights and Privacy Act and the Protection of Pupil Rights Amendment mandating student privacy protections, guarding against data breaches is a top priority for K–12 administrators.

In support of academic freedom and exploration, K–12 IT teams have traditionally observed a relaxed policy for outbound connections from internal networks. But zero trust doesn’t work well with this approach, which means that IT teams may have to navigate conflicting requirements between security needs on one side and students and teachers on the other.

Another issue that may rankle students and educators is that zero trust increases monitoring of network activity. Because the internal network, its servers and its users are less trusted than before, zero trust calls for a higher level of monitoring and control, even on wireless networks traditionally open to guests. K–12 IT teams implementing zero trust should make sure that this change in network posture is communicated to all users to eliminate surprises down the line.

Isn’t Zero Trust Too Complicated For K–12 IT Teams?

Zero trust isn’t a single policy or a single architecture with a single set of products. It’s a different approach to building networks and application access. 

K–12 teams can re-imagine and secure their networks using zero-trust concepts and ideas from outside education, just as they’ve borrowed from other sectors in the past. K–12 IT should see zero trust as a journey, one they can undertake gradually, at their own pace.

That said, simply adopting a zero-trust attitude for networks and applications will deliver big wins, not only in reducing the risk of ransomware but in overall security for every user. 
