Applying the Seven Tenets of Zero Trust in K–12 IT Environments
In addition to five pillars, there are also seven tenets of zero trust that IT leaders should follow, as described in the National Institute of Standards and Technology’s SP 800-207 Zero Trust Architecture. They are:
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy — including the observable state of client identity, application/service and the requesting asset — and may include other behavioral and environmental attributes.
- The organization monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization is dynamic and strictly enforced before access is allowed.
- The organization collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
For K–12 schools, these tenets apply to all staff and student devices, as well as all the data they generate and all the applications they access. Often, school IT teams don’t have the resources to adopt all these tenets overnight. Therefore, IT teams and users must approach zero trust as a journey.
MORE ON EDTECH: Anchor your security strategy with these four focuses.
Zero-Trust Security Is a Journey with Levels of Implementation
There are ways to measure each stage of a school’s journey from traditional security through optimal zero-trust maturity. CISA has mapped each of the four stages of maturity against its five pillars, giving K–12 organizations the opportunity to grow their cybersecurity strategies over time.
Traditional: Most schools will begin the zero-trust journey at this first stage. In a traditional model, most security processes will be manual. Schools may have manual deployments of threat protection solutions, manual configurations, minimal encryptions and static access controls.
Initial: As schools begin to evaluate their security posture through a zero-trust lens, they should aim to move to the initial model. In this environment, schools can begin to implement automation for protections like access expiration and some threat protection.
Advanced: The next stage is the advanced zero-trust maturity model. Here, schools will take into account protections such as phishing-resistant multifactor authentication, session-based access, encrypted network traffic and data at rest, and redundant but highly available data stores with static data loss prevention.
Optimal: An optimal model features full automation with self-reporting solutions, least privilege access and centralized visibility with situational awareness. This level features continuous user validation, access controls with microperimeters and continuous data inventorying with automated data categorization.
It’s unrealistic for schools, or any organization, to strive for an optimal environment right out of the gate. Achieving optimal zero trust is a long-term goal that IT professionals can plan for and work toward, securing their environments through smaller changes along the way.
For schools that are only just considering zero trust, and for those that have already begun to forge ahead, the best place to start is with a security assessment. This helps to establish a baseline by offering visibility into their current security landscape.
UP NEXT: Plan for zero trust in your K–12 organization.