Jan 29 2024

What Is Zero-Trust Security? Key Principles of the Model

Zero trust is a security model in which every attempt to access an organization’s network and resources is vetted continuously. CISA recommends focusing on five “pillars” as you create a zero-trust environment.

In the face of increasingly intelligent cybercriminals and rising threats, K–12 organizations must protect their networks and online environments from attacks. Cybersecurity remains the top priority for K–12 IT leaders, according to CoSN’s “2023 State of EdTech Leadership” report, with more schools prioritizing training for IT staff and end users last year than in 2022.

IBM’s 2023 “Cost of a Data Breach” report ranks social engineering techniques such as phishing scams as one of the top causes of security breaches, making training a vital component of any school’s cybersecurity posture. But training alone won’t protect a network from criminals.

As a result, more schools are turning to zero-trust security strategies.

Click the banner to learn more about implementing zero trust in your school.

Zero trust, which started as an alternative to the “trust but verify” method of cybersecurity, has become a popular buzzword for IT teams and tech users. Here’s what it really means for a school’s security approach, and how K–12 IT leaders can get started:

What Is a Zero-Trust Security Model in K–12 Education?

Zero trust is a security model in which access into an organization’s network and resources is monitored continuously. It is a cybersecurity mindset, not a final state of security that schools can hope to achieve.

In a zero-trust architecture, every attempt to access a school’s network, data or applications must be verified and approved. This applies to internal and external requests for access. This means that all users, including students and staff, should be vetted when attempting to access a school’s network and materials for online learning.

According to the Cybersecurity and Infrastructure Security Agency (CISA), the implementation of zero trust should span five pillars: identity, devices, networks, applications and workloads, and data.

CLICK HERE TO DOWNLOAD AND SAVE THIS INFOGRAPHIC.

ZT Infographic

 

Applying the Seven Tenets of Zero Trust in K–12 IT Environments

In addition to five pillars, there are also seven tenets of zero trust that IT leaders should follow, as described in the National Institute of Standards and Technology’s SP 800-207 Zero Trust Architecture. They are:

  1. All data sources and computing services are considered resources.
  2. All communication is secured regardless of network location.
  3. Access to individual resources is granted on a per-session basis.
  4. Access to resources is determined by dynamic policy — including the observable state of client identity, application/service and the requesting asset — and may include other behavioral and environmental attributes.
  5. The organization monitors and measures the integrity and security posture of all owned and associated assets.
  6. All resource authentication and authorization is dynamic and strictly enforced before access is allowed.
  7. The organization collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.

For K–12 schools, these tenets apply to all staff and student devices, as well as all the data they generate and all the applications they access. Often, school IT teams don’t have the resources to adopt all these tenets overnight. Therefore, IT teams and users must approach zero trust as a journey.

MORE ON EDTECH: Anchor your security strategy with these four focuses.

Zero-Trust Security Is a Journey with Levels of Implementation

There are ways to measure each stage of a school’s journey from traditional security through optimal zero-trust maturity. CISA has mapped each of the four stages of maturity against its five pillars, giving K–12 organizations the opportunity to grow their cybersecurity strategies over time.

Traditional: Most schools will begin the zero-trust journey at this first stage. In a traditional model, most security processes will be manual. Schools may have manual deployments of threat protection solutions, manual configurations, minimal encryptions and static access controls.

Initial: As schools begin to evaluate their security posture through a zero-trust lens, they should aim to move to the initial model. In this environment, schools can begin to implement automation for protections like access expiration and some threat protection.

Advanced: The next stage is the advanced zero-trust maturity model. Here, schools will take into account protections such as phishing-resistant multifactor authentication, session-based access, encrypted network traffic and data at rest, and redundant but highly available data stores with static data loss prevention.

Optimal: An optimal model features full automation with self-reporting solutions, least privilege access and centralized visibility with situational awareness. This level features continuous user validation, access controls with microperimeters and continuous data inventorying with automated data categorization.

It’s unrealistic for schools, or any organization, to strive for an optimal environment right out of the gate. Achieving optimal zero trust is a long-term goal that IT professionals can plan for and work toward, securing their environments through smaller changes along the way.

For schools that are only just considering zero trust, and for those that have already begun to forge ahead, the best place to start is with a security assessment. This helps to establish a baseline by offering visibility into their current security landscape.

UP NEXT: Plan for zero trust in your K–12 organization.

ArtemisDiana/Getty Images
Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT