Okay, so this is clearly not an instructional technology topic, but as CIO and acting CISO at The College of Westchester, I appreciate the importance of making more school administrators and technical personnel aware of the idea of “zero trust”. – KW
Like many other professional sectors, higher education has evolved and benefited from technological advancements. Access and mobility for educational, research, and administrative purposes have made educational institutions more intuitive and productive.
While these advancements are positive, the open connectivity acts as an open doorway through which cyber threats can easily gain entry and access to networks containing highly sensitive information and personal data. Additionally, hackers can disrupt campus computing environments, bringing school operations, research programs, activities, and more to a grinding halt.
It’s no surprise that university cyberattacks have been making headlines this year. Regis University, Georgia Tech, and others have experienced the unfortunate events of hackers exposing sensitive information of the schools, students, and/or staff. Additionally, earlier this year MIT and several other universities in the United States were urged to step up their security after a report revealed Chinese hackers attempted to steal military secrets from dozens of institutions.
The Current State of Cybersecurity in Higher Education
The 2018 Education Cybersecurity Report examined 17 different industries and found that the education sector was the least secure of them all. In particular, the report notes that the sector struggles with application security, endpoint security, and patching cadence.
Higher education tends to be harder to protect than, say, corporations, because for educational purposes computer networks must allow more open access for employees and students. Research universities and colleges have an additional challenge in that security teams may have very little visibility into the sensitive nature of some of the programs being run at their institutions, which makes their job particularly challenging. Research in diverse areas such as medicine and defense, as well as public policy, energy, and economics, can be a prized target for nation-state-backed cybercriminals. Of course, sensitive personal information on students can be found everywhere within a school’s IT networks, and we all know that type of information, wherever it resides, is extremely valuable and is always a target.
Hackers are finding creative ways to get into university networks and systems. For example, criminals use social engineering techniques to lure students and staff to malicious websites that download malware to their devices. They are also using sophisticated phishing emails with malicious embedded links that users carelessly click on. In both scenarios, hackers exploit their foothold on the endpoint by moving laterally in the school’s network to get to key systems and data.
So, in a space where there needs to be an open network for research and other educational and administrative tasks, how do higher education institutions find a middle ground in remaining safe online?
How to Improve Cybersecurity for Education Organizations
To help combat potential threats, universities should consider the Zero Trust Security concept. The objective of Zero Trust is to strengthen an organization’s data security by limiting the risk created by excessive user privileges and access, using a series of controls to ensure threats cannot enter or move laterally within an enterprise’s infrastructure. In a Zero Trust environment, granular access policy enforcement based on user context, data sensitivity, application security, and device posture helps to limit the impact any security incident can have on an organization.
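As an added illustration (not part of the original article), here is a minimal default-deny policy decision that weighs the four inputs named above: user context, data sensitivity, application security, and device posture. The role names, sensitivity tiers, and thresholds are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Data sensitivity tiers, lowest to highest (constructed for this example).
SENSITIVITY = {"public": 0, "internal": 1,
               "student_records": 2, "research_restricted": 3}

# Highest tier each role may ever reach (hypothetical role names).
ROLE_CEILING = {"student": "internal",
                "registrar": "student_records",
                "researcher": "research_restricted"}


@dataclass(frozen=True)
class Request:
    role: str             # user context: who is asking
    mfa_passed: bool      # user context: strength of authentication
    device_managed: bool  # device posture: enrolled in school management
    device_patched: bool  # device posture: OS patches are current
    app_vetted: bool      # application security: app passed review
    resource_tier: str    # data sensitivity of the requested resource


def decide(req):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    tier = SENSITIVITY.get(req.resource_tier)
    if tier is None:
        return False, "unknown resource tier"
    if tier == 0:
        return True, "public data"
    # Unknown roles get a ceiling of -1, so they never pass this check.
    ceiling = SENSITIVITY.get(ROLE_CEILING.get(req.role, ""), -1)
    if tier > ceiling:
        return False, "role not entitled to this tier"
    if not req.app_vetted:
        return False, "application not vetted"
    # Sensitive tiers demand stronger authentication and a healthy device.
    if tier >= 2 and not req.mfa_passed:
        return False, "MFA required for sensitive data"
    if tier >= 2 and not (req.device_managed and req.device_patched):
        return False, "device posture insufficient"
    return True, "all checks passed"
```

The same registrar account is allowed or refused depending on the device it connects from, which is the difference between this model and a network where a valid login alone grants access.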
In simpler terms, Zero Trust is an approach in computing that teaches us to trust nothing – whether legitimate-looking or questionable emails and file downloads – and assume everything has the potential of being a threat. And while this is a smart approach, users still need to be able to conduct their work, so the right security controls need to be in place to protect the school’s systems while enabling students and staff to get their jobs done.
Web and email access are two of the most vulnerable areas in a university’s IT environment. How can a university or college implement a Zero Trust framework to protect these assets? This is where a new secure web access approach called web isolation comes into play. Using this technique, web content is rendered in a cloud away from endpoints – that way, even if there is a threat, it never touches a user’s device. Whether a user browses to a malicious site on their own or reaches one by clicking a URL embedded in a phishing email, they’re completely safe since no web content is ever executed directly on the device.
Another technique schools’ IT teams need to actively consider is microsegmentation. When they microsegment their networks, they create very granular segments within their IT infrastructure. By doing this, they effectively limit the size of their network’s attack surface by breaking it into many small pieces. If a segment gets compromised, the other segments are “walled-off” and protected. Conversely, when an unsegmented network is penetrated, attackers have free rein to move laterally within it. The more granular your organization can make these segments, the less of an impact a security incident will have, since only that segment and the limited resources and data it contains will be exposed.
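To make the “walled-off” effect measurable, the following added example (not from the original article) computes how many hosts are exposed once a single machine is compromised, first on a flat network and then with segments. The host names, segment names, and the single allowed cross-segment flow are constructed for illustration.

```python
from collections import deque

# Constructed campus inventory: host -> segment it lives in.
HOSTS = {
    "lab-pc-17": "student_labs",
    "dorm-laptop": "student_labs",
    "print-srv": "student_labs",
    "sis-db": "student_records",
    "registrar-ws": "student_records",
    "genomics-nas": "research",
    "hpc-login": "research",
}

# Directional segment-to-segment flows the policy permits; everything
# else between segments is denied. Here registrar machines may reach
# the lab segment (for printing), but not the other way around.
ALLOWED_FLOWS = {("student_records", "student_labs")}


def blast_radius(start, hosts, allowed_flows=None):
    """Return the set of other hosts exposed if `start` is compromised.

    Exposure is transitive: every newly reached host can be used to
    reach further hosts. allowed_flows=None models a flat network in
    which any host can talk to any other host.
    """
    def can_reach(src, dst):
        if allowed_flows is None:
            return True
        s, d = hosts[src], hosts[dst]
        return s == d or (s, d) in allowed_flows

    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for other in hosts:
            if other not in seen and can_reach(cur, other):
                seen.add(other)
                queue.append(other)
    return seen - {start}


if __name__ == "__main__":
    for host in ("lab-pc-17", "registrar-ws"):
        flat = blast_radius(host, HOSTS)
        seg = blast_radius(host, HOSTS, ALLOWED_FLOWS)
        print(f"{host}: flat={len(flat)} segmented={len(seg)} {sorted(seg)}")
```

Running the same calculation against a real rule set shows which allowed flows contribute most to exposure, and therefore which segments are worth splitting further.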
The Future of Cybersecurity for Higher Education
With more and more studies and news showcasing the vulnerabilities that education organizations are facing in terms of cyberthreats, it’s time that colleges and universities embrace new ways of thinking when it comes to their cybersecurity strategy. Universities should explore how a Zero Trust approach will give them a pragmatic blueprint which can be followed to dramatically improve their defenses. Within a Zero Trust framework, isolation and segmentation initiatives can help them operate safely and securely.