Two IT Professionals reviewing Zero-Trust model on a tablet

June 10, 2024

The Zero Trust Model in Higher Education – A Necessary Shift

By: Jacob Picart

In 2021, the White House revealed a new nationwide cybersecurity strategy focused on the concept of zero trust. This policy was a response to a series of devastating high-profile attacks on public entities and critical infrastructure.1

Now, almost two-thirds of organizations report that they have zero trust implementations in place. The remaining third reports they plan to adopt the framework within the next 18 months. 

At the same time, the 2023 CHLOE report shows that online and hybrid enrollment has grown by 36% and 20%, respectively.2 Nearly half of all higher education executives surveyed confirm that online and multi-modal learning is a strategic priority, yet few institutions have end-to-end security controls capable of protecting those new deployments.

These initiatives need to be supported and secured by zero trust architecture. However, a great deal of confusion still surrounds the concept. Campus IT leaders are aware of the need to shift to the framework, but many don’t have clarity on exactly what that means or how to do it.

What is zero trust and how does it apply to higher education?

Zero trust is an IT security framework that requires all users who interact with network assets to continuously authenticate and validate their activities before receiving permission to access private data and applications. It has a wide-ranging impact on technologies, policies, and operations.

In higher education, that approach extends to course materials, administrative systems, and more. This makes it much harder for insider threats to manipulate internal network assets. A classic example of this kind of threat would be a student who wishes to change their grades, disrupt an exam, or interfere with the faculty’s scheduling system.

Zero trust vs. castle-and-moat models

Most higher education organizations rely on the traditional castle-and-moat model. That model places the burden of security on the network edge. Anyone with valid credentials can pass the moat and enter the castle. Once inside, there is no need to verify those credentials again.

Under the zero trust framework, there is no network edge. Every asset, application, and network segment comes with its own authentication process. This idea is bolstered by the principle of least privilege, which establishes a minimum level of access for every role in the network. It prevents users from having widespread elevated or admin-level privileges. 

In a campus IT environment, that means most students, faculty, and staff cannot access all network assets. If an attacker gains access to one staff member’s account, it does not automatically grant them access to every other part of the network. If a breach does occur, it will be contained to the network segment where it occurred.

This combination of identity-based monitoring and authentication happens whether the user comes from inside the network or outside. On-site employees, remote workers, and third-party contractors all face the same level of scrutiny: “Never trust, always verify.”

What zero trust is not: Common misconceptions

Many vendors have their own interpretations of zero trust, leading to widespread confusion about the concept itself. This puts IT leaders at a disadvantage when considering the benefits it provides.

Zero trust is not a product or a service. It is not a technology that you can buy from a vendor. Therefore, implementation is not a one-time event, but a dynamic process that involves gathering feedback and making adjustments over time.

As a result, there is no one-size-fits-all solution for implementing zero trust. Every organization has to take its unique IT infrastructure, security risk profile, and access control policies into account.

That doesn’t mean that achieving zero trust is always costly and complex. In many cases, it can be built on existing infrastructure and often with existing technology.

How zero trust improves campus security

Zero trust is a significant departure from the castle and moat method traditionally used by higher education institutions. Instead of extending trust to users and devices inside the organization’s perimeter, it validates the activities and permissions of network assets on a continuous basis.

This leads to significant improvements in campus security:

Challenges to implementing zero trust in higher education

Identity-based security and policy management is especially important to higher education because academic institutions have large student bodies. Every individual student is a potential entry point into the network, and may represent insider risk.

This makes higher education fundamentally different from the commercial enterprise environment many security tools are built for. Enterprises do not generally deprovision a quarter of their user base and replace them with new users every year—yet many four-year universities do.

At the same time, higher education institutions have much tighter budgets than similarly sized commercial enterprises. Obtaining the resources and funding necessary to implement a fully zero trust environment may seem financially unfeasible for many campus IT leaders.

However, there are practical steps universities can take to implement this framework. Obtaining best-in-class security and compliance is possible when proactive security is understood as an investment that generates value instead of a simple cost.

How can campus IT leaders achieve zero trust?

Eliminating automatic trust in a complex higher education environment takes time and effort. The process will not happen overnight, but each step on the way will lead to meaningful security improvements. Maintaining this process over time requires planning ahead and establishing a viable strategy first.

  1. Achieve buy-in from institutional leadership

The framework is not limited exclusively to security implementations. Since it impacts the usability of network assets, it requires complete buy-in at every level.

Stakeholders and institutional leaders need to see the value of adopting identity-based security policies for them to work. Faculty and staff must adhere to policies that may not come easily to them, particularly in academic contexts where the free flow of information is culturally encouraged.

  1. Start small and expand capabilities over time

IT teams routinely upgrade network assets and applications to meet new needs. The timing of these upgrades is not always convenient, but every instance of IT application modernization is an opportunity to take a step towards zero trust.

Since it is an organization-wide strategy for addressing security risk, every technology and application has a role to play. Every new implementation involves assessing access rights and permissions. Configuring those implementations according to the principle of least privilege is a small but certain way to bridge security gaps.

  1. Enforce multi-factor authentication (MFA) and single sign-on (SSO)

One example of a zero trust technology that is relatively easy to implement is multi-factor authentication. MFA is already an included feature in many cloud-native applications. Enabling it puts the entire organization a little bit closer to full compliance.

Single sign-on allows users to log into multiple systems with one set of credentials. This improves the usability of highly segmented networks and prevents users from having to remember dozens of different usernames and passwords—which usually leads to them handling their passwords in an unsafe way, like writing them down.

  1. Implement tools that support identity-based policies

Identity and Access Management (IAM) tools support zero trust objectives by enabling identity-based access control policies. Managing access according to user identities is important because every individual user may have multiple devices and accounts.

Consolidating multiple devices and accounts into a single identity makes it much harder for threat actors to bypass security controls. It enables security teams to enforce custom rules that go beyond static device attributes like IP addresses.

  1. Apply conditional access policies to network assets

One of the ways IAM solutions improve security compliance is by enabling security teams to configure access controls for different roles. When network assets grant or revoke access based on a user’s identity, they become much harder to compromise.

For example, consider the university’s learning management system. Students should have one level of access, while professors may have more privileges. Staff members may need unique types of access based on their roles, and only the administrator should have full access to the entire system.

  1. Continuously monitor authenticated users

Campus IT staff need unlimited visibility into the organization’s IT infrastructure and how users interact with network assets. Continuous monitoring allows the team to flag suspicious behaviors before they become serious threats.

Security technologies that support this process include Security Information and Event Management (SIEM) platforms and User Entity and Behavioral Analytics (UEBA). These two technologies complement one another, triggering automated alerts when network assets exhibit unusual behavior.

Simplify zero trust implementations with outsourced security expertise

Implementing zero trust as a one-time rip-and-replace initiative is beyond the capabilities of most academic institutions. It requires specialist talent with deep knowledge of the technologies and concepts involved.

Instead of dedicating in-house campus IT resources to pursuing implementation as a one-time event, higher education leaders can build a comprehensive long-term security strategy that includes identity-based monitoring and access control.

Reputable managed service vendors like Apogee, a Boldyn Networks company, provide expertise and scalable, on-demand resources for zero trust implementations. Rely on your Apogee team to improve your organization’s security capabilities and make the best use of limited internal resources.

1 Biden, Joseph R., White House, “Executive Order on Improving the Nation’s Cybersecurity,” May 2021. Accessed April 11 2024.

2  CHLOE. “CHLOE 8: Student Demand Moves Higher Ed Toward a Multi-Modal Future,” August 2023. Accessed May 7 2024.

Jacob Picart

ABOUT THE AUTHOR

Jacob Picart

Vice President, Security Services Jacob Picart joined Apogee in 2023 as member of the Executive Leadership Team. In his current role, Jacob is sharing his extensive experience in security compliance and related technologies, Amazon Web Services and Microsoft Azure cloud services, and network services for the benefit of Apogee and its higher ed clients. He is responsible for expanding the company’s comprehensive portfolio of information security services for colleges and universities. He is also responsible for continuously improving internal security processes and procedures at Apogee. Prior to joining Apogee, Jacob held various roles including serving as a cyber security architect, cloud solutions architect, and network and system engineer; leading a Managed Services Provider practice; and serving as an adjunct instructor of technology at a San Francisco-based business school, where he taught classes on Cisco-based networking, wireless, Microsoft and Linux server administration, infosec security, and ethical hacking. Picart is a member of the CompTIA Community and a past member of the EC Council. He has earned multiple AWS and Azure cloud certifications. He also has attained Certified Ethical Hacker (CEH), Microsoft Certified Professional (MCP), Microsoft Certified Security, Compliance and Identity Engineer, AWS and Azure Solutions Architect, CompTIA Network+ and Security+ certifications including various designations from industry leaders such as Splunk, Palo Alto Networks, and Brocade. Most recently, Picart obtained the Certified Information Systems Security Professional (CISSP) certification from the International Information System Security Certification Consortium (also known as ISC2).

Read Full Author Bio