In 2021, the White House revealed a new nationwide cybersecurity strategy focused on the concept of zero trust. This policy was a response to a series of devastating high-profile attacks on public entities and critical infrastructure. [1]
Now, almost two-thirds of organizations report that they have zero trust implementations in place. The remaining third reports they plan to adopt the framework within the next 18 months.
At the same time, the 2023 CHLOE report shows that online and hybrid enrollment has grown by 36% and 20%, respectively. [2] Nearly half of all higher education executives surveyed confirm that online and multi-modal learning is a strategic priority, yet few institutions have end-to-end security controls capable of protecting those new deployments.
These initiatives need to be supported and secured by zero trust architecture. However, a great deal of confusion still surrounds the concept. Campus IT leaders are aware of the need to shift to the framework, but many don’t have clarity on exactly what that means or how to do it.
What is zero trust and how does it apply to higher education?
Zero trust is an IT security framework that requires all users who interact with network assets to continuously authenticate and validate their activities before receiving permission to access private data and applications. It has a wide-ranging impact on technologies, policies, and operations.
In higher education, that approach extends to course materials, administrative systems, and more. This makes it much harder for insider threats to manipulate internal network assets. A classic example of this kind of threat would be a student who wishes to change their grades, disrupt an exam, or interfere with the faculty’s scheduling system.
Zero trust vs. castle-and-moat models
Most higher education organizations rely on the traditional castle-and-moat model. That model places the burden of security on the network edge. Anyone with valid credentials can pass the moat and enter the castle. Once inside, there is no need to verify those credentials again.
Under the zero trust framework, there is no network edge. Every asset, application, and network segment comes with its own authentication process. This idea is bolstered by the principle of least privilege, which establishes a minimum level of access for every role in the network. It prevents users from having widespread elevated or admin-level privileges.
In a campus IT environment, that means most students, faculty, and staff cannot access all network assets. If an attacker gains access to one staff member’s account, it does not automatically grant them access to every other part of the network. If a breach does occur, it will be contained to the network segment where it occurred.
This combination of identity-based monitoring and authentication happens whether the user comes from inside the network or outside. On-site employees, remote workers, and third-party contractors all face the same level of scrutiny: “Never trust, always verify.”
What zero trust is not: Common misconceptions
Many vendors have their own interpretations of zero trust, leading to widespread confusion about the concept itself. This puts IT leaders at a disadvantage when considering the benefits it provides.
Zero trust is not a product or a service. It is not a technology that you can buy from a vendor. Therefore, implementation is not a one-time event, but a dynamic process that involves gathering feedback and making adjustments over time.
As a result, there is no one-size-fits-all solution for implementing zero trust. Every organization has to take its unique IT infrastructure, security risk profile, and access control policies into account.
That doesn’t mean that achieving zero trust is always costly and complex. In many cases, it can be built on existing infrastructure and often with existing technology.
How zero trust improves campus security
Zero trust is a significant departure from the castle-and-moat model traditionally used by higher education institutions. Instead of extending trust to users and devices inside the organization’s perimeter, it validates the activities and permissions of network assets on a continuous basis.
This leads to significant improvements in campus security:
- Deep visibility into security threats and risk: Generate meaningful log data when threat actors attempt to access sensitive assets, making threat investigation more accurate and thorough.
- Consistent access control policies: Identity-based access policies are clear and enforceable, extending to all users, devices, and applications, regardless of their location.
- Improved remote learning and work capabilities: Consistent access control policies enable remote learning and remote work. Students, faculty, and staff no longer depend on strictly on-site workflows.
- Faster and more comprehensive threat response: Robust security architecture and microsegmentation make threat detection and response much more efficient. Analysts spend less time combing through unstructured data and more time making meaningful security decisions.
- Better performance against malicious insiders and credential-based attacks: Traditional security tools can’t distinguish between legitimate users and insider threats. The identity-based approach enables new security capabilities that directly address these high-severity risks.
Challenges to implementing zero trust in higher education
Identity-based security and policy management is especially important to higher education because academic institutions have large student bodies. Every individual student is a potential entry point into the network, and may represent insider risk.
This makes higher education fundamentally different from the commercial enterprise environment many security tools are built for. Enterprises do not generally deprovision a quarter of their user base and replace them with new users every year—yet many four-year universities do.
At the same time, higher education institutions have much tighter budgets than similarly sized commercial enterprises. Obtaining the resources and funding necessary to implement a fully zero trust environment may seem financially unfeasible for many campus IT leaders.
However, there are practical steps universities can take to implement this framework. Obtaining best-in-class security and compliance is possible when proactive security is understood as an investment that generates value instead of a simple cost.
How can campus IT leaders achieve zero trust?
Eliminating automatic trust in a complex higher education environment takes time and effort. The process will not happen overnight, but each step on the way will lead to meaningful security improvements. Maintaining this process over time requires planning ahead and establishing a viable strategy first.
- Achieve buy-in from institutional leadership
The framework is not limited exclusively to security implementations. Since it impacts the usability of network assets, it requires complete buy-in at every level.
Stakeholders and institutional leaders need to see the value of adopting identity-based security policies for them to work. Faculty and staff must adhere to policies that may not come easily to them, particularly in academic contexts where the free flow of information is culturally encouraged.
- Start small and expand capabilities over time
IT teams routinely upgrade network assets and applications to meet new needs. The timing of these upgrades is not always convenient, but every instance of IT application modernization is an opportunity to take a step towards zero trust.
Since it is an organization-wide strategy for addressing security risk, every technology and application has a role to play. Every new implementation involves assessing access rights and permissions. Configuring those implementations according to the principle of least privilege is a small but certain way to bridge security gaps.
- Enforce multi-factor authentication (MFA) and single sign-on (SSO)
One example of a zero trust technology that is relatively easy to implement is multi-factor authentication. MFA is already an included feature in many cloud-native applications. Enabling it puts the entire organization a little bit closer to full compliance.
Single sign-on allows users to log into multiple systems with one set of credentials. This improves the usability of highly segmented networks and prevents users from having to remember dozens of different usernames and passwords—which usually leads to them handling their passwords in an unsafe way, like writing them down.
- Implement tools that support identity-based policies
Identity and Access Management (IAM) tools support zero trust objectives by enabling identity-based access control policies. Managing access according to user identities is important because every individual user may have multiple devices and accounts.
Consolidating multiple devices and accounts into a single identity makes it much harder for threat actors to bypass security controls. It enables security teams to enforce custom rules that go beyond static device attributes like IP addresses.
- Apply conditional access policies to network assets
One of the ways IAM solutions improve security compliance is by enabling security teams to configure access controls for different roles. When network assets grant or revoke access based on a user’s identity, they become much harder to compromise.
For example, consider the university’s learning management system. Students should have one level of access, while professors may have more privileges. Staff members may need unique types of access based on their roles, and only the administrator should have full access to the entire system.
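The learning management system scenario above, worked through as an added example (not code from Apogee or from the original article): a small identity-based policy engine in which each role is granted only the resources and actions it needs, anything not granted is denied by default, record-changing actions additionally require a managed device on top of MFA, and every decision is written to an audit log so that denied attempts on sensitive assets become the kind of investigation-ready log data described under “Deep visibility into security threats and risk” earlier on this page. The role names, resources, actions, user names and session conditions are all constructed for the illustration; a real deployment would take them from the institution’s IAM/SSO provider.

```python
"""Identity-based, least-privilege access policy for a hypothetical campus LMS.

Added illustration, not Apogee's or any vendor's code. The roles, resources,
actions, user names and session conditions below are constructed for the
example; a real deployment would pull them from the IAM/SSO provider.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Each role lists exactly the (resource, action) pairs it needs. Anything not
# listed is denied: least privilege means the default answer is "no", and no
# role other than "admin" can reach the whole system.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "student": frozenset({
        ("course_materials", "read"),
        ("assignments", "submit"),
        ("grades", "read_own"),
    }),
    "instructor": frozenset({
        ("course_materials", "read"),
        ("course_materials", "write"),
        ("assignments", "read"),
        ("grades", "read_course"),
        ("grades", "write_course"),
    }),
    "registrar_staff": frozenset({
        ("grades", "read_all"),
        ("enrollment", "write"),
    }),
    "admin": frozenset({("*", "*")}),  # full access to the entire system
}

# Actions that change sensitive records need a stronger session context than
# a plain login: a university-managed device in addition to MFA.
STEP_UP_ACTIONS = {
    ("grades", "write_course"),
    ("enrollment", "write"),
    ("course_materials", "write"),
}


@dataclass
class Session:
    """What the IAM/SSO layer asserts about the current user (constructed)."""
    user: str
    roles: List[str]
    mfa_verified: bool
    managed_device: bool


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class PolicyEngine:
    # Every decision is recorded; denied attempts on sensitive assets are the
    # log data an investigator wants later.
    audit_log: List[dict] = field(default_factory=list)

    @staticmethod
    def _role_permits(role: str, resource: str, action: str) -> bool:
        perms = ROLE_PERMISSIONS.get(role, frozenset())   # unknown role: nothing
        return ("*", "*") in perms or (resource, action) in perms

    def authorize(self, session: Session, resource: str, action: str) -> Decision:
        # 1. Always verify: without an MFA-verified session there is no access.
        if not session.mfa_verified:
            decision = Decision(False, "mfa_required")
        # 2. Identity decides: some role of the user must grant this exact pair.
        elif not any(self._role_permits(r, resource, action) for r in session.roles):
            decision = Decision(False, "no_role_grants_permission")
        # 3. Conditional access: step-up requirement for record changes.
        elif (resource, action) in STEP_UP_ACTIONS and not session.managed_device:
            decision = Decision(False, "managed_device_required")
        else:
            decision = Decision(True, "ok")
        self.audit_log.append({
            "user": session.user, "roles": list(session.roles),
            "resource": resource, "action": action,
            "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision

    def denied_attempts(self, resource: str) -> List[dict]:
        """Denied requests against one resource, for threat investigation."""
        return [e for e in self.audit_log
                if e["resource"] == resource and not e["allowed"]]


def demo() -> PolicyEngine:
    """Run a few constructed requests through the policy; return the engine."""
    engine = PolicyEngine()
    student = Session("s.lee", ["student"], mfa_verified=True, managed_device=False)
    prof = Session("dr.kim", ["instructor"], mfa_verified=True, managed_device=False)
    prof_lab = Session("dr.kim", ["instructor"], mfa_verified=True, managed_device=True)
    admin = Session("lms.admin", ["admin"], mfa_verified=True, managed_device=True)

    engine.authorize(student, "grades", "read_own")       # allowed
    engine.authorize(student, "grades", "write_course")   # denied: not a student right
    engine.authorize(prof, "grades", "write_course")      # denied: unmanaged device
    engine.authorize(prof_lab, "grades", "write_course")  # allowed
    engine.authorize(admin, "enrollment", "write")        # allowed
    return engine


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

The ordering of the checks is deliberate: session strength is verified before the role lookup, so a request from an unverified session never even reaches the permission table, and the step-up condition is evaluated last so the audit entry records the most specific reason a request was refused.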
- Continuously monitor authenticated users
Campus IT staff need unlimited visibility into the organization’s IT infrastructure and how users interact with network assets. Continuous monitoring allows the team to flag suspicious behaviors before they become serious threats.
Security technologies that support this process include Security Information and Event Management (SIEM) platforms and User and Entity Behavior Analytics (UEBA). These two technologies complement one another, triggering automated alerts when users or network assets exhibit unusual behavior.
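To make the continuous-monitoring step concrete, here is an added example (not Apogee’s code and not part of the original article) of the kind of per-user behavior baseline a UEBA tool builds, run over constructed access-log lines. It learns, for each authenticated user, the assets, source countries and hours of day seen in a historical window, then scores new events against that baseline and raises an alert for a sharp deviation or for repeated denied attempts in a short window. The log line format, user names, asset names, country codes, weights and thresholds are all constructed for the illustration.

```python
"""Per-user behavior baseline of the kind a UEBA tool builds, over constructed logs.

Added illustration, not Apogee's code. The log format, users, assets,
countries, weights and thresholds are made up for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) asset=(?P<asset>\S+) "
    r"result=(?P<result>allowed|denied) src_country=(?P<country>[A-Z]{2})$"
)

# Constructed history used to learn what "normal" looks like per user.
BASELINE_LINES = """\
2024-04-01T09:05:00Z user=jdoe asset=lms result=allowed src_country=US
2024-04-01T13:40:00Z user=jdoe asset=email result=allowed src_country=US
2024-04-02T10:15:00Z user=jdoe asset=lms result=allowed src_country=US
2024-04-03T14:02:00Z user=jdoe asset=library result=allowed src_country=US
2024-04-01T08:55:00Z user=asmith asset=grades_db result=allowed src_country=US
2024-04-02T09:10:00Z user=asmith asset=grades_db result=allowed src_country=US
""".splitlines()

# Constructed new events to score against that history.
NEW_LINES = """\
2024-04-11T02:14:00Z user=jdoe asset=grades_db result=denied src_country=RO
2024-04-11T02:15:00Z user=jdoe asset=grades_db result=denied src_country=RO
2024-04-11T02:16:00Z user=jdoe asset=grades_db result=denied src_country=RO
2024-04-11T09:30:00Z user=asmith asset=grades_db result=allowed src_country=US
""".splitlines()

ALERT_THRESHOLD = 4          # score at or above this raises a deviation alert
BURST_COUNT = 3              # this many denials ...
BURST_WINDOW = timedelta(minutes=10)   # ... inside this window raises a burst alert


def parse_line(line: str) -> dict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def build_baseline(lines: List[str]) -> Dict[str, dict]:
    """Learn, per user, the assets, countries and hours seen in the history."""
    baseline: Dict[str, dict] = defaultdict(lambda: {"assets": set(), "countries": set(), "hours": set()})
    for e in map(parse_line, lines):
        b = baseline[e["user"]]
        b["assets"].add(e["asset"])
        b["countries"].add(e["country"])
        b["hours"].add(e["ts"].hour)
    return dict(baseline)


def score_event(event: dict, baseline: Dict[str, dict]) -> Tuple[int, List[str]]:
    """Weighted deviation score of one event from its user's baseline."""
    profile = baseline.get(event["user"])
    if profile is None:
        return 5, ["no_baseline_for_user"]
    score, reasons = 0, []
    if event["country"] not in profile["countries"]:
        score += 3; reasons.append("new_source_country")
    if event["asset"] not in profile["assets"]:
        score += 2; reasons.append("asset_never_used_before")
    if event["ts"].hour not in profile["hours"]:
        score += 1; reasons.append("outside_usual_hours")
    if event["result"] == "denied":
        score += 1; reasons.append("access_denied")
    return score, reasons


def detect(lines: List[str], baseline: Dict[str, dict]) -> List[dict]:
    """Score new events and return the alerts an analyst would see."""
    alerts: List[dict] = []
    recent_denials: Dict[str, List[datetime]] = defaultdict(list)
    for event in map(parse_line, lines):
        score, reasons = score_event(event, baseline)
        if score >= ALERT_THRESHOLD:
            alerts.append({"rule": "behaviour_deviation", "user": event["user"],
                           "asset": event["asset"], "score": score, "reasons": reasons})
        if event["result"] == "denied":
            # Sliding window: keep only denials within BURST_WINDOW of this one.
            window = [t for t in recent_denials[event["user"]] if event["ts"] - t <= BURST_WINDOW]
            window.append(event["ts"])
            if len(window) >= BURST_COUNT:
                alerts.append({"rule": "repeated_denials", "user": event["user"],
                               "asset": event["asset"], "count": len(window)})
                window = []          # reset so one burst yields one alert
            recent_denials[event["user"]] = window
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_LINES, build_baseline(BASELINE_LINES)):
        print(alert)
```

With the constructed data, the three off-hours attempts on the grades database from a country the user has never logged in from each score well above the threshold, and the third attempt also trips the repeated-denials rule, while the registrar staff member’s routine morning access produces no alert at all. The weights are illustrative; a production UEBA tool learns them from far more history and feeds the alerts into the SIEM for correlation with the access-policy audit log.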
Simplify zero trust implementations with outsourced security expertise
Implementing zero trust as a one-time rip-and-replace initiative is beyond the capabilities of most academic institutions. It requires specialist talent with deep knowledge of the technologies and concepts involved.
Instead of dedicating in-house campus IT resources to pursuing implementation as a one-time event, higher education leaders can build a comprehensive long-term security strategy that includes identity-based monitoring and access control.
Reputable managed service vendors like Apogee, a Boldyn Networks company, provide expertise and scalable, on-demand resources for zero trust implementations. Rely on your Apogee team to improve your organization’s security capabilities and make the best use of limited internal resources.
[1] Biden, Joseph R., White House, “Executive Order on Improving the Nation’s Cybersecurity,” May 2021. Accessed April 11, 2024.
[2] CHLOE, “CHLOE 8: Student Demand Moves Higher Ed Toward a Multi-Modal Future,” August 2023. Accessed May 7, 2024.