During COVID times, schools all over the country moved online to offer remote learning opportunities to students. This happened very quickly, and it made educational institutions undergo rapid digital transformations. As with anything that is done rapidly, thoughts about security comes last. In this post we will go through a very reliable security framework for K-12 institutions called Zero Trust.
What is Zero Trust?
Zero Trust is a security model in which every access to the entire organization’s network is monitored continuously. So, in this security model, every attempt to access a school’s network is firstly verified and approved. This Zero Trust security model is a requirement for Federal government IT teams, and the Pentagon has an aim to make the entire agency operate on the Zero Trust architecture by 2027.
In simple terms, Zero Trust believes that every single traffic, every single user, and every single system connected to the network is a potential threat that should not be trusted. Zero Trust gives equal opportunities to outsiders and insiders to access network services, but only the ones with the correct credentials will be allowed in. This is done so by using strong authentication, device posture checking and other contextual information, such as time of day and geographical location. With Zero Trust, it is highly unlikely that even someone with stolen credentials will be able to break into the system.
Zero Trust and Ransomware?
Ransomware is usually delivered as a payload of an email, and/or by tricking users to download malware. Zero Trust can also help your educational institute to fight ransomware by reducing infection, blocking lateral network movement, blocking exfiltration of stolen data, and alerting suspicious network activity.
Zero Trust reduces infections by including posture checking to verify that state of the client, ensuring software patches, OS updates and security controls are enabled. If anyone in the network turns off anti-malware applications, they are immediately blocked from all other applications to ensure protection.
Ransomwares steal data and exfiltrate them to a criminal’s server to give them more bargaining power. Zero Trust does not allow this to happen because it has control over the flow of information over the network. This makes sure that even lateral network movements are controlled, and all suspicious activities identified, and the admins immediately alerted.
What is the Process of Adapting Zero Trust?
The implementation of zero trust needs to span five pillars, which are, identity, devices, networks, applications and workloads, and data. According to the Zero Trust Architecture there are seven tenets that needs to be followed by IT professionals when designing the architecture:
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy - including the observable state of client identity, application/service, and the requesting asset - and may include other behavioral and environmental attributes.
- The organization monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentications and authorizations are dynamic and strictly enforced before access is allowed.
- The organization collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
These tenets are required to be followed for every staff and student device available in the network, as well as all applications and resources they access. IT professionals in an educational institute will not be fully equipped to handle all the tenets from day one, so it is very important to view the Zero Trust framework as a journey.
Let’s look at how your institute will progress while adapting Zero Trust into your educational institution.
Traditional: This is where your institution is probably at when you are just starting out. All security measures are manual with manual deployments of threat detection, and minimal encryptions.
Initial: This is the first step in the journey of adapting Zero Trust. You will need to look into implementing automation for protections like access expiration and threat protection.
Advanced: This stage will include protections like phishing-resistant multifactor authentication, session-based access, encrypted network traffic and data at rest, and redundant but highly available data stores with static data loss prevention.
To go more into details about this step, multifactor authentication is a type of security measure that enables users to verify their identity through multiple sources, such as text messages, or authenticator apps. It is highly recommended to not use traditional text messages as a multifactor authenticator because it can be easily tapped by a hacker in what is known as a Man-in-the-Middle Attack (MITM).
Optimal: This is the level where the Zero Trust framework is fully functional with self-reporting solutions, least privilege access and centralized visibility with situational awareness. By this level, you will need to incorporate continuous user validation, access control with microperimeters and continuous data inventorying with automated data categorization.
Wrapping Everything Up
Zero Trust is a framework for cybersecurity that is highly recommended to be put in place by educational institutions due to the fact that those institutions have a lot of personal data of students which should not be leaked. As the name implies, Zero Trust has zero trust in any device, system, or person being connected to the network. It makes sure that the device/service/person being connected to the network is the device/service/person without a doubt, or it will not give access to the device/service/person being connected.
Zero Trust will also help the network by dealing with ransomware by reducing infection, blocking lateral network movement, blocking exfiltration of stolen data, and alerting suspicious network activity.
Zero Trust is not a singular product, or a simple step that can be taken to magically get cybersecurity protection. It is a series of steps and different products you can implement to get the desired goal. That is why Zero Trust needs to be seen as a journey that will lead to an end, and not something that can be implemented in a single day.