The start of a new school year often brings anxious excitement to students and faculty alike.

Unfortunately, with the growing threat of cyberattacks across K-12 and higher education, this sentiment leans more anxious than excited by the year. In fact, according to the nonprofit education EDUCAUSE, in nine of the last 10 years, cybersecurity has been a top 10 issue for education institutions, with it being the number one concern for the last seven. 

Curbing this concern is far deeper than just ensuring schools and universities have the right cybersecurity hardware and software. It also means considering how competition for IT and cybersecurity talent contributes to weakened defense and how regulatory compliance related to state, federal and international laws like California Consumer Privacy Act (CCPA), Florida Information Protection Act (FIPA), Health Insurance Portability and Accountability Act (HIPPA), Gramm-Leach-Bliley Act (GLBA) and General Data Protection Regulation (GDPR) complicates the ability to rapidly build and support a strong security posture.

Even measures like cyber insurance have their drawbacks. Many institutions are finding compliance difficult through increases in premiums or deductibles and increasing control and technical requirements for underwriting. This all occurs in an environment where education budgets are already flat or declining due to other issues, such as reduced enrollment and retention.

With these constraints in focus, what can the education sector do to mitigate cyber risk? 

The adoption of a zero trust cybersecurity framework is a start.

What does zero trust mean?

Far from being the latest buzzword running around the cybersecurity community, zero trust provides an architectural approach to address the need for a unified security solution in today’s fragmented space. Zero trust brings explicit control to the IT environment where all devices and entities must be known — authenticated and authorized; their behavior must be explicitly allowed; and their actions must be understood and monitored. These principles are in stark contrast to what most organizations follow today.

For zero trust to work, an organization must first have three distinct components in place: business controls, a common control plane and an infrastructure that participates. Then, zero trust, which is comprised of seven pillars, can automate the application of security and business policy to protect the data. These seven pillars, as defined by the U.S. Department of Defense, can be explained as two distinct pieces: the infrastructure — the user, device, network/environment, and application/workload pillars, and the action of automating the management of the infrastructure — the visibility & analytics and automation & orchestration pillars.

In practical terms, this means that when the enterprise first establishes business controls, an end user may only have access to specific enterprise resources because of the user’s role or requirements — for example, accessing certain types of data based on approved credentials.

With those “rules” established, the control plane manages those decisions. Then, zero trust comes into play. So, even if it’s an approved user, access may still depend on whether the request comes from a recognized IP address via a recognized device. If just one of those conditions is not satisfied, the user is restricted from accessing it. An abnormal action like that gets logged and provides telemetry. It becomes “visibility” that either signals the automation to do something or is used to construct AI and machine learning models so that the enterprise can better understand good and bad behavior and ultimately improve the automation.

The longevity of zero trust 

So, the question remains — what can K-12 school systems and higher education institutions do to implement a Zero Trust environment to provide long-lasting, secure networks? 

The first thing to understand is that there is no zero trust product or single solution. Instead, there are products or solutions which support, advance and implement the principles outlined in zero trust. 

Because of its flexibility, an organization can start architecting zero trust principles in a phased approach. Institutions can start by covering users or workloads, for example, until optimally covering all seven principles previously mentioned. An organization should also prioritize its critical usage cases and address those first. Examples such as student and employee data, campus security automation, and campus or district-wide computer networks should be near the top of the list.

While applying zero trust should ultimately be completed for all use cases, it is important to note that due to the nature of denying implicit trust, a breach will have much more difficulty spreading from one workload to another when core workloads are protected.

The key thing to remember is that because it is a cybersecurity framework, zero trust is meant to be flexible, and as such, is best used in combination with other popular cybersecurity frameworks such as the Cybersecurity Framework | NIST, CMMC 2.0, CIS 8.0 and others to achieve maximum benefit.

Steps to take today to secure education institutions 

While implementing a zero trust framework is ideal, the truth is it will take most school systems and higher education institutions time to adopt zero trust and integrate it with existing security measures. However, there are some steps that organizations can take immediately to protect teachers and students.

With the awareness that threats continue to evolve at a rapid pace, institutions should:

• Assess internally where zero trust enabling technology is already present in the organization
• Identify gaps and prioritize areas where zero trust should be implemented first
• Work in a phased approach to first apply zero trust principles to critical use cases and workloads
• Seek the guidance of a trusted cybersecurity partner leveraging a common and proven zero trust framework.

It’s crucial for our education leaders to support a modernized cybersecurity posture grounded in a strategy that still allows for dynamic organizational innovation. While there is not one universal entry point for implementing zero trust, there are many equally valid ones that K-12 and higher education institutions can take. The most important step is simply taking one, so your institution can safeguard itself against today’s evolving threat landscape.