Why so Many Schools are Shifting to Zero Trust Security
The term “zero trust” doesn’t necessarily invoke a positive connotation. However, rephrased as “always verify,” the same principle takes on an entirely different sentiment. Semantics aside, it’s a serious security solution that schools can’t afford to ignore.
Don’t want to join the millions of institutions who had their network breached from within last year? Perimeter defences are no longer enough to keep your student data safe. Enter: zero trust security.
What is zero trust security?
With zero trust, it doesn’t matter whether an individual or device is inside or outside the network; an identity verification is required from anyone looking to access data and applications on your school network.
Since they don’t rely on network location, zero trust approaches authorise activity only after powerful authentication technology is able to verify a user. From that point, each grantee will only be able to access network resources based on their predetermined permissions. For instance, a technician would have the same access whether working from home or on site at different schools in the area.
Educational institutions looking to better understand this IT security model may also choose to think of zero trust as a castle-and-moat analogy. In the dark ages, castles relied on moats and walls to keep intruders out. However, they also had watchmen standing guard in case someone were to successfully breach the castle walls. Zero trust works the same way. It doesn't assume that the moat (firewall) alone will keep out the unwanted or trust everyone inside the gates (like traditional IT network security does). Instead, it employs defences at every level, including those on the inside.
How does zero trust security apply to the classroom?
By trusting individuals over networks, zero trust environments are more realistic for the demands of the modern classroom, especially hybrid and online classrooms.
As Security Boulevard points out, “Zero trust cybersecurity focuses on securing your data rather than just the perimeter of your network. This approach secures your school's data more effectively, regardless of the network or device a student, teacher or staff member is using. Taking this approach is particularly important for schools that are using remote or hybrid learning. In those environments, you have no way to know whether the networks that your users employ are secure or not.”
How can schools use zero trust security?
Said plainly, zero trust security protects schools from users on different networks and ensures educational institutions are prepared for emergencies.
Presently, that means safeguarding school data regardless of device or end user. Again, Security Boulevard, “You may be in one of the schools that were able to scramble to full 1:1 for the 2020/21 school year. But, it’s impossible for you to know if everyone accessing your school's Google Workspace [is] using their school-issued devices. It’s not unheard of for a student to leave a device at school, and then log in with their home computer to do homework.”
Most pressingly, multiple layers of security offer schools peace of mind that their student, faculty and school data are safe. That generally means deploying the following security principles:
- Continuous monitoring and validation
- Least privilege
- Device access control
- Microsegmentation
- Preventing lateral movement
- Multi-factor authentication (MFA)
Beyond identity and access management, all user activity and endpoints are closely tracked, monitored and flagged for any behavioural abnormalities.
Like building a castle, constructing a zero trust environment can’t happen overnight. Still, the sooner school’s start laying the foundation for this comprehensive security solution, the safer everyone will be.