While the move from perimeter-based defense to zero-trust security remains high on most CISOs’ priority lists, it’s been arguably more of a challenge for colleges and universities, given the complexity of their operations, the constant turnover of users, and the relentless budget pressures they continue to face.
For Kent State University, deciding the best way forward came down to a decision — either take the “blue pill” or the “red pill,” recalls Bob Eckman, Kent State’s chief information security officer.
Channeling a pivotal scene from the 1999 sci-fi film “The Matrix,” Eckman tells the story in a new FedScoop podcast of how he and his IT associates agreed to abandon their waterfall approach to security project development in order to implement a zero-trust environment by capitalizing on an existing Microsoft enterprise platform.
“The blue pill was the old way of doing business. The red pill is the new way of doing business. And the new way of doing business for us was moving more to an agile model that really mirrored Microsoft’s approach to development,” says Eckman in the podcast, which was underwritten by Microsoft.
“And when we did that, what we found is we were able to stay in step with Microsoft more succinctly. We were able to implement changes more effectively… and much more smoothly. So it wasn’t just looking from a technical perspective. It was looking from a process, program and cultural perspective as well.”
Zeroing in on zero trust
Eckman, who’s also earned recognition for his accomplishments in the classroom teaching graduate-level cybersecurity courses, recalls that Kent State’s journey to zero trust was a natural and necessary response to the growing threat landscape the university faced.
Ohio’s second-largest university, Kent State now operates in a number of different countries and serves upwards of 30,000 active students on five regional campuses, while also supporting 400,000 active identities when alumni, faculty and researchers are added in.
“The zero trust environment really allows us to have that adaptive, flexible environment outside the zero-trust enclave, while at the same time, giving us that ability to put a solid perimeter around what is most important to us,” Eckman says. “It was critically important that we look at our technologies from a risk perspective and understand what is most important to the organization. We all know that it’s not a matter of if you get compromised, but when. So our approach has really been zero trust and defense in depth,” he says.
“One of the things that jumped out to me about what Kent State has been able to do,” says Corey Lee, zero trust architect at Microsoft, “is their ability to look across their entire digital estate and really have a solid understanding of what they have on premises, in the cloud and in their hybrid environment. Whether that’s endpoint devices being used by students, or cloud services that are being leveraged in their digital ecosystem — just the ability to really understand that digital estate and to be able to map controls to that digital estate,” have been central factors to adopting zero trust, Lee says during the podcast.
Another factor Lee points to is Kent State’s use of trust zones — “knowing those areas where assets may exist within the environment, and how there may need to be different types of controls in place in order to provide different layers of protection, or intelligent security controls, to provide holistic security for the digital estate.”
Making the business case for zero trust
Eckman highlights during the podcast some of the key steps he took to win buy-in for zero-trust security from the university’s administrators and to implement his strategy.
“We’ve federated [upwards of 100] third party applications with our Microsoft environment. And we were able to actually show, using just some basic calculations, that implementing that technology — allowing for that seamless sign-on integration for the user experience — saved us about a minute or so per login over a period of a year. When you’ve got 8,000 individuals interacting with your technologies on a weekly basis, that can equate to upwards of two-to-four FTEs a year,” he says.
“The second big piece is resiliency. When you talk about compliance, and… regulation, these are all great tools to maintain what I would call a baseline security program,” especially given the range of compliance rules universities have to meet. In many cases, universities operate “as healthcare facilities, we are financial [institutions], we do therapy sessions with students, we do housing, we do food. We hit just about every single compliance measure on the cybersecurity wheel,” he says.
“Then you begin to weigh that against the cost of breaches — we’ve seen many schools fall victim to some very large breaches — and the numbers keep getting higher and higher. The return on investment discussion really becomes rather easy to have with leadership. I’ve been very fortunate. I’ve got great leadership at the university that’s been incredibly supportive of our program.”
Lee and Eckman both wrap up the podcast conversation with their recommendations on the lessons colleges and universities might take away from Kent State’s experience.
Listen to the podcast for the full conversation on Kent State University’s journey to zero-trust security and learn more about it here. You can hear more coverage of “IT Modernization in Higher Education” on EdScoop.com and on EdScoop’s radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.
This podcast was produced by EdScoop and underwritten by Microsoft.
Bob Eckman has more than 25 years of experience in security, technology, and project and program management, having previously led cybersecurity programs at FirstEnergy, Progressive Insurance and Shearers Foods. He is an active member of ISC2 and has earned recognition for his accomplishments teaching graduate-level cybersecurity courses.
Corey J. Lee has served in IT risk and assurance consulting roles for the likes of Ernst & Young and Booz Allen Hamilton before joining Microsoft nearly 9 years ago. He currently serves as a solution strategist and delivery architect, as well as a senior consultant. Corey is a Certified Ethical Hacker.