Zero-trust strategies: Rethinking the security perimeter for higher ed
The unique openness of IT environments at higher education institutions challenges CIOs to protect against cyberthreats at a number of layers, whether it be applications, data servers or the network. In a new podcast, experts discuss ways to keep information accessible, but still improve security.
Peter Romness shares his expertise, looking at a new reality of cybersecurity as a “perimeterless enterprise,” which requires organizations to continually verify access. As Cisco’s U.S. public sector cybersecurity solutions lead, Romness brings his 30 years’ experience helping agencies mitigate cyberthreats to the discussion.
Wendy Nather also elaborates on ways colleges and universities might best pursue a zero-trust strategy. Nather, head of advisory CISOs with Duo Security, brings her perspective from the experience gained as an information security officer for the Texas Education Agency.
Together they talk about the principles of zero trust through the lens of higher education institutions in this podcast, produced by EdScoop and underwritten by Cisco Systems.
Key technologies support a comprehensive zero-trust strategy
“Segmentation, or micro-segmentation of the network is probably the main technology that is important with zero trust. This provides least privilege access control to all devices and users, everywhere they may be. … Micro-segmentation offers you the ‘who, what, when, where and how’ of a connection,” elaborates Romness.
“Since all of these [technologies] – from segmentation, to access decisions and network visibility – come at such high volumes and high speeds, it becomes critical that we have automation. To automate how access is granted and how to spot violations or irregularities,” says Romness.
Zero trust is a strategy, not something you buy
“If you think of your new perimeter as any place where you’re making an access-control decision, then you can be very flexible and creative as to where you put those controls. … If you start asking yourself: What more can we do to verify our users and the network, and the devices and the applications? Anything is going to bring you further along in that zero-trust journey,” says Nather.
Higher education institutions have to be creative with where they put controls
“Higher ed has already sort of been living that zero-trust life all this time. They are in the position where they can’t necessarily control their users, or the devices they’re using, or even necessarily their networks. So, they have to put in controls where they can – sometimes that’s at the application layer, sometimes that has to do with identity management, sometimes it has to do with networks,” Nather explains.
Other points explored on this podcast include:
- Why zero trust seems to have multiple definitions among IT leaders.
- What common barriers universities must overcome to implement security and access controls.
- What strategies CIOs should be thinking about moving forward in building a zero-trust strategy.
- How programs like Cisco Systems’ free Cyber Defense Clinic for Education can be used to help universities train the next generation of cyber defenders.
Listen to the podcast for the full conversation on the benefits of building a zero-trust strategy. You can hear more coverage of “IT Modernization in Higher Education” on our EdScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.
This podcast refers to Cisco’s Cyber Defense Clinic for Education, which is a teaching tool offered to higher education institutions free of charge. This cloud-based lab has live attack and defend tools that educators can use to train the next generation of cyber defenders.
The podcast was produced by EdScoop and underwritten by Cisco Systems.