Higher Ed, Cyber threats and Zero Trust
Pritesh Suvarna
Transformation Leader | Sustainability | Digital | GTM Leader | Climate Tech & ESG | Enterprise Architecture & Engineering | Business Management | Professional Services |
"If we release your information, you will lose more than what we have demanded for", wrote the ransomware hacker to the representative of a large Californian University. This was in the summer of 2020 and the University finally settled on an undisclosed ransom in exchange for the decryption key.
Over the past few years, we have consistently seen similar news reports of hackers gaining access to sensitive information and demanding ransoms from Universities. Here are some worrying statistics.
The ramifications of cyber-attacks have been felt across the value chain of the University landscape - enrolments, learning & teaching, research and administration - and have negatively impacted brand value, rankings, revenue growth and efficiency.
Post-pandemic, the velocity of digital transformation has quadrupled in the past 12 months versus the previous 4 years. Business leaders are aware that higher digital exposure also means exposure to new vulnerabilities and expansion of the threat landscape. In 2023, Australian Cyber Security Centre’s latest cyber threat report confirmed that Education and training providers were the fifth-most targeted sector for cyber-attacks. Some of the recent cyber-attacks on Australian Universities were as follows:
Why is the Higher Education sector targeted?
Two critical types of information are stored and maintained by Universities.
Personally Identifiable Information (PII): Universities store and maintain large amounts of PII dating back many years, which can be exploited for financial theft, identity-related fraud or ransom. Identity-related thefts can invite expensive lawsuits. Students go on to become industry experts and professionals, who remain targets for future threats.
Research & Confidential information: Universities store large amounts of confidential research information, cutting-edge innovation and inventions in the areas of healthcare, technology and other important disciplines. Data theft can seriously impair the University financially and impact its global reputation and brand for years. For example, in June 2020, a large University in California that supported COVID-19 research paid a USD 1.14 million ransom demand after NetWalker threat actors infected several servers in the University's School of Medicine with ransomware.
Post pandemic evolution of Higher Education sector
The Higher Education technology landscape has rapidly evolved over the past 2 years.
Rise in remote and hybrid learning: Post-pandemic, universities are planning transformations to support fully remote campuses, enabling students, faculty, administrative staff and partners to engage with each other virtually. The outside-in business models have given rise to rapid adoption of digital technologies; however, digital security has lagged behind this transformation.
Complex legacy infrastructure: Though Universities have embarked on new business and operating models for the future, they operate on a mix of modern technologies such as cloud and edge computing and legacy, monolithic infrastructure that carries known exposure to vulnerabilities. Additionally, change processes and risk mitigations can be slowed down by the very nature of the existing infrastructure.
Heterogeneous endpoints: Cyber threats do not stop at the infrastructure or perimeter of the institution. Technological evolution and Bring Your Own Device (BYOD) policies have opened multiple endpoints into University assets. Therefore stakeholders - students, staff, prospective students, consultants - are now considered to carry potential endpoint vulnerabilities. Students connect to University networks through multiple devices which can become compromised. Similarly, university staff, especially in research and teaching, are used to having admin rights, which makes their devices a potential compromised endpoint.
Disparate supply chain: As new business and operating models take shape owing to digital transformation, the scope of operations and commercials extends beyond Universities' immediate network. Integration with SaaS education providers and MOOCs, business partners and suppliers creates new points of exposure. The legacy approach of only hardening the perimeter may not be enough to block attackers who can gain access by compromising any of the partners.
Limitations with the current / legacy Cyber Security architecture and approach
Perimeter-based security: Traditionally, network architectures were built on organisational LANs (Local Area Networks) within data centres, which formed the organisation's network perimeter. Anything connected to the LAN was considered 'trusted' and anything coming from outside was considered 'untrusted'. Therefore external entities had to prove their identity through organisational security policies and tools. The fundamental flaw of perimeter-based architecture is that anyone accessing the network from inside the firewall is implicitly trusted.
In the digital age, wherein students, staff, partners and other stakeholders work inside and outside the perimeter of the organisation's firewall, the traditional perimeter-based security approach that differentiates 'trusted' vs 'untrusted' by location may not be viable. Through identity theft, impersonation and phishing, hackers are quickly able to pose as 'trusted' entities, move laterally within the organisation's network and carry out malicious acts. Therefore, identity and access to assets and information become more crucial for Universities in the modern age than location-based perimeters.
Zero Trust Network Architecture (ZTNA)
What is ZTNA?
The definition of 'Zero Trust' has evolved over the past few years. NIST (National Institute of Standards and Technology, SP 800-207) defines it as a cyber security approach that fundamentally considers 'all' entities as 'untrusted' by default until verified through modern identity management tools and policies, and that focuses on information security and endpoints, including their lifecycle. This approach provides a level playing field for all entities and therefore enables streamlined policy creation, centralised access control and visibility.
ZTNA (Zero Trust Network Architecture) is the enterprise implementation of the Zero Trust approach. It aims to secure access to applications and services by denying access to anyone or anything unless explicitly allowed through policies. This approach enables tighter network security and micro-segmentation that can limit lateral movement if a breach occurs. ZTNA eliminates past 'trust' and only focusses on present 'trust' indicators to allow access.
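To make the contrast between perimeter-based trust and ZTNA's deny-by-default, present-trust evaluation concrete, here is an added Python example (not from the article or any vendor product); the roles, resources, MFA-age thresholds and the campus LAN prefix are hypothetical.

```python
# Added example (not from the article): a toy policy decision point contrasting
# perimeter-based trust with a Zero Trust, deny-by-default evaluation.
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    role: str              # e.g. "student", "researcher", "admin"
    source_ip: str         # where the request comes from
    device_managed: bool   # institution-managed device with current patches
    mfa_age_min: int       # minutes since last MFA challenge (a "present trust" indicator)
    resource: str          # application / micro-segment being accessed


CAMPUS_LAN = "10.0."       # hypothetical campus LAN prefix


def perimeter_decision(req: Request) -> bool:
    """Legacy model: anything inside the LAN is trusted, regardless of who or what it is."""
    return req.source_ip.startswith(CAMPUS_LAN)


# Explicit allow policies per resource (micro-segment). Anything not listed is denied.
POLICIES = {
    "lms":            {"roles": {"student", "researcher", "admin"}, "managed": False, "max_mfa_age": 720},
    "research-share": {"roles": {"researcher", "admin"},            "managed": True,  "max_mfa_age": 60},
    "sis-admin":      {"roles": {"admin"},                          "managed": True,  "max_mfa_age": 15},
}


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Deny by default; allow only when every present-trust indicator passes the resource's policy."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return False, "no policy for resource"            # default deny
    if req.role not in policy["roles"]:
        return False, "role not permitted on this segment"
    if policy["managed"] and not req.device_managed:
        return False, "unmanaged device"
    if req.mfa_age_min > policy["max_mfa_age"]:
        return False, "MFA too old, re-authenticate"
    return True, "allowed"


# Constructed scenario: a compromised student laptop already on the campus LAN
# attempts lateral movement toward the research file share.
compromised = Request("s1234", "student", "10.0.5.17", False, 600, "research-share")

if __name__ == "__main__":
    print("perimeter:", perimeter_decision(compromised))      # True: inside the LAN, so trusted
    print("zero trust:", zero_trust_decision(compromised))    # (False, 'role not permitted on this segment')
```

Note that network location never appears in `zero_trust_decision`: a researcher on a managed device with a fresh MFA is allowed from off-campus, while the on-LAN compromised device is denied at the first failing check.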
Why ZTNA and Why Now?
Though ZTNA has been in the architecture domain for a decade, it has been dormant due to difficulty of adoption, ease of implementation, business case and other factors. However, rapid digitalisation has brought ZTNA back into the mainstream and it is now considered an effective approach to deal with modern cyber threats. ZTNA can now be deployed quickly and in a cost-effective way. In addition, ZTNA makes more sense due to the rise in remote or hybrid learning, cloud adoption and digital transformation.
Several IT, networking and security suppliers implement ZTNA in different ways. Over time, these suppliers will implement ZTNA to replace ageing VPN infrastructure and as part of an overall Secure Access Service Edge (SASE) architecture.
Implementing ZTNA
One of the misconceptions about ZTNA is that the security architecture has to be redesigned from scratch, followed by a University-wide implementation. However, ZTNA can leverage existing investments, followed by a prioritised deployment strategy.
A ZTNA maturity assessment is an important first step to understand the current state, formulate the future state and implement iteratively. Universities should prioritise protecting the most vulnerable assets and user classes, starting with IDAM (Identity and Access Management) and PAM (Privileged Access Management) for students and staff, followed by other priority items.
Conclusion and looking forward
Post-pandemic digitalisation has expanded the threat landscape of Universities and Educational institutions: students, professors, non-teaching staff and third party stakeholders work, shop and learn from anywhere and are more digitally connected than ever before. The legacy perimeter-based security approach that considered securing digital assets within boundaries of the organisation is no longer adaptive to the digital age. Therefore cyber threat vectors have increased exponentially and require agile mindset and design approaches.
Zero Trust represents a change in a fundamental assumption (from a safe network to a hostile data and application environment) and will require changes throughout current practices for security, productivity, application development, IT operations, and more. Zero Trust security capabilities enable organisations to secure data/information, applications, APIs, and any data integrations, on any network, including the cloud, internal networks, and public or untrusted (zero trust) networks.
In my next article, I will discuss the ZTNA implementation guidance for Universities, the ZT Maturity model, comparisons with evolving approaches such as SASE and what happens to existing technologies such as VPN and Citrix and much more. Stay tuned.
Sources: