Martin Roots, Managing Director of Expedia Group Limited, charts the way to the zero trust model of security for higher education.
Every university is equipped with:
High-Value Data
· Student Records
· Staff Records
· Financial Records
· Commercial Data
· Research Data
· Know-How
Mission-Critical Infrastructure
· Identity Management
· Networks
· Datacentres
· On-premise services (Applications, Databases, Systems, Storage & Platforms)
· Cloud-based services
· Endpoints
Infrastructure and data are vulnerable to attack by various means, and a poorly handled breach can result in a significant financial, legal, or reputational impact on the institution and have immediate and tangible consequences for those affected.
Until now, the protection of these assets has largely focused on the perimeter. But the user population is becoming more complex (think of the many kinds of users found in a university: students, researchers and staff, as well as partners and contractors) and boundaries are dissolving (think remote and hybrid working, studying and teaching, as well as the move of core services into the cloud). While it is essential to have a variety of security measures in place, backed by effective operational security hygiene according to best practice, perimeter defence is no longer an all-encompassing strategy.
Modern security is about ensuring that only the right people have access, at the right level, to the resources they need, in the appropriate context, and that access can be monitored constantly, without creating unnecessary friction for users. This concept of security is called Zero Trust.
But as every organization will be at a different level of maturity, how do we get started while maintaining our current (and perhaps ‘legacy’) cyber security capability/investment?
Developing and implementing an overall Zero Trust security strategy needs to consider the IT, security, and business projects that are currently ‘in motion’ or scheduled. It must also look at existing security controls and operational ‘hygiene’ capabilities and capacities.
With the limited resources of the university, crucial investment decisions should be made as soon as possible to determine the best places for funds and resources to be invested, whether new funds and resources are required, or if the present investment (and allocation of resources) can be shifted to achieve a better result.
In a perfect world:
· Anything that is brand new must be delivered following the new strategy, design principles, architecture, and operating model.
· Any ‘in-flight’ item that is not yet implemented should be evaluated as soon as possible, refocused, and adjusted to match the latest direction of travel.
· Anything not currently being addressed (e.g., the stable ‘legacy’ estate) should be assessed for security vulnerabilities and exposure, and remediated according to asset criticality, sensitivity and value.
· Because this is a path that will see us traverse different levels of information security maturity over many years, the business case can be broken down into phases.
The journey’s first stage includes a variety of different phases:
· The creation of the University Information Security Strategy, Architecture, Design Principles, and Operating Model, in line with the Zero Trust Maturity Model.
· The consolidation and delivery of in-flight initiatives, and, towards the end of the business case period,
· A complete business case for the programme that will support the strategy’s execution over the following stages or years.
The phases are discussed in more detail in the following paragraphs.
Phase 1: Create the architecture and operating model for the programme, following the Zero Trust principles:
Never trust, always verify: secure corporate assets by removing persistent trust in all things, such as identities, devices, workloads (apps and infrastructure), networks and data.
Assume breach: operate under the assumption that the environment has already been breached. Engineers should minimise the impact of a breach using controls that restrict movement and limit the damage.
Verify explicitly: several types of verification, both active (RBAC, user and entity behaviour analytics, context) and static (passwords, biometrics, tokens), are required to grant access to resources.
Phase 2: Examine the current state of information security.
To reach where we would like to be, we must first evaluate our current position. It could mean returning to the basics.
Assign Information Asset Ownership (IAO) for each category of information asset at the department or team level (if there isn’t already a designation);
IAOs are then required to develop an inventory of their information.
Map repositories by volume × sensitivity. By mapping repositories onto a 2×2 matrix, with sensitivity on one axis and the amount of data stored on the other, we get an approximate estimate of priority, from which the strategy to safeguard the most valuable information can be determined.
Note: the results of this step feed directly into the data considerations of the design/architecture phase (phase one); consequently, discovery and design can proceed in tandem.
Examine the effectiveness of the current controls associated with each repository we have identified. This can be done in workshops, using a tool similar to the one shown below, to quickly document the existing controls associated with each repository and evaluate the degree to which they are applied to the repository in question.
These controls can then be examined further to determine how effective they are in reducing risk at each stage of the data lifecycle.
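As an added example (not from the article or its author), the following Python sketches the phase-2 method: each repository is scored by volume × sensitivity and placed in the 2×2 matrix, and its controls are rated per data-lifecycle stage to produce the per-repository gap view that the roadmap phase prioritises. The lifecycle stages, control catalogue, sensitivity scale, thresholds and sample inventory are all assumptions.

```python
from dataclasses import dataclass, field
# Lifecycle stages and control catalogue are assumptions for this example, not the article's.
LIFECYCLE = ("create", "store", "use", "share", "archive", "destroy")
CONTROL_STAGES = {  # which lifecycle stages each control addresses
    "classification labelling": ("create",),
    "encryption at rest": ("store", "archive"),
    "RBAC": ("use", "share"),
    "DLP": ("share",),
    "secure deletion": ("destroy",),
}
@dataclass
class Repository:
    name: str
    owner: str          # Information Asset Owner (IAO) for the repository
    volume_gb: float
    sensitivity: int    # assumed scale: 1 (public) .. 4 (highly confidential)
    controls: dict = field(default_factory=dict)  # control -> degree of use 0/1/2
def priority_score(repo):
    """Volume x sensitivity: the approximate priority the article describes."""
    return repo.volume_gb * repo.sensitivity

def quadrant(repo, vol_threshold_gb=500, sens_threshold=3):
    """Place a repository in the 2x2 matrix (thresholds are assumed values)."""
    sens = "high-sensitivity" if repo.sensitivity >= sens_threshold else "low-sensitivity"
    vol = "high-volume" if repo.volume_gb >= vol_threshold_gb else "low-volume"
    return f"{sens}/{vol}"

def stage_coverage(repo):
    """Per lifecycle stage, mean degree of use (0..1) of the controls addressing it."""
    coverage = {}
    for stage in LIFECYCLE:
        degrees = [d / 2 for c, d in repo.controls.items() if stage in CONTROL_STAGES.get(c, ())]
        coverage[stage] = round(sum(degrees) / len(degrees), 2) if degrees else 0.0
    return coverage

def improvement_heatmap(repos, vol_threshold_gb=500, sens_threshold=3):
    """High-sensitivity repositories in priority order, each with its under-covered stages."""
    result = []
    for repo in sorted(repos, key=priority_score, reverse=True):
        if quadrant(repo, vol_threshold_gb, sens_threshold).startswith("high-sensitivity"):
            gaps = [s for s, cov in stage_coverage(repo).items() if cov < 1.0]
            result.append((repo.name, gaps))
    return result

REPOS = [  # constructed sample inventory, not real university data
    Repository("Student Records", "Registry", 800, 4, {"encryption at rest": 2, "RBAC": 2, "DLP": 1}),
    Repository("Research Data", "Research Office", 5000, 3, {"RBAC": 1}),
    Repository("Public Web Content", "Comms", 50, 1),
]
```

Calling `improvement_heatmap(REPOS)` lists Research Data first (largest volume × sensitivity) with every stage under-covered, then Student Records with gaps at create, share and destroy; the low-sensitivity web content is left out of the priority view.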
Phase 3: Create the implementation roadmap and prioritise the activities (the full business case).
The previous phase gave us two ways of looking for areas that could be improved. The first (the evaluation of the countermeasures currently in place for each repository) provides a heatmap of the areas where effort can be applied, in line with the priorities of each group.