How does zero trust help make your IT landscape technically cyber resilient?

The education and research sector faces significant cyber resilience challenges. One of them is how to make your institution's IT environment technically cyber resilient. One lever for this is the zero trust principle: "never trust, always verify". What exactly does zero trust mean, and how do you apply it in practice?

Zero trust

New security measures needed

Educational and research institutions are an attractive target for cybercriminals because of their open nature: many students walk in and out with their own devices every day, and researchers want to share data and knowledge. Cyber threats are increasing, attacks succeed more often, and cybercriminals keep finding smarter attack methods. We need security measures that match these rapid and complex developments. The zero trust principle looks at security in a new way. And while no security strategy is perfect, and data breaches can never be completely prevented, the zero trust principle is among the most effective strategies available today.

The zero trust principle: never trust, always verify

The zero trust principle does not assume that the IT landscape can be trusted and is secure; it takes as its premise that it is not. Hence "never trust, always verify": every access request is fully verified, authorised and encrypted before access is granted, regardless of whether it originates inside or outside the institution's network.

Strategy as a basis for practice

If you want to successfully implement an architecture based on zero trust, you need to do more than roll out integrated tools and technologies supported by operational agreements and authentication requirements. Underlying a successful implementation is a strategic policy, built on the following pillars:

Authentication and authorisation

It is important to re-authenticate and re-authorise identities with every access request, not only at first login. According to the entitlement system, does this identity have access to the device, application or information it is trying to reach? Is the access request coming from a logical location? The use of multi-factor authentication (MFA) is essential to verify the identity of users.

Network segmentation

As an institution, you want to make it as difficult as possible for malicious parties to penetrate a network. To reduce the impact of an attack, you can divide the network into logical segments (zones), so that a compromise in one zone does not automatically give access to the others.

Monitoring and logging

It is important to know exactly what is happening within the IT landscape. By spotting suspicious traffic or actions early, you can put out a smouldering fire before it spreads. For this, devices, users and services must be monitored continuously, on the basis of predefined roles and policies.

The monitoring process uses logging to gain that insight. From the logs it can check, for example, that users stay within their roles and policies. A possible response to a violation is to deny the user access to a zone of the network.
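As an added illustration of the three pillars above (per-request authentication and authorisation, zone-based segmentation, and monitoring that feeds back into access decisions), the following Python sketch is a toy policy decision point. It is example code written for this page, not SURF's, a vendor's or any institution's implementation; the zones, roles, users, entitlements and requests in it are constructed for the demonstration.

```python
"""Toy zero-trust policy decision point (PDP): added example, not SURF's code.
Every user, role, zone, entitlement and request below is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
import json

# Segmentation policy (constructed): target zones each source zone may reach.
# A zone pair that is not listed is denied, so new zones are isolated by default.
ZONE_POLICY = {
    "campus-wifi": {"student-services"},
    "research-vpn": {"student-services", "research"},
    "management": {"student-services", "research", "management"},
}
# Entitlement system (constructed): role -> (target zone, application) pairs.
ENTITLEMENTS = {
    "student": {("student-services", "lms"), ("student-services", "mail")},
    "researcher": {("student-services", "mail"), ("research", "hpc")},
    "admin": {("management", "idp"), ("research", "hpc")},
}
# Countries a user is expected to connect from (constructed); this backs the
# "is this request coming from a logical location?" check.
EXPECTED_COUNTRIES = {"alice": {"NL"}, "bob": {"NL", "BE"}, "carol": {"NL"}}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool   # did the identity provider complete MFA for THIS request?
    source_zone: str
    country: str
    target_zone: str
    application: str


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)  # empty when allowed


class PolicyDecisionPoint:
    """Re-evaluates every request from scratch: an earlier allow for the same
    user or device grants nothing ("never trust, always verify")."""

    def __init__(self, violation_threshold: int = 3):
        self.violation_threshold = violation_threshold
        self.violations = defaultdict(int)  # (user, target_zone) -> denied requests
        self.revoked = set()                # (user, target_zone) cut off by monitoring
        self.log = []                       # JSON lines, one per decision, for the SIEM

    def evaluate(self, req: AccessRequest) -> Decision:
        reasons = []
        if not req.mfa_verified:
            reasons.append("mfa-missing")                  # authentication
        if req.target_zone not in ZONE_POLICY.get(req.source_zone, set()):
            reasons.append("zone-not-reachable")           # segmentation
        if (req.target_zone, req.application) not in ENTITLEMENTS.get(req.role, set()):
            reasons.append("not-entitled")                 # authorisation
        if req.country not in EXPECTED_COUNTRIES.get(req.user, set()):
            reasons.append("unexpected-location")          # logical location
        if (req.user, req.target_zone) in self.revoked:
            reasons.append("zone-access-revoked")          # response from monitoring
        decision = Decision(allowed=not reasons, reasons=reasons)
        self._monitor(req, decision)
        return decision

    def _monitor(self, req: AccessRequest, decision: Decision) -> None:
        """Log every decision; after repeated denials for one zone, revoke the
        user's access to that zone until an operator clears it."""
        self.log.append(json.dumps({
            "user": req.user, "from": f"{req.source_zone}/{req.country}",
            "to": f"{req.target_zone}/{req.application}",
            "allowed": decision.allowed, "reasons": decision.reasons,
        }))
        if not decision.allowed:
            key = (req.user, req.target_zone)
            self.violations[key] += 1
            if self.violations[key] >= self.violation_threshold:
                self.revoked.add(key)


def demo():
    """Run a constructed sequence of requests; return the PDP and its decisions."""
    pdp = PolicyDecisionPoint(violation_threshold=3)
    valid = AccessRequest("bob", "researcher", True, "research-vpn", "NL", "research", "hpc")
    no_mfa = AccessRequest("bob", "researcher", False, "research-vpn", "NL", "research", "hpc")
    results = {
        "student_lms": pdp.evaluate(AccessRequest("alice", "student", True, "campus-wifi", "NL", "student-services", "lms")),
        "student_hpc": pdp.evaluate(AccessRequest("alice", "student", True, "campus-wifi", "NL", "research", "hpc")),
        "researcher_ok": pdp.evaluate(valid),
    }
    for _ in range(3):                       # three attempts without MFA ...
        pdp.evaluate(no_mfa)
    results["researcher_after_revocation"] = pdp.evaluate(valid)  # ... and a valid one is now denied
    results["admin_wrong_country"] = pdp.evaluate(
        AccessRequest("carol", "admin", True, "management", "US", "management", "idp"))
    return pdp, results
```

Two design choices carry the zero trust point: the decision is recomputed for every request with no session-level shortcut, and the segmentation matrix denies anything it does not list, so adding a zone isolates it until someone explicitly opens a path. The monitor's only action here is the one the text mentions, denying the user further access to a zone; a production deployment would also raise an alert and require an operator to lift the revocation.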

Practical examples during Security Expertise Centre seminar

During a Security Expertise Centre seminar on 28 November 2022, a number of organisations from the public sector and the business community explained how they apply the zero trust principle. For example, MBO Digitaal gave a presentation on information security awareness and governance and the importance of technical measures within the context of the NBA maturity model. Secura and Fox-IT showed with real-life examples how important and useful it is to apply zero trust principles. Microsoft and Cisco explained how to make your IT landscape resilient against cybercrime, also using concrete practical cases. The NCSC also shared its vision on zero trust, as well as experiences with its implementation (see also the NCSC fact sheet on zero trust). Several institutions have indicated their willingness to collaborate on a use case, so that other institutions can use it as inspiration and learn from it. As soon as these use cases are available, SURF will share them.

Research on zero trust principle for education and research

An intern from Utrecht University is currently researching at SURF which concepts can be applied in a zero trust architecture, and whether these concepts are interesting for education and research. The intern is also investigating whether a method can be developed to help institutions decide which zero trust concepts could be an addition to their current IT landscape.

The research is expected to be completed by mid-2023. SURF will of course share the results.

Want to know more?

Want to know more about zero trust and how to implement it within your institution? Then contact SURF's Security Expertise Centre at ed.devries@surf.nl. Or read the practical story of BUas and Inholland about their zero trust approach.

Also read the practical story about the CIS Controls framework, another approach to information security.

Measures within the SURFaudit review framework

The education and research sector is already taking important steps to take cyber resilience to the next level. Through the education umbrella organisations, it has been agreed with the Ministry of Education, Culture and Science that all institutions will achieve level 3 of the SURFaudit assessment framework within the agreed period. This assessment framework is based on the NBA maturity model. Besides process measures, this model contains technical measures, but the concrete details of those measures are lacking.