Today’s colleges and universities require a cybersecurity model that embraces mobile-heavy user behavior, and protects people, data, devices and applications no matter where they are located. A “zero-trust” approach meets these needs by evaluating and granting access to users and devices both inside and outside of the campus environment based on levels of potential risk.
In this web seminar, presenters discussed how to implement a zero-trust cybersecurity approach through a combination of clear policies, strategic use of technology and effective training.
Chris Irwin
Partner and CTO
Forsyte IT Solutions
Sam Buckhalter
Security and Compliance
Technical Specialist
Microsoft
Chris Irwin: Before we can understand what zero trust is, we need to understand what zero trust isn’t. Zero trust isn’t literal. You can’t build and manage a practical strategy around absolutes. Security is constantly changing. The variables are too complex, and you can’t just set a monolithic path and follow it.
Zero trust isn’t an adjective. You aren’t going to be zero-trust. It’s a very fluid state, and it’s a journey to get there. It’s not a product. There is no such thing as zero-trust technology. There are lots of products and solutions that will help you get to a zero-trust state, but there’s no single solution. And zero trust is not a revolution.
What is zero trust? It’s a mindset. What we want to do is think. We don’t want to trust any single source. We want to employ multifactor authentication when it is available. We want to focus on breach containment.
And we need to understand that there aren’t enough people to handle all the work. Everybody’s understaffed, and the number of devices that we’re dealing with, the number of signals that we’re seeing, and the number of applications that we’re dealing with are all rising exponentially. You have BYOD in a university space and you have distance learning, so our student population has expanded exponentially.
So what does that mean? We have to focus on automation—on doing automated detection and remediation response to try to get to that zero-trust mindset. Automation is key.
Sam Buckhalter: The challenges of IT are changing drastically. At Microsoft, we believe identity is now the center of the modern approach to security. We want to help address the explosion of apps and all the challenges you have today. We want to make sure you’re able to keep up with the ever-evolving data privacy regulations, the General Data Protection Regulation and the different policies you have to comply with going forward. We want to meet your end users’ demand for increased modernization and flexibility about where they work and how.
As we dive into zero trust, we’re first shifting our mentality. We’re no longer looking at the physical network perimeter as the security boundary. We’re moving into logical constraints. What cloud and on-premise apps do we have? How do we need to protect them? Are they high-risk apps? If content access is granted incorrectly, what’s the value of that data to your organization?
The second part is to assume that every resource on the internet is on the open web. We’re treating users the same way, whether they’re on your corporate network or in Starbucks. Effectively, there is no safe place.
Finally, we’re looking at a “never trust, always verify” mindset. We never trust the default elements of an environment. You want to be asking these questions: Where does this user log in? What are their standard behavior patterns? Do they usually log in from Colorado? Why am I seeing logins from France or South America? What is their normal behavior? What devices are they coming from? Are those devices trusted? Are they personal devices? Are users coming in from web-based experiences? And how do you handle each of those scenarios? We’re always verifying while providing the experience and security mechanisms that are necessary for specific sessions.
The world is much bigger than Microsoft, so Microsoft single sign-on supports over 1 million third-party apps. You can connect to those apps, and you can leverage the same zero-trust mentality and all of the security functions that you use for Microsoft Office 365 workloads.
Ultimately, we want to provide one collective identity for all single sign-ons. You want to be able to give users access to all of the apps they need and offer the same level of security control.
To watch this web seminar in its entirety, please visit UBmag.me/ws022620
