Zero trust and beyond: Creating cyber secure educational institutions

By Ming En Liew

Adopting zero trust from the onset, building software-defined networks and creating a culture of cyber awareness are just some of the recommendations cyber experts highlighted at an event on cybersecurity in the education sector.

At a recent GovInsider event, cyber experts delved into the role of zero trust in securing the education sector. 

Generative AI has been the talk of the town since the introduction of ChatGPT, and the education sector is no exception. Some have raised concerns about AI-assisted cheating, while others are embracing its potential as an educational tool.

But generative AI technology also has implications for cybersecurity. Phishing and social engineering attacks, which have been perennial concerns in the education sector, are becoming more of an issue with such AI tech.

“No longer are we seeing badly-crafted phishing emails. [Now], we see emails which have good English and grammar, and naturally, that translates to it being more believable,” explained Ang Leong Boon, Head of IT Security at the National University of Singapore. He was speaking on a panel at a GovInsider event titled Deep dive into the zero-trust approach for cybersecurity in education.

The introduction of such technology, alongside the technological revolution in education catalysed by the Covid-19 pandemic, is leaving the sector more vulnerable than ever before. In fact, recent research by cybersecurity provider Zscaler found that the education sector was the most targeted industry by phishing attacks in 2022, having experienced a spike of 576 per cent as compared to the previous year.

With the threat that these new technologies pose, there lies a need for a new sophisticated set of tools to address them, said Dennis Chung, Chief Security Officer of Microsoft during the panel session. “Hence the zero trust concept.”

Understanding zero trust

In essence, zero trust means to never trust, and always verify, said Kavitha Mariappan, Executive Vice President of Customer Experience & Transformation at Zscaler, who was also on the panel.

This means being able to map out what each identity in an organisation can or cannot do and what their privileges are, Ang explained. In the context of learning, this could look like students only having access to an open learning system which doesn’t have any sensitive information on it.

In an examination or assessment scenario, students may need to have different privileges, Chung explained. “You need to use your identity, prove who you are on a managed device, perhaps in a lab, and operate only from a controlled segment before you can touch the examination system,” he illustrated.

These same zero trust principles should also apply to third-party vendors, said Mariappan.

“As you work with vendors and partners, understand what the key tenets of the zero trust architecture are…and make sure that they’re building technologies for you that adhere to these key tenets,” she explained.

For instance, Chung suggested that educational institutions can request a SOC 2 Type II Report – an audit which details how a cloud-based service provider handles sensitive information. On Microsoft’s Azure, for instance, institutions that request this report will be able to ascertain that there are encryption capabilities built into the cloud to protect sensitive information.

Zero trust in practice: Network security

When NUS was devising their cybersecurity strategy, they first defined the “crown jewels” that needed protection – internal networks, valuable data and the like, Ang explained. Next, they segmented these elements into different zones depending on their sensitivity, the data they carry and the systems they host.

“From there, we are then able to construct many different layers within the network to enable zero trust,” he said.

This strategy works as educational institutions are unable to control the endpoints – the devices that students and staff are using. “The next best thing you can do is to control the network which all of us connect to,” he explained. By doing so, there is no way for threat actors to bypass network controls easily.

The institution has also adapted its security measures over time. Today, NUS is home to the region’s largest software-defined network, Ang shared. This is a type of networking that relies on software-based controllers or application programming interfaces (APIs) as opposed to hardware devices like routers and switches to control traffic on a network.

This approach had to be implemented due to the sheer volume of NUS’ network, which hosts over 200,000 devices and more than 50,000 users. “It would be very challenging to implement a layered network approach [due to the] number of segments we will have to create,” Ang said.

With this, the institution is able to control how each and every network zone interacts with each other. “This means that instead of having, for example, just a staff and student network, we can further segment the student network into different zones,” he explained.

Such an approach would help prevent threat propagation, where malicious actors who infiltrate a network can gain access to all resources on the network, Mariappan added. Through segmentation, such breaches can be isolated and contained within a specific zone.
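The segmentation and containment described above, as an added illustration (not code from NUS, Zscaler or the article): inter-zone rules are modelled as a default-deny allow-list, and the script computes how far a compromise in one zone could spread, including pivot paths to crown-jewel zones that no single rule grants. The zone names, rules and crown-jewel set are hypothetical.

```python
from collections import deque

# Hypothetical zones and crown jewels; the article does not list NUS's actual zones.
ZONES = ["student-open", "student-lab", "staff", "exam-system", "research-data"]
CROWN_JEWELS = {"exam-system", "research-data"}

def flat_policy(zones):
    """A single flat network: every zone may initiate traffic to every other zone."""
    return {(a, b) for a in zones for b in zones if a != b}

# Default deny: only these (source, destination) flows are permitted.
SEGMENTED = {
    ("student-open", "student-lab"),
    ("student-lab", "exam-system"),
    ("staff", "exam-system"),
    ("staff", "research-data"),
}
# Same policy with the open student zone cut off from the managed lab zone.
TIGHTENED = SEGMENTED - {("student-open", "student-lab")}

def blast_radius(policy, compromised):
    """Zones reachable from `compromised` by chaining allowed flows (BFS).

    This is an upper bound on propagation: an allowed flow means a
    compromised host in the source zone can at least attempt the destination.
    """
    seen, queue = {compromised}, deque([compromised])
    while queue:
        src = queue.popleft()
        for a, b in policy:
            if a == src and b not in seen:
                seen.add(b)
                queue.append(b)
    return seen - {compromised}

def indirect_exposure(policy, zones, crown_jewels):
    """(zone, jewel) pairs reachable only by pivoting through another zone."""
    return sorted(
        (z, j)
        for z in zones
        for j in blast_radius(policy, z) & crown_jewels
        if (z, j) not in policy
    )

if __name__ == "__main__":
    for name, policy in [("flat", flat_policy(ZONES)), ("segmented", SEGMENTED),
                         ("tightened", TIGHTENED)]:
        print(name, sorted(blast_radius(policy, "student-open")),
              indirect_exposure(policy, ZONES, CROWN_JEWELS))
```
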

A culture of cybersecurity

No matter the strength of the security measure, security breaches are most often caused by human error, as an audience member pointed out during the event. In fact, Verizon’s 2022 Data Breach Investigations Report found that a whopping 82 per cent of data breaches involved a human element, whether in the form of social attacks, errors, or misuse.

The solution? “Make cyber education part and parcel of the culture and make it part of the curriculum,” Mariappan said.

Specifically, Ang explained that institutions need to “let our users understand the threat rather than the policy.” For example, this could involve helping users visualise what it is like to be hacked through the eyes of the hacker, as it gives them a first-hand experience of the threat.

In Singapore, where many were brought up in a physical environment that was largely safe, people may be lulled into a false sense of security online, Ang said.

“Education would be a lot about showing them what the real world is like, rather than telling them,” he explained.

“Arm them with that information,” Chung added. He encouraged institutions to share amongst their people real stories of cyber attempts and incidents that have occurred among peers in their organisation. They are then able to better appreciate and resonate with the importance of cybersecurity.

“Over time, you are virtually recruiting them to be on your side,” he said.
