3 Mistakes Experts Often See in Zero-Trust Initiatives

Mistake No. 1: Thinking Zero Trust Can Be Installed

A zero-trust security framework is not a task that can be checked off a list or a product that can be licensed or installed. It is a strategy that defines a holistic approach to cybersecurity, which shifts the traditional network security focus to protecting assets and users instead of protecting a perimeter.

“Zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets and resources,” according to the National Institute of Standards and Technology’s Special Publication 800-207. “A zero-trust architecture uses zero trust principles to plan industrial and enterprise infrastructure and workflows.”

NIST adds that zero trust has been made necessary by a number of trends in recent years, including an increase in remote users and the growth of cloud-based assets located outside organizations’ own perimeters.

SP 800-207 notes that “zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.”

The Cybersecurity and Infrastructure Security Agency spells out five pillars of a zero-trust model: identity, devices, networks, applications and workloads, and data. By far, identity and data governance serve as the model’s cornerstones; any zero-trust initiative must prioritize identity and data access controls, Candillo says.

RELATED: Implement identity and access management best practices.

In a zero-trust environment, that verification happens continuously, ensuring that even when bad actors somehow gain access to a network, they can’t hang around for long.

Mistake No. 2: Ignoring Teachers’ and Students’ Experiences

Implementing a zero-trust framework typically requires shifting a school’s philosophy about cybersecurity, says Candillo. Often, organizations embark on a zero-trust journey thinking they can continue to use “their old, siloed teams and management styles,” he says. “A successful zero-trust transformation also requires a cultural transformation.”

Beyond ensuring that essential teams work together to implement the approach, thoughtful consideration must be given to users and their experiences engaging with online materials. Educating teachers and students to make users part of the solution helps create “a culture where securing data is a top priority and taken very seriously by everyone,” Candillo says.

Ultimately, when users aren’t satisfied with their experience accessing resources, they’ll turn elsewhere. Educators’ may rely on outside software and tools or depart from using educational technology for teaching altogether. Students, meanwhile, may struggle to complete assignments, take tests and remain engaged in learning activities.

Mistake No. 3: Failing to Set Effective Policies for Accessing Data

As a school’s zero-trust adoption matures, getting a handle on the data or resources that specific users need can be an ongoing challenge — but it’s not an insurmountable one.

When every user, piece of data and device is considered an asset to be protected, IT teams can no longer rely on manual network inventories. Cloud-native network management and inventory management tools provide real-time insights and visibility on use, helping teams set priorities and appropriate access privileges.

GET STARTED: Embark on a journey to the cloud in your K–12 organization.

“Combining due diligence around access governance and implementing things like behavior analytics and adaptive authentication can be steps in the right direction,” Candillo says. “Don’t try to achieve 100 percent zero trust in the short term. Instead, after you’ve laid the foundation, focus on locking down a group of critical systems or assets you are trying to protect.”