Cenic.org

Zero-Trust Networking Enhances Security in Research and Education Environments

Research and education institutions face unique cybersecurity challenges because of their inherent culture of openness, sharing, and innovation. Universities, schools, and libraries administer public programs and generally allow anyone to connect their own devices to the network. At the same time, these institutions store vast amounts of personal data, costly research, and other confidential information, making them an attractive target for attackers.

Zero-trust networking, an approach that Google and Netflix have each adopted, may be uniquely suited to the security problems R&E environments face. Traditional IT security models follow the outdated "castle-and-moat" concept: defend the network perimeter and trust whatever is inside it. A zero-trust architecture instead assumes that systems and users inside the network are no more trustworthy than those outside it, so every request for a resource is checked against who the user is and what is known about the device, not where the connection comes from. Zero-trust networking is increasingly sought after as users become more mobile, organizations move more data into the cloud, and cyberattacks grow more sophisticated.

CENIC’s Chief Cybersecurity Strategist Sean Peisert moderated a panel on R&E security problems and zero-trust IT networking solutions at CENIC’s 2019 Conference. The panel included experts from Google, Netflix, the University of California Office of the President (UCOP), San Bernardino County Superintendent of Schools, and the San Francisco Public Library.

Libraries, Schools, and Universities Face Security Risks

Michael Liang, chief information officer for the San Francisco Public Library, said libraries’ mission is to provide open and free access to information for all. Millions of Californians depend on libraries’ computers and networks every day to access vital information and services. Balancing the demand for open access against the need for protection is challenging. “The public hopefully feels confident that if they use the technology at the library, it's safe,” Liang said. “We try to educate the public and warn them of security concerns and issues. We also try to put our own protection on devices, but we tell them to be very careful what you do because it is a very open network.”

K-12 school districts must balance a need for high security in their back-end administrative functions with open networks necessary for teaching and learning in the classroom, noted David Thurston, chief technology officer for San Bernardino County Superintendent of Schools. Users often have conflicting views — some are frustrated that they can’t access resources as quickly as they’d like while others want to make sure confidential student and parent data is more secure. “The challenge we have is implementing those across multiple device types that are inconsistently controlled and in environments that are both open in some ways and then very closed in other ways,” said Thurston.

David Rusting, the systemwide chief information security officer at UCOP, said higher education institutions thrive on collaboration and exchange of scholarship and ideas, both with people inside and outside the university. Still, campuses are responsible for safeguarding personal data as well as research and development data. “We are an environment that's open by design,” he said. “There's always this tension between being open and protecting the things that we need to protect and allowing innovation.”

Developing New Solutions

Barclay Osborn, site reliability engineering manager at Google in Los Angeles, told conference attendees about Google's zero-trust networking solution, BeyondCorp, which grants employees access based on what is known about them and their device rather than on where they are connecting from. Employees should be able to work from anywhere without using a virtual private network (VPN). Access is tiered according to three main questions: Is it you? Are you present? Can your device lie?

Netflix has a similar zero-trust solution called Location Independent Security Approach (LISA), according to Brooks Evans, director of security for Netflix. "As we're becoming a global company, we realized we had a lot of employees who never really see a corporate office," he said. "They need to be able to work very effectively from that coffee shop model where they would never sit behind a network that had trusted access. Enforcing the zero-trust model, we got all of our services to a place where people could use them from anywhere." LISA has stopped attacks, simplified network architecture, and saved money. Netflix also offers an open-source tool called Stethoscope, which checks a user's devices for security settings such as disk encryption and up-to-date software and recommends fixes.
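The difference between the castle-and-moat model and the tiered, location-independent decisions Osborn and Evans describe is easiest to see in a policy function. The following is an added example written for this page, not code from Google's BeyondCorp or Netflix's LISA: the device tiers, the resource requirements, the corporate address range and the sample requests are all assumptions chosen to illustrate the three questions (is it you, are you present, can your device lie), and the source IP is carried only so the reader can see the zero-trust policy ignore it.

```python
"""Location-independent access decisions, illustrating the BeyondCorp/LISA
idea described above. Added example with assumed tiers and policy; it is not
Google's or Netflix's code."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Dict, Optional, Tuple


class DeviceTier(IntEnum):
    """Answers 'can your device lie?': higher tiers are harder to spoof."""
    UNKNOWN = 0       # not in inventory; any posture it claims is unverifiable
    INVENTORIED = 1   # known device, posture self-reported by the user
    MANAGED = 2       # posture reported by a management agent
    ATTESTED = 3      # posture signed by a hardware key (e.g. TPM-backed)


@dataclass(frozen=True)
class Request:
    user: Optional[str]          # identity from the SSO assertion ('is it you?')
    mfa_at: Optional[datetime]   # last strong authentication ('are you present?')
    device_tier: DeviceTier      # 'can your device lie?'
    source_ip: str               # logged, but deliberately not a policy input


@dataclass(frozen=True)
class Resource:
    name: str
    min_tier: DeviceTier         # least-trusted device allowed to reach it
    max_mfa_age: timedelta       # how recent 'present' must be


# Assumed resource tiers for illustration.
RESOURCES = {
    "wiki": Resource("wiki", DeviceTier.INVENTORIED, timedelta(days=7)),
    "hr-records": Resource("hr-records", DeviceTier.ATTESTED, timedelta(minutes=15)),
}

# Assumed 'inside the moat' address range for the perimeter model.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def perimeter_decide(req: Request) -> Tuple[bool, str]:
    """Castle-and-moat: being on the corporate network is the whole check."""
    ip = ipaddress.ip_address(req.source_ip)
    if any(ip in net for net in CORP_NETS):
        return True, "inside the perimeter"
    return False, "outside the perimeter"


def zero_trust_decide(req: Request, res: Resource, now: datetime) -> Tuple[bool, str]:
    """Per-request decision from identity, presence and device trust only."""
    if req.user is None:
        return False, "no verified identity"
    if req.mfa_at is None or now - req.mfa_at > res.max_mfa_age:
        return False, f"strong auth older than {res.max_mfa_age} for {res.name}"
    if req.device_tier < res.min_tier:
        return False, f"device tier {req.device_tier.name} below {res.min_tier.name}"
    return True, f"{req.user} on {req.device_tier.name} device may reach {res.name}"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed requests: the two models disagree on both of the first two."""
    now = datetime(2019, 3, 1, 12, 0, tzinfo=timezone.utc)
    # Unknown laptop plugged into the office LAN, MFA five minutes ago.
    on_lan = Request("alice", now - timedelta(minutes=5),
                     DeviceTier.UNKNOWN, "10.20.30.40")
    # Attested laptop in a coffee shop, MFA five minutes ago.
    coffee = Request("alice", now - timedelta(minutes=5),
                     DeviceTier.ATTESTED, "203.0.113.7")
    # Same attested laptop, but the last strong authentication was yesterday.
    stale = Request("alice", now - timedelta(days=1),
                    DeviceTier.ATTESTED, "203.0.113.7")
    hr = RESOURCES["hr-records"]
    return {
        "perimeter/on_lan": perimeter_decide(on_lan),
        "perimeter/coffee": perimeter_decide(coffee),
        "zero_trust/on_lan": zero_trust_decide(on_lan, hr, now),
        "zero_trust/coffee": zero_trust_decide(coffee, hr, now),
        "zero_trust/stale_mfa": zero_trust_decide(stale, hr, now),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:22s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

The perimeter check admits the unknown laptop because of its address and rejects the attested one for the same reason; the zero-trust check reverses both outcomes and additionally denies the attested laptop once its strong authentication is stale, which is the "are you present?" question. In a real deployment the device tier would come from an inventory or attestation service and the identity and MFA timestamp from the SSO provider, not from fields on the request.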

UCOP’s Rusting, who has implemented zero-trust networking in universities, emphasized that it’s important to start with leadership and help them understand what the risk is and how it can be addressed. “It's a risk-based approach,” he said. “Where do you put the controls in and how do you make them as easy as possible for somebody without interrupting their ability to work or collaborate?”

Adopting Appropriate Protections

CENIC's Peisert said R&E institutions run computing systems similar to those of many private-sector organizations and share their vulnerabilities. However, R&E institutions are typically less resourced than private industry, their population of students and faculty is far more transient, and they operate less hierarchically. "The result of all this is that we need to think carefully and creatively about how to adopt the appropriate mechanisms to enable and protect the research and education missions of R&E institutions going forward, from enforcing confidentiality of sensitive data and intellectual property, to protecting integrity of scientific data, to ensuring adequate network throughput during distance learning and testing," said Peisert. "CENIC is committed to providing a secure, reliable network to its member institutions."

Watch the complete panel discussion, "Security Without Moats and Walls: Zero-Trust Networking for Enhancing Security in R&E Environments," from CENIC's 2019 Conference.
