Adopting a Zero Trust Approach in Higher Education

Safety and protection hinge on trust in others. In all aspects of our lives—friendships, relationships, and professional connections—trust is imperative to reducing risk and maintaining personal safety. While placing trust in individuals, groups, and organizations is easy, what happens when trust is attacked? That question was answered last year when the world saw one of the most advanced security breaches in history.

Solorigate (also referred to as the SolarWinds attack or Sunburst by FireEye) was a supply chain malware attack deployed on SolarWinds networks and matriculated to other organizations. SolarWinds is a U.S. company that develops software for businesses to help manage their networks, systems, and IT infrastructure. Malicious actors inserted code into the source code of SolarWinds' Orion product, enabling them to gain backdoor access and add malware. The code was then propagated in an Orion update, leading to over 17,000 customers' systems—including federal agencies, higher education institutions, and Microsoft—being placed at risk.

Scale is not the only factor that makes this one of the most sophisticated attacks ever seen in the United States—in history. The most concerning aspect of this attack, and what makes security teams uneasy, is how long these hackers were able to avoid detection. While this attack was first identified by FireEye in December 2020, evidence suggests these attackers have had access to the Solar Winds source code since as early as October 2019. With this early access, the attackers could test and add in malicious code before the final software build, enhancing its ability to run privileged actions while keeping a low profile. This strategy worked, as Solar Winds was unable to identify any issues before the affected update was delivered to Orion customers.

This attack represents an attack on trust. It has changed what it means when we get software from a vendor and our trust in the supply chain and technology. Traditionally, organizations could implicitly trust that the software purchased from vendors or already in their network was safe and secure. Now, these organizations are left wondering if other purchased products already in the network have similar vulnerabilities that could put their environments at risk. To ease these concerns, and lessen the impact of these attacks, a new approach to security and trust must be adopted.

A Zero Trust Approach

Zero Trust is a modern cybersecurity approach that protects communities through constant, explicit entity verification and authentication. Unlike traditional security approaches that assume everything behind a corporate firewall is safe, Zero Trust follows a philosophy of assuming a breach has already happened, or is going to happen soon, in any given environment. Organizations today manage complex environments across remote devices and networks. Zero Trust accounts for this complexity by treating all network activity as a potential risk—no matter where it originates or what resources it accesses. To protect these environments from modern threats, Zero Trust architectures and Zero Trust security are requirements.

So, how does Zero Trust work? Zero Trust follows three guiding principles: verify explicitly, use least privileged access (LPA), and assume breach.

• Verify explicitly: Zero Trust closes gaps in multi-factor authentication (MFA) coverage by requiring explicit verification across the network. Instead of assuming trust based on weak assurances like network locations, Zero Trust uses all available data—identity, endpoint, and network data—to authenticate all access requests, no matter where they came from or what they're accessing.
• Use least privileged access (LPA): Zero Trust makes it harder for attackers to negatively impact key systems and data by limiting users' access to the resources, devices, and environments they need. Without widespread privileges and access, attackers have less opportunities to move laterally within the network beyond an initial breach.
• Assume breach: As a final failsafe, Zero Trust operates under the assumption that a breach has already happened, or soon will. This means deploying redundant security mechanisms, collecting system telemetry, using that telemetry to detect anomalies, and—wherever possible—automating insight generation to enable near-real-time prevention, response, and remediation.

Of course, even with these principles in place, breaches and attacks are still possible. Zero Trust may not prevent everything, but its objective is to prevent massive impact from any potential breach institutions may encounter. This is what happened with Microsoft's approach to the Solorigate breach.

Microsoft's Approach

Because of its adherence to Zero Trust principles, Microsoft was able to quickly identify the affected resources, isolate them from the rest of the network, and remediate the threat with minimal time lost.^Footnote1 Microsoft first detected unusual activity in December 2020 and was able to take immediate action to secure and protect its environment until access attempts ceased in January 2021. After undergoing an internal investigation, Microsoft found no evidence of access to production services or customer data. The investigation also found no indications that systems at Microsoft were used to attack others. The malicious actor was also not able to gain access to privileged credentials or leverage the Security Assertion Markup Language (SAML) techniques against Microsoft's corporate domains. And while a few individual files were viewed, there was no access to the vast majority of Microsoft's source code.

While the Solar Winds attack was identified and mitigated, many other breaches may exist in secret today. As technology progresses, the sophistication, scale, and popularity of supply chain attacks are going to only increase. Because of this, higher education institutions must adopt a Zero Trust approach to adequately protect faculty, staff, and student data and information as soon as possible.

Steps to Take Today

Higher education institutions are a rich target for cyberattacks due to the amount of high-value data—such as sensitive research data, intellectual property, and students' personally identifiable information (PII)—held in their systems. This information makes colleges and universities prime targets for malicious actors, sophisticated criminals, and state-sponsored hackers. In fact, by November 2019, cyberattacks on higher education institutions had resulted in the exposure of more than 1.3 million identities.^Footnote2 Microsoft security intelligence has also identified education as by far the most affected industry for malware attacks.^Footnote3 And these modern attacks take advantage of organizations that don't have a Zero Trust architecture or strategy, partially due to the fact that many of these attacks are long and drawn out. Today, more than ever, adopting a Zero Trust approach is imperative for helping institutions reduce security risk across their environments.

There are steps institutions should take today to start realizing a Zero Trust approach.

• Recognize that Zero Trust doesn't exist only under the purview of security teams: Zero Trust is a philosophy that must be adopted by institutional leadership and leveraged to protect all students, staff, and educators. This is a departure from the usual operations of many higher education institutions, which have traditionally provided a flexible, open environment to their entire community.
• Understand the entire digital estate: Many different digital environments can exist within an institution. With different departments using different on-premises systems and cloud services, institutional leaders and staff may not have a full understanding of everything they have in their digital estate. The first step down the path toward Zero Trust is to gain a full understanding of the entire digital estate.
• Monitor the entire environment continuously: After understanding what is in their environment, institutional IT teams should start continuously monitoring their entire digital estate. Monitoring enables institutions to gain real-time insights into their systems through user and entity behavior analytics (UEBA). UEBA uses machine learning and advanced analytics to identify both normal and abnormal user behavior in an environment. If anomalous user behavior is detected, IT teams will be alerted so that they can act quickly to identify and isolate the potential threat.
• Apply conditional access controls for different roles: Different users have different technology needs. Instead of granting the same level of access to everyone, institutions should enforce LPA by providing access only to features and capabilities that apply to the specific user. For example, a student may only need to be able to access the learning management system to submit assignments, while his or her professor will need more privileges to review and grade assignments as well. Understanding and applying these levels of access helps promote a safer environment while enabling all users to find and use the tools they need, when they need them.
• Enforce multi-factor authentication (MFA) and single sign-on (SSO): MFA and SSO are powerful features that strengthen the security posture of the institution while also improving the user experience for students, educators, and the IT organization. While many institutions already have these capabilities available, they are not being used or enforced across the entire community. In many cases, these capabilities are enforced only when an account has been compromised, which can lead to MFA or SSO being viewed as punishments or as opt-in features. Instead of an optional approach, leaders need to enable, promote, and enforce these security measures across the institution. At the very least, enabling MFA reduces account compromise probability by more than 99.9 percent.
• Adopt intelligent security controls: Institutions should start shifting away from using only static controls—such as traditional firewall and anti-virus technology—to more dynamic and intelligent features that integrate advanced analytics into security evaluations. Static controls tend to collect data without sharing with other controls, leading to siloed information that is hard to glean insight from. With intelligent features that leverage automation and machine learning, institutional leaders can realize rapid detection, prevention, and remediation of attacks using behavioral analytics and anomaly detection.

There are many organizations around the world, including Microsoft and the National Security Agency, that believe Zero Trust is the right approach to protect higher education institutions from modern threats. With Zero Trust, institutions can confidently and quickly respond to and mitigate sophisticated cyberattacks now, and in the future. To maximize protection for their entire communities, IT teams must start moving their institutions toward this approach as soon as possible.

Notes

1. Microsoft Security Response Center, "Nobelium Resource Center," December 21, 2020 (updated March 4, 2021). Jump back to footnote 1 in the text.↩
2. Christine McKenzie, "Phishing in Academic Environments," Infosec, November 12, 2019. Jump back to footnote 2 in the text.↩
3. "Global Threat Activity," Microsoft (website), accessed March 22, 2021. Jump back to footnote 3 in the text.↩

---

Corey Lee is Senior Consultant and Zero Trust Architect at Microsoft.