Can you believe it? The 2023 school year has come to a close! And with that, the Zscaler team has been busy traveling to various conferences and user-group seminars, having wonderful conversations with universities across the country. What I love about this space is learning how each school tends to have core areas of focus. For example, schools with affiliate university hospitals have an education and research focus on health care, while schools with strong engineering programs may have a focus on gaining DoE/DoD research grants. What’s interesting, is regardless of the area of focus, there is a common theme that is top of mind for security and compliance professionals at these universities, and that is a need for a secure and compliant educational environment. And for good reason.

Change is in the air

Change is in the air as a new class of students eagerly await their college journey. But bigger changes are coming for security and compliance teams in higher education. For example, the Federal Trade Commission (FTC) is making changes to the Gramm-Leach-Bliley Act (GLBA) “Safeguards Rule”, while the DoD is updating their requirements around handling of Controlled Unclassified Information (CUI) with their amended CMMC 2.0 framework.

Both of these changes are aimed at enforcing better access controls, security and visibility into data to ensure it’s handled safely, and doesn’t get leaked into the wrong hands.

What’s driving these changes?

Is it any wonder why there is an emphasis on the handling of critical data? The short answer is: Remote work and cloud applications.

The majority of research and work is now done off-campus networks - whether it’s at home, or in a coffee shop. Likewise, we are quickly approaching the point where the majority of applications are either SaaS or Cloud-hosted- in Azure, AWS or Google. These shifts provide a number of benefits from a flexibility and accessibility perspective, but with that, they’ve left some critical gaps that have made universities and their users sitting ducks to potential cyber attacks.

The bad guys know this

Universities have gotten a hall pass on security for a number of years, but legal rulings on release of student personal information has become a key threat that adversaries are leveraging. The advent of ransomware has since exploded onto the higher education industry, to the point where Higher Education is now one of the most-targeted sectors.

What Can Be Done?

Preventing User Compromise

The good news is there is a way to mitigate the majority of these risks, but it requires a new way of thinking. Universities are moving from an “Open Campus” with free wifi and access to “Secure and Productive Campus” where access is granted as long as the site is secure, and the data transmission is permitted only if it is found to be compliant. Similar to what we’ve seen in the endpoint protection space, universities are leveraging Zscaler’s cloud-based architecture to seamlessly inspect traffic to ensure it’s safe, without impacting the end-user.

Protecting Your Data Regardless of Location

Zscaler not only ensures a user isn’t compromised, the solution enables data protection policies with predefined dictionaries for HIPAA, GLBA, and allows you to build your own customer dictionaries. You can build policies on a per application basis, while also building guardrails around where that data is stored.

Regarding CUI Data, Zscaler allows you to provide these same security and data protections to users, while abiding by NIST and other federal framework recommendations.

Reducing Lateral Risk

VPN technology has recently celebrated its 27th birthday. “I love my VPN” - said no one, ever.

In all seriousness, since the start of the pandemic in 2020, VPN usage has exploded, and we’re seeing the risks and performance impact associated with them. Today, when researchers use VPN, it brings the user directly onto the university network - without the necessary protections in place that many other enterprises utilize. This is even more concerning with Bring Your Own Device policies or 3rd Party Contractor’s accessing applications via VPN. You are only as secure as whom you do business with, and let onto your network. This opens the university network to lateral mobility and privilege escalation, which can ultimately lead to unauthorized access, data exfiltration, and even ransomware.

With Zscaler’s Zero Trust Exchange, we never bring the user directly onto the corporate network, meaning the university’s IPs are not exposed to the open internet. You cannot attack what you cannot see, so adversaries are unable to move freely within university infrastructure. This creates segmentation from the user to the application, which is another key initiative for many universities.

Zscaler for Higher Education

As we look forward to a new school year, we hope to speak with more universities on how Zscaler can quickly and easily provide a safe, secure, and compliant environment, without compromise.

Read more about how Zscaler simplifies security, user access and compliance for higher education institutions. As the only cloud-native security platform that is FedRAMP, StateRAMP and IL5 authorized, Zscaler is the most trusted security compliance partner in public sector.

For more information, please reach out or visit our Education page.