The stakes are high for security leaders at higher education institutions. CISOs, CIOs, and other information security leaders are tasked with managing highly sensitive data at a massive scale, within a complex ecosystem — from students’ personally identifiable information (PII), to healthcare records (PHI), to federal contract information, controlled unclassified information (CUI), and highly sensitive research data.
My Virtru teammates and I recently had a chance to join hundreds of higher-ed cybersecurity professionals at the Educause Cybersecurity and Privacy Professionals Conference in Bellevue, Washington. After attending several sessions and having conversations with dozens of security leaders, there were three key takeaways that resonated with me.
For CMMC Compliance, Data Security Must Allow for Collaboration
CMMC compliance is top of mind for university CISOs right now, particularly at institutions with regulated research and laboratory programs. CMMC took center stage at Educause 2023, as the CMMC 2.0 deadline approaches for institutions that collaborate with the Department of Defense.
University research programs are stewards of highly sensitive data, and far too often, those programs are not as secure as they should be. That’s because collaboration is essential to any research program — but too many research programs assume that enabling collaboration requires lax security measures.
That’s what we at Virtru call the data conundrum: We need to safeguard highly sensitive data, but we also need the ability to share it — especially in a university research context. We’ve worked with several universities, such as the University of Notre Dame (who joined us at the Educause conference this year), Brown University, and the University of Michigan, to provide end-to-end encryption that moves with the data, so students and faculty can share information quickly and easily without sacrificing security.
For universities that collaborate with the Department of Defense, CMMC is top of mind for a few reasons:
- CMMC regulations are strict and complex.
- CMMC is a relatively new standard, and it has evolved considerably since its inception in 2016.
- CMMC compliance requires a mature cybersecurity program.
- It can be argued that CMMC was created with the defense industrial base in mind, not educational institutions — and not all universities are alike, creating further confusion around the standard.
To sum it up, CMMC is a high priority for university tech leaders, and it requires a thorough assessment of sensitive data (including CUI) managed by research programs. Universities need to find a way to balance powerful security with the ability to collaborate freely.
Note: If you’re working to achieve CMMC compliance, reach out to our team. We can help you out with several encryption and data protection elements of CMMC with affordable, fast-to-deploy security solutions.
How to Bounce Back After a Breach: A Zero Trust Success Story
One especially compelling session featured Oregon State University, which built a robust Zero Trust program, lightning-fast: It took the team just a few months to execute three years’ worth of work.
The sense of urgency was sparked by a data breach, which was nearly undetectable because of the IT team’s lack of visibility at the time. After the breach, the team used the Zero Trust Maturity Model as a guide to their implementation, which includes identity management, endpoints, applications, network, and data.
Here are just a few of the wins they have experienced on their Zero Trust journey:
- The team now has better visibility and a more unified approach to information security and risk management.
- The IT community had tracked down 140 accounts tied to 123 individuals that had domain admin access, but that has now been reduced to 7.
- Asset tagging has been improved, making it easier to track devices and the data on them.
- The software has provided better indicators and automation capabilities, making life easier for staff and students.
The downstream benefits of Zero Trust are many — and it was great to see how quickly this team was able to advance their program’s maturity in such a short period of time.
Data Is the New Perimeter: Data-Centric Security and Cloud-Native Transformations
It’s no secret that the traditional network-perimeter-centric approach to security is no longer sufficient for cloud collaboration, remote work, and dynamic information sharing. CIOs are grappling with the best ways to adapt their approaches from legacy, on-prem models to dynamic, cloud-native platforms. In one panel, security leaders shared their respective experiences with cloud transformations and how they’re approaching this new “perimeter.” A few themes emerged from the conversation:
Data is the new perimeter.
It’s clear that data is meant to move. It’s meant to be shared. It moves in and out of a given organization’s network. The pivotal need is enforcing protections and access control for that data. This requires tools that allow for granular yet flexible policies to be applied to data across its entire lifecycle, wherever it moves. Tying identity to data is also important in the context of access control.
Simplicity is essential.
Cloud collaboration gets complicated fast, so reducing complexity is key for creating a manageable security posture. This includes streamlining your vendors where possible, as well as allowing your users to leverage familiar tools (with the proper security layered in). There’s also the consideration of managing multiple clouds during incident response, which can be a daunting task — especially when multiple tools are in place.
Follow the data.
A shared challenge for IT leaders is gaining visibility into data in motion: Where is sensitive data stored? How is it being shared? Who has access to it at any given time? What happens after it leaves the domain? Data silos are not sustainable in a university or research context. Data needs to move — and the essential challenge to solve is, “How can I let data move while maintaining control over it?”
Data-Centric Security for the New Perimeter
From cloud data security to CMMC compliance, the Virtru team had tons to discuss with our customers and colleagues at Educause. That’s because we see the pain points of university tech leaders, and we have the tools to help make their lives easier: Email and file security that follows data everywhere it moves, solutions that provide admins holistic visibility and control, data protection gateways that detect and automate encryption for sensitive data before it leaves your organization, and many more.
If you’re a security leader who wants to strengthen your cybersecurity posture, we’d love to talk with you. Reach out to our team and let us know how we can help.
