Zero Trust Cybersecurity

Zero Trust is first a cybersecurity design philosophy and secondly, a set of cybersecurity design principles that eliminates implicit trust by requiring verification, dynamic access, automated risk assessment and response, and transparency.  The foundation of OTDI’s approach to Zero Trust is NIST 800-207.  NIST defines Zero Trust as a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. 

Key Contacts: Chris Hartley, Bob Mackin, Rich Nagle 

What strategic pillars does it support? 

  • Teaching 
  • Research 
  • Outreach 
  • Operational Excellence & Innovation 
  • Culture of Belonging 

Why is it important? 

Due to the evolution of technology and emerging patterns and modes of working, learning, teaching, collaboration, research, and providing services, modern cybersecurity architectures are moving away from static, network-based “trusted” security perimeters to focus on people, devices, resources, applications and data.  Whereas historically, most University faculty, staff, students, and associates performed all their work on-premises, increasingly, much University business is performed remotely.  At the same time, services (and systems) have been and continue to migrate to cloud-based providers.  It is no longer reasonable to identify a hard on-premises “border” as a delineation between “trusted” and “untrusted.”  These factors and forces are elevating cybersecurity risk; therefore, a new cybersecurity approach is required. 

The OAA Academic Plan published November 2022 provides a vision and framework that is our compass towards goal five to improve technological innovation.  Further defining the path is the OTDI Technology Roadmap direction to implement systems that are secure by design and states “we are committed to implementing systems that address cybersecurity, privacy, and accessibility standards”.  External auditor KPMG audit and strategy report appendix recommended that “with so much data and high-value information at stake, colleges and universities are at an inflection point and should focus on adopting a zero trust mindset towards cybersecurity”.   

Zero Trust mindset will enable OSU to increase the security of our technology by adopting a set of principles to guide a secure by design approach.  This approach will increase preventive behavior among the university community, and increase the security of identity, devices, network, infrastructure, applications, and data.

Who will benefit? 

Faculty, staff, students, researchers, associates, customers, guests will all benefit from zero trust. It may not be something tangible that they see or interact with, as it will operate in the background to ensure security, privacy and data integrity. 

What is the timeline? 

Zero Trust is cybersecurity mindset and an ongoing journey, without an end. Some forms of Zero Trust are already in use at the university.

Who are our partners and sponsors? 

Zero Trust is sponsored by Digital Security and Trust. In collaboration with partners from university colleges, offices and security coordinators. Zero Trust will require leadership, guidance and work from all OTDI areas including Digital Security and Trust, Infrastructure, Applications and Data teams.   

What other OTDI groups will be needed?

  • Research Technology and Infrastructure (Breon) 
  • Service Desk (Max) 

How will success be measured? 

  • # of meetings, participants, and drafts – framework 
  • # of systems implemented 
  • # of principle deployed 
Learning, Research, Outreach, Innovation and Belonging icons all highlighted within IT Pillars Supported graphic