Entry

Zero Trust Cybersecurity: Procedures and Considerations in Context

1 Department of Information Science, University of North Texas, Denton, TX 76201, USA
2 School of Education, Baker University, Baldwin City, KS 66006, USA
3 School of Library and Information Management, Emporia State University, Emporia, KS 66801, USA
* Author to whom correspondence should be addressed.
Encyclopedia 2024, 4(4), 1520-1533; https://doi.org/10.3390/encyclopedia4040099
Submission received: 7 August 2024 / Revised: 30 September 2024 / Accepted: 9 October 2024 / Published: 11 October 2024
(This article belongs to the Section Mathematics & Computer Science)

Definition:
In response to the increasing complexity and sophistication of cyber threats, particularly those enhanced by advancements in artificial intelligence, traditional security methods are proving insufficient. This paper provides an overview of the zero-trust cybersecurity framework, which operates on the principle of “never trust, always verify” to mitigate vulnerabilities within organizations. Specifically, this paper examines the applicability of zero-trust principles in environments where large volumes of information are exchanged, such as schools and libraries, highlighting the importance of continuous authentication (proving who users are within the network), least privilege access (providing only access to what users specifically need), and breach assumption (assuming a breach has or will occur and thus operating to limit the spread through the use of multiple checkpoints throughout the network). The analysis highlights avenues for future research that may help preserve the security of vulnerable organizations.

1. Introduction

At a time when rapidly evolving threats—bolstered by advancements in technologies like artificial intelligence—pose substantial danger to organizational well-being, it is critical to adopt advanced security solutions to protect assets. Conventional methods of security are no longer sufficient, in isolation, to ensure organizational cybersecurity. Multifaceted approaches, which consider each element of an organization as a potential vulnerability, are requisite. Enter zero-trust cybersecurity, a security paradigm that embraces a zero-trust philosophy: in order to limit vulnerabilities, no person or object within a network is trusted by default to be what it claims to be, and none is given access to segments of the network it does not need [1]. This philosophy means that all users must continuously provide evidence that they are who they claim to be (e.g., through multi-factor authentication), and access is limited to only the information that is position-critical.
Traditional cybersecurity relies on a perimeter-based approach, where the network operates as though it were an enclosure with a perimeter fence. Once a user successfully enters the perimeter, they are “in” and no longer need to worry about further verifying who they are or why they need to access any part of the network. This model is problematic, as it means that if an attacker makes it through the network’s perimeter, they can access and disrupt nearly all network functions, increasing the likelihood of major interruptions that could take the entire network offline and cause permanent damage. The zero-trust approach ensures that users must pass through a constant series of checkpoints to access any part of the network, which limits the spread of any threat that emerges. Consider, for example, a breach that compromises a list of organizational clients. This breach is costly, but less so than a breach that also places human resources and financial records at risk. Isolating a threat and minimizing its impact can mitigate the costly nature of cyberattacks.
Organizations where large amounts of information are regularly exchanged and private records are secured—such as schools and libraries—are especially at risk from cyber threats. Recently, the Toronto Public Library fell victim to a cyberattack that hijacked its systems and data for months, crippling the organization’s ability to function properly and threatening patron privacy [2]. In these organizations, zero-trust cybersecurity practices may offer a way to remain resilient in the face of increasing threats. The purpose of this paper is to discuss how zero-trust cybersecurity principles may be integrated into learning and information organizations to preserve the sanctity of these organizations’ information and records.

2. Principles of Zero-Trust Cybersecurity

At the Jericho Forum in 2005, security experts proposed a new approach to cybersecurity that used firewalls to control traffic and counter insider threats. Unlike the traditional method, the approach marked a departure from established security models, which emphasized defining a perimeter [3]. Based on these ideas, cybersecurity expert John Kindervag coined the term “zero trust” in 2010 while working at Forrester Research [3]. The zero-trust model assumes that systems will inevitably be compromised; therefore, no internal or external entities should be automatically trusted. Every request for resource access must be authenticated, authorized, and continuously validated before access is granted [4].

2.1. Never Trust, Always Verify

The separation of trust from location is the core of zero trust. The most significant difference between zero trust and traditional security boundaries is that, in traditional models, trust is often based on location [5]. In the traditional security model, once a user, device, application, or process is granted access to a network or resource, they typically have unrestricted access. The model assumes that everything in the network is inherently trusted [5]. However, the current static rule sets, firewalls, VPNs, and subnets can lead to severe vulnerabilities [6]. First, there is often a lack of control or segmentation within the internal network, which means that once an intruder or malicious insider breaches the perimeter defense and gains access to the internal network, they can easily move laterally, accessing sensitive data and resources without further checks [7]. Second, intruders can exploit poorly protected devices or applications as entry points into the internal network, so that the security of the entire internal network is only as strong as its weakest link, making the network highly vulnerable [6]. Third, the current architectures establish connections through devices and services with known external IP addresses before verifying access. This can lead to potential attacks against the initial connection point and increase the risk of unauthorized access and network outages [8]. Fourth, centralized log servers pose another vulnerability. Since log files are stored in one location, intruders who gain access to the log servers can potentially disguise their activities and clear their tracks by altering or deleting log entries [9].
In contrast, the zero-trust framework emphasizes that network location does not imply trust but assumes that all network traffic, devices, applications, and processes are potentially malicious and untrustworthy, and everything inside and outside the network should be verified consistently [9]. Emphasizing authentication, and recognizing that authentication is critical to network access control, is a vital component of the model [10]. The approach to authentication has evolved from simple password-based systems to more sophisticated Multi-Factor Authentication (MFA) techniques, enhancing security by requiring multiple forms of authentication and reducing the risk associated with weak or compromised credentials [11,12]. The technique requires multiple authentication factors to authenticate the user, such as an SMS or phone call prompt or an authenticator application. For MFA administrators, on the other hand, it helps verify who is active on the system and identify hackers [13].
Installing MFA with digital certificates and tokens issued by trusted certificate authorities for devices and applications to establish identity is an approach to strengthening security. Having a device or application provide a certificate, and having a certificate authority verify it, when the device or application connects to a network or service prevents unauthorized access and ensures that only authorized entities can access the network [14]. The token can be a physical device like a USB key, smart card, or software token running on a smartphone, further enhancing security. Hardware tokens generate a one-time password or provide encryption keys when connected to a device [15]. Software tokens generate one-time passwords or authenticate users or devices using encryption algorithms. Tokens add a layer of security by requiring the user to handle a physical device or have access to a specific application, reducing the risk of unauthorized access through stolen or guessed passwords [15].

2.2. Implement the Least Privilege

Implementing the principle of least privilege is another core principle of the zero-trust framework [16]. It requires that users, applications, and systems have the minimum level of access to resources and data needed to perform their functions. This is achieved by employing strategies for monitoring user behaviors, verifying device IDs, and implementing dynamic authorization, which adjusts access in real time based on the context and behavior of users or devices [16,17]. The principle ensures that limited authentication limits the possible paths available to attackers, thereby reducing the risk of unauthorized access and potential data breaches, enhancing security, and simplifying access management by clearly identifying and enforcing the boundaries of roles and devices in the network [18].
Role-based access control is a mechanism for achieving the principle of least privilege by assigning permissions based on specific roles, simplifying user authorization management, and reducing the possibility of unauthorized and excessive access, thereby preventing security vulnerabilities [19,20]. However, the traditional role-based access control model has certain limitations. For instance, the assigned permissions and roles remain static until the administrator manually updates them, which prevents dynamic permission adjustment. Furthermore, changes in system scale or business logic often require the creation of numerous roles to maintain user-role relationships. This leads to a phenomenon known as role explosion [21,22]. A trust-based control process model can enhance the security of role-based access control by incorporating user behavior trust. For instance, a user profile is generated by extracting valid features from user behaviors and attributes, such as login mode, time, duration, device, and IP address. By analyzing the anomaly and security degree of each user behavior and attribute feature and comparing the user profile with the current behavior, the system detects the deviation from the historical behavior, dynamically adjusts the user trust level, and identifies abnormal users and behaviors [22].
Network segmentation is another application of the principle of least privilege. It emphasizes dividing network entities into smaller subnets to minimize the possibility of attackers moving sideways, which involves several stages: grouping resources within each segment, defining short leases within the subnet by implementing the network topology, and establishing access control between the segments [23,24]. By default, links between instances within the same segment are considered reliable. The literature [25,26] categorizes segments into macro-segmentation and micro-segmentation. Macro-segmentation involves grouping multiple resources within each segment to ensure they can be collectively secured. In contrast, micro-segmentation places resources within each segment so that there is typically one, but occasionally several, highly protected resources within a single segment [26]. Macro-segmentation enhances performance and reduces costs by simplifying network management, decreasing the complexity of protecting numerous small segments, and optimizing the use of network resources. Granular access control (e.g., differential segments), by comparison, improves reliability and security by implementing the zero-trust principle among different segments [23]. Therefore, it is necessary to balance the benefits of macro- and micro-segmentation with the need for effective communication within the network [27,28].
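The trust-based extension of role-based access control described above can be sketched as follows. This is an added example, not code from the original entry or from the model in [22]: the feature weights, trust thresholds, role and permission names, and login records are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import mean, pstdev

# Assumed weights: points of trust lost for each feature that deviates.
WEIGHTS = {"mode": 15, "hour": 15, "duration": 10, "device": 30, "ip": 30}

# Role -> permission -> minimum trust (0-100) required. Assumed values.
ROLE_POLICY = {
    "registrar_clerk": {
        "read_course_catalog": 20,
        "read_student_record": 60,
        "export_student_records": 90,
    },
}

# Constructed login history and events for one user (not real data).
HISTORY = [
    {"mode": "sso+mfa", "hour": 8, "duration_min": 40, "device": "laptop-17", "ip": "10.20.30.41"},
    {"mode": "sso+mfa", "hour": 9, "duration_min": 55, "device": "laptop-17", "ip": "10.20.30.41"},
    {"mode": "sso+mfa", "hour": 9, "duration_min": 45, "device": "laptop-17", "ip": "10.20.30.52"},
    {"mode": "sso+mfa", "hour": 10, "duration_min": 60, "device": "laptop-17", "ip": "10.20.30.41"},
    {"mode": "sso+mfa", "hour": 8, "duration_min": 50, "device": "laptop-17", "ip": "10.20.30.44"},
]
NORMAL = {"mode": "sso+mfa", "hour": 9, "duration_min": 48, "device": "laptop-17", "ip": "10.20.30.44"}
NEW_NETWORK = {"mode": "sso+mfa", "hour": 9, "duration_min": 48, "device": "laptop-17", "ip": "198.51.100.23"}
SUSPICIOUS = {"mode": "password", "hour": 3, "duration_min": 50, "device": "unknown-android", "ip": "203.0.113.9"}


@dataclass
class Profile:
    modes: set
    devices: set
    networks: set      # /24 prefixes seen in the history
    hours: set
    dur_mean: float
    dur_std: float


def net24(ip):
    return str(ip_network(f"{ip}/24", strict=False))


def build_profile(history):
    """Extract the behavioral features named in the text from past logins."""
    durations = [e["duration_min"] for e in history]
    return Profile(
        modes={e["mode"] for e in history},
        devices={e["device"] for e in history},
        networks={net24(e["ip"]) for e in history},
        hours={e["hour"] for e in history},
        dur_mean=mean(durations),
        dur_std=pstdev(durations),
    )


def hour_gap(a, b):
    d = abs(a - b)
    return min(d, 24 - d)   # circular distance, so 23:00 and 00:00 are 1 apart


def anomaly_score(profile, event):
    """Sum the weights of every feature that deviates from the profile."""
    deviates = {
        "mode": event["mode"] not in profile.modes,
        "hour": all(hour_gap(event["hour"], h) > 1 for h in profile.hours),
        "duration": abs(event["duration_min"] - profile.dur_mean) > 3 * max(profile.dur_std, 1.0),
        "device": event["device"] not in profile.devices,
        "ip": net24(event["ip"]) not in profile.networks,
    }
    return sum(WEIGHTS[name] for name, bad in deviates.items() if bad)


def update_trust(trust, score, recovery=5):
    """Drop trust by the anomaly score; recover slowly on normal behavior."""
    new = trust + recovery if score == 0 else trust - score
    return max(0, min(100, new))


def authorize(role, permission, trust):
    """Static RBAC check plus a dynamic trust floor; unknown pairs are denied."""
    required = ROLE_POLICY.get(role, {}).get(permission)
    return required is not None and trust >= required


if __name__ == "__main__":
    profile, trust = build_profile(HISTORY), 85
    for name, event in [("normal", NORMAL), ("new network", NEW_NETWORK), ("normal", NORMAL)]:
        trust = update_trust(trust, anomaly_score(profile, event))
        ok = authorize("registrar_clerk", "read_student_record", trust)
        print(f"{name:12s} trust={trust:3d} read_student_record={'allow' if ok else 'deny'}")
```

The role assignment never changes in this run; only the trust level does, which is how the dynamic adjustment avoids creating additional roles for each context.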
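The trade-off between macro- and micro-segmentation can be quantified by computing which resources become reachable once a single resource is compromised. The following added example (not from the original entry) does this for a constructed library network; all resource names, segment names, and flow rules are assumptions. Traffic inside a segment is treated as allowed by default, as stated above, and traffic between segments is denied unless a rule permits it.

```python
from collections import deque


def reachable(start, segments, allowed_flows):
    """Resources exposed to lateral movement from a compromised `start`.

    segments:      segment name -> set of resource names
    allowed_flows: set of (source segment, destination segment) rules;
                   any inter-segment flow not listed is denied.
    Each newly reached segment is treated as a further pivot point.
    """
    segment_of = {res: seg for seg, members in segments.items() for res in members}
    if start not in segment_of:
        raise KeyError(f"unknown resource: {start}")
    seen = {segment_of[start]}
    queue = deque(seen)
    while queue:
        current = queue.popleft()
        for src, dst in allowed_flows:
            if src == current and dst in segments and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    exposed = set().union(*(segments[seg] for seg in seen))
    return exposed - {start}


# Constructed macro-segmentation: three broad zones.
MACRO = {
    "public": {"public-kiosk", "catalog-web"},
    "operations": {"circulation-db", "patron-records-db", "staff-workstation"},
    "admin": {"hr-files", "finance-app"},
}
MACRO_FLOWS = {("public", "operations"), ("operations", "admin")}

# Constructed micro-segmentation: one resource per segment, and only the
# flows each resource needs to do its job.
MICRO = {name: {name} for zone in MACRO.values() for name in zone}
MICRO_FLOWS = {
    ("public-kiosk", "catalog-web"),
    ("catalog-web", "circulation-db"),
    ("staff-workstation", "circulation-db"),
    ("staff-workstation", "patron-records-db"),
    ("staff-workstation", "hr-files"),
    ("staff-workstation", "finance-app"),
}


def blast_radius(segments, allowed_flows):
    """Number of other resources exposed, for every possible starting point."""
    resources = sorted(set().union(*segments.values()))
    return {res: len(reachable(res, segments, allowed_flows)) for res in resources}


if __name__ == "__main__":
    macro = blast_radius(MACRO, MACRO_FLOWS)
    micro = blast_radius(MICRO, MICRO_FLOWS)
    print(f"{'compromised resource':22s} macro  micro")
    for res in macro:
        print(f"{res:22s} {macro[res]:5d}  {micro[res]:5d}")
```

With these constructed rules, a compromised public kiosk exposes every other resource under macro-segmentation but only the catalog and circulation systems under micro-segmentation, at the cost of six rules to maintain instead of two.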

2.3. Assume Breach and Plan for the Worst

Despite robust data security measures, a system can only be guaranteed to be utterly breach-proof if taken offline [29]. This reality necessitates a comprehensive approach to monitoring all access-related entities, such as data streams, devices, services, and files, and collecting as much environmental information as possible to enhance the reliability of security assessment and increase credibility. Organizations should conduct thorough risk assessments to identify potential threats and vulnerabilities within their infrastructure, including potential attack vectors and the likelihood of a successful attack [30]. To prepare for worst-case scenarios, organizations need to develop, based on the risk assessments, a business continuity plan outlining specific actions and protocols (e.g., establishing clear communication channels, designating responsibilities and roles, and ensuring data backup and recovery processes) to maintain critical operations during and after a breach. The scope of risk assessment can vary depending on the specific use case, but utilizing well-prepared templates built on best practices can ensure comprehensive evaluations regardless of scope [30]. Additionally, a risk assessment should be carried out every time the environment changes, such as by implementing new technologies, expanding or restructuring the network, integrating third-party services, or adopting new business processes. Such changes introduce new vulnerabilities and alter the risk landscape. By performing a risk assessment, organizations can identify and mitigate potential risks before they are exploited, ensuring that security measures are always aligned with the current operational environment and helping to maintain a robust security posture [31].

3. Comparison among Different Cybersecurity Models

Diverse organizations followed the Castle-and-Moat model for cybersecurity before the pandemic, allowing users unrestricted access to applications and data once they were within the internal network [4]. Organizations using the model invest significant resources to protect their network boundaries, such as deploying firewalls, intrusion detection systems, intrusion prevention systems, and other security tools to prevent external threats. However, similar to a breach in a castle’s defenses through an overlooked weakness, the model would be ineffective in preventing a cyberattack if a network vulnerability in the network service is exploited, allowing attackers to bypass perimeter protections.
The CIA Triad model is another guiding model of cybersecurity, consisting of confidentiality, integrity, and availability. This model emphasizes preventing unauthorized access or disclosure, using multiple technologies to prevent unauthorized data changes to ensure data accuracy and consistency, and maintaining system continuity with system redundancy and disaster recovery strategies. In 2002, retired information security consultant and researcher Donn Parker added three additional elements to the CIA Triad model—authenticity, possession or control, and utility, resulting in the Parkerian Hexad model. The three elements address enforcing policies regarding using, distributing, and modifying information, ensuring that it is authentic, reliable, securely controlled, and serves its purpose.
The Zero-Trust Model, Castle-and-Moat Model, and Parkerian Hexad Model represent distinct cybersecurity frameworks with specific strengths and limitations. The Zero-Trust Model operates on the premise that no entity, whether internal or external, should be trusted by default, which is suited for current cyber environments characterized by remote access and dynamic networks. However, its complexity and resource-intensive implementation can be challenging to adopt and maintain fully. The Castle-and-Moat Model is more suitable for traditional, static networks as it focuses on protecting network perimeters through robust external defenses while assuming that internal users are inherently trustworthy. However, it is vulnerable to insider threats and less effective in contexts involving mobile or remote workforces. In contrast to the first two models, the Parkerian Hexad Model underlines the strengthening of the protection of systems and networks in environments that require detailed information management.

4. Issues for Implementing Zero Trust

The following section discusses many of the prominent challenges that persist in implementing a zero-trust architecture within organizations. Although these issues threaten the success of a zero-trust implementation, they can be overcome through careful planning and effective communication within the organization. By understanding how these challenges manifest, system managers may protect their organization and greatly enhance security measures.

4.1. Insider Threat Management

An insider threat is one posed by individuals within the organization [31]. It is generally considered one of the top security concerns in any organization, and managing this insider threat is a critical component of zero-trust cybersecurity [32]. These threats can come from current and former employees of the company, workers from contracted vendors and business partners who have legitimate access to the network and systems, or even managers of cloud-computing vendors [33]. In this situation, adopting the “never trust, always verify” principle is critical for reducing insider threats. To prevent insider threats, zero-trust cybersecurity can be applied through continuous monitoring, strict access controls, and training for potential breaches [34,35].

4.1.1. Continuous Monitoring

Monitoring activities within the organization is the first step in preventing insider threats. Insiders are considered to be very “trusted” people. Monitoring them involves using advanced tools and methods to identify unusual behaviors or actions that could signal potential threats or risky behavior [36]. According to [36], insider threat mitigation includes all types of technology to alert, monitor, notify, and report on activities that occur on a network. For example, this involves deploying user behavior analysis to monitor and analyze user activities continuously. Monitoring behaviors and ensuring that infiltrations are unsuccessful is the goal of behavioral analysis for insider threat mitigation [37]. It uses machine learning algorithms to establish normal behavior patterns and detect deviations that may indicate malicious intent or risky actions [38,39].

4.1.2. Access Controls and Least Privilege

Access controls are one of the core elements of insider threat management [32,40]. To achieve strong prevention of insider threats and maintain zero-trust cybersecurity, implementing least privilege is the first thing to do. If a user has excessive privileges, or a company has not mapped user privileges against actual access, it may be hard to identify who accessed the system or who allowed a user to sabotage it [32]. To mitigate this problem, for example, role-based access control (RBAC) can ensure that only users with the right role can access the permitted system, so that unauthorized access is prevented [32,40]. In addition, regular reviews and audits of access permissions are also crucial to maintaining zero-trust security [32,40].

4.1.3. Training and Awareness

Human factors, such as mistakes and lack of security awareness, account for a significant portion of insider threats. Therefore, many organizations have to use training and awareness programs to reduce insider threats caused by humans [32,40]. In regular educational sessions, employees learn about the importance of information and cybersecurity, how to recognize and respond to threats such as phishing attempts, how to use passwords properly, and how to securely handle sensitive data [40]. As a result, organizations not only enhance their employees’ ability to prevent and respond to security incidents but also implement zero-trust cybersecurity frameworks and environments [32].

4.2. Customers/Users/Patrons

Often one of the greatest potential vulnerabilities for an organization is not technology or even internal employees, but rather the customers, users, or patrons who interact with the organization. Data are constantly being exchanged between the organization and its users. These individuals must simultaneously be viewed as subjects of cyberthreats as well as potential causes of cyberthreats—access must be balanced with ensuring control and security. Most members of the general public are woefully underprepared to prevent or address emerging cyberthreats if targeted [41,42]. One factor that appears important is whether the users have a stake in the technology they are using and the data that are being shared, as they are likely to be more protective of data on personal devices [43]. Another factor is whether they have ever received formal instruction about cybersecurity behavior, which has been shown to produce better security behavior [44]. Transparency with users as to why new cybersecurity plans and procedures—some of which may seem inconvenient—are being implemented is key to earning buy-in [45].

4.3. Cybersecurity Awareness for Customers/Users/Patrons

Ensuring that users are well-informed about the risks associated with interacting with the organization and systems in general is a critical dimension for shoring up this vulnerability. Training should highlight the justifications for new procedures, clearly outline what the procedures are, and provide examples and activities as needed to reinforce the procedures. For instance, an organization may offer exercises to highlight new procedures for multi-factor authentication or how to handle potential social engineering attacks [46]. Training could be formal (content the user must learn before they can access a system) or informal (reminders about best practices for cybersecurity) and may include targeted approaches aimed at particularly vulnerable user populations [47]. Organizations may seek to strike a balance between the potential costs of cyberthreats and the costs of training the public. The different approaches to cybersecurity awareness training that exist today provide options for the organization to consider [48].

4.4. User-Focused Solutions

Users are not experts in cybersecurity. They very well may not even be familiar with the systems in use within an organization. Thus, it is critical to meet the users where they are in terms of knowledge and ability. Users of systems that are designed with high usability are less likely to engage in behavior that could leave the organization susceptible to threats [49]. Clear policy surrounding the use of these systems will further support these security initiatives [50]. A zero-trust architecture will naturally support greater security, but it too needs buy-in, given the amount of change it may require [51]. Incorporating feedback from actual users may help support this process.

4.5. Hybrid Cloud Protection

Hybrid cloud is defined as a combination of two or more cloud services, such as public, private, and community, and it can cause unique security challenges due to cloud vendors’ lack of security standards or customers’ wrong assumptions about the security level of the used cloud service [32]. Implementing zero trust in these settings necessitates a comprehensive strategy to protect data, applications, and infrastructure across all platforms. Unlike on-premises infrastructure, cloud systems are external to the organization. Numerous stakeholders and components are involved between the cloud vendor and the organization utilizing the cloud service.

4.5.1. Challenges in Hybrid Cloud Security

Hybrid cloud services cause complexities in security management even though they offer flexibility and scalability. Researchers have identified many security challenges in cloud computing, including securing data storage and data encryption, keeping data confidentiality and accountability, lack of audit features, as well as maintaining consistent security policies across different environments, managing access controls, securing data both in transit and at rest, and ensuring privacy and security control over all components [52]. Tabrizchi et al. [53] find that the major challenge in the adoption of the cloud is security, and these challenges force the integration of a robust security framework that extends seamlessly across different cloud platforms and on-premises systems. Moreover, it should ensure consistent policy enforcement and threat detection. In addition, every access request, regardless of its origin, must be continuously authenticated and authorized. If not, the hybrid cloud system may be compromised by unauthorized users. Besides those challenges, hybrid clouds involve frequent data transfers between cloud services and customers, which increases the complexity of security management. To effectively tackle these challenges, organizations need to embrace advanced technologies and strategies [54].

4.5.2. Implementing a Security Framework

Implementing a robust security framework in the hybrid cloud environment is critical to securing zero trust. The implemented security framework should incorporate security policies, processes, and technologies to provide integrated protection across all platforms. There are many frameworks, but the National Institute of Standards and Technology (NIST) provides a comprehensive cybersecurity framework for hybrid cloud settings. The NIST Cybersecurity Framework includes six core functions: Govern, Identify, Protect, Detect, Respond, and Recover [32,40]. These functions offer a structured approach to managing cybersecurity risks and applying zero-trust cybersecurity principles [55]. Organizations may adapt the NIST framework by integrating best practices for their unique needs and to meet industry standards [32,40]. In addition, service level agreements (SLAs) are important contracts in managing security in a hybrid cloud. These agreements help users and cloud vendors set their expectations and define the conditions under which providers are responsible for outages or performance problems [32,40]. Usually, an SLA consists of a statement of objectives, a list of services, and the responsibilities of both the service provider and the customer. SLAs may cover data encryption, monitoring systems, threat detection coverage, incident response protocols, and compliance with standards and regulations. By adopting a security framework and maintaining it via SLAs, organizations can ensure that their hybrid clouds are secure and can hold service providers to their security level [56].

4.5.3. Data Protection

Hybrid cloud computing environments are diverse and challenging to control because they consist of multiple platforms, such as an integration of private and public clouds. Therefore, data flows are very complicated and have many vulnerable points, so protecting data by encryption and access control is critical [57]. By restricting access to encryption and decryption keys to authorized users only, data protection in cloud computing environments can be greatly enhanced. Data encryption is a starting point for maintaining the confidentiality and integrity of data. If data are encrypted both in transit and at rest, they remain secure so that an unauthorized person cannot access them. Additionally, adding access control in a hybrid cloud may enhance data protection. Organizations must securely manage encryption and decryption keys to prevent unauthorized access [32]. This can lead to end-to-end encryption, where data are encrypted before they are sent and only decrypted by authorized recipients, which adds an extra layer of security [40]. Taking this comprehensive approach to keeping data safe protects sensitive information and helps maintain the reliability and security of cloud services.

4.5.4. Privacy

The risk of privacy breaches increases for data-in-transit, data-in-use, and data-at-rest with cloud service providers (CSPs), and it occurs when security vulnerabilities in current technologies transfer to the cloud platform and then create potential security threats [57]. According to the Cloud Security Alliance (CSA) and other scholarly sources, key privacy threats in cloud computing include data disclosure, access rights management issues, and difficulties in data destruction [54,58]. Virtualized cloud services also have privacy challenges because multi-tenant and cross-domain sharing can complicate service authorization and access control, and it may increase the risk of unauthorized access and data breaches [57,59]. Addressing privacy concerns in cloud computing requires a multi-faceted approach incorporating advanced technologies, robust policies, and best practices [60,61]. According to [60], to reduce data privacy problems, organizations should ensure they know the logical and physical location of their data, including the state, country, and specific data center, to address potential regulatory, contractual, and jurisdictional issues; establishing location and jurisdictional policies to govern data location is essential. Intelligent data segregation techniques should be adopted to separate data from different users effectively. Using strong encryption techniques for backup data is crucial to preventing data leakage.

4.5.5. Monitoring and Detection

Real-time monitoring and detection of potential threats are critical for protecting any networked system, including hybrid cloud [32,40,55]. They allow organizations to identify and respond to threats promptly. Security information and event management (SIEM) systems are an excellent example [32]. SIEM solutions collect and analyze logs and events from various sources within the hybrid cloud system, and they can provide a complete view of security activities in the network of cloud systems [40]. SIEM systems facilitate rapid threat detection and response by correlating events and identifying patterns indicative of malicious behavior. Also, cloud security posture management (CSPM) tools can automate the assessment of cloud security configurations, identify potential vulnerabilities, and check compliance with security policies [62]. CSPM solutions continuously monitor cloud systems for misconfigurations and deviations from best practices. This can help organizations maintain a secure posture of cloud systems.

4.5.6. Access Controls and Least Privilege

Access controls and least privilege are essential for securing a hybrid cloud. This approach grants the right users the permissions they need to do their jobs, and it reduces unauthorized access and data breaches. To make sure that data stay private and intact, organizations need to use advanced encryption methods for data both in transit and at rest. It is also important to securely handle encryption keys using key management services [32,57]. In addition, advanced authentication protocols such as multi-factor authentication and dynamic reciprocal authentication may offer more secure authentication, and they may prevent phishing and man-in-the-middle attacks [63,64]. Among developing technologies, smart virtual cards and blockchain technology can provide additional layers of security by ensuring the integrity and authenticity of transactions [65]. Furthermore, machine-learning-based intrusion detection systems implemented with support vector machines (SVM) and information gain (IG) may improve the speed and accuracy of detecting malicious activities [66]. Besides those, the mobile cloud intrusion detection and prevention system (MINDPRES) has been developed. These systems can leverage machine learning to analyze network traffic and device resources dynamically, providing robust protection against intrusions [67].

5. Contextual Differences in Zero-Trust Cybersecurity

Importantly, the appearance of zero-trust implementation may differ based on context. A for-profit organization with few customers will look distinct from a public library. Both organizations need a high level of security as common targets of attacks, but the threats for a small organization with few customers (likely an external threat) are different from those of a library with many public users. Additionally, the targets of attacks may differ. A for-profit organization may be attacked for financial information, whereas a public library may be attacked for patron data or to hijack systems for ransom. These factors are all important in the design of the zero-trust architecture. The following sections explore several unique contexts in detail.

The University Environment

Institutions of higher education (IHEs) hold access to protected information not only about employees (e.g., social security numbers), but also thousands of students. A breach of this information could not only cause irreparable damage to the reputation of the institution and put students and employees at risk but also make the institution criminally liable for failing to protect these parties’ information [68]. Obviously, this would come with severe direct and indirect impacts on the institution’s financial standing and public trust. Given these consequences, preserving security at all costs is vital.
Many colleges and universities already utilize strategies like multi-factor authentication to prevent hacking, but one can argue that these measures are insufficient. There are many systems within universities that hold very sensitive information and yet are accessible to lower-level employees like part-time and student workers [69]. Employees at all levels regularly access systems from different locations around campus—an instructor could easily forget to log out of a classroom computer station. The vulnerabilities are practically boundless. Zero-trust solutions may provide an answer to protect these valuable higher education resources.
Here are a few examples of how zero trust can support cybersecurity in higher education:
  • Zero trust can limit access to only the information employees need when they need it [70]. For instance, a student employee may need to access student records in the course of their work, but they have no legitimate rationale to access this information outside of work hours or away from their workstation.
  • Faculty members have substantial amounts of information, including student grades and funding accounts, that must be protected [71]. When they leave a computer station unattended—such as in a classroom when they leave to use the restroom—they create a vulnerability. Session timeouts can protect these workstations by locking the computer and requiring a fresh log-in to access the station again. While this solution may cause frustration for some faculty members, it may also prevent a major breach.
  • Students require access to many systems, offering a slightly different dynamic where they must share large amounts of private information but have limited access to the stored information of others [72]. Permissions must be managed to protect students from their own peers.

6. The Library Environment

Libraries hold immense stores of information in the form of the copyrighted physical and digital works they lend to patrons, the access they afford to the Internet, and the data they possess about their patrons [73]. All of this information is potentially valuable to attackers. If, for instance, a hacker gains access to patrons’ sensitive information, they could hold it for ransom, as in the case of Toronto Public Libraries. As with institutions of higher education, libraries present unique cyberthreat challenges because they must manage both employee and patron/user populations [74].
Within libraries, patrons must have access to their own data and data about library resources, but not data pertaining to other patrons. Front-line library workers must have some ability to look up information but do not usually need access to information about other aspects of internal library operations or fellow employees. Administrators, however, need access to wide-ranging data. This necessitates varying levels of permissions based on an individual’s credentials [75]. Fortunately, this mandate is built directly into zero-trust cybersecurity. Additional ways that zero-trust may support cybersecurity in libraries include:
  • Protecting patrons against invasions of privacy by authorities could be supported by zero trust measures. Historically, library records have been a target of police, who might use them to monitor patron behavior. The American Library Association, the leading organization for libraries, strongly opposes this activity and supports practices that restrict these efforts [76]. Nonetheless, it can be intimidating for an unprepared front-line library worker if confronted by law enforcement. A zero-trust system could prevent these officials from easily gaining access to this information from a front-line employee, forcing them to follow the prescribed path of receiving a warrant and communicating with the library director.
  • As with the case of an instructor who leaves a computer unattended, session timeouts can be used to secure employee workstations to ensure no unmonitored patrons gain access to unauthorized information [77].
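The access rules described above for universities and libraries (hours- and workstation-bound access for student employees, session timeouts, patrons limited to their own data, and tiered staff permissions) can be combined into a single default-deny check that runs on every request. The following Python example is an added illustration, not code from the article or from any cited system; the role names, resource names, workstation identifier, working hours, and 10-minute timeout are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional, Tuple

# Every role, resource, device name, hour range and timeout here is a
# constructed assumption used to illustrate the article's scenarios.
IDLE_TIMEOUT = timedelta(minutes=10)


@dataclass(frozen=True)
class Grant:
    resource: str
    own_data_only: bool = False                # requester must own the record
    devices: frozenset = frozenset()           # empty set = any device
    hours: Optional[Tuple[time, time]] = None  # None = any time of day


# Least privilege: a role can reach only what is listed; all else is denied.
POLICY = {
    "student_worker": [
        Grant("student_record", devices=frozenset({"REG-DESK-01"}),
              hours=(time(9, 0), time(17, 0))),
    ],
    "faculty": [Grant("grades"), Grant("student_record")],
    "patron": [
        Grant("catalog"),
        Grant("patron_account", own_data_only=True),
        Grant("borrowing_history", own_data_only=True),
    ],
    # Front-line staff can look up accounts but not borrowing histories,
    # so a records request has to go through the director.
    "front_line": [Grant("catalog"), Grant("patron_account")],
    "director": [Grant("catalog"), Grant("patron_account"),
                 Grant("borrowing_history")],
}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    owner: str                # whose data the record holds
    device: str               # workstation the request came from
    now: datetime
    last_activity: datetime   # last interaction in this session
    mfa_verified: bool = True


def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check runs on every request."""
    # Continuous authentication: identity must be proven, session must be live.
    if not req.mfa_verified:
        return False, "identity not verified"
    if req.now - req.last_activity > IDLE_TIMEOUT:
        return False, "session timed out"
    # Default deny: no matching grant means no access.
    grant = next((g for g in POLICY.get(req.role, ())
                  if g.resource == req.resource), None)
    if grant is None:
        return False, "no grant for role"
    if grant.own_data_only and req.owner != req.user:
        return False, "not the data owner"
    if grant.devices and req.device not in grant.devices:
        return False, "device not permitted"
    if grant.hours and not (grant.hours[0] <= req.now.time() < grant.hours[1]):
        return False, "outside permitted hours"
    return True, "allowed"


if __name__ == "__main__":
    morning = datetime(2024, 9, 16, 10, 0)   # constructed sample timestamps
    evening = datetime(2024, 9, 16, 20, 0)
    samples = [
        Request("s.worker", "student_worker", "student_record", "a.student",
                "REG-DESK-01", morning, morning - timedelta(minutes=1)),
        Request("s.worker", "student_worker", "student_record", "a.student",
                "REG-DESK-01", evening, evening - timedelta(minutes=1)),
        Request("prof", "faculty", "grades", "a.student",
                "CLASSROOM-12", morning, morning - timedelta(minutes=25)),
        Request("clerk", "front_line", "borrowing_history", "p1",
                "CIRC-DESK-02", morning, morning - timedelta(minutes=1)),
    ]
    for r in samples:
        print(r.role, r.resource, evaluate(r))
```

Because the session and identity checks come first, an unattended classroom workstation is rejected before any role-based grant is even consulted.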

7. The Supply Chain Environment

Supply chains consist of entities directly providing and distributing products, services, funds, and information from origin to destination [78]. They are an integral part of daily life in contemporary society as they facilitate delivering essential items such as water, food, healthcare, medications, and energy resources [79]. Supply chain management covers extensive planning, sourcing, production, delivery, and returns management [80]. However, the general interconnections among stakeholders, technologies, and geographic locations in contemporary supply chain systems introduce vulnerabilities that malicious actors can exploit [81]. Big data analytics provides valuable insights for optimizing operations, predicting demand, and enhancing the customer experience, but its advent has led to exponential growth in data across the supply chain, including information from procurement, production, distribution, and customer interaction. This growth increases the complexity of data security: the vast amount of data flowing through the supply chain can be challenging to monitor and secure, and participants accessing large data sets may inadvertently or intentionally misuse or disclose sensitive information, exacerbating security challenges [82,83]. Meanwhile, big data analytics broadens the cyberattack surface and makes organizations vulnerable to potential breaches, particularly identity-based attacks such as theft or misuse of user credentials, privileges, or personal information.
Achieving zero trust in the supply chain involves developing comprehensive, enterprise-wide security plans and strategies [84], including addressing the intricate relationships between upstream and downstream stakeholders, flows of material, information, and finances, and access transaction strategies. Unlike the IT field, the supply chain encompasses not only technical systems but also complex processes, individuals, and relationships, all requiring careful consideration and attention [84]. Based on the National Institute of Standards and Technology zero-trust architecture guideline [85], Collier and Sarkis proposed the following transitional steps for implementing zero trust in the supply chain:
  • Supply chain organizations need to identify participants and boundaries, distinguish between internal and external participants (including suppliers, clients, and internal employees), and understand their roles and the level of access required [84].
  • Identify supply chain assets by cataloging data, information, and systems within the enterprise and recognizing non-enterprise participants and technologies that interact with the supply chain. Understand general business processes related to the organization’s mission, such as trust-related processes and contractually mandated procedures for non-enterprise participants. Identify threats posed by participants, assets, and processes, and conduct risk assessments to prioritize zero-trust implementation and its impact on business objectives [84].
  • During deployment and monitoring, the organization should decide on a deployment strategy, possibly using a trial mode, and gather the necessary data to evaluate success while ensuring the ability to revert to the previous configuration [84].
  • Finally, implementing zero trust involves designing an iterative process that builds on successes and learns from failures, gradually transitioning, adjusting priorities, and incorporating continuous improvement into deployments [84].

8. Conclusions

By transitioning from a traditional “trust but verify” to a “never trust, always verify” approach, zero-trust cybersecurity focuses on continuous verification, strict access controls, and the assumption that breaches are inevitable even when everything appears to be in the hands of trusted people and resources [9]. This paper has explored the core principles of zero trust and the context of applying the zero-trust cybersecurity framework. Zero-trust cybersecurity implementation has been examined with a detailed focus on insider threats and hybrid clouds, and the unique challenges and strategies for different environments such as libraries, universities, and warehouses have been discussed.
Understanding different situations where zero-trust cybersecurity is used is important to make sure it works well. In universities, for example, there are a lot of different users, open networks, and important research, so the main focus is on protecting research data, keeping student information safe, and making sure students can access educational resources securely. In libraries, the priorities are protecting patron data, securing public access computers, and maintaining the integrity of digital resources. Warehouses, on the other hand, deal with automation and IoT devices, so the emphasis is on securing those devices, protecting inventory data, and ensuring physical security. By customizing zero-trust cybersecurity to fit their specific environments, organizations can improve their security, protect their data and systems, and keep users safe from cyber threats. It might be hard at first to implement zero trust because some workers who are used to fewer restrictions might hesitate. But it is really important to highlight the need to protect the organization, so switching from the old way of doing cybersecurity to zero trust is something that cannot be avoided.
Future research could focus on creating more advanced, user-friendly security analytics tools that use AI and machine learning for real-time threat detection and response. It is also important to explore more efficient and cost-effective ways to implement zero trust, especially for small and medium-sized businesses. Tailoring zero trust strategies to data- and information-rich environments is essential as well. As remote work and hybrid cloud setups continue to grow, ongoing research is needed to find the best practices and new solutions. Another key area for study is striking the right balance between security and usability so that security measures do not interfere with efficiency or user satisfaction. Long-term studies looking at how zero trust performs across different industries would give us a clearer picture of its sustainability. Plus, a range of case studies on real-world zero trust implementations could offer valuable insights for organizations considering adopting this approach.
For more information about the zero trust model, frequently asked questions about the model, and educational videos, Microsoft offers an excellent informational and demo website at https://www.microsoft.com/en-us/security/business/zero-trust (accessed on 14 September 2024). The National Institute of Standards and Technology publication on zero trust can be found at https://doi.org/10.6028/NIST.SP.800-207 (accessed on 14 September 2024). Additionally, there is a growing body of research on this topic, which can be found in scholarly indices. This is an emerging topic, and additional new publications about zero trust and how to implement it within various organizations should appear frequently in the literature.

Author Contributions

Conceptualization, B.D.L., Z.W. and T.W.; Formal Analysis, B.D.L., T.-H.L., Z.W. and T.W.; Writing—Original Draft Preparation, B.D.L., T.-H.L., Z.W., T.W. and N.R.M.; Writing—Review and Editing, B.D.L. and N.R.M. All authors have read and agreed to the published version of the manuscript.

Funding

The preparation of this manuscript was supported in part by Cyber-CREWS project DHS Award: 23STSLA00013.

Acknowledgments

One author of this manuscript used Grammarly to assist with improving the quality of the writing in their section of the paper. This tool may utilize generative artificial intelligence to assist with the revision of text. No other AI tools were used in the preparation of this manuscript.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Rose, S.; Borchert, O.; Mitchell, S.; Connelly, S. Zero Trust Architecture; NIST Special Publication, 800-207; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020.
  2. Bridge, S.; Zoledziowski, A. 1 Million Books and 4 Months Later, Toronto’s Library Recovers from a Cyberattack. Canadian Broadcasting Corporation. 2024. Available online: https://www.cbc.ca/news/canada/toronto/toronto-library-ransomware-recovery-1.7126412 (accessed on 12 June 2024).
  3. Kerman, A. Zero Trust Cybersecurity: ‘Never Trust, Always Verify’. 2020. Available online: https://www.nist.gov/blogs/taking-measure/zero-trust-cybersecurity-never-trust-always-verify (accessed on 14 July 2024).
  4. Department of Defense. Zero Trust Referenced Architecture. 2022. Available online: https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf (accessed on 12 July 2024).
  5. Kang, H.; Liu, G.; Wang, Q.; Meng, L.; Liu, J. Theory and Application of Zero Trust Security: A Brief Survey. Entropy 2023, 25, 1595.
  6. Chen, Y.; Hu, H.; Cheng, G. Design and implementation of a novel enterprise network defense system by maneuvering multi-dimensional network properties. Front. Inf. Technol. Electron. Eng. 2019, 20, 238–252.
  7. Assunção, P. A zero-trust approach to network security. In Proceedings of the Digital Privacy and Security Conference, Porto, Portugal, 16 January 2019; pp. 65–72.
  8. Kumar, P.; Moubayed, A.; Refaey, A.; Shami, A.; Koilpillai, J. Performance Analysis of SDP For Secure Internal Enterprises. In Proceedings of the 2019 IEEE Wireless Communications and Networking Conference, Marrakesh, Morocco, 15–18 April 2019; pp. 1–6.
  9. Buck, C.; Olenberger, C.; Schweizer, A.; Völter, F.; Eymann, T. Never trust, always verify: A multivocal literature review on current knowledge and research gaps of zero-trust. Comput. Secur. 2021, 110, 102436.
  10. Rivera, J.J.D.; Muhammad, A.; Song, W.C. Securing Digital Identity in the Zero Trust Architecture: A Blockchain Approach to Privacy-Focused Multi-Factor Authentication. IEEE Open J. Commun. Soc. 2024, 5, 2792–2814.
  11. Ferrag, M.A.; Maglaras, L.; Argyriou, A.; Kosmanos, D.; Janicke, H. Security for 4G and 5G cellular networks: A survey of existing authentication and privacy-preserving schemes. J. Netw. Comput. Appl. 2018, 101, 55–82.
  12. Ometov, A.; Bezzateev, S.; Mäkitalo, N.; Andreev, S.; Mikkonen, T.; Koucheryavy, Y. Multi-factor authentication: A survey. Cryptography 2018, 2, 1.
  13. Cunningham, C. Zero Trust. 2018. Available online: https://go.forrester.com/blogs/next-generation-access-and-zero-trust/ (accessed on 14 June 2024).
  14. Identity Management Institute. Digital Identity Certificate. Available online: https://identitymanagementinstitute.org/digital-identity-certificate/ (accessed on 18 June 2024).
  15. West, M. Preventing system intrusions. In Network and System Security; Vacca, J.J., Ed.; Syngress: Newton, MA, USA, 2013; pp. 29–56.
  16. DelBene, K.; Medin, M.; Murray, R. The Road to Zero Trust (Security); DIB Zero Trust White Paper, 9; U.S. Department of Defense: Washington, DC, USA, 2019.
  17. Azad, M.A.; Abdullah, S.; Arshad, J.; Lallie, H.; Ahmed, Y.H. Verify and trust: A multidimensional survey of zero-trust security in the age of IoT. Internet Things 2024, 27, 101227.
  18. Bandari, V. Enterprise data security measures: A comparative review of effectiveness and risks across different industries and organization types. Int. J. Bus. Intell. Big Data Anal. 2023, 6, 1–11.
  19. Ferraiolo, D.F.; Sandhu, R.; Gavrila, S.; Kuhn, D.R.; Chandramouli, R. Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur. (TISSEC) 2001, 4, 224–274.
  20. Sandhu, R.S. Role-based access control. IEEE Comput. Comput. 1995, 29, 38–47.
  21. Fadhel, A.B.; Bianculli, D.; Briand, L. A comprehensive modeling framework for role-based access control policies. J. Syst. Softw. 2015, 107, 110–126.
  22. Yao, Q.; Wang, Q.; Zhang, X.; Fei, J. Dynamic access control and authorization system based on zero-trust architecture. In Proceedings of the 2020 1st International Conference on Control, Robotics and Intelligent System, Xiamen, China, 27–28 October 2020; pp. 123–127.
  23. Simpson, W.R.; Foltz, K.E. Network Segmentation and Zero Trust Architectures. In Proceedings of the World Congress on Engineering 2021, London, UK, 7–9 July 2021.
  24. Wagner, N.; Sahin, C.S.; Peña, J.; Streilein, W. Automatic Generation of Cyber Architectures Optimized for Security, Cost, and Mission Performance: A Nature-Inspired Approach. In Advances in Nature-Inspired Computing and Applications; Springer: Cham, Switzerland, 2019; pp. 1–25.
  25. Simpson, W.R. Toward a zero trust metric. Procedia Comput. Sci. 2022, 204, 123–130.
  26. Kallatsa, M. Strategies for Network Segmentation: A Systematic Literature Review. Master’s Thesis, University of Jyväskylä, Jyväskylä, Finland, 2024.
  27. Hemberg, E.; Zipkin, J.R.; Skowyra, R.W.; Wagner, N.; O’Reilly, U.-M. Adversarial Co-Evolution of Attack and Defense in a Segmented Computer Network Environment. In Proceedings of the Genetic and Evolutionary Computation Conference Companion, Kyoto, Japan, 15–19 July 2019; pp. 1648–1655.
  28. Katsis, C.; Cicala, F.; Thomsen, D.; Ringo, N.; Bertino, E. Can I Reach You? Do I Need To? New Semantics in Security Policy Specification and Testing. In Proceedings of the 26th ACM Symposium on Access Control Models and Technologies, Virtual, 16–18 June 2021; pp. 165–174.
  29. Ghosemajumder, S. You Can’t Secure 100% of Your Data 100% of the Time. 2017. Available online: https://hbr.org/2017/12/you-cant-secure-100-of-your-data-100-of-the-time (accessed on 12 June 2024).
  30. Kujo, J. Implementing Zero trust Architecture for Identities and Endpoints. Master’s Thesis, Jamk University of Applied Sciences, Jyväskylä, Finland, 2023. Available online: https://www.theseus.fi/bitstream/handle/10024/796603/Thesis_Jani_Kujo.pdf?sequence=2 (accessed on 15 June 2024).
  31. National Institute of Standards and Technology. Guide for Conducting Risk Assessment. 2012. Available online: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-30r1.pdf (accessed on 10 July 2024).
  32. Deane, A.J.; Kraus, A. The Official (ISC)2 CISSP CBK Reference, 6th ed.; Wiley: Hoboken, NJ, USA, 2021.
  33. Cappelli, D.; Moore, A.; Trzeciak, R. The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud); Addison-Wesley Professional: Boston, MA, USA, 2012.
  34. Ophoff, J.; Jensen, A.; Sanderson-Smith, J.; Porter, M. A descriptive literature review and classification of insider threat research. InSITE 2014, 14, 211–223.
  35. Rousseau, T.L. Insider Threat: Replacing the Trusted Security Model. Ph.D. Thesis, Capella University, Minneapolis, MN, USA, 2021.
  36. Greitzer, F.L. Insider threats: It’s the human, stupid! In Proceedings of the Northwest Cybersecurity Symposium, Richland, WA, USA, 8–10 April 2019; pp. 1–8.
  37. Homoliak, I.; Toffalini, F.; Guarnizo, J.; Elovici, Y.; Ochoa, M. Insight into insiders and it: A survey of insider threat taxonomies, analysis, modeling, and countermeasures. ACM Comput. Surv. (CSUR) 2019, 52, 1–40.
  38. Shah, V. Machine Learning Algorithms for Cybersecurity: Detecting and Preventing Threats. Rev. Esp. Doc. Cient. 2021, 15, 42–66.
  39. Rabbani, M.; Wang, Y.; Khoshkangini, R.; Jelodar, H.; Zhao, R.; Bagheri Baba Ahmadi, S.; Ayobi, S. A review on machine learning approaches for network malicious behavior detection in emerging technologies. Entropy 2021, 23, 529.
  40. Ciampa, M. CompTIA Security+ Guide to Network Security Fundamentals; Cengage Learning: Boston, MA, USA, 2017.
  41. Johri, A.; Kumar, S. Exploring customer awareness towards their cyber security in the Kingdom of Saudi Arabia: A study in the era of banking digital transformation. Hum. Behav. Emerg. Technol. 2023, 2023, 2103442.
  42. Moallem, A. Cybersecurity Awareness among Students and Faculty; CRC Press: Boca Raton, FL, USA, 2019.
  43. Ameen, N.; Tarhini, A.; Shah, M.H.; Madichie, N.; Paul, J.; Choudrie, J. Keeping customers’ data secure: A cross-cultural study of cybersecurity compliance among the Gen-Mobile workforce. Comput. Hum. Behav. 2021, 114, 106531.
  44. McCrohan, K.F.; Engel, K.; Harvey, J.W. Influence of awareness and training on cyber security. J. Internet Commer. 2010, 9, 23–41.
  45. Norris, D.F.; Mateczun, L.; Joshi, A.; Finin, T. Cybersecurity at the grassroots: American local governments and the challenges of internet security. J. Homel. Secur. Emerg. Manag. 2018, 15, 20170048.
  46. Miranda, M.J. Enhancing cybersecurity awareness training: A comprehensive phishing exercise approach. Int. Manag. Rev. 2018, 14, 5–10.
  47. Li, Y.; Xin, T.; Siponen, M. Citizens’ cybersecurity behavior: Some major challenges. IEEE Secur. Priv. 2022, 20, 54–61.
  48. Zhang, Z.; He, W.; Li, W.; Abdous, M.H. Cybersecurity awareness training programs: A cost–benefit analysis framework. Ind. Manag. Data Syst. 2021, 121, 613–636.
  49. Nurse, J.R.; Creese, S.; Goldsmith, M.; Lamberts, K. Guidelines for usable cybersecurity: Past and present. In Proceedings of the 2011 Third International Workshop on Cyberspace Safety and Security (CSS), Milan, Italy, 8 September 2011; pp. 21–26.
  50. AlQadheeb, A.; Bhattacharyya, S.; Perl, S. Enhancing cybersecurity by generating user-specific security policy through the formal modeling of user behavior. Array 2022, 14, 100146.
  51. Phiayura, P.; Teerakanok, S. A comprehensive framework for migrating to zero trust architecture. IEEE Access 2023, 11, 19487–19511.
  52. Tissir, N.; El Kafhali, S.; Aboutabit, N. Cybersecurity management in cloud computing: Semantic literature review and conceptual framework proposal. J. Reliab. Intell. Environ. 2021, 7, 69–84.
  53. Tabrizchi, H.; Kuchaki Rafsanjani, M. A survey on security challenges in cloud computing: Issues, threats, and solutions. J. Supercomput. 2020, 76, 9493–9532.
  54. Cloud Security Alliance. Toward a Zero Trust Architecture: A Guided Approach for a Complex and Hybrid World; Cloud Security Alliance: Seattle, WA, USA, 2021.
  55. National Institute of Standards and Technology (NIST). The NIST Cybersecurity Framework (CFS) 2.0; National Institute of Standards: Washington, DC, USA, 2024.
  56. Fotiou, N.; Machas, A.; Polyzos, G.C.; Xylomenos, G. Access control as a service for the Cloud. J. Internet Serv. Appl. 2015, 6, 1–15.
  57. Sun, P. Security and privacy protection in cloud computing: Discussions and challenges. J. Netw. Comput. Appl. 2020, 160, 102642.
  58. Tourani, R.; Stubbs, R.; Misra, S. TACTIC: Tag-based access control framework for the information-centric wireless edge networks. In Proceedings of the 2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS), Vienna, Austria, 2–6 July 2018; pp. 456–466.
  59. Ang, Z. A Survey of Security Issues in Mobile Cloud Computing. In Proceedings of the 2021 International Conference on Signal Processing and Machine Learning (CONF-SPML), Beijing, China, 18–20 August 2021; pp. 117–121.
  60. Kumar, P.R.; Raj, P.H.; Jelciana, P. Exploring data security issues and solutions in cloud computing. Procedia Comput. Sci. 2018, 125, 691–697.
  61. Reed, C.; Rezek, C.; Simmonds, P. Security Guidance for Critical Area of Focus in Cloud Computing V3.0; Cloud Security Alliance (CSA): Seattle, WA, USA, 2011; pp. 1–177.
  62. Loaiza Enriquez, R. Cloud Security Posture Management (CSPM) in Azure. Bachelor’s Thesis, Metropolia University of Applied Sciences, Metropolia, Finland, 2021.
  63. Mo, J.; Hu, Z.; Chen, H.; Shen, W. An efficient and provably secure anonymous user authentication and key agreement for mobile cloud computing. Wirel. Commun. Mob. Comput. 2019, 2019, 4520685.
  64. Ahmed, A.A.; Wendy, K.; Kabir, M.N.; Sadiq, A.S. Dynamic reciprocal authentication protocol for mobile cloud computing. IEEE Syst. J. 2020, 15, 727–737.
  65. Derhab, A.; Belaoued, M.; Guerroumi, M.; Khan, F.A. Two-factor mutual authentication offloading for mobile cloud computing. IEEE Access 2020, 8, 28956–28969.
  66. Mugabo, E.; Zhang, Q.Y. Intrusion Detection Method Based on Support Vector Machine and Information Gain for Mobile Cloud Computing. Int. J. Netw. Secur. 2020, 22, 231–241.
  67. Ogwara, N.O.; Petrova, K.; Yang, M.L.; MacDonell, S. Enhancing Data Security in the User Layer of Mobile Cloud Computing Environment: A Novel Approach. In Advances in Security, Networks, and Internet of Things: Proceedings from SAM’20, ICWN’20, ICOMP’20, and ESCS’20; Springer: Cham, Switzerland, 2021; pp. 129–145.
  68. Ackson, M. The Impact of Cyberattacks and Cyberthreats on Higher Education Institutions. Master’s Thesis, The College of St. Scholastica, Duluth, MN, USA, 2021.
  69. Ghosh, M.M.A.; Atallah, R.R.; Naser, S.S.A. Secure mobile cloud computing for sensitive data: Teacher services for Palestinian higher education institutions. Int. J. Grid Distrib. Comput. 2016, 9, 17–22.
  70. DeWeaver, L.F. Exploring How Universities Can Reduce Successful Cyberattacks by Incorporating Zero Trust. Ph.D. Thesis, Colorado Technical University, Colorado Springs, CO, USA, 2021.
  71. Culnan, M.J.; Carlin, T.J. Online privacy practices in higher education: Making the grade? Commun. ACM 2009, 52, 126–130.
  72. Daraghmi, E.Y.; Daraghmi, Y.A.; Yuan, S.M. UniChain: A design of blockchain-based system for electronic academic records access and permissions management. Appl. Sci. 2019, 9, 4966.
  73. Lund, B.D. Public libraries’ data privacy policies: A content and cluster analysis. Ser. Libr. 2021, 81, 99–107.
  74. Hess, A.N.; LaPorte-Fiori, R.; Engwall, K. Preserving patron privacy in the 21st century academic library. J. Acad. Librariansh. 2015, 41, 105–114.
  75. Amini, M.; Vakilimofrad, H.; Saberi, M.K. Human factors affecting information security in libraries. Bottom Line 2021, 34, 45–67.
  76. Mars, P. ALA Precedent in Defense of Personal Privacy and Privacy Activism of 21st-Century Information Professionals. Ser. Libr. 2017, 73, 54–57.
  77. Dietz, F. Timeout Reached, Session Ends? Ph.D. Thesis, Humboldt Universitaet zu Berlin, Berlin, Germany, 2022.
  78. Mentzer, J.; Witt, W.D.; Keebler, J.; Min, S.; Nix, N.; Smith, D.; Zacharia, Z. Defining supply chain management. J. Bus. Logist. 2001, 22, 1–25.
  79. Council of Supply Chain Management Professionals. Outbound logistics. In CSCMP Supply Chain Management Definitions and Glossary. Available online: https://cscmp.org/CSCMP/Educate/SCM_Definitions_and_Glossary_of_Terms/CSCMP/Educate/SCM_Definitions_and_Glossary_of_Terms.aspx?hkey=60879588-f65f-4ab5-8c4b-6878815ef921 (accessed on 7 July 2024).
  80. Felea, M.; Albăstroiu, I. Defining the concept of supply chain management and its relevance to Romanian academics and practitioners. Amfiteatru Econ. J. 2013, 15, 74–88.
  81. Canadian Centre for Cyber Security. National Cyber Threat Assessment. 2022. Available online: https://www.cyber.gc.ca/sites/default/files/ncta-2023-24-web.pdf (accessed on 7 July 2024).
  82. Gopal, P.R.C.; Rana, N.P.; Krishna, T.V.; Ramkumar, M. Impact of big data analytics on supply chain performance: An analysis of influencing factors. Ann. Oper. Res. 2024, 333, 769–797.
  83. Ogbuke, N.J.; Yusuf, Y.Y.; Dharma, K.; Mercangoz, B.A. Big data supply chain analytics: Ethical, privacy and security challenges posed to business, industries and society. Prod. Plan. Control 2022, 33, 123–137.
  84. Collier, Z.A.; Sarkis, J. The zero trust supply chain: Managing supply chain risk in the absence of trust. Int. J. Prod. Res. 2021, 59, 3430–3445.
  85. National Institute of Standards and Technology. Zero Trust Architecture. 2020. Available online: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf (accessed on 14 July 2024).

Share and Cite

MDPI and ACS Style

Lund, B.D.; Lee, T.-H.; Wang, Z.; Wang, T.; Mannuru, N.R. Zero Trust Cybersecurity: Procedures and Considerations in Context. Encyclopedia 2024, 4, 1520-1533. https://doi.org/10.3390/encyclopedia4040099
