The Secure UCSB program is an initiative to invest in critical technology updates during the upcoming academic year to protect our community from rapidly evolving cybersecurity threats.
While significant progress has been made in addressing the 2024 UC systemwide cybersecurity mandate, key challenges persist around device and network visibility. To build a digital landscape that is adequately resilient to modern threats, UCSB must continue the build on the foundations established in 2025.
A 'Zero Trust' Cybersecurity Model
Most organizations are moving to a cybersecurity model called Zero Trust. This model eliminates access decisions based on physical or network location. Instead, Zero Trust grants access based on the user's identity and (optionally) the security posture of the user’s device (laptop, desktop, phone, etc.) over encrypted connections. A Zero Trust cybersecurity model is not about distrusting people, it’s about defaulting the trust of systems or devices to zero until their security posture can be confirmed.
Two upcoming efforts address the outstanding parts of the cybersecurity mandate, and create a simpler, unified and more secure way to access UCSB resources:
Implementing Secure Service Access (SSA) to UCSB devices.
SSA is a VPN-like connector that brokers access based on identity and policy, connecting users to a specific resource rather than the entire network.
Microsegmenting the network.
Isolates devices onto individualized networks, preventing the lateral movement of threats and ensuring strict access controls.
Why is this model better?
Establishing this cybersecurity model will allow UCSB to move away from outdated technologies and processes that pose cybersecurity risks. This is a safer and more flexible way to access digital resources, ensuring that each person can access only what they’re authorized to use through secure, private connections. It reduces our attack surface by limiting the exposure of critical applications to the public internet.
SSA improves our security by defaulting our approach from ‘trusting but verify’ to ‘don’t trust and always verify’. It ensures continuous verification of user access rights and performs posture checks on devices, thereby minimizing the likelihood of successful attacks. SSA reduces our attack surface by limiting the number of applications that could be attacked directly from the Internet. Additionally, this approach contains threats, preventing them from crippling the entire organization.
It also makes it easier for members of the University community to work from locations on campus or around the world.
Privacy as a priority
Have questions about the project? Privacy is an important value of the University of California. Cybersecurity tools deployed as part of the initiative are in compliance with the UC Statement of Privacy Values
Read the UC Statement of Privacy Values and Principles
Learn more about privacy considerations for this project
UCOP has published additional clarity on Endpoint Detection and Response (EDR) tools.
Watch a recording of UCOP's Endpoint Detection and Response (EDR) Faculty Panel. Faculty experts from across the UC system, including UCSB's Giovanni Vigna, come together to address EDR implementation concerns (SSO login required).
Between 2020 and 2025, the number of attacks intercepted by UCSB’s campus firewall increased by over 520%.
Deploying a Secure Service Access (SSA) connector
This connector is a remote access tool, similar to VPN. It provides added security capability of connecting users only to the specific resource they are attempting to access, not the entire network. The SSA connector permits access to resources automatically when requested instead of manually logging into a VPN every time access is needed. It also assesses the device’s health (security posture) before initiating the connection. This ensures sensitive data is not exposed to a compromised device.
Initially, ScreenConnect and VPN will be replaced, but in the future, SSA could provide additional capabilities to improve remote access to UCSB resources.
There will be a gradual replacement of some commonly used tools for remote access to UCSB systems or applications (see below).
Access to sensitive applications may be restricted to only specific users/groups, and may be subject to a device security posture check.
Security postures are a real-time check of a device’s security “health.” This information is used to decide whether the device can be trusted to access sensitive resources. For example:
- Is the device running a supported, up-to-date operating system?
- Does the device have an anti-virus solution enabled?
- Is full-disk encryption enabled on the device?
- Is a local firewall enabled on the device?
Private UCSB-hosted applications containing P3 / P4 data will require the user to have a device security posture check before access is granted.
All applications currently requiring VPN will require the SSA connector.
Systems or applications generally accessible by the public, students or parents will not be behind SSA or require a security device posture check.
VPN provides full trust and access to an entire network, while SSA only connects the user to the specific systems or applications that they are authorized to access. This makes SSA a more secure alternative. Instead of manually opening the VPN client and connecting when needed, the ZPA connector used for SSA provides a more seamless user experience. The client runs in the background and will automatically initiate connections when you need access to protected UCSB applications or services. Users will need to re-authenticate every 7 days. It is security that is always on, and only acts if a user needs access to a secure UCSB resource.
In addition to improving our cybersecurity posture, there are other benefits of SSA:
- SSA is similar to a split-tunnel, which only routes traffic for specific applications through the connector, resulting in faster internet speeds, even when the client is running. This makes SSA a more stable access model that will not require frequent interaction or reconnections.
- The connector replaces VPN as the tool that devices must have installed to remotely access certain secure systems. It is lightweight and updates itself automatically. Unlike the current VPN (Ivanti) the connector does not require significant maintenance by users or IT support.
It is licensed to faculty, staff and student employees.
Deprecation will be iterative. ITS VPN profiles will be replaced first, followed by Departmental VPN profiles. We expect to complete the transition before Fall Quarter 2026.
VPN service may still be used in some capacity. More information to come.
- For remote connectivity, admins will use native tools, such as Remote Desktop Protocol (RDP) or Secure Shell (SSH).
- For remote support, we are currently assessing a handful of tools to replace ScreenConnect. More information to come.
Microsegmentation of the network
Isolates network segments, preventing lateral movement of threats and ensuring strict access controls. UCSB can define and enforce granular security policies across the network, significantly reducing the attack surface.
Microsegmentation is an approach to security that puts each device on its own, individual network then applies security controls to that segment based on specific requirements. Traditional networks were built like castles: firewalls at the edges, and everything inside was trusted. Once attackers get inside (via phishing, compromised credentials, or malware), they often move laterally across systems.
When a device connects to a traditional network, it is given an IP address on a subnet (e.g., 192.168.1.10.), and a gateway routes your traffic. Once on the network, devices can scan it, discover IPs, and reach services on other systems via ports. This is a security risk.
Microsegmentation can prevent attackers from moving laterally across our network if they gain access. If a compromised device accesses the network, it is isolated by default, preventing it from gaining access to more systems and data.
By deploying hardware that allows us to physically and/or logically isolate our systems from unsecured networks, such as the public internet or other parts of the network. UCSB-defined policies can permit only necessary traffic between individual network segments and deny all other traffic, resulting in a high level of network security.
Last year, we began standardizing switches across campus, setting the stage for centralizing all networks into a single UCSB network. Network policies will be managed centrally and updated as needed to ensure security across campus. Devices on existing departmental subnets will need to be mapped to move to a new network segment, based on the type/classification of the device. For instance, client computers will move to general-use "client" networks. Separate segments will be created for different classes of devices like servers, printers, OT/IoT devices, etc.
.jpg)
Past Secure UCSB work
Network Upgrades: Our currently decentralized campus network is moving to a unified, centrally-managed network service model. Buildings throughout campus will experience network outages on limited notice.
Device Security: To ensure device security, all UCSB owned devices will deploy an MDM platform. Through this platform, security tools can be installed to ensure the detection of cyber threats, malware, and identifying and fixing vulnerabilities.
Cybersecurity Training: Any UC Santa Barbara employee (those in the UCPath system) who are assigned the training in the UC Learning Center will be required to complete the 35-minute training, or risk losing access to important systems like Canvas, Google Suite and Zoom.
Contact Us
Have questions or concerns about Secure UCSB?
Send us a message at secure-ucsb@it.ucsb.edu