By Paul Ducklin
Getting computer security right in a school is much trickier than doing so in a business setting. How much money can you spend? How much time can you devote to the problem? Should you have an environment in which you enforce or merely guide? How do you win the co-operation of parents, staff and students?
No matter whether the school provides the technology, or embraces the new Bring Your Own Device (BYOD) trend that has taken the business world by storm, there are a number of key network and security issues to consider.
Simply put, how do you keep the good stuff in and the bad stuff out when you are being stretched to offer more flexibility, for less money, in a shorter time?
Covered In Clouds
One popular approach is to embrace so-called ‘cloud computing’, where you not only entrust running your network to other people, but also let them own and operate all the hardware, typically far away from your school in a data centre somewhere. Cloud email, for example, relies on the idea that you outsource both the ownership and operation of your school’s email to a third party – to Microsoft, perhaps, or to your ISP, or to Google. This third party takes care of sending, receiving and filtering all your email, so that you do not need to run your own email infrastructure at all. Similar arrangements can be made for access to the web, for calendaring applications, for discussion forums, for school administration software, and more.
Cloud computing can simplify your IT operations, because external companies – who typically enjoy great economies of scale by sharing their service infrastructure across tens, thousands or even millions of customers – take care of the day-to-day running of various parts of your network. But there are risks too, since you must trust your cloud computing companies absolutely, especially from a security and availability perspective.
Outages in service are no longer within your own ability to fix. Data leakages are no longer within your remit to control. Security policies are no longer necessarily yours to decide and to enforce. You may even lose legal jurisdiction over your students’ data if you partner with companies which operate outside your country – companies which may, paradoxically, seem more attractive by virtue of their increased operational redundancy.
And, of course, recent revelations about the pervasive surveillance of online data by intelligence services around the world have cast something of a cloud over the cloud – excuse the pun. So, deciding whether to do IT security yourself or to entrust it entirely to others is a tricky decision, and needs careful consideration.
One thing, however, is clear: you cannot ‘cloudify’ all aspects of computer security.
The main reason why you cannot offload all the responsibility for your computer security, especially in an environment dedicated to learning, has to do with the learning itself.
Modern internet usage is heavily oriented towards online social activities, in which friendships (and, increasingly frequently, relationships and businesses) are forged and built online. Social networking sites make it easy for internet users to share information about themselves – not just with friends in their own school, suburb or town, but almost anywhere in the world. The problem, of course, is how much to share, and with whom, since today’s schoolchildren are the first to live in an era in which even the most inconsequential things they say and do online may end up indexed and archived forever. This is causing many schools to rethink their attitude to online security.
Prevention and enforcement are still important. For example, there are many well-known websites which are unarguably inappropriate for children to access whilst at school. If the school can unambiguously block access to such sites, it should do so.
But most schools now recognise that prevention alone is not a solution, since children need to be kept safe not only from explicitly malicious, illegal or dangerous sites online, but also from apparently innocent behaviour on legitimate sites – especially social networking sites – which puts them at risk from predators, bullies and cybercriminals.
Schools can no longer be expected to create closed networks in which everything not blocked for students is assumed safe. Instead, school IT staff should be permitted – by principals, parents and administrators – to adopt security practices which encourage an open network in which limits are defined by policy. Safe online behaviour should be taught, and learned, as an integral part of modern education.
What Is The Right Choice For My School?
Whatever your attitude to BYOD, both staff and students are likely to bring their own phones and tablets anyway, and to use them in parallel with their officially-supplied devices. Even if they do not plug them into your network, they will nevertheless be using them while they are on school property – so you will still want to get them to take security seriously. While you are about it, you will want them to take those attitudes home, too, and to stay secure outside the educational environment.
That sounds like a lot of work, and for most schools having a dedicated IT team at all is often a bit of a pipe dream, let alone a sub-team just to take on security challenges.
So, one approach to the network security side is to simplify your operation – not by throwing out individual aspects of security so you no longer spend any time on them, but by consolidating your solution with what is known as UTM, or Unified Threat Management.
At the bottom of the market, UTM devices are often deliberately built down to a price. They may offer only very basic features, cobbled together from a range of different sources, in what is essentially a commodity product, not an ongoing service. Updates, whether to software functionality or to threat detection capability, may be non-existent.
But UTMs that combine best-of-breed security solutions from a single vendor can be a great way to do more with less, so that a single appliance (or virtual machine), with a single management console, will let you take care of email security, web filtering, your wireless access, and more.
Another term you will hear a lot about is MDM, short for Mobile Device Management. MDM capability is built into most modern mobile device operating systems, such as Apple’s iOS and Google’s Android, allowing an organisation to take on some degree of central control over the devices, wherever they may roam.
But the central part of MDM – the console that actually does the device management part – needs to offer you a suitable mix of flexibility and control. That ensures you can move safely from 1990s-era IT, with its motto of “thou shalt not pass”, into a more accommodating era of “let’s meet each other half way”.
Good MDM products will help you to manage all aspects of mobile device security, whether the school or the individual owns the device, and whether the device is connected directly to your network, or accessible only over-the-air via the mobile phone network. This means the MDM can cover all aspects of device usage, from the initial setup and enrolment, through its ongoing configuration and control, to what happens when the device is decommissioned – including what to do if it is lost or stolen.
More With Less
In short, a combination of UTM and MDM is a great way to simplify and consolidate your school’s computer security, helping you to do more with less.
Securing devices and networks is not a set-and-forget task but, with the right choices, even your non-technical staff can be part of the effort, not just to make students safe online, but also to teach them how to stay safe even when school is over.
Paul Ducklin is a passionate security educator and proselytiser (that’s like an evangelist, but more so!). He is one of the world’s leading security experts and loves to share his knowledge. Paul won the inaugural AusCERT Director’s Award for Individual Excellence in Computer Security in 2009. You can follow him on Twitter at @duckblog.