Securing BYOD for Schools
Many struggles have changed in the last 12 years in private K-12 schools, and yet much has remained the same. BYOD, integration of technology into the classroom, better communications with families and management of network systems remain important priorities. However, the environment has changed a great deal in the last few years. Technology departments no longer need to focus on creating custom systems; the market has matured a great deal and now provides off-the-shelf products that assist with a majority of these needs. Network bandwidth is larger. Onboarding of BYOD devices is now fairly easy. School websites with integrated Learning Management Systems, online report cards and mass mailing capability readily exist.
Today, the diversity of products that come into the school environment creates the largest issues. The consumerization of the hardware industry has small technology departments working with extremely diverse equipment. The web-based offerings for any product, e.g. blogging applications, offer an almost unlimited number of options. More and more software and hardware is being offered as a cloud-based solution. More and more external influences are affecting the decisions of the CIO in ways they can’t begin to control. Today’s school CIO needs to build systems and partner with vendors that are extremely robust.
Schools must adapt their network security plans to accommodate their BYOD environment. We have segmented our wireless network into individual SSIDs to accommodate different equipment and access. Our wireless controller firewalls the wireless side of the network from the wired side. School-owned equipment connects to the entire domain, while faculty and student BYOD devices have limited access to printers and the Internet via the firewall filter. We have also expanded the number of access points in the school to accommodate the eventuality of every student having at least one Internet-connected device.
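The segmentation policy described above can be written down and checked against firewall logs. The following is an added example, not the school's own configuration: the subnets, printer ports and flow records are constructed assumptions, and DHCP and DNS are assumed to be served by the wireless controller itself.

```python
import ipaddress

# Constructed addressing plan (assumption: the article gives no subnets or ports).
SEGMENTS = {
    "school-owned": ipaddress.ip_network("10.10.0.0/16"),
    "faculty-byod": ipaddress.ip_network("10.20.0.0/16"),
    "student-byod": ipaddress.ip_network("10.30.0.0/16"),
}
PRINTERS = ipaddress.ip_network("10.1.50.0/24")
PRINT_PORTS = {631, 9100}  # IPP and raw printing


def segment_of(ip):
    """Return the SSID segment name an address belongs to, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def decide(src, dst, port):
    """Intended policy: school-owned reaches everything; BYOD reaches
    only printers and the Internet; unknown sources are denied."""
    seg = segment_of(src)
    if seg is None:
        return "deny"
    if seg == "school-owned":
        return "allow"
    dst_addr = ipaddress.ip_address(dst)
    if dst_addr in PRINTERS:
        return "allow" if port in PRINT_PORTS else "deny"
    # Any other private destination is the wired side or another client.
    return "deny" if dst_addr.is_private else "allow"


def audit(flows):
    """Return flows the firewall allowed that the policy says to deny."""
    return [f for f in flows
            if f["action"] == "allow" and decide(f["src"], f["dst"], f["port"]) == "deny"]


# Constructed flow records standing in for controller firewall logs.
SAMPLE_FLOWS = [
    {"src": "10.30.4.17", "dst": "93.184.216.34", "port": 443, "action": "allow"},
    {"src": "10.30.4.17", "dst": "10.1.50.12", "port": 9100, "action": "allow"},
    {"src": "10.20.9.3", "dst": "10.1.50.12", "port": 80, "action": "allow"},
    {"src": "10.30.4.17", "dst": "10.1.2.20", "port": 445, "action": "allow"},
    {"src": "10.10.7.8", "dst": "10.1.2.20", "port": 445, "action": "allow"},
]
```

Running audit(SAMPLE_FLOWS) returns the two BYOD flows that reached a printer's web interface and a wired file server, which is the kind of rule drift the segmentation is meant to prevent.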
Most school networks have a limited number of applications and some storage. Implementing the cloud in most cases has been a relatively evolutionary decision. Our migration to Office 365 offered a way to move a great deal of storage and work offsite and provide our customers better access and more storage at no cost. Our website, like that of most small schools, is managed by someone else. As we looked to provide parents more access into the Student Information System (SIS), it made sense to integrate it with the website to unify the information flow. We have moved our nursing module into the cloud and also integrated it with our SIS. It provides parents a better experience and eliminates internal redundancy. Most of our application vendors offer cloud-based products for any future system upgrades. Many of those will also integrate with our SIS. We are positioning ourselves to migrate major applications to the OEM’s cloud service in the future and to take advantage of any cross-platform data integration or single sign-on that is offered.
Network security remains a universal concern. Everyone has the typical software, hardware, and implementation models of security in place. Yet, we continually hear about security lapses and ransomware payments in medium and large businesses. A recent article reported it takes over 200 days to detect a security breach. While user education is important, it is becoming necessary to add endpoint threat analytics that detects and prevents malicious behavior. Something is now necessary to sit behind the typical security systems and independently monitor users’ patterns and actions to prevent anything out of the ordinary.
It is equally important to have a security discussion with cloud vendors. Naturally, the conversation should be a review of their own internal security. Don’t assume a vendor does backups, has filtering software on their routers, or even anti-virus on every computer. Additionally, it is important that the data you give them to house is contractually yours and that you have unfettered access to it. One of the last things you want to deal with, if your cloud vendor goes bankrupt, is the bank holding and trying to sell you your own information. Your cloud vendor, more likely than not, has a backup site outside of the United States. You should not assume all the countries where your data is stored have laws in place to protect the privacy of your data. You should also specify how your data will be returned to you in the event you want to move to a different vendor, or the vendor fails. You should specify a generic content model for the return of your data, e.g. CSV, Excel, or SQL. As an aside, you should also ensure that your contract with any software vendor is set up so that you will not have to switch vendors mid-school year. Something painfully learned.
Today, school CIOs are working to tailor the family experience and provide ubiquitous access to Internet, resources, information, communications and their child’s student records; and to provide faculty, students, and staff with the information, knowledge, resources, access, information systems, and stability necessary for them to perform well. All this is done in a way that complies with the various applicable laws and regulations (e.g. CIPA, COPPA, HIPAA, PCI), provides minimally invasive security at the lowest possible lifecycle cost, and is extremely respectful of everyone’s learning curve. It is a huge task but extremely rewarding and worth doing well.