Weaving a Safety Net
Thanks to growing reliance on technology and increasing sophistication on the part of digital miscreants, security issues are uppermost in the minds of many districts. To fend off the worms, viruses and hack attempts that happen every day, many IT managers and superintendents have implemented firewall-based security systems that give them at least some shelter from the storm.
But, as networks become more complex with the addition of wireless and other components like VoIP, firewalls might not be enough. Security experts emphasize that to create a truly effective barrier between bad guys and a district's network, it takes a multi-layered strategy that addresses threats at a number of levels.
For districts that have already sunk tens of thousands of dollars in firewalls and other products, the realization that more is needed may feel disheartening, but it's not the groan-inducer it might seem. Souping up network protection is sometimes just a matter of perspective change, more training or vendor consolidation. Here are some tactics for getting the most out of what you've already got.
Think like a business
When trying to keep up with security issues, it's easy to feel overwhelmed. It seems that the e-wolves are always at the door, huffing and puffing, and that many districts are continually scurrying to put more protections in place. But rather than taking a reactive stance, which calls for addressing threats as they occur, it's often more effective to employ a more proactive strategy, says Keith Krueger, chief executive of the Consortium for School Networking.
"In general, K-12 administrators have sometimes been unclear about what they need to do to address the wide range of cyber security concerns," he notes. "Since 9/11 there's been a heavy focus on vulnerability of networks. But having anxiety and knowing what to do are two different things."
One important step in creating stronger networks is to assess a district's computing environment in the same way that companies look at their architectures. Rather than aim for complete lockdown--and buy more products in the process--many businesses realize that there is no such thing as 100 percent protection, and that it's more important to create a risk management plan than to try and plug every minor network hole.
Taking such a high-level view of what the district is trying to achieve and how it can use existing security controls can lead to creating a plan that includes writing new policies for teachers, staff and students, tweaking technology like firewalls and content filters, and building in more IT time for security efforts. Krueger recommends that superintendents and IT directors meet on a regular basis, and discuss not just spending and nifty new security hardware, but also security management of both resources and personnel.
Discussion topics should include the district's level of risk, realistic assessments of trouble spots, and how users are handling security tasks.
"Security is a leadership issue, but some schools are still seeing it from a purely technological standpoint," says Krueger. "That's very limiting to their long-term power, because it makes the challenge black-and-white. They think the district is either secure or it isn't. But there are different levels of what can be done, and not all of them have a technology component."
Because data protection has become so vital in the business world, increasingly IT departments are meeting with presidents and CEOs to hammer out broader strategies around Internet use, employee training and risk analysis. The same should be done at districts, with administrators, school board members and network support staffers coming together to think more strategically and creatively about security.
"At a school, unlike at most companies, the focus is on learning," notes Krueger. "But the goal is the same for districts as it is in the corporate world: to ensure collaboration without putting information at risk."
Play traffic cop
Although higher-level strategy is crucial for bringing together all of a district's security pieces, it's also useful to tweak everyday tactics as well.
A good place to start is in monitoring the Internet traffic going in and out of the network. Most districts already have this ability in place, either through software that comes with their firewalls or from an Internet service provider, but some might not take the time to actually go through usage logs or look for broadband spikes.
"Many times, there are reporting tools that aren't used as effectively as they could be," notes Scott Cummings, president of Excalibur Technology. "People are just glancing at logs without trying to find trends, or they aren't really paying attention to what's in the spam filter."
Increases in broadband use might indicate the start of a denial-of-service attack, which hackers use to jam a network so it can't send and receive messages properly. They can also be a tip-off that students are trying to download bandwidth-eating files like those containing music or videos.
One advantage to paying more attention to traffic patterns is that internal security risks can be detected with greater speed. If a district's security controls are mainly centered on keeping people outside of the network from getting in, it might be missing a huge security risk, says Jim Hirsch, associate superintendent of the Plano Independent School District in Texas.
"Our greatest security threats are inside our own network," he says. "We found ourselves doing protection in both directions, and it became a bottleneck because of older firewalls and fighting on two fronts."
The district replaced the multiple firewalls with a simplified software and appliance approach that specifically addressed both internal and external security without affecting bandwidth.
In addition to helping the district track traffic, making a change in the technology has also reduced the amount of time that IT staff members have to combat spam. Since large volumes of unsolicited e-mail brings with it nasty critters like worms, viruses and Trojans, putting in better spam-fighting technology has helped Plano to shift IT resources and use them more effectively.
"When looking at security measures, like better spam control, you have to factor in people's time because then you see how much sense it makes financially to put better procedures and products in place," says Hirsch. Before employing stronger anti-spam measures, Plano was spending about $450,000 per year in staff time just to deal with the e-mail, Hirsch estimates. After implementing stronger anti-spam software, Plano will have a return on its investment in months, rather than years, Hirsch says.
Consider tech streamlining
With the array of software and hardware available to filter content, kill spyware, block spam and detect intruders, many districts may find themselves with multiple applications or appliances that might be creating too much complexity in the IT environment. Some may even be discovering redundancies, as a firewall works to block spam, even though spam-stopping software is also in use.
In response to such an embarrassment of technological riches, districts like Plano are deciding that rather than buy more protection, it's better to bolster security by streamlining their environments.
At the Moscow School District in Idaho, there's an effort underway to get rid of several of the district's many security-related devices in favor of an all-in-one approach. Moscow has chosen a device from Lightspeed Systems, which will provide content filtering, spam control and network monitoring in one device.
"We found that when we were running all of our devices together, it took us more time to figure out reporting with each one than it would if we just got one device and depended on that," says Chanc Hiatt, the district's lead network specialist. "It's good bang for the buck for tight budgets."
The district is also in the middle of a major project to centralize administration of the entire network, so that its wireless setup is not building-by-building as it is now. The ability to manage security issues from a central point is compelling, Hiatt notes, because it will further streamline how the network is handled.
"We're proactive in our approach to security, so we keep up with the latest products," he adds. "But we also recognize that the best defense doesn't always include a huge blend of hardware and software. Keeping the technology simple, and managing it from one spot, will allow us to be more efficient with time and resources."
Teach the educators
In addition to getting a handle on what can be improved from a technological standpoint, it's also vital to address the non-technology aspects of security. In other words: it's 10 a.m.: do you know what your users are doing?
Even with monitoring controls in place, users are often the weak link in the security chain. Some might take their school-owned laptops home or on trips and hook into other networks that don't have effective protection established. Others could tinker with security settings to use coffee shop hotspots, and then forget to change the settings back before they log into a district network.
It isn't just educators or students that lean toward such habits, says Cummings. Corporate employees, home users, high-level executives, and even IT staff members have all, at some point, employed unsafe practices when opening e-mail or surfing online.
"People within an organization will be your biggest asset or your biggest liability when it comes to protection, especially from things like spyware," says Cummings. "Once you have a technological border set up, most infections can't come through without some human help."
Perhaps the strongest booster shot for security a district can employ is to do more in-depth training and create awareness programs, and make that education easy to follow and continually refreshed. A bit of lighthearted writing--in the form of tips or short tactics--can also make lessons stick.
At Mankato (Minn.) Area Public Schools, the district has created a set of guidelines for teachers that is a mere two pages long, so they don't feel bogged down by numerous security rules, but are still given the information they need. The district's security policy is 70 pages, but Director of media and technology Doug Johnson knew that giving such a tome to educators would be counterproductive.
"We've taken a gradual approach with our communication efforts," says Johnson. "We have the standard guidelines, and then we also send out tech tips every month that includes some tactics on best practices."
In its short guideline, Mankato stresses main areas for security, including passwords, data backup procedures and privacy controls. The district also reminds teachers to keep physical security in mind, by using cables to lock laptops to desks, and listing computers with a homeowner insurance policy in case it's stolen.
More than just adding an extra layer of security for the district's technology, including the educators in the protection efforts makes them feel more invested in keeping the network safe, Johnson has noticed.
"Every district has to convince users that it's in their best interest to make sure networks are uncompromised," he says. "They're happy to know that they can take a role in creating a reliable, security infrastructure that lets them get their jobs done."
Elizabeth Millard is a freelance writer based in St. Louis Park, Minn.