Video:
Tips for securing your education network
Andrew Donaldson, regional manager for Swivel Secure, and Adrian Jones, CEO, discuss how
education facilities use their IT systems and networks. They looked at the common cyber challenges
the industry faces and offer their advice for securing an education network.
Tips for securing your education network
I don’t think there is a typical network in an educational facility. They are so diverse and there are so many different versions of it. It’s been around for a very long time.
They were the first people to build the web and the Internet and they grow in that with all of their systems, whether it be POS or whether it be internal systems, or email.
The Internet itself was based on the education market from the military. That was the first place where it expanded. So they’re so diverse, they’re so complicated and they’re so different.
And it’s the same thing with the user community. They are totally different between facilities. You’ve got faculty staff and then you’ve got students, right the way through to pupils – and they can be children.
So the security that’s required to manage a small school through the county council market is very different from managing a university network. And that’s also different from a global university trying to operate in different markets you see that can operate globally.
And the students can be diverse, from different countries, different cultures, different devices, and different technologies. All have to be coped with and provisioned with different systems.
So you’ve got everything from basic email access, right the way through to database management. But you’ve also got manufacturing systems, you’ve got research systems, you’ve got IP protection, all of which have to be wrapped up in compliance, GDPR in education.
Those networks are public and the facilities are paying for it in most countries now. So it’s an enterprise in its own right, but a lot of them are incredibly complicated beasts and require very specific solutions. The generics work at the top level for the top sort of layer of security is not as simple and as it moves forward, the ‘one-stop-shop’ or ‘one-size-fits-all’ doesn’t really work. They have to build different layers.
It’s got to start with a budget. Budget and planning. How do you get it? What plan do you put in place to get it? How thoroughly do you think that through? Because one size doesn’t fit all.
You’ve got such diverse user communities. In terms of local government, for instance, funding for the county council is for everybody. It has to work for the guy who picks up your rubbish in the bins, a forestry worker, the staff in the county council and also the schools because they can draw those. Whereas a university has a different route to get the money.
Planning is essential. The user community is not a corporation. They are very much individuals and they’re not IT literate at the gate so will not comply with the company rules in the same way council workers would.
Because help desk management doesn’t have the staff and the manpower to deal with after-the-fact issues. So you need a fairly automated autonomous system, but you need to have something which is flexible enough for you to build your solution within the corporate environment.
I would say the fundamental thing though is definitely planning and allocation of money. I think it was JISC that put out a report very recently, a survey they did into funding, saying there was a marginal increase. In other words, the budget’s not going to go up massively despite the funding levels, across from third parties or private funding and the international students.
At the end of the day, it’s a very tight budget system with a very big demand for it and very few people involved. So the more you automate it and the more you plan for that budget, the bigger benefit there’s going to be.
As with any enterprise network security system, you have to make the plan, test the plan, implement it, and then you’ll get the result you wanted. If you rush it through and try to make a quick decision on it without all the facts it can really kill you long-term as the devil is in the detail.
It’s a tough one. In fact, actually, I’d sort of narrow it down again. While IT skills are hard, networking skills are, I think, even harder. Then cyber security skills go beyond both those.
I mean, often in education, there’s no process to keep up with current technologies. The problem is they move so fast. By the time you’re qualified, you’re four years out of date. So, you’ve got to find somebody who’s already in that marketplace moving it forward.
There is a lot of work trying to get people involved, it’s a full-time job to bring people in to do that. But they’re few and far between. And they’re spread very thin.
The best place is to either self-educate, to bring yourself up to speed. To go out and find educational forums online, talk to your peers, talk to your colleagues, and talk to other Universities, or people on the same levels, because, again there are different requirements for different sectors.
The other option is the suppliers if they’re a good supplier. If they want to sell you something, you walk away. If they want to talk to you about it and address the issue you have and skill you up and to help and train you, that’s part of the argument. That’s part of the solution because you will get better knowledge. And then you’ll start asking those questions, well, what about this? How does that work? What issues are going to be addressed by that?
That’s what really needs to happen. I think it’ll catch up with itself. Assuming we can get the budgets involved in education to bring those people forward.
And if you look at universities, there are courses and that way you’re specifically going on the government’s initiative, you know with the Cybersecurity center down at GCHQ and the suppliers themselves, they’re thinking more about how we can protect all aspects of our community and particularly education and children. So, I think further education has got a specific set of needs and schools. It’s different, it’s a harder problem. There is no dedicated IT resource, they have to refer back. But there’s no such thing as self-learning. Be aware of it, that’s probably the key thing but knowledge is power.
Well, it’s not just the device, it’s the user. But let’s take the issue of the devices. Typically, in the old days, there was a mainframe in the university. If you want to get in, you type your username and password and it would let you in, probably a WAN or a local Cray Mainframe. And that was it. That was the system. Now if you look at my daughters, they turn up to university with a laptop, phone, iPad, mobile devices, or tablets. They’ve got multiple devices that they all want to have access to the same thing in theory. But they’re all (as far as an IT security professional is concerned) foreign devices.
The only common denominator is the person. Can I authenticate that you are yourself using that device? Every system they use is different, but all students now would expect to have a level of access to a large range of applications. E-learning is the basis. You have the assessment system, the review system, the coaching, and mentoring system. The exams themselves are virtually all online and the systems that support the student.
Office, Excel, PowerPoint, the basic office suites plus all of the specific applications. If they study Media Statistics, Products, or Design, all those applications are online and available for them to use on their devices in different ways.
Controlling access is the critical one and the only way you can do that is with authentication at some level. And because there’s a broad range of devices and a broad range of applications, you need multifactor authentication. That’s both factorial in the sense of the device control, right time, right place, right IP, right location, but also the person. Using fingerprint recognition or PINs. Not a static PIN and dynamic PIN. A proper 2FA or multifactor authentication.
Those things combined can secure what is now a vast array of applications that are just as different as students. Whether it be a school, a kid who wants to look on her iPad, right the way through to a further education [student] learning online for, you know, an architecture degree. Google is the place you go. You go to the library to use Google. That’s what’s changed.
That’s an even bigger issue. If you know the people that are coming in and the problem is the diversity. Let’s take the university and not talk so much about our schools, but let’s take a bigger education facility. They have such a vast array of application needs and security needs.
You’ve got everything from perimeter security, physical security: doors, buildings, parking, access control systems, right the way through to POS systems, and tills, they take an awful lot of money.
Take student bars – is the video camera system in there providing a feed that’s being matched up with the Epos data that’s then also matching up the person logged in on the till at 2 o’clock this afternoon? And so they’re the ones taking the money right the way through to cyber security resilience on student applications.
Now that also might be a manufacturing system, because they might build satellites and there’s a development engineering team with core IP in there. They might be, an engineering technical university.
There are all sorts of different systems. So I think it’s verging on cruel or unfair to expect an IT department in an education sector to suddenly start becoming experts in all these fields. Even with self-learning and education.
You have to separate the systems. You have to try and get best practices in those systems discreetly and then look for solutions that bring them together in a way that’s controllable. The biggest challenge is, we pull them all together and then they don’t work or they don’t do quite what you think they were going to do and you’re back to the same thing.
Flexibility doesn’t do what it says on the tin. Can I prove that it does what it says on the tin before I buy it? Is it cost-effective? Because there are amazing solutions out there, but they cost so much money. Identity Management, which is IDAS or the cheap version Identity as A Service. Yes, it’s a fantastic thing to have. But you need to have the roadmap and the journey and the process, and the buy-in from everybody to go and implement it. It’s a lot of money. It’s a lot of time and it’s a long process.
What do you do between now and then? I tell you what, when a student turns up at a university with a laptop and says, “I want to connect to get office 365”. You say, no problem at all. Here’s your username and your email address from the uni. There is your password. By the way, you’re going to install this app and that automatically comes in because we do mobile device management, another self-help. And that gives you multifactor authentication. So, every time you log in, it’s a different set of criteria for you to log into the system rather than just the username and password to see you through for 4 years.
That’s not a robust security solution.
So there are some things you can put in place that are relatively low cost, and some things that take a lot more thinking about and a lot more time. You’ve got to have a strategy for all of them and run them and then plan them and put them into place.
I think there’s a balance between control and education. Some policy management has to be enforced. Although it’s very difficult to do when you’ve got a student community and a faculty who bring their own equipment. It’s not yours to control as it is in a corporate environment like we talked about before.
All you can do is mitigate the user errors. To train them on what’s available, what systems will and won’t work for them, and what things they should and shouldn’t do. ‘Don’t click on these links. Don’t do those things. Be aware of social media. Here are some rules’ etc. and then put structures in place, whether that be user behavior tracking, whether that be control of actual physical access to networks or services and sites, web application, firewalling, identity management in terms of the person, and also authentication.
But then beyond that is all the other things that you have access to as a student that you expect to see because you’re so used to having everything open to you on all your devices.
There is no way you can impose a corporate device management policy by saying we’re going to install this, this, and this on your personal phone, without you agreeing to it. So it’s kind of an education process and also an enforcement process.
The problem with both scenarios is they cost money. Both in terms of education, you have to go and produce the information, share it in the right way via the internet or at enrolment and make that a regular part of the syllabus for everybody, including staff.
Or, you go with the enforcement group and set out what users can and can’t do. And you can do that to a certain extent, but if you push too hard, they’ll just ignore it.
That’s just the nature of the people. So you need to have some form of corporate controls or should we say or corporate standards, but you cannot enforce them in the same way. Because it’s not corporate. It’s an education establishment.
It’s all about collaboration. Know what you can do and what you can’t do. Be aware of what’s wrong and what’s right and then you can make an informed decision and if your informed decision is incorrect, make sure that the IT department’s got a way to stop you from doing it at the very extremes if it’s that dangerous in that particular area or a particular site or whatever, or a link.
Invariably it comes down to getting people’s buy-in to do it this way, in the best way. Rather than forcing it on somebody.
I suppose there are two things. One, in general terms, is for security. It’s a huge problem, so you have to break it up into manageable pieces, manageable projects, and you’ve got to budget for them and plan them before you implement them.
In terms of authentication, so our space: do authentication first. There’s a myriad of choices out there, and you can work through which ones are sensible for you. Do your authentication before you go straight into identity management. As soon as you go into identity management there are big budgets, big stakeholders, lots of issues, and lots of rollouts. Long-term stuff. It requires a massive amount of cost, infrastructure, time, and people.
So do the quick wins while you can and secure, and then move on through your planning cycle.