Data Security :: Locked Down, Not Out


A swarm of portable technologies is creating security headaches for school districts, as they must wrestle with opposing needs: how to protect the network from unauthorized use while still keeping it accessible to staff and students.

It is an irony lost on few district CIOs and tech directors that new technologies designed to make it easier for students and teachers to access computing resources have made the job of securing those resources a lot harder. There was a time when all the devices that connected to an organization's network were owned and managed by the organization; in fact, they never left the grounds. Nowadays, not only do the so-called endpoints (laptops, PDAs, and mobile phones) have antennas and legs, the network itself is linked to the whole world through the internet.

Although traditional security approaches (firewalls, anti-spyware solutions, virus scanners) are still essential, they are predicated on a model that is fading: networks with boundaries that can be secured, fenced, and protected by a virtual software moat. High-bandwidth links swarming with connected but untethered endpoints have created what amounts to a borderless network. Throw in some tools and applications that emphasize peer-to-peer data sharing and a new generation of thumb-sized, removable storage media, and you have an environment that the conventional solutions alone simply can't protect.

The problem with traditional, perimeter-based security methods is twofold: First, they can stifle the educational mission that district networks were created to encourage. Firewalls can thwart hackers, but they can also prevent staff and students from accessing online tools or information. Desktop lockdown measures can keep virus-laden applications off the network, but they can also keep teachers from trying out new software. And forget the serendipitous "teachable moment," when a teacher might need immediate access to a website, or the ability to load some software or adjust a student's desktop. Furthermore, the siege mentality behind these solutions can lead districts to create what cybersecurity analysts at the Consortium for School Networking call "data tombs" of protected but inaccessible information.

Second, these approaches tend to provide inadequate defenses against modern threats: USB devices and memory sticks, which are potential sources of infection as well as handy, easily concealed storage for data theft; instant messaging, through which a variety of suspect files may be introduced to the network; and peer-to-peer file-sharing programs (Kazaa, Gnutella, BitTorrent), which consume bandwidth and are hard to block at the firewall because they hop between ports and, increasingly, encrypt their traffic.



The convergence of spam and spyware is coming to an inbox near you.

E-mail has become the most widely used method for hacking into corporate networks, stealing identities, crippling IT systems, and committing online crimes, says Mark Sunner, CTO of MessageLabs. Sunner's company scans 170 million corporate e-mails a day, providing it a big-picture view of what Sunner, speaking at last June's Inbox: The E-mail Event conference, warned was a potentially devastating seismic shift about to hit the IT security landscape, generated by the convergence of phishing-type spam e-mails and spyware. This combination, he said, of powerful social-engineering techniques and stealthy information-gathering capabilities will soon take the bad guys to a whole new level.

"I have no doubt that a year or so from now, we'll look back on this time frame as a trigger point when threats started to shift in this direction," Sunner said. "We'll look back on this period in the same way we look back at 2003 as the year botnets went from an embryonic stage to the source of virtually all spam. We'll look back and say that this is when the threats truly became targeted."

Phishing—the e-mail scamming technique designed to acquire sensitive personal information such as passwords and credit card numbers, using messages that seem to be from an official source—has morphed into a more targeted species known as spear phishing, which seeks access to data in a specific organization through phony e-mails that appear to come from within the company. The spam-spyware convergence has the potential to provide enough information for a detailed profile of individual users, enabling fraud that is even more refined. A fraudster could, for example, send an official-looking e-mail to an eBay user who just lost out on a bid, telling him that the winner backed out and that he has now won—and to send in his payment info.
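The sidebar's defining feature of spear phishing is a sender claim that does not match where the message actually came from. The following is an added example written for this page, not MessageLabs code, showing how a mail gateway can triage that claim: a message whose From is in the organization's own domain is trusted only if the organization's own gateway recorded an aligned SPF or DKIM pass, and two cheap heuristics catch look-alike display names and redirected replies. Assumptions: the internal domain is example.org, the gateway writes Authentication-Results headers with the authserv-id mx.example.org, and the three sample messages are constructed. SPF and DKIM results of this kind postdate the 2007 article; the pattern is the same one the sidebar describes.

```python
"""Spear-phishing triage on the sender claim (added example, not MessageLabs code).

A message claiming to come from inside the organization is checked against
what OUR OWN gateway recorded about its origin. Results stamped by any other
authserv-id are ignored, because an outsider can write that header too.
"""
import email
import re
from email.utils import parseaddr

INTERNAL = "example.org"      # assumption: the district's mail domain
GATEWAY = "mx.example.org"    # assumption: authserv-id our own gateway writes

# spf=pass smtp.mailfrom=[local@]domain  |  dkim=pass header.d=domain
_PASS = re.compile(r"(?:spf|dkim)=pass\s+(?:smtp\.mailfrom|header\.d)=(?:[^@\s;]+@)?([\w.-]+)")


def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def origin_authenticated(msg):
    """True only if our gateway recorded an SPF or DKIM pass for OUR domain.
    A pass for some other domain proves nothing about an internal From."""
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, results = hdr.partition(";")
        if authserv.strip().lower() != GATEWAY:
            continue
        for m in _PASS.finditer(results.lower()):
            passed = m.group(1)
            if passed == INTERNAL or passed.endswith("." + INTERNAL):
                return True
    return False


def spear_phish_signals(raw):
    """Return the reasons to distrust the message's sender claim (empty if none)."""
    msg = email.message_from_string(raw)
    signals = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    if from_dom == INTERNAL and not origin_authenticated(msg):
        signals.append("From is internal but origin was not authenticated by our gateway")
    if INTERNAL in name.lower() and from_dom != INTERNAL:
        signals.append("display name impersonates an internal address")
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        signals.append("Reply-To goes to a different domain than From")
    return signals


# Constructed sample messages (no real senders or domains).
LEGIT = """From: Payroll <payroll@example.org>
To: teacher@example.org
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bounce@example.org; dkim=pass header.d=example.org
Subject: W-2 forms available

Your W-2 is now on the staff portal.
"""

SPOOF = """From: Payroll <payroll@example.org>
To: teacher@example.org
Reply-To: payroll-help@example-payroll.net
Authentication-Results: attacker-relay.net; spf=pass smtp.mailfrom=example.org
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.org; dkim=none
Subject: Update your direct deposit

Please confirm your account details here.
"""

LOOKALIKE = """From: "payroll@example.org" <notify@mailer-svc.net>
To: teacher@example.org
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer-svc.net; dkim=pass header.d=mailer-svc.net
Subject: Direct deposit suspended

Log in to restore access.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoof", SPOOF), ("lookalike", LOOKALIKE)):
        print(label, spear_phish_signals(raw))
```

The second sample carries a forged Authentication-Results header with a foreign authserv-id; the check skips it and uses only the line the local gateway wrote, which is why filtering on the authserv-id matters more than the pass/fail token itself.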

With all of these emerging threats, security can no longer be considered a checkbox item—you can't just pick up a copy of Norton AntiVirus at your local Best Buy and mark security off your list. To cope with an increasingly permeable network, districts are turning to strategies and solutions that protect data at its point of use. The ability to enforce a set of policies on the devices that connect with the network, while managing the identities of the users of those devices, is fast becoming a must-have security capability.

Managing the Endpoints

The term endpoint security once referred to the process of safeguarding the end-user devices managed by an IT organization— literally, the points at which the organization's network ended. Nowadays, with so many so-called "foreign" endpoints connecting to the network—devices outside the organization's dominion, such as a BlackBerry or personal laptop—endpoint security strategies focus more on controlling network access.

"Both staff and students expect to be able to come in with their own computers or handhelds and plug in to the network," says Jeremy Hobbs, CIO of Ontario's Upper Canada District School Board. "And they find it difficult to imagine that we'd have any kind of problem with that."

The UCDSB is a rural district composed of 100 elementary and secondary public schools distributed over an area about three times the size of Connecticut. The district recently completed a server consolidation project, which was followed by what Hobbs describes as "a relative explosion of PC use in the field" as a growing number of its approximately 40,000 network users began connecting with laptops and PCs not managed by the IT staff, which posed significant risks to the network. In fact, Hobbs says, UCDSB tracked several cases of debilitating malware infections directly attributable to these unmanaged endpoints. To address the problem, Hobbs and his team decided two years ago to implement an appliance-based data security strategy, and deployed Nevis Networks' LANenforcer system to create what Hobbs calls an identity-driven infrastructure.

Nevis Networks, based in Mountain View, CA, specializes in local area network (LAN) security. Its flagship LANenforcer product line offers an appliance-based security solution. A security appliance is a physical device combined with controlling software that sits inline in the traffic it polices; a LAN appliance such as this one sits between the endpoints and the rest of the network rather than at the internet border. Among other features, LANenforcer can check that an endpoint complies with a network's security posture, which is the sum of the policies put in place by an organization to protect its network. As users log on, the system binds each user ID to the IP or MAC address of the device they logged on from, so that later traffic from that address is attributed to that identity and judged against that identity's policy. The intent is to keep one user from borrowing another's access and to ensure that only authenticated users get onto the network. The limit of the design is worth noting: a MAC or IP address is set by whoever controls the endpoint, so the binding holds only if the appliance is the sole path onto the network and refuses, rather than silently accepts, an address that reappears under a different identity.

"Data security is a special challenge for educators," says Shane Buckley, Nevis' COO. "On the one hand, they need to be open and inclusive and provide wide access to a lot of people; on the other, they need to protect absolutely some highly confidential data. There's no easy way to do that from the point of view of policing access [firewalls, virus scanners]. We believe that the most effective approach is to say, based on who you are, we will determine dynamically what you get to see.

"If you look at most organizations' procedures, they have a system that provides perimeter-level security, and a series of static firewall rules that say ‘Thou shalt' or ‘Thou shalt not,'" Buckley says. "Our solution says: We know that you are this person, and because you're this particular person, there's this whole set of rules for you."
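The model Buckley describes, a decision made from who you are rather than from a static address rule, reduces to two tables: who authenticated from which address, and what each role may reach. The following is an added example written for this page, not Nevis Networks code. It assumes an inline enforcement point that records the (MAC, IP) pair at logon and consults the bound identity on every later request; the role policy, resource names and addresses are constructed. It also shows the caveat from the paragraph above: an address that reappears under a different identity, or an identity that reappears from a different address, is refused and reported rather than silently rebound.

```python
"""Identity-bound LAN access (added example; not Nevis Networks code).

Assumed model: at logon the enforcement point records which user
authenticated from which MAC and IP; every later access decision looks up
the identity behind the source address and applies that identity's role
policy. Conflicting bindings are refused and logged for a human.
"""
from dataclasses import dataclass, field

# Constructed role policy (assumption): resource -> roles allowed to reach it.
POLICY = {
    "library-catalog": {"student", "teacher", "admin"},
    "gradebook":       {"teacher", "admin"},
    "student-records": {"admin"},
}


@dataclass
class Binding:
    user: str
    role: str
    mac: str
    ip: str


@dataclass
class Enforcer:
    by_mac: dict = field(default_factory=dict)    # mac  -> Binding
    by_user: dict = field(default_factory=dict)   # user -> Binding
    alerts: list = field(default_factory=list)

    def logon(self, user, role, mac, ip):
        """Bind user to (mac, ip). Returns False and records an alert when the
        binding would conflict with a live one."""
        mac = mac.lower()
        holder = self.by_mac.get(mac)
        if holder is not None and holder.user != user:
            # Same hardware, different identity while the first session is still
            # live: a shared lab PC nobody logged off, or a spoofed MAC. Either
            # way, do not rebind; hand it to a human.
            self.alerts.append(f"{mac}: bound to {holder.user}, logon attempted as {user}")
            return False
        prior = self.by_user.get(user)
        if prior is not None and prior.mac != mac:
            # Same identity from a second address while the first is still live.
            self.alerts.append(f"{user}: bound to {prior.mac}, logon attempted from {mac}")
            return False
        b = Binding(user, role, mac, ip)
        self.by_mac[mac] = b
        self.by_user[user] = b
        return True

    def logoff(self, user):
        """Release the binding so the next person at that machine can log on."""
        b = self.by_user.pop(user, None)
        if b is not None:
            self.by_mac.pop(b.mac, None)

    def may_access(self, mac, ip, resource):
        """The per-request decision: who is behind this address, and may that
        role reach this resource? No binding, or an IP that no longer matches
        the one recorded at logon, means no access."""
        b = self.by_mac.get(mac.lower())
        if b is None or b.ip != ip:
            return False
        return b.role in POLICY.get(resource, set())


if __name__ == "__main__":
    e = Enforcer()
    e.logon("alice", "teacher", "AA:BB:CC:00:00:01", "10.0.1.5")
    print(e.may_access("aa:bb:cc:00:00:01", "10.0.1.5", "gradebook"))
    print(e.logon("mallory", "student", "AA:BB:CC:00:00:01", "10.0.1.5"), e.alerts)
```

The alert path is the part worth keeping in a real deployment: an enforcement point that quietly rebinds on conflict turns MAC spoofing into a free identity swap, whereas one that refuses and reports turns it into an incident ticket.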

UCDSB's Hobbs says he's mindful of balancing two contradictory needs: security and access. "It's the students or the employees who really ‘own' the infrastructure, not the organization, and they feel that they should be able to do whatever they want with it. And I think that's basically right. Rather than locking people out and saying no to them, my vision is to implement technology that will satisfy my obligation as CIO to secure our critical data resources while saying yes to as many people as possible, as often as possible."

Identity-Driven Infrastructure

Identity management is also a key component of the data security strategy implemented by the North Kansas City Schools. One of the largest districts in Missouri, North KC has approximately 17,500 students and 1,400 staff, and the IT group manages 7,500 PCs across more than 30 locations.

"It's no longer a teacher in a classroom with a chalkboard and some books," says Janet Herdman, North KC's CIO. "Almost every textbook we have comes with electronic resources, if not in an electronic format itself. The proliferation of internet resources that accompany the curriculum is helping to create a dynamic learning environment, but it is also creating some serious security threats."

North KC's solution came in the form of an ID management system originally implemented to simplify administrative tasks—Identity Manager from software maker Novell. "Our students tend to migrate between buildings in our district," Herdman says. "We have 30 sites, so it was a problem keeping up with the transfer files. The ID manager helped us to solve that problem. Now, once you enroll in our school district, you carry your identity with you from the time you are in kindergarten until you graduate, and your files can follow you from building to building." When the district found that the system could also be used to control network access, it quickly became a critical component of its data security strategy. "Of course, we also have the traditional security systems in place," Herdman explains. "You still need the firewalls and the virus scanners. But you don't need to rely on them as much if you are able to restrict access to the data effectively based on identity. What we've implemented here allows us not only to control that access, but also to automate processes so that the system is significantly more efficient."


Novell's Identity Manager is designed to automate the network administrator's job of assigning system resources and access privileges to users, including district employees and students. It also provides password management throughout the so-called user lifecycle—in other words, as long as the student is at the school. The program delivers first-day access to new users, modifying or rescinding access as necessary across all systems, and synchronizing multiple passwords into a single, strong password. The district also uses Novell Storage Manager to give its users individual and group storage on the network, based on their identities. Students can maintain a portfolio of their work throughout their school years, and teachers can create shared directories that give students easy access to class materials.
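The lifecycle described above (first-day access, modification as the student moves, rescission at the end) is a reconciliation between a source of truth, the enrollment roster, and the directory that grants access. The following is an added example written for this page, not Novell Identity Manager code or its API; the roster, directory, site codes, identifiers and group names are constructed. It classifies every record as joiner, mover, leaver or orphan, emits the actions that bring the directory into agreement, and is idempotent: applying its output and running it again yields nothing.

```python
"""Identity-lifecycle reconciliation (added example; not Novell Identity Manager).

The roster is the source of truth. A new enrollee gets an account on day
one; a student who changes buildings keeps the same identity and is
re-homed; a leaver is disabled rather than deleted, so the portfolio stays
with the identity; an account nobody on the roster vouches for is disabled.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Person:
    sid: str      # district-wide identifier, assigned once at enrollment
    site: str     # school code
    role: str     # "student" or "staff"
    active: bool


def groups_for(p):
    """Group membership is a pure function of the record, so a move recomputes
    it instead of patching it by hand (constructed naming scheme)."""
    return {f"site-{p.site}", f"role-{p.role}", f"{p.role}s-{p.site}"}


def reconcile(roster, directory):
    """Return the actions that make `directory` agree with `roster`.
    Both are dicts keyed by sid."""
    actions = []
    for sid, p in roster.items():
        acct = directory.get(sid)
        if acct is None:
            if p.active:                                    # joiner
                actions.append(("create", sid, {"site": p.site, "role": p.role,
                                                "groups": groups_for(p)}))
        elif not p.active and acct.active:                  # leaver
            actions.append(("disable", sid, {}))
        elif p.active and not acct.active:                  # returning
            actions.append(("enable", sid, {"site": p.site, "role": p.role,
                                            "groups": groups_for(p)}))
        elif (p.site, p.role) != (acct.site, acct.role):    # mover
            actions.append(("move", sid, {"from": acct.site, "site": p.site,
                                          "role": p.role, "groups": groups_for(p)}))
    for sid in directory.keys() - roster.keys():
        if directory[sid].active:                           # orphan
            actions.append(("disable", sid, {"reason": "not on roster"}))
    return actions


def apply_actions(directory, actions):
    """Apply actions to an in-memory directory; stands in for the directory
    writes a real connector would perform."""
    d = dict(directory)
    for op, sid, a in actions:
        if op == "create":
            d[sid] = Person(sid, a["site"], a["role"], True)
        elif op == "disable":
            d[sid] = replace(d[sid], active=False)
        elif op in ("enable", "move"):
            d[sid] = replace(d[sid], site=a["site"], role=a["role"], active=True)
    return d


# Constructed sample data (identifiers and site codes are made up).
ROSTER = {
    "S1001": Person("S1001", "ELEM-3", "student", True),    # new enrollee
    "S0842": Person("S0842", "MS-1", "student", True),      # moved up from ELEM-3
    "S0511": Person("S0511", "HS-1", "student", False),     # graduated
    "T0077": Person("T0077", "HS-1", "staff", True),        # unchanged
}
DIRECTORY = {
    "S0842": Person("S0842", "ELEM-3", "student", True),
    "S0511": Person("S0511", "HS-1", "student", True),
    "T0077": Person("T0077", "HS-1", "staff", True),
    "X9999": Person("X9999", "HS-1", "staff", True),        # on no roster
}

if __name__ == "__main__":
    for action in reconcile(ROSTER, DIRECTORY):
        print(action)
```

The orphan rule is the security-relevant one: an account that exists in the directory but has no backing record is exactly the kind of access that lingers after a departure, and driving the directory from the roster removes it on the next run instead of waiting for someone to notice.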

"The product not only gives districts the ability to keep the data with the student from school to school," says Novell's David Brower, manager of the company's North America academic market. "It allows them to do it as a policy-based implementation. When you're talking about data security, Novell is not encrypting the data. It's not really even securing data—it's securing access. And it's controlling that access based on role."

Herdman believes that the challenges school districts face today differ little from those faced by corporations. "Their employees are trying to access their networks with unmanaged devices," she says. "Their network administrators need to manage levels of access, just as we do. As you take on new employees—in our case, it's students—you must manage their identities and provide resources in a timely fashion. Those are very labor-intensive tasks for schools. The solution for us was to provide an electronic presence as soon as they enrolled that would follow them from kindergarten to graduation."

Checking the Whitelist

After it seceded from the Jefferson County School System (AL) last year to form its own K-12 district, Trussville City Schools, made up of five schools with a faculty and staff of 475 serving 4,150 students, had a unique opportunity to set its own ground rules for IT infrastructure. The district recently added 300 laptops to the 50-plus machines already in the hands of teachers, and is pursuing a 1-to-1 initiative. It maintains about 1,500 computers in all.

"At first we locked the machines down through [Microsoft's] Active Directory and Group Policy to keep out unauthorized software—spyware and that kind of thing," says Shawn Nutting, the district's director of technology. "Unfortunately, we kind of locked everybody out of the Windows environment. The teachers couldn't even install their own printers. It was just crazy. It was clear to me that we needed to find a different solution."

Laptops present the greatest security risk to the district's data, Nutting says. "It's hard to spend a lot of time at school tinkering with the desktop machines, trying to exploit the network and loading software you don't have a license for. But the laptops go home all night and all weekend. They go home and become part of the family. Now you have people using them who aren't even part of your network."

To secure these unmanaged endpoints, the district opted for an automated "whitelist" approach, which it implemented via a product called Sanctuary, developed by Luxembourg-based SecureWave. A whitelist enumerates the applications (and, for device control, the removable devices) that are permitted to run or connect; everything else is refused by default. The opposite approach, a blacklist of known-bad programs, is impractical because it can never be complete and lags behind every new release of a file-sharing client or piece of spyware. SecureWave's Sanctuary provides endpoint security through a line of products designed to enforce application and device control policies on the endpoint, as well as to audit application and device use for better endpoint control. "A city school network is a dynamic environment," says SecureWave Senior Vice President Dennis Szerszen. "This isn't a bank or a military installation, where you can guarantee a golden image on each machine. This is the Wild West, where you don't have total reign over the endpoints. What you do have is the opportunity to manage which applications they use."

Trussville knows exactly which applications its students are going to need in order to do their homework and to access the district's Microsoft SharePoint Portal service, Nutting explains. The Sanctuary solution allows the district to identify what's supposed to be there and disregard the rest. "We don't worry about peer-to-peer applications, spyware, or malware," he says. "If it's not part of that whitelist, it doesn't get on the network."
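What makes "identify what's supposed to be there and disregard the rest" hold up on a laptop that goes home every night is that the list is keyed on what the program is, not what it is called. The following is an added example written for this page, not SecureWave Sanctuary code: the allow-list is the set of SHA-256 digests of the approved executables, taken from golden copies, and every execution request is hashed and compared. The stand-in binaries and user name are constructed. The demo runs the three cases a practitioner cares about: an approved program copied elsewhere under another name (allowed), a rogue program given a trusted name (denied), and an approved program with one bit altered (denied).

```python
"""Application allow-listing by content hash (added example; not SecureWave code).

Keying the list on file content rather than file name means a file-sharing
client renamed to look like the portal client is still refused, and an
approved binary that has been tampered with is refused too.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class AppControl:
    def __init__(self, approved_paths):
        # Digests come from the golden copies on the management side, so an
        # endpoint cannot add itself to the list.
        self.allowed = {sha256_of(p): Path(p).name for p in approved_paths}
        self.audit = []            # (user, path, digest prefix, verdict)

    def check(self, path, user):
        """Decide whether `user` may execute the file at `path`; log either way."""
        digest = sha256_of(path)
        verdict = "allow" if digest in self.allowed else "deny"
        self.audit.append((user, str(path), digest[:12], verdict))
        return verdict == "allow"


def demo():
    """Exercise the three cases on constructed stand-in binaries."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        good = d / "portal-client.exe"
        good.write_bytes(b"MZ\x90\x00 approved portal client build 1")     # constructed
        ctl = AppControl([good])

        moved = d / "Downloads" / "renamed.exe"            # same bytes, new name
        moved.parent.mkdir()
        moved.write_bytes(good.read_bytes())

        imposter = d / "home" / "portal-client.exe"         # trusted name, other bytes
        imposter.parent.mkdir()
        imposter.write_bytes(b"MZ\x90\x00 file-sharing client installer")  # constructed

        patched = d / "patched.exe"                         # approved bytes, one bit flipped
        data = bytearray(good.read_bytes())
        data[-1] ^= 0x01
        patched.write_bytes(bytes(data))

        results["moved"] = ctl.check(moved, "student7")
        results["imposter"] = ctl.check(imposter, "student7")
        results["patched"] = ctl.check(patched, "student7")
        results["denied"] = sum(1 for entry in ctl.audit if entry[3] == "deny")
    return results


if __name__ == "__main__":
    print(demo())
```

The audit list is as important as the verdict: the denied attempts are what tell an administrator which unlisted programs students are actually trying to run, and therefore whether the list is missing something legitimate or is doing its job.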

A Process, Not a Product

The typically tight budgets under which most school districts must operate notwithstanding, Nutting's pet peeve is stripped-to-the-bone network management teams. A lack of personnel, he says, can pose as dangerous a risk as the deadliest malware. "In today's world, with the sophistication of modern hackers and virus writers, it's just too much for one network administrator," he says. "There's a ton of software to manage, and many servers, and there's no way one human being can do it all properly and maintain the level of security the schools should require."

North KC's Herdman advises districts to make sure that they establish clear user policies before they begin shopping for security solutions. "Without a user policy in place, there's no point in trying to buy a security solution," she says. "You really need to know how you want your end users to behave—and that they know what their responsibilities are—before you start shopping for software."

And it doesn't hurt to keep in mind exactly what you're protecting, which is three things, says Szerszen: "Confidentiality, integrity of data, and availability. These are the same things you see in a business environment. It's the ‘CIA' of security."

The most important thing to remember about the process of securing your district's data, says UCDSB's Hobbs, is that it is, in fact, a process, and not a product. "Security isn't something that comes out of a box," he says. "And it's not something that's in a box—an appliance— that you might add to secure your network, as we did. Look at how the threats have changed just in the past five years. There's no checkbox solution here—especially for districts that want to stay at the technological bleeding edge."


John K. Waters is a freelance writer based in Palo Alto, CA.

This article originally appeared in the 02/01/2007 issue of THE Journal.