Expert Viewpoint

Is SASE a Good Solution for Securing K-12 Education This School Year?

We’re still in the first quarter of the 2022–2023 school year, and districts are facing more cybersecurity risks than ever before. The recent FortiGuard Labs global threat report for the first half of 2022 brings many of the current K–12 cybersecurity challenges into sharp focus. Top threats from that report involve zero-day exploits, ransomware, data wipers and Operational Technology vulnerabilities.

The K12 Security Information Exchange found in its annual State of K–12 Cybersecurity report that there were 166 publicly disclosed cyber incidents affecting schools in 162 districts across 38 states in 2021. Given that many cyberattack incidents at public schools aren’t disclosed, the real number is likely higher.

State and local governments are working with K–12 district IT leaders to search for answers to address many of the cybersecurity issues, and they’re pushing for increased funding and adding more knowledgeable cybersecurity staff.

Amy McLaughlin, the Cybersecurity Program Director for the Consortium for School Networking, is one person leading the charge of helping government leaders understand the issues at hand. In a hearing this summer before the U.S. Senate Committee on Health, Education, Labor and Pensions, she offered insights from the CoSN 2022 Ed Tech Trends report, which identified cybersecurity as the top unmet technology need for K–12.

“Even before the pandemic required schools to move more services online, cybersecurity has been a top concern for districts,” she said. “In a situation where even well‐funded corporations in the private sector struggle to address cybersecurity issues, poorly funded districts are at a disadvantage. One respondent called the need for more cybersecurity funding ‘desperate’.”

Ongoing Remote Learning and Security Risks

There is no quick fix, as the K–12 security issues are happening while many school districts are continuing transformation from on-premises data centers to cloud-based teaching and learning tools. As long as the increased federal funding streams continue, the movement from data centers to Software-as-a-Service will continue, too, for many situations.

The use of education-specific SaaS grew significantly during the pandemic, with the current motivation shifting to initiatives that spread the costs over several years and enable IT leaders to scale services as student populations fluctuate. Along the way, a mix of hybrid IT and cloud-based services tend to provide better support for schools with 1:1 devices while providing flexibility for teachers, students, and parents.

Even with most schools and students returning to the classroom, periodic public health scares and other issues that interrupt the flow in the classroom mean that access to secure remote learning is still needed.

In several states, the pandemic created more opportunities for students to switch to learning situations that were fully focused on remote learning. In one report, Oregon state officials noted that the number of students enrolled in fully virtual schools nearly doubled from 2.7% to 4.8% in the 2020-2021 school year with only a slight decline to 4.5% for 2021-2022. And in southeast Virginia, a consortium of public school districts convened their “Virtual Academy” this year for students with short- or long-term attendance challenges, with an estimated enrollment of 180 elementary students, almost 200 middle school students, and nearly 650 high school students.

Because online activity in schools doesn’t typically occur within a defined perimeter that has complementary physical and cybersecurity controls in place, the continuation of online learning is a serious cybersecurity concern. Students, teachers, and administrators are spending significantly more time working online using cloud services and architectures, expanding districts’ attack surfaces.

Cybersecurity and Homeschooling

A final perspective comes from the not-so-insignificant homeschool population. While many of those students live in a SaaS world for portions of their learning, the quality of security rests with their provider unless the parents have awareness of security challenges. Providers must be in sync with tools and tactics to ensure data privacy give safe and effective learning experiences.

One perspective comes from a mother of four I spoke with who, along with her husband, schools the family using a hybrid mixture of courses provided by public sources, paid services, and homeschool groups in their neighborhood. She’s been teaching their “class” since the beginning of the COVID-19 pandemic, and aside from user interface guidance on creating strong passwords, she’s found the information provided on internet safety and security to be scarce.

This homeschool mother said any formal guidance or instructions on network and information security was “barely noticeable.” Also absent were any easily found instructions for teaching those students of hers about cyber hygiene. The “schoolhouse rules” are based in limited internet “freedom” with shared credentials as a path to monitor online activity.

Flexible Security for K–12

Is there a strong, yet affordable, technology-based solution to protect K–12 education leaders and learners? SaaS and its sibling, Infrastructure as a Service, are bringing much-needed flexibility to K–12 without the need for continual updates to data centers. Again, according to McLaughlin, this supports “more robust technology services and lower cost overall.”

Moving to cloud-based and so-called “converged” capabilities creates an opportunity for security where it is needed. This means policy- and technology-based secure access at the service edge, a.k.a. SASE. Perhaps it’s time for K–12 IT leaders to explore better and more cost-effective methods, like SASE, which moves the security tools from the data center to where they are needed – that device in the teachers’ and students’ hands.

Before that bus leaves the schoolhouse, K–12 educators need to understand the gaps between security in the on-premises data center and cloud services before they explore SASE. Then they should evaluate their readiness and migration plans.

That’s the homework for the fall term.

About the Author

Bob Turner has years of experience as a higher education executive, board member, and thought leader with a focus on cybersecurity strategy and leadership, information assurance and business continuity planning, and information technology management. At Fortinet, he is the Chief Information Security Officer for K–12 and higher education customers, acting as a senior level strategic business and technical advisor for the cybersecurity community and business executives. Previously, Turner served as a cybersecurity executive and Director of the Office of Cybersecurity at the University of Wisconsin at Madison.