May 18 2012

Districts Large and Small Embrace BYOD

Schools focus on technology and policy measures to address security risks.

For a tiny organization, New Hampshire’s Hooksett School District is making some big changes. Hooksett, which comprises just two elementary schools and one middle school, is engaged in a yearlong pilot project to determine if it should allow its students and teachers to access the district network with their personal electronic devices.

A “bring your own device” (BYOD) program is a popular option for schools. It allows students and teachers to use whatever mobile devices they want in the school environment. At Hooksett, Technology Director Matthew Woodrow says the proposed policy change would put the decision of whether students can bring mobile devices to school in parents’ hands.

Staff members have been invited to participate in the BYOD pilot, as well as students in certain grades. Before starting the pilot, Woodrow conducted extensive research into potential security issues involved in allowing personal devices in the school environment. He also performed a readiness walkthrough to assess what was needed to ensure that the schools were supported by a robust wireless infrastructure and necessary security.

Woodrow ultimately implemented the Ruckus ZoneDirector network management device, a wireless solution that lets the IT department deploy multiple service set identifiers (SSIDs), which manage access to the network.

“Because it allows us to deploy multiple SSIDs, we can separate our business network from our guest network, which the BYOD devices use,” Woodrow explains. 

The district’s BYOD security measures also include a Barracuda Networks web filter, through which all traffic passes. If the program grows to allow devices access to part of the network, Woodrow says he will consider upgrading security even further.

Woodrow says accepting mobile devices on the schools’ network requires IT staff to shore up network security. Without that, the IT department can quickly lose control of who has access to data and applications and whether the devices they are using are fully secure, leaving the organization vulnerable to unauthorized access to sensitive information.

For organizations that let users save or download data to their mobile devices, the first step is to implement some type of mobile device management (MDM) solution. MDM monitors devices that are connected to the network and can remotely lock or wipe these devices.

Even if an organization doesn’t let users download or save data on their personal devices, security is still a priority, says Andrew Braunberg, research director for enterprise networks and security at Current Analysis in Herndon, Va. Many solutions can bolster network security for BYOD. The goal of mobile application management (MAM) products is to make apps more manageable and secure. Some solutions accomplish this with “wrappers” that control the use of the application. Others use containerization, which creates private “sandboxes” for sensitive apps.

Hypervisors, which create virtualized platforms that ride on top of the operating system, and data loss prevention technology also help protect the network against the risks associated with personal devices.

The percentage of organizations that allow users to access network resources via personal devices

SOURCE: SANS Mobility/BYOD Security Survey, March 2012

Fairfax County Public Schools in Virginia is a much larger district than Hooksett, with nearly 200 schools and 180,000 students. Fairfax County has allowed students to bring their own devices — such as smartphones, e-readers and tablets — for several years, but this year the district has actually encouraged them to do so.

“Rather than having them hidden under their desks or in their lockers, why not have them be out in the open so they can be part of the instructional program?” asks CIO Maribeth Luftglass.

Luftglass is aware of the security risks these devices bring, and she has implemented a series of policy and technology steps to address them. Before any device can be used on a school’s network, for example, it must be registered. With this information, the IT department can monitor devices. If, for example, a virus is found, it can easily be traced to the user.

In addition to an MDM system that monitors, tracks and manages the mobile devices, Fairfax County also has segmented its network using Cisco technology. Students log in to the mobile Wi-Fi network; the administrative network that includes personnel data and the grading system is inaccessible to BYOD devices.