When Sarasota County Schools started experimenting with a bring-your-own-device program, students, faculty and administrators were able to connect to the district’s guest network. So, problem solved? Not exactly.
“Students and staff aren’t really guests,” says Joe Binswanger, IT director for the Florida school district. “The guest network was just a straight tunnel to the internet. It was very vanilla, very locked down, very filtered.”
The internet connection was useful for some basic tasks, but it didn’t allow for access to student and staff folders, instructional resources and other district resources that require a user to be logged in to the network.
As a result, users weren’t able to unlock the program’s full potential. Only district-issued devices could tap into the district’s learning management system and collaboration tools. Teachers couldn’t use their own devices to distribute quizzes and tests, and students couldn’t use their own devices to take them.
“We wanted staff and students to log in to the network and get the resources they needed, without being seen as just a guest,” Binswanger says. “Before, it was kind of black or white. You either had district-owned devices, or were on the guest network. We needed some gray area.”
The challenge was to find a way to allow student- and staff-owned devices onto the network without compromising security.
Al Nelson, a security solution architect at CDW, says personal devices present a greater security threat than district-owned devices, even when users don’t have malicious intent.
“When you issue something, you have more control over that device,” Nelson says. “You’re maintaining the anti-virus, paying attention to any alerts that come out, addressing them, installing anti-malware. You have a higher level of trust for a device you’re in charge of maintaining, versus something that someone brought from home that may have malware on it.”
Binswanger wanted a solution that would let the district grant access to student- and staff-owned devices, but in a way that gave district staffers the visibility to monitor activity and respond immediately if a problem emerged. He and his staff consulted with CDW, which presented three different options for the district.
Binswanger ultimately opted for the Cisco Identity Services Engine (ISE) security policy management platform, implementing the solution in spring 2014.
“We were already a Cisco shop, so ISE was the obvious solution for us since it integrated with the hardware and other applications we had in place,” Binswanger says. “We prefer to stay with a consistent vendor or application, because it prevents the finger-pointing game when there’s a problem.”
Cisco ISE hasn’t caused any problems, Binswanger says — it’s actually solved them. Nelson says one of the chief draws of Cisco ISE is its simplicity: from quick out-of-the-box setup and self-service device onboarding, to the way it functions as a “single source of truth” for all connected devices.
“You have one central location for all your security policies instead of implementing them on each device,” Nelson says. “In the past, if you wanted that level of security, you would have to manually configure each switch, controller and firewall. As time goes on, people make changes that impact security, and they might not even realize it.”
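As an added illustration of the "gray area" described above (guest internet-only access versus logged-in personal devices versus district-owned devices) and of Nelson's point about one central policy instead of per-device configuration, here is a small policy evaluator written for this article. It is not Cisco ISE code or the district's configuration; the roles, tiers, resource names and the posture check are all assumptions.

```python
"""Hypothetical central access-policy model: one ordered rule set decides what every
connecting device may reach, rather than configuring each switch or controller."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    user_role: str        # "student", "staff" or "guest" (constructed identity attribute)
    district_owned: bool  # True for a district-issued device
    authenticated: bool   # user logged in with district credentials
    compliant: bool       # assumed posture result (e.g. anti-malware present and current)

# Authorization tiers and the resources each one grants (constructed names).
TIERS = {
    "full":       {"internet", "user_folders", "lms", "collaboration", "admin_tools"},
    "byod":       {"internet", "user_folders", "lms", "collaboration"},
    "guest":      {"internet"},
    "quarantine": set(),   # remediation only; no district resources
}

def authorize(ep: Endpoint) -> str:
    """Return the access tier for an endpoint; rules are checked in order, first match wins."""
    if not ep.authenticated or ep.user_role == "guest":
        return "guest"            # the old behaviour: a straight tunnel to the internet
    if not ep.compliant:
        return "quarantine"       # known user, but the device failed posture: fix it first
    if ep.district_owned:
        return "full"             # maintained by the district, highest trust
    return "byod"                 # the gray area: logged-in personal device, no admin tools

def can_access(ep: Endpoint, resource: str) -> bool:
    """True if the tier assigned to this endpoint grants the named resource."""
    return resource in TIERS[authorize(ep)]

def decision_record(ep: Endpoint, resource: str) -> dict:
    """One structured record per decision, so staff can see who got what and why."""
    tier = authorize(ep)
    return {"role": ep.user_role, "owned": ep.district_owned, "tier": tier,
            "resource": resource, "allowed": resource in TIERS[tier]}

if __name__ == "__main__":
    # Constructed sample endpoints covering each tier.
    for ep in (Endpoint("student", False, False, True),   # unauthenticated personal device
               Endpoint("student", False, True, True),    # logged-in personal device
               Endpoint("staff", True, True, True),       # district-issued laptop
               Endpoint("staff", False, True, False)):    # personal device failing posture
        print(decision_record(ep, "lms"))
```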