May 20 2020

CoSN2020: Best Practices for a Secure Work-from-Home Environment

With faculty and staff accessing devices and data outside of school, it’s even more crucial for districts to understand the ins and outs of remote security.

Over the past few months, there’s been a surge in people working from home across all industries — including education. The pandemic led schools to shut their doors and pushed many students, teachers and other school staff online.

While finding the right remote learning tools to continue teaching and learning online was a priority during that shift, there were a lot of other factors — such as security — that became secondary, said Michael Lane, senior field solution architect for CDW•G, during a session at CoSN2020, the Consortium for School Networking’s virtual annual conference.

Lane said that many organizations did not put as much effort as they should have into security before deploying their remote learning solutions. That’s a mistake, especially because school districts have become more vulnerable to cyberthreats with users accessing devices and confidential data outside of school.

With a focus on enabling secure remote access for teachers and faculty, Lane and his colleague Mikela Lea, principal field solution architect for CDW•G, walked attendees through remote access methods and the top six security recommendations school districts should consider.

What Kinds of Remote Access Methods Are Out There?

It’s important for school districts to understand how secure their work-from-home strategies are. Here are the methods Lane covered and key security considerations for each:

  • The traditional VPN: When it comes to extending an on-premises network with a VPN, it’s important to implement firewalls without an “access everything” policy. Lane suggested putting controls on what specific users are allowed to access. He also noted a disadvantage: If users need to access resources on the internet, you’ll either have to let them access it directly from a remote location, which can introduce security risks, or tunnel all their traffic back, which consumes a lot more bandwidth and requires a heavier firewall to handle the encryption
  • Reverse proxy: This method features a device such as a dual-network gateway that provides HTTP and HTTPS applications out of the public internet, Lane said. While you can apply a lot of the same security logic from VPNs — like controlling which resources users can access based on their role — it is more limited because you can only allow access to resources the proxy is able to proxy, which, a lot of the time, is only HTTP and HTTPS applications, he said.
  • Remote virtual desktop infrastructure: VDI solutions such as Citrix or VMware Horizon give users full access to a virtual machine or terminal services session hosted within your network environment. These come with nifty security controls such as preventing users from transferring certain files inside or outside the environment and restricting them from executing programs that only specifically sanctioned applications are allowed to run. However, some administrators don’t implement any of those security features, Lane said. Also, with this solution, there are no controls in place to secure the network access of an individual.
  • Cloud computing: Most people are familiar with cloud applications such as Google’s G Suite for Education and Microsoft 365. “But the problem we have with cloud resources is that we don’t really have anything between us, the user and the cloud to do any deep-level inspection,” Lane said. While those types of applications do offer a certain amount of security, he said that it’s important to have a consistent security policy for all users across all of them.
  • Secure Access Service Edge (SASE): Lane said that many organizations are moving to SASE because it allows them to enforce a consistent security policy and user experience across all internet access applications and devices, whether they are on a Windows, Linux, Mac or Chromebook device. It also allows for connecting remote branches back to the core branch.

MORE ON EDTECH: Learn about the state of ransomware in K–12 education today.

6 Work-from-Home Security Recommendations

Lea spelled out some of the key cybersecurity issues school districts face during remote work.

Having weak passwords and the absence of multifactor authentication are still huge problems, she said. Some school districts don’t have a good patch management program or policy in place or a secure cloud environment. Others are also missing the mark on training and testing their staff to make sure nothing falls through the cracks, she said.

“We have to work extra vigilantly to protect student information because if that gets out there, it often takes years before anyone is even aware of it because nobody’s really watching their credit,” Lea added.

To combat those issues, Lane and Lea shared their top six recommendations for securing a work-from-home environment.

Watch Joe Phillips, director of technology at Kansas City (Mo.) Public Schools, discuss how IT leaders can manage cybersecurity during remote learning.

  1. Implement next-generation endpoint protection. Next-generation endpoint protection goes far beyond what your traditional anti-virus can do, Lane said. “It’s actually going to analyze the behavior of the file and applications on the workstation,” he said. For example, if a file starts trying to modify system files, this solution can notice it and immediately stop it.
  2. Implement multifactor authentication. “With all of this remote use and remote access going on now, multifactor authentication is going to help you if those passwords do become compromised or are easily guessable,” Lane said. That’s crucial, especially because there are now databases of passwords that exist out on the dark web that hackers can use to try accessing school networks, Lea said.
  3. Have a strong patching discipline. A strong patching strategy can help IT teams stop ransomware from spreading into their environment. It’s important to consider that not all patching solutions can patch things that are off your network, however, Lane said. He suggested looking at solutions like Microsoft Intune, which can extend those capabilities so that IT teams can patch remote workstations.
  4. Adopt a DNS filtering solution. A DNS filtering solution will intercept all the DNS requests coming out from your environment, preventing users from accessing websites they shouldn’t have access to. Every time a user attempts to go on a prohibited website, it will tie the DNS name entered back to an IP address, and the DNS filtering solution will intercept that by either redirecting them or blocking them from accessing it, Lane said.
  5. Educate your users. Lane said that 77 percent of threats require user intervention at some point. By providing cybersecurity training on password policies and digital citizenship, IT teams help faculty and staff protect the school environment and their personal information.
  6. Assess your work-from-home strategy. It’s important to have a third party review your work-from-home solutions, Lea said. That includes having a penetration test of the environment to see where the issues are and how to best address them. “Security is like the bear in the woods. You don’t have to be the fastest person, but you need to be faster than the person next to you,” Lea said. She also noted that hackers actually look for the path of least resistance, so the harder your environment is, the more likely it is that an intruder would go look for an easier target.

“If you follow these recommendations, you’ll be well on your way to protecting yourself from any work-from-home attacks and rooting out any problems that may already exist in your environment,” Lane said.

EdTech is covering CoSN2020: A Breakthrough Virtual Experience, so keep this page bookmarked for our ongoing coverage. Follow @EdTech_K12 on Twitter for live updates and join the conversation using #CoSN2020.

ake1150sb/Getty Images