How Districts Ensure Mobile Security and Network Access

When Forest Park (Ill.) School District 91 issued tablets to administrators and principals last fall, Network Coordinator Zack Frangidakis was suddenly confronted with new security challenges.

"Mobile devices can be a security nightmare," he explains. "I'm struggling with how to secure the devices, and at the same time, make sure they're useful to people. It's hard. IT people naturally tend to be control freaks because with more control, you can manage devices much easier. But what good is giving people mobile devices if they're locked down?"

Mobile security has become a front-of-mind concern for school IT departments across the country as they equip faculty and staff with mobile devices and implement bring-your-own-device and one-to-one computing programs. Controlling who and what are connecting to the network without inhibiting administrative needs and the teaching and learning process is imperative.

To ensure security, districts not only need to manage the devices, they also must manage applications and data — and that requires multiple technologies, says Chris Silva, a mobility analyst for the Altimeter Group.

"Software tools let you lock or wipe the device if it gets lost, but just relying on the control of the device doesn't always get you the level of protection you need," Silva explains. "You need visibility into what the device is accessing, how much data lives there, and how data is stored and shared. It's an endpoint and data security issue."

As a result, network administrators are turning to new and existing technologies and tactics to ensure that school, student and staff data and devices are protected. Their efforts range from deploying mobile device ­management (MDM) software to using virtual local area networks (VLANs) to segregate and secure Wi-Fi traffic.

Boosting Mobile Security

District 91's transition to mobile computing has been gradual. During the past two summers, IT staff upgraded some network switches and installed an 802.11n Cisco Systems–based wireless network in all five schools, enabling wireless Internet access for the first time in the K­–8 district's history.

The majority of the district's computers are desktops. But 50 notebooks are available for student use via mobile computing carts, and 50 notebooks have been provided to administrators, faculty and staff. With wireless now in place, District 91 leaders aim to expand mobile adoption even further in the years ahead — with more notebook computer labs for students, more notebooks for teachers and then possibly a one-to-one mobile device initiative for sixth- through eighth-grade students.

In the meantime, the IT department is testing tablets. In November, the IT staff equipped the district's five principals and three other administrators with tablets to use for teacher evaluations, e-mail and other tasks. If the pilot proves successful, district leaders will consider purchasing tablets for teachers to use in their classrooms.

As the district moves forward with its mobile strategy, Frangidakis has focused on security and network access issues every step of the way. Specifically, the IT department has segmented its wireless network into two separate VLANs. The first — for faculty, staff and students — ­provides secure, encrypted access to district applications and data. The second, a guest network for consultants and guest speakers, provides access only to the Internet.

Frangidakis installed Symantec Endpoint Protection software, which provides antivirus, intrusion detection and prevention, and personal firewall protection, on each desktop and notebook computer. Symantec Mail Security for Microsoft Exchange shields e-mail from viruses, malware and spam, while Websense Web Filter software filters Internet access.

To secure the tablets, Frangidakis has subscribed to AirWatch's cloud-based MDM software, which allows him to centrally configure and monitor the mobile devices. Through a web-based console, he syncs the tablets with Exchange so that administrators can access work e-mail.

Frangidakis also configures the devices to connect to the district's secure Wi-Fi network and requires users to password-protect the devices. If users turn password protection off, AirWatch alerts the IT team. If devices are lost or stolen, the IT staff can erase them remotely.

Frangidakis says he wrestled with which restrictions to place on the tablets. Although he disabled video ­conferencing to conserve bandwidth and is preventing users from downloading and listening to music, he has given users the freedom to access their personal e-mail and download any app as long as it's for work.

"We've given the tablets to them fairly unlocked," he says. "They're all adults. But I've let them know that we're keeping an eye on their usage through AirWatch."

Defending the Network

District 91 is just getting started with mobile devices, but Wisconsin's Chequamegon School District has already fully embraced them.

Since becoming the full-time technology director two years ago, Mike Garvin has furnished teachers and students at the district's three schools in Park Falls and Glidden, Wis., with a variety of mobile devices to enhance the educational process. Every teacher, for example, has his or her own notebook computer.

Students, meanwhile, have gained access to computing devices in phases. During the 2011–2012 school year, Garvin purchased 150 tablets for the district's elementary and middle school students. He also equipped several computer labs with notebooks — and launched a BYOD program — for the middle and high school students. At the beginning of the current school year, he purchased 600 Samsung Series 5 Chromebooks for every student in grades four through 12.

Garvin takes a multilayered approach to both BYOD and one-to-one security. For the notebooks, he relies on Faronics Deep Freeze software, which prevents operating system changes. If a computer is infected with a virus or malware, rebooting the computer will revert the system to its original state and wipe out the infection.

Garvin also uses VLANs to segregate a private Wi-Fi network from the public one. A multifunction network security appliance provides firewall, antivirus and ­malware protection, intrusion detection and prevention, and web content filtering for both district- and personally owned devices. The web content filter also blocks access to banned applications and gives bandwidth priority to important educational applications.

A Google web-based management console allows Garvin to create specific user settings for different grade levels on the Chromebooks. To protect data, the district trains students on security awareness, creating good pass­words and other best practices, including how to avoid phishing attacks and disclosing private information.

Evolution in Action

Thomas Burgess, network engineer for Lexington County School District One in Lexington, S.C., also relies on multiple technologies to manage and secure mobile devices used by the district's 28 schools and one alternative program.

During the past year, the district launched Personal Mobile Computing, its one-to-one initiative, by ­purchasing 16,500 tablets. Today, every administrator, teacher, and middle and high school student has a tablet. In the elementary schools, the ratio is one tablet for every eight students. Burgess uses the tablet ­manufacturer's configuration tool and MobileIron's MDM software to monitor and secure the devices.

Security is a constant work in progress, Burgess says. He fine-tunes mobile security and network access as technology improves and new issues arise. For example, recently added enterprise management features in the tablet's operating system and configuration tool make it harder
for students to circumvent the district's web ­content filter. Before, the tablet ­manufacturer didn't offer global proxy support, forcing Burgess to install a ­virtual private network (VPN) on each device to direct web traffic to a web ­content filter. It was a custom solution that students could easily disable, he explains.

But now that there's global proxy support, Burgess can simply use the manufacturer's configuration tool to make sure all web browser requests are routed through the web content filter. The new technology makes it harder for students to bypass the filter, he says.

Burgess also uses MobileIron's MDM software to push out user settings and security policies. Instead of students having to type in their user names and passwords to authenticate to the Wi-Fi network, the settings and credentials are automatically pushed to the devices.

Once users are logged in securely, they can access files in Lexington One's data center through Web Distributed Authoring and Versioning on a Microsoft Internet Information Services web server. It allows ­educators and students to access and store their ­documents securely over the web.

MobileIron can't prevent students from downloading applications that the district doesn't allow, but it does allow Burgess to restrict apps based on ratings. He has set up an alert that warns the IT team if students download and use inappropriate apps. "We can then retroactively get the device, remove the app and refer students to administrators for discipline, if needed," he says.

Collectively, all of these tools provide the district with the mobile security it needs. "With security, it's never going to be a one-stop shop for everything," Burgess says. "You aren't just dealing with device security; you're also dealing with network security. So you need a mix of technologies. It will always be some kind of multifaceted approach."