May 17, 2012

Meeting the Security Challenges of Educational Institutions

For security professionals, educational institutions present a number of challenges that are quite different from the corporate world. It’s an environment with distinct user groups – students, faculty and staff – that require both separation from one another and the ability to collaborate. In K-12 schools, there’s a need to police Internet access. In universities, there is the need to monitor and log traffic and usage. And many institutions have to comply with standards such as PCI and HIPAA, if they take credit cards and store student health data.
To get a handle on how schools are dealing with these issues we talked with Thorsten Behrens, lead IT security architect for Carousel Industries.

IT Security in Education:  Separating the Students – Sometimes

Students, faculty and staff can’t be allowed to roam free on the same network because of the sensitive nature of some information, such as student records and financial information.  Keeping them separate requires internal core firewalls to essentially create distinct networks for each group, Behrens says.

At the same time, there are instances when students and faculty have to work together, such as graduate students who take on some teaching duties or if students are working on a project and need to access the same resources as their professor.  “What can help in these instances is identity-based firewalls,” he says. “Based on a group level in a directory, users do or do not get access to certain resources.” With such capabilities, it’s a relatively simple matter to give an entire class access to certain resources, or just individual students.

IT Security in Education:  Policing Internet Access at School – or Not

With respect to Internet access, the challenge in K-12 institutions is to police access, to ensure students don’t view inappropriate material. Those that receive federal funding via the E-rate program must comply with the Children’s Internet Protection Act (CIPA), a federal law that says such schools and libraries must take measures to block access to objectionable material such as pornography.
Students, of course, are constantly trying to get around any protective measures, such as by looking for open proxy servers. “It becomes a game of Whac-a-Mole with classical Web filtering,” Behrens says. The solution lies in next-generation firewalls that can detect such proxy avoidance behavior at the application layer.

At the college and university level, however, the problem is entirely different. “You want very little Web filtering because of academic freedom, but you require a lot of logging,” Behrens says. The logging is intended to help the institution should a recording company, for example, come complaining that a student downloaded unauthorized music. The school is then responsible for identifying the student.

“That can be challenging to do. It takes a lot of time and IT staff to track this down,” he says. It helps to have a good time synchronization solution because if your internal log times are out of sync with one another by even a minute or two, the job becomes much harder. It also helps to have identity awareness in the logs and to store them in a central place where they can be analyzed if need be. While the job is a challenging one, as we’ve covered before, it can be done with the right tools.
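
To make the time-synchronization point concrete, here is an added example (not from Carousel or the original article) that attributes a complaint to a user by joining border NAT logs with authenticated-session logs. The log layouts, addresses, usernames and the `attribute` function are constructed assumptions; `skew_seconds` models how far the log clocks may disagree.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): NAT translations logged by a
# border firewall and authenticated sessions logged by a wireless controller.
NAT_LOG = [  # (start, end, public_ip, public_port, internal_ip)
    ("2012-05-01 14:00:10", "2012-05-01 14:03:40", "198.51.100.7", 40211, "10.20.5.17"),
    ("2012-05-01 14:03:55", "2012-05-01 14:09:00", "198.51.100.7", 40211, "10.20.8.44"),
]
AUTH_LOG = [  # (start, end, internal_ip, username)
    ("2012-05-01 13:30:00", "2012-05-01 14:04:30", "10.20.5.17", "student_a"),
    ("2012-05-01 14:05:10", "2012-05-01 15:00:00", "10.20.5.17", "student_b"),
    ("2012-05-01 13:50:00", "2012-05-01 16:00:00", "10.20.8.44", "student_c"),
]

def ts(text):
    """Parse a log timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def overlaps(start, end, when, skew):
    """True if the event time, widened by +/- skew, intersects [start, end]."""
    return ts(start) <= when + skew and ts(end) >= when - skew

def attribute(public_ip, public_port, when, skew_seconds):
    """Return every username consistent with the complaint under clock uncertainty."""
    when, skew = ts(when), timedelta(seconds=skew_seconds)
    users = set()
    for n_start, n_end, ip, port, internal in NAT_LOG:
        if (ip, port) != (public_ip, public_port):
            continue
        if not overlaps(n_start, n_end, when, skew):
            continue
        # The internal address may have changed hands, so every session on it
        # that was active inside the widened window remains a candidate.
        for a_start, a_end, a_ip, user in AUTH_LOG:
            if a_ip == internal and overlaps(a_start, a_end, when, skew):
                users.add(user)
    return sorted(users)

if __name__ == "__main__":
    complaint = ("198.51.100.7", 40211, "2012-05-01 14:03:30")
    print("clocks within 5 s:  ", attribute(*complaint, skew_seconds=5))
    print("clocks within 120 s:", attribute(*complaint, skew_seconds=120))
```

With tightly synchronized clocks the complaint resolves to one account; with two minutes of uncertainty the same evidence fits three, which is the extra investigative work the paragraph describes.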

IT Security in Education:  Regulatory Compliance – a Tough Nut

Meeting the challenge of regulatory compliance is another tough issue for schools, Behrens says. If schools accept credit cards, which pretty much all colleges and universities do, they are on the hook for PCI compliance. (Since schools are typically heavy users of wireless LANs, the problem is only compounded, as we’ve covered previously.) If they keep health data on site, they need to worry about HIPAA. (To learn more about wireless PCI requirements, check out the white paper “Security Is In The Air: Complying With The PCI DSS v1.2 Standard,” by Carousel’s partner Aruba Networks.)

“Because it’s an academic environment, it’s very hard for the security team to push through any kind of concerted policy across campus,” he says. Heads of different departments often bristle at any outside interference, leaving the security team to use a gentler approach to achieve compliance.

If your school, school district or university needs help achieving compliance or addressing security concerns, contact Carousel – we bring a wealth of experience and expertise helping educational institutions address these challenges and more.

