IT Tips for K-12 School Administrators
IT managers, administrators, and helpdesk technicians in the public and private K-12 education market should rethink their backup, retention, disaster recovery, and security plans.
As an IT professional in a K-12 school, you may be wondering, “How secure is our IT infrastructure?”
It’s a good question, often asked during annual assessments along with the following related questions:
- How does our managed services provider measure up?
- Can we affirm with confidence that our backup solution was rigorously tested, installed by professionals, and properly maintained?
- Was multi-layered secure access to files and e-mail inside cloud productivity suites such as Microsoft Office 365 or Google Apps for Education configured properly?
- Are our systems protected against malware, ransomware, and phishing scenarios?
IT administrators in education environments sometimes face a dilemma responding to such imperatives. Their budgets might be limited or frozen for a particular year. Competing priorities have to be examined, and often perceptions play a role. For example, a local school board may have to decide on only one of a few deserving proposals. It’s also true that some education professionals may perceive academic data as less sensitive or not as mission-critical as say, patient healthcare information or financial data. However, this data still deserves protections against viruses, and safeguards put in place to mitigate hacking threats and data breaches.
Often it helps to adopt an enterprise mindset, sharing managed services, pooling resources, and aggregating access controls. As your school transitions to cloud-based SaaS solutions, you need to optimize internet connectivity to provide accelerated access to important applications such as online assessments and learning tools.
IT professionals in schools may not be aware of potential issues that require them to rethink their security, backup plans, and vendors. For example, were you even aware of the next-generation firewalls available with hardware to mitigate against common risks? New technologies from industry leaders Palo Alto Networks and Cisco, with both companies offering their own Adaptive Security Appliance (ASA), are leading the way.
Where Do We Start?
Even though your school is not a major corporation, you are still an active part of the estimated $2 billion spent annually worldwide for IT backup and network security solutions.
Academic and administrative leaders with budget authority typically agree with IT management and helpdesk support technicians on the following shared goals:
- We must secure the network
- We must monitor and control network traffic
- We must optimize bandwidth utilization
When implementing a solution for your school, don’t stop there. Think about the opportunity to stretch your IT dollar. For example, is optimizing internet connectivity with dynamic failover for multiple internet access lines a luxury or necessity?
Can you provide your students and parents with outstanding quality-of-service for high priority applications such as Google Apps for Education? Can you link-balance traffic to ensure public safety or compliance testing data has priority? Does your service provider regularly apply best practices for monitoring and regulating network activity with application-based uplink selection to improve bandwidth and availability? Do your systems support these goals?
For example, you might assume that an incremental backup can take place from 8:00 to 10:00 pm without even considering an actual real-time traffic assessment. However, a very detailed analysis of student activity reveals that most students are actively engaged in their online homework assignments during those hours. Such an analysis would likely shape your traffic and bandwidth availability policies.
You want a provider who can give you control from a powerful user interface. You want to take action when necessary to manage security policies across all your sites, locations, and buildings. You want to control and throttle acceptable traffic. To implement controlled access for students, faculty and staff, your system must create dynamic policies. For example, enable a chat application but block an unwanted file-sharing application.
Implement a Reliable Backup Solution
When your school adds progress reports, incident reports, assessments, and student immunization records to the mix, a reliable backup solution is critical. As Principal Lead for Commercial Managed Services, I often help in client consultations by emphasizing the following points:
- Make sure you address any history of data loss and that your new systems are more robust to protect from data loss.
- Understand the true cost of ownership and operations at the school, multi-location, and regional or district level.
- Are your systems protecting you at the physical, virtual, and cloud levels?
- Go for automated backups that are local and offsite with the capability to perform quick local restorations or invoke disaster recovery mode whenever necessary.
Security and Compliance Requirements
Don’t focus so much on the details surrounding the nightly and weekly backups, that you lose sight of the big picture which also includes data protection and retention policies, archiving, and retrieval.
For example, do you maintain a policy where only the most important e-mail messages are retained? Do you maintain a separate physical volume for the preservation of e-mail, distinct from your production e-mail system? (Score yourself 2 extra points here if you do. Give yourself 5 extra points if you maintain separate hardware on a separate VLAN. And give yourself 10 extra points if your backup is completely offsite with redundant failover.)
Before you celebrate the migration of all your e-mail and documents to the cloud, recognize that your administration might have to take extra steps to satisfy security requirements and compliance audits.
With public safety, cyber-bullying, gun violence, and other criminal activity as risks, you want your school IT systems to comply with search requests, archiving standards, and legal eDiscovery requirements. How easy is it for your team to backup email systems and even recover critical deleted e-mail? Ideally, you want to mitigate risk by automating the backup of e-mail and other files to the cloud and wrap those files with multi-layer, multi-factor security.
Also be sure that your systems are designed to avoid malware downloads by applying typo-squatted link protection. Also known as URL hijacking, typo-squatting preys on the keyboard entry mistakes of blurry-eyed web users when they accidentally type or click a link to another site masquerading as a legitimate site. For example, instead of www.bankA1.com someone might fail to recognize the number 1 has changed to the lowercase L and go to www.bankAl.biz. (Sure, you also noticed the .com changed to .biz this time, but next time, will your typographical error whisk you away to some malicious hacker website?)
I also want to recommend that you include the following goals in your plans:
- Scan for malware with early threat detection software
- Protect sensitive information with encryption and data leak prevention
- Quarantine suspicious email attachments
Industry Trends
You might wonder about the performance and capabilities of tomorrow’s next-generation firewalls. One of the benefits of working with CDI is that we continue to monitor innovations from network security OEM vendors such as Cisco, Palo Alto Networks, Barracuda Networks, Check Point Software, Cyberoam, Dell, Forcepoint, Fortinet, Juniper, Hillstone, Huawei, and WatchGuard. When shopping for your next IT backup and security solution, test results for security, reliability, and performance are important. Look for test results that include exploits, blocking malicious traffic while allowing normal traffic, latency, throughput, and simulations based on actual data center traffic where a mix of protocols often occurs.
Cisco claims to be leading the way with an integrated multi-product platform, intrusion prevention, and advanced malware breach detection. While Cisco still dominates the market, Palo Alto is a rising star. Both offer adaptive security applications that allow or block traffic by a single profile on firewalls that are dynamically able to share protection policies based on your port and IP policy rules, as well as on actual user activity and network applications. For example, if one access point in your network experiences an attack, all other subscriber networks are updated with that profile automatically. For large implementations, standalone firewalls are a common infrastructure design. For smaller sites, it is possible for a firewall to act as a switch and network filter.
Final Word
We can advise you on the latest hardware and industry standards and can help you map out various plans and calculate their total cost of ownership. Read this blog post again from the start and finalize your own needs assessment including backup and security policies. Then, give us a call. We’ll help you sort through the options and deliver the best solution for you.