The Wolf Creek School Board District needed a security solution when it decided to let students bring their own devices. But it also decided not to rush implementation
The bring-your-own-mobile device movement doesn’t only exist in enterprises or government departments. Public school boards are increasingly adopting the policy as well.
Those holding back have one key worry: Security.
That was the problem facing Alberta’s Wolf Creek Public School District, a 5,994 sq. km. region between Calgary and Edmonton with about with 8,000 staff and students in 28 schools.
The board solved the security question by going to network access control (NAC), but the way it’s being implemented may be instructive: In short, the board is taking its time, giving principals the discretion on when to allow students to bring their own laptops to school.
The NAC project started in 2009 with a pilot project and two years later 17 of the 28 schools adopted BYOD.
Which is fine for Mark McWhinnie, the board’s director of IT integration and Gary Spence, its assistant superintendent.
“We recognize that the change the learning environment to include anytime [Internet] access with technology tools requires some careful planning on the part of the school and the classroom teacher. So we want them to be very methodical with their approach, covering off logistical (and) behavioural challenges.”
The story starts about seven years ago when the district was mulling over its strategy for computers in the classroom. Ideally, McWhinnie says, it was hoped there’d be one for every student. And in two schools that what they had under a special funding program from the province. But the district realized that it couldn’t count on the province to fund laptops for all the students.
When that project ended four years ago, the district had to think about the future. Fortunately, McWhinnie said, the price of laptops had begun to fall, so a bring your own device policy was becoming and affordable for students from Grade 2 to 12.
Connectivity wasn’t a problem. All of the district’s schools are on the Alberta SuperNet broadband network that connects public institutions, which delivers a 20 megabit per second duplex connection to each (plus a separate 6 Mbps reserved for video conferencing and voice-over-IP phones).
Wolf Creek has been an Alcatel-Lucent shop for years. Within each school there’s an A-L 6800 series Gigabit router and 6200 series workgroup switches. Each school has a wired and wireless network, the latter using a total of 450 Alcatel-Lucent access points in the schools.
Once the decision had been made to allow students to bring their own mobile devices, a way had to be found to ensure the network would remain secure. The search for NAC solution started early in 2009 and came down to solutions from Enterasys Networks, Bradford Networks and Alcatel-Lucent. Officials from each company did a demo for the district, but it was A-L’s solution, an appliance called CyberGatekeeper from Mountain View, Calif.’s InfoExpress Inc.(which A-L resells), that caught their eye.
CyberGatekeeper provides guest access control to Windows, MacOS and Linux servers by ensuring that endpoints meet set requirements before authorizing network access.
What was appealing, said Gary Spence, was that the appliance could be installed at the district’s network closet rather than having to be placed in every school. That kept the priced down. The ease of integration with an A-L infrastructure was also a factor.
Tied into the district’s Microsoft Active Directory – and used on both the wired and wireless network, a requirement in the search for a solution — the appliance’s policy server verifies each user’s credentials and what they are allowed to access.
Working closely with the district’s technical staff, teachers and A-L support staff, the board set up what it calls the Student-Staff Device Zone (SSD2), a two-level network access hierarchy. Most students have stage one access, which gives them access to the Internet and email. Staff and trusted students get stage two access, which includes the ability to link to printers, to a file share and to network-based resources.
CyberGatekeeper also does a host integrity check for stage two access for Windows PCs to ensure each device has the latest anti-virus signatures and operating system service packs installed, scans for malware and keeps an eye out for the launching of forbidden applications. (Mobile devices that use Apple Inc.’s iOS operating system can’t have stage two authorization because they can’t link – yet – to a Windows server.)
The district was extremely patient in its plans. The pilot project involved one laptop in one classroom in the 2009-2010 school year. In the middle of 2010 that was extended to students in an entire class, then to the entire school.
A 14-step list had to be created for students to prepare their laptops, including instructions to verify WPA2 wireless security and encryption is enabled and a secure password is set.
“We were very planned in our approach to make sure we identified any challenges,” says Spence.
The biggest was speeding up the host integrity check. Initially it took five minutes. Today, it’s down to less than one minute.
Technical staff also had to deal with the appliance’s ability to hand the shift in Windows operating systems from XP to Vista and 7 over the last two years.
Last year project leaders met with teachers in every school to discuss its readiness to join the program. The pace of adoption is up to the school administrators, Spence says, who have to consider factors such as student behaviour, “digital citizenship” and even whether teachers are ready to leverage the advantages of having every student with a PC.
It’s not a one-way street, Spence added – students can have their school access revoked for inappropriate behaviour.
The schools aren’t on their own. Seven have been designated as “21st Century learning schools” because their students are making advanced uses of computers and social networking, and are available to other schools as a resource.
Network access control solutions aren’t new, but according to James Quin, a lead analyst at Info-Tech Research of London Ont., who leads the company’s risk management practice, enterprises have been slower to adopt them than the education sector.
“A lot of organizations have found it difficult to implement,” he said in an interview, “but I think that’s going to change because with BYOD policies NAC makes a lot more sense.”
There are three kinds of NAC solutions, he said: Network-based, offered by companies like Cisco Systems Inc. and Juniper Networks Inc.; endpoint-based, offered by companies such as Symantec, McAfee and Sophos; and appliance-based, offered by companies like Bradford, Enterasys and InfoExpress.
School boards are being forced to turn to NAC, Quin said, because they have two groups of users: Trustworthy staff, and youngsters who need to be looked at as large group of hackers. Organziations like school boards that can’t control the end-user devices may prefer an appliance solution, Quin said.
As for Wolf Creek, it sees NAC as helping its vision of ensuring its students are fully prepared to learn in a digital world.
Computers “are increasingly becoming part of the digital landscape,” said McWhinnie. “They’re becoming digital literacy tools for our students. So the next step is ensuring that we’re using these resources in powerful ways to build a successful learning environment for all of our students that focuses on 21st century skills like problem-solving, critical thinking and collaboration.”Related Download
Cisco Secure Mobility Knowledge Hub
This Knowledge Hub provides an end-to-end look at what it takes to discover, plan, and implement a successful Secure Mobility strategy.