Mobile in the Classroom: How to secure the borderless school network
Includes a checklist for choosing the right security solution
Mobile Devices in Education
School-owned Mobile Devices vs. BYOD
While there are many benefits associated with more mobile devices in the classroom, mobile enablement in schools presents new challenges for network security professionals tasked with safeguarding students, protecting the school network, maintaining Children’s Internet Protection Act (CIPA) compliance and ensuring network availability.
Providing mobile devices to students means schools must also ensure the device is CIPA compliant by securing web access on the device. In addition, tablets such as iOS and Android devices may also require Mobile Device Management (MDM) software to manage the applications and peripherals on the device itself.
School-owned devices create equal status among students since they are all on the same technology – it’s also easier for teachers to manage assignments with students on the same platform.
School-owned devices are easier to secure, since you are able to install software on the devices to manage them, but allowing BYOD saves on the cost of providing a tablet to each student.
Apple boasts that nearly 10 million iPads were in the hands of students worldwide in 2013, with that number expected to increase substantially in the coming years. Other brands of tablets are also increasing their school presence as educators have been quick to discover that educational resources on the Internet can enhance the learning experience and are budget friendly. Digital text books are about half the cost per student of printed text books, and with school budgets tighter than ever, mobile technology in schools, including bring-your-own-device (BYOD), will continue to expand. A recent industry analyst report estimates that mobile devices will overtake desktop computers by 2017.
Many schools have embraced 1:1 initiatives providing iPads and other mobile devices to students in K-12 schools. Other schools are allowing bring-your-own-device (BYOD) programs where students bring their mobile devices and connect to the school network. Each of these programs presents advantages and challenges for schools:
BYOD saves the cost of purchasing devices and users are more comfortable with devices they own and are accustomed to using, but BYOD can introduce new threats to the school network since students can be unknowingly bringing an already infected device into the network.
BYOD includes multiple platforms and applications that create support challenges as well as difficulty identifying web activity events by directory user name vs. IP numbers.
More mobile devices on the network, whether school-owned or BYOD, increase bandwidth demands that can jeopardize network availability.
Controlling school-owned devices when off-network can be difficult. Managing activities of BYOD users includes privacy considerations.
Whether schools provide school-owned mobile devices to students and staff, allow BYOD or enable both, mobile devices present risks and challenges for school admin and IT staff.
Dealing with Mobile Threats and Risks
Unfortunately, as mobile technology has continued to evolve, so have the tactics of cybercriminals dedicated to exploiting weaknesses. Schools are not immune to the advanced persistent threats (APTs) and zero-day exploits that are increasingly aimed at mobile users. However, many security vendors are trying to secure the school’s borderless network with technology that was developed before mobile in the classroom existed. Other obstacles to securing mobile users at school include:
The growth of mobile wireless devices is matched by the intelligence of the devices themselves, making them capable of supporting increasingly sophisticated applications that create more risks for school IT.
Cybercriminal syndicates engage talented hackers and exchange or sell exploit kits freely, with tactics as creative as the solutions they are trying to foil.
An increasing number of proxy applications such as Ultrasurf, Tor and others are designed to enable anonymous browsing, allowing students to circumvent the school Web security solution.
Schools need to consider the threat of data loss as well as protecting students’ Internet access. This is because beyond CIPA, schools are required to secure student and staff health information under HIPAA regulations as well as comply with the Family Educational Rights and Privacy Act (FERPA). These compliance requirements demand vigilance over data leaving the school network and data-stealing malware entering it.
Securing mobile devices can be costly and taxing to tight school budgets. The scarcity of integrated solutions has many vendors striving to upgrade legacy solutions to encompass technology that didn’t exist when they were created. As a result, vendors try to integrate third party MDM, which can create gaping security holes.
Mobile and Cyberbullying
With more mobile students accessing the school network, it’s no surprise they are also accessing social media applications more often via mobile devices. According to Pew Research, 74% of students age 12-17 are mobile Internet users who access the Web via cell phones and tablets, and 81% are accessing social media sites. Recent studies show that cyberbullying in K-12 schools is rampant, with 87% of middle-school students reporting they have witnessed cyberbullying in the past year.
Prior to the advent of mobile devices, bullying incidents occurred in person and perpetrators could be identified. The availability of mobile communications coupled with numerous popular social media platforms has ushered in an era of cyberbullying in which the bully can remain hidden from the victim. Unfortunately, the damage to victims is still the same and schools can be considered culpable if the offenses happen during school hours or via the school network, or even off-network if it involved school-supplied devices. There are many cases of schools being sued for allowing students to be cyberbullied, including:
Williamson County Schools in Tennessee are being sued for $1.1 million with parents claiming the district didn’t do enough to protect their son from cyber bullies on Facebook.
The Estacada School District in Oregon is being sued because a video of a student changing in their locker room was posted on social media sites.
A Louisiana school board was sued over the death of a student who committed suicide after cyberbullying by classmates.
Challenges of 1:1 Initiatives and BYOD Support
Whether your school or district chooses to adopt a 1:1 initiative, support BYOD or both, there are security risks associated with both programs. Here is a comparison of the challenges each presents:
1:1 Initiatives
Providing iPads or other tablets to each student can burden tight school budgets and with technology moving fast, it may be difficult to fund technology upgrades when they are needed.
Having all students and teachers on the same devices will require training for those not familiar with the chosen technology, adding time and costs.
While BYOD students are responsible for the maintenance and security of their own devices, the school will be accepting more liability for the devices they provide.
Securing students’ and staff’s Web access and protecting school-owned devices will require MDM software, which can add significant costs to your 1:1 program.
BYOD
While allowing personal mobile devices on your network relieves the school budget, they can introduce new threats to the network. There are also privacy issues when dealing with BYOD users.
Anonymizer and file-sharing services, which allow savvy BYOD students to circumvent school Web security, are fertile ground for cybercriminals seeking exploitable vulnerabilities.
The variety of operating systems in BYOD makes securing them more complex. Also, users who fail to perform timely upgrades can have bugs from previous versions.
Erosion in network performance can occur from multiple mobile devices driving up bandwidth consumption. These unpredictable and increased levels of demand can interfere with important processes such as online testing.
Checklist for your next Mobile Security Solution
Whether your school embraces a 1:1 program, allows BYOD or both, it will be up to your school or district to ensure the security of users and devices. The following checklist can serve as a guide for crucial capabilities to include as you refine your mobile security strategy and evaluate security solutions:
Supports all regulatory compliance requirements: Students and staff on school-owned mobile devices must be in compliance with the requirements of CIPA and other regulatory legislation both on- and off-premises. Users on privately-owned devices must also comply if they are accessing the school’s wireless network. Make sure the mobile security you choose gives you the ability to enforce any regulatory compliance that’s needed. Be aware that standard MDM solutions may lack the capabilities needed to accurately support school compliance requirements.
Supports multiple platforms: For schools that enable BYOD programs, it will be important to have Web and mobile security solutions that can integrate across any platform. With the varied number of mobile devices available, if your security solution isn’t flexible enough to support multiple platforms, you could jeopardize your compliance efforts.
Provides advanced threat protection across all mobile devices: Most schools have Web security / Web Filtering solutions in place, but many of them were designed before mobile Web connections existed. Make sure your security solutions not only prevent advanced threats, including those using SSL/HTTPS traffic, but also provide granular protection across all mobile devices whether school-owned or BYOD. With mobile threats increasing daily, you need a solution that extends protection to all your mobile users or you will be leaving your school network vulnerable to a wide range of damaging malware and other exploits.
Integrates with existing security solutions: Since virtually all schools have Web security solutions in place, finding mobile security solutions that integrate easily with existing software is important. Make sure you not only review the features of MDM to ensure they fit your school’s requirements, but also thoroughly understand what steps are required to integrate MDM into your existing Web security solution. In many cases, integration may require reconfiguration of your firewall as well as configuration of proxies, which can be costly and time consuming.
Provides granular policy enforcement: It’s important for schools to be able to enforce Web usage policies across diverse audiences, for instance, applying policies to teachers / staff vs. students, or younger students vs. older students, etc. In the case of school-owned devices, where iPads or tablets might change hands during the day, the ability to pinpoint who is using a device at a particular time is important.
Addresses bandwidth usage: With more mobile devices accessing the school network, you need a mobile security solution that can ensure network availability during peak hours. This is particularly critical for schools when tests are being administered and network availability is paramount.
Provides intelligent social media access: Updated CIPA rules that became effective in July, 2012, require schools to instruct children in appropriate online behavior on social media sites and chat rooms. Be sure you choose a security solution that provides content-aware scanning and granular management of social media so you can make it available to students in a safe environment, for instance by allowing access to appropriate parts of a site but blocking comments. In another scenario, it would be important to be able to block access to twitter.com, while allowing content on twitter.com/abcschools.
Controls mobile application downloads: With thousands of mobile applications available, schools need to have an MDM solution that will push the apps that students and staff need, and block access to apps that are not school-related or age-appropriate. Will the app store remain open to all users so that students can download any of them? Choose a solution that gives you control over what apps are downloaded and when, and can push important or custom applications to the right groups or individuals.
Tracks lost or stolen devices: Schools must consider the possibility that the devices they provide to students and staff might be lost or stolen. What security measure will you have in place to deal with this possibility? Although recovery of the item may or may not be possible, having a way to track the device’s whereabouts and/or wipe its contents provides critical peace of mind.
Tracks electronic purchases: If your students and staff are downloading authorized e-books or other content on school-owned mobile devices, you will need an MDM solution that can keep track of legitimate licenses for school materials students and teachers download. A tracking system that monitors and records purchases and licenses can prevent thousands of lost dollars should the device be wiped or stolen.
Mitigates tampering: School-owned devices can become accidentally or even intentionally locked, preventing other students from using them. Make sure you have an MDM solution with the tools to remediate this quickly if it happens or, better yet, keep it from happening in the first place.
Applies policies accurately on shared devices: Students may share school-owned mobile devices or work in groups where devices are shared. That’s why it’s important to have an MDM solution that provides integration with your policy-based Web security. Choose a solution that lets you accurately enforce policies no matter who is using your mobile devices.
Enables content sharing: Teachers must be able to easily push documents, such as homework assignments, announcements, grades, and links to students located both on and off campus. Whether kids are staying home sick or studying as long-distance learners, content-sharing solutions enable a fluid learning experience.
Offers an intuitive interface: Look for an integrated MDM solution that offers easy-to-use features and an intuitive dashboard that provides speedy communications among teachers, students and parents when required. There’s no reason to add complexity to MDM with a solution that is difficult to use or slow.
Identifies and tracks BYOD users: Just as you track your mobile users on school-owned devices, if you allow BYOD on the school network, you will want the same ability to track their Web activity, whether students, teachers or staff. While some solutions may provide a feature to apply generic usage policies to all BYOD users, look for one that allows you to track individuals and provide accurate policy enforcement.
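The "intelligent social media access" item asks for a filter that blocks twitter.com while allowing twitter.com/abcschools. The sketch below is an added example, not iboss code or configuration: it shows how such a path-level exception can be evaluated so that look-alike paths, dot segments and encoded separators do not inherit the exception. The policy tables, function names and sample URLs are constructed for illustration, and comparing paths case-insensitively is an assumption.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed policy mirroring the checklist scenario (not a vendor config):
# the whole site is blocked except one school-run account path.
BLOCKED_DOMAINS = {"twitter.com"}
ALLOWED_PREFIXES = {"twitter.com": ["/abcschools"]}


def policy_domain(host):
    """Return the blocked domain that `host` equals or is a subdomain of."""
    for domain in BLOCKED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def canonical_path(raw_path):
    """Decode once and resolve dot segments; None means 'do not trust'."""
    decoded = unquote(raw_path or "/")
    # Anything still encoded after one pass (double encoding) or using
    # backslashes could be read differently by the server: fail closed.
    if "%" in decoded or "\\" in decoded:
        return None
    path = posixpath.normpath("/" + decoded.lstrip("/"))
    return path.lower()  # assumption: paths are compared case-insensitively


def decide(url):
    """Return 'allow', 'block', or 'no-match' (host not covered here)."""
    parts = urlsplit(url)
    # Use the parsed hostname, never a substring search over the URL, so
    # userinfo tricks such as twitter.com@other.example do not match.
    host = (parts.hostname or "").lower().rstrip(".")
    domain = policy_domain(host)
    if domain is None:
        return "no-match"
    path = canonical_path(parts.path)
    if path is None:
        return "block"
    for prefix in ALLOWED_PREFIXES.get(domain, []):
        # Match whole path segments: /abcschools and /abcschools/...,
        # but not /abcschools_fake.
        if path == prefix or path.startswith(prefix + "/"):
            return "allow"
    return "block"


# Constructed sample requests.
SAMPLES = [
    "https://twitter.com/abcschools/status/1",
    "https://twitter.com/abcschools_fake",
    "https://twitter.com/abcschools/../someoneelse",
    "https://twitter.com/abcschools%2F..%2Fsomeoneelse",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{decide(sample):8} {sample}")
```

For HTTPS traffic a network filter only sees the path if it decrypts the connection or runs on the device; without that, only the hostname is visible and a path-level exception like this one cannot be enforced.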
iboss Web and Mobile Security:
iboss offers integrated Web and mobile security solutions that are easy to deploy and manage and offer the granular control and rich feature set that can support all your users, and enforce regulatory compliance whether students and staff are on school-owned or personally-owned mobile devices. Important iboss mobile security features include:
MDM and mobile Security in one solution – MobileEther
MDM and Web security with iboss MobileEther – Only iboss offers full-featured mobile device management (MDM) and Integrated Web Security that secures both devices and your school’s Web access in one solution. With one interface, schools can locate devices, wipe lost or stolen devices, and even disable device functions such as cameras. Email trigger alerts provide insight on administrator-defined events, such as when a device leaves the network, an unapproved app is installed, or when web access violations occur. Eighteen different triggers can be customized to keep you apprised of all user activity, whether on- or off-network. If you already have an MDM solution, iboss Mobile Security can be integrated with MobileEther disabled.
Social media controls – MobileEther allows schools to create flexible social media access based on directory group membership. In addition, granular controls allow you to set policies for each social media user including restrictions such as ‘No Posting’, ‘Games’ or ‘Photo Uploads’ to social media sites. This allows you to enable social media while still complying with CIPA and other regulations.
Application management – Ensure granular application control with the ability to push customized apps, update content, restrict or allow app store access and more. With MobileEther’s unique Filtered AppStore, administrators can allow access to only approved application categories and age-ratings that users can search and install on their own.
Enroll students and staff easily – Quick and easy set-up via over-the-air enrollment gets you started within minutes, while on or off-premises, without requiring an Apple Configurator. In addition, support for Apple’s Device Enrollment Program allows you to automatically enroll devices to MobileEther without user interaction.
Put Powerful Security
Seamless directory integration and authentication – Simplifies integration by binding devices to your existing directory services including Active Directory, eDirectory, Open Directory, and LDAP. Policies for both Web access and mobile device profiles are based on your directory profiles and consolidated through a central management interface, which simplifies setup, management, and maintenance.
Dynamic content awareness and reporting – Mobile Security is fully integrated with the iboss Threat and Event Console Reporter to provide dynamic content visibility across all actions, whether restricted or not, in real-time on any device. Instantly detect suspicious behavior on mobile devices and receive alerts. Streamlined directory services integration enables aggregate reporting across all users whether on or off-premises.
Accurate policy enforcement on shared devices – Authenticated users are bound via directory integration to their group or individual profiles, but MobileEther can dynamically change device settings including Internet access rules, device profiles, and app store access based on the specific user accessing the device. This is an essential capability in shared environments such as school classrooms, libraries or labs, where a single device may have different users.
Shared Content Lockbox – iboss allows administrators and teachers to easily share content with students including documents, images, audio, video, bookmarks, announcements, or shared apps. Using the Content Sharing Lockbox, teachers create share groups based on their classes and students, giving students access to valuable learning tools and increasing efficiency and productivity in the classroom.
Delegated Administration – iboss allows you to delegate specific management and administration tasks for mobile device policies to teachers or other administrators, increasing efficiency and easing the demand on IT resources.
Hierarchical Nested Device Groups – Simplify policy management by creating nested device group trees to deploy mobile device policies. Create group policies, apply them to a parent group and they are then applied to all the devices under the parent.
BYOD Security
iboss Web Security Suite offers built-in BYOD management tools that extend leading Web security features across your BYOD mobile users and includes these features:
Captive portal for BYOD users – Manage students and teachers on BYOD by binding them to directory services including Active Directory, eDirectory, Open Directory, and LDAP for both wired and wireless connections.
Granular policy enforcement – Apply policies per group or individual, so that policies are accurately applied to the appropriate groups or individuals such as teachers, older students, younger students, etc.
Location awareness – iboss enables location aware tracking that helps protect privacy on privately-owned mobile devices when they are off the school network. As soon as privately held mobile devices leave the school network, you need to ensure that their private data is not being monitored, and iboss BYOD technology gives you that assurance.
Advanced threat defense – iboss BYOD management includes scanning and filtering for known and unknown threats including malware and botnets that can invade school networks. iboss extends industry leading protection against threats and data loss to all users including BYOD.
Quarantine for high-risk users – When illegal or banned activity is detected on privately-owned mobile devices, iboss can automatically quarantine the offending user from further action and notify you so the problem can be addressed.
Comprehensive Bandwidth Management – iboss Web Security Suite includes bandwidth shaping during peak hours, so you can ensure optimal network performance during important school tasks such as testing.
About iboss Cybersecurity
iboss Cybersecurity defends today’s borderless networks against malware, advanced threats and data exfiltration with innovative Web Security, Mobile Security and FireSphere™ Advanced APT Defense. Backed by patented technology and leveraging leading threat protection and unsurpassed usability, iboss is trusted by thousands of organizations and millions of users.
Visit www.iboss.com
iboss, Inc. (P) 877.742.6832 U.S. HQ 9950 Summers Ridge Rd., Bldg. 160 San Diego, CA 92121 © 2015 All rights reserved. iboss, Inc. All other trademarks are the property of their respective owners.