As part of our on-going series of posts dedicated to the consumerisation of IT in education, we now turn our attention to the security considerations that institutions need to take on board when planning their strategy.
When considering security we need to think about the devices themselves, the data and the network.
Is any data going to be stored on the device, or is it all held in the data centre or the cloud? If there will be sensitive data on a staff member's laptop, for example, would you consider enforcing encryption policies with a technology such as BitLocker Drive Encryption? BitLocker Drive Encryption is integrated into Windows 7 Enterprise and Ultimate Editions and encrypts the hard disk at volume level. Thus, if a staff laptop goes missing, you will have the peace of mind that any sensitive data on it is unreadable.
BitLocker To Go extends encryption protection to USB memory sticks. Policies can also be enforced to ensure that only encrypted memory sticks can be used on campus.
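To make the two checks above concrete, here is an added example (not code from the original post or from Microsoft) that audits BitLocker protection on every volume and confirms that the "deny write access to removable drives not protected by BitLocker" policy is in force. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later; on Windows 7 the same information comes from `manage-bde -status`), and the registry value name `RDVDenyWriteAccess` is taken from the BitLocker Group Policy template, so verify it against your own ADMX files.

```powershell
# Added example: audit BitLocker state and the removable-drive write policy.
# Assumes the BitLocker module (Get-BitLockerVolume) is available.

function Get-BitLockerAudit {
    [CmdletBinding()]
    param()

    # One record per volume: type, whether protection is on, how far encryption has got.
    $volumes = Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint  = $_.MountPoint
            VolumeType  = $_.VolumeType          # OperatingSystem or Data (fixed and removable both report Data)
            Protection  = $_.ProtectionStatus    # On / Off
            Status      = $_.VolumeStatus        # FullyEncrypted, EncryptionInProgress, FullyDecrypted ...
            PercentDone = $_.EncryptionPercentage
        }
    }

    # Policy check: the Group Policy setting "Deny write access to removable drives not
    # protected by BitLocker" is backed by RDVDenyWriteAccess = 1 under the FVE policy key
    # (assumption: value name taken from the BitLocker ADMX template).
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $denyUnencryptedUsb = $false
    if (Test-Path $fve) {
        $v = Get-ItemProperty -Path $fve -Name 'RDVDenyWriteAccess' -ErrorAction SilentlyContinue
        $denyUnencryptedUsb = ($null -ne $v) -and ($v.RDVDenyWriteAccess -eq 1)
    }

    # Findings an administrator would act on.
    $findings = @()
    foreach ($vol in $volumes) {
        if ($vol.VolumeType -eq 'OperatingSystem' -and $vol.Protection -ne 'On') {
            $findings += "System volume $($vol.MountPoint) is not protected by BitLocker."
        }
        if ($vol.Status -eq 'EncryptionInProgress') {
            $findings += "$($vol.MountPoint) is only $($vol.PercentDone)% encrypted; part of the data is still in the clear."
        }
    }
    if (-not $denyUnencryptedUsb) {
        $findings += 'Unencrypted removable drives are still writable (RDVDenyWriteAccess is not set to 1).'
    }

    [pscustomobject]@{
        Volumes            = $volumes
        DenyUnencryptedUsb = $denyUnencryptedUsb
        Findings           = $findings
        Compliant          = ($findings.Count -eq 0)
    }
}

# Usage: run from an elevated PowerShell session on the laptop being audited.
Get-BitLockerAudit | Format-List
```

The "EncryptionInProgress" finding matters in practice: a laptop that went missing while its initial encryption was still running is not fully protected, so a status report that only looks at whether protection is "On" can give false comfort.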
Providing Network Access
With the potential introduction of “untrusted” devices onto your network there are many points to consider, including network segmentation (physical or logical) and user authentication.
A typical student might require a school PC one day to access internal systems, while the next day she might bring in her own device. What level of access will you give your student when using an untrusted device?
Will you limit her access to external access only? Will she be able to use the same username and password regardless of which device she uses?
You will likely want to limit the access level based on the level of trust you have in the device she is connecting from.
Microsoft Forefront Unified Access Gateway is a solution that can provide secure access (both internal and remote) based on a number of criteria. For example, a student logging on from a school PC will be able to access applications 1-5, while the same student logging on from an untrusted device might be limited to one application, or have no access at all.
Will you enforce a security policy to ensure devices meet minimum security levels (local firewall, antivirus protection, etc.)? Network Access Protection (NAP), a technology introduced with Windows Server 2008, checks the policy compliance of Windows clients and enforces security before allowing access to the network.
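As an added illustration of the decision described above (this is not code from the post, from Forefront UAG or from NAP, and the real enforcement happens in the gateway or NAP policy server, not on the client), the following script gathers the posture signals the post mentions (is the device school-managed, is the local firewall on, is antivirus running) and maps them to an access tier: a managed, compliant PC gets applications 1-5, a compliant personal device gets one application, and a non-compliant device gets nothing. The tier names and application list are assumptions for illustration; the antivirus check relies on the Security Center `productState` bit field, which is an undocumented convention, so treat that as a heuristic.

```powershell
# Added example: collect device posture and derive an access tier from it.
# Assumes a Windows client with Security Center (root\SecurityCenter2) available.

function Get-DevicePosture {
    # Domain-joined is used here as the "school PC" signal; anything else is an untrusted device.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $domainJoined = [bool]$cs.PartOfDomain

    # Windows Firewall state through the Windows Firewall with Advanced Security COM API.
    # Profile ids: 1 = domain, 2 = private, 4 = public (NET_FW_PROFILE_TYPE2).
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $firewallOn = ($fw.FirewallEnabled(1) -and $fw.FirewallEnabled(2) -and $fw.FirewallEnabled(4))

    # Antivirus as registered with Security Center. productState is a bit field; the
    # widely used (undocumented) reading is that 0x1000 set means real-time protection is on.
    $av = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    $antivirusOn = $false
    foreach ($p in @($av)) {
        if ($p -and (($p.productState -band 0x1000) -ne 0)) { $antivirusOn = $true }
    }

    [pscustomobject]@{
        DomainJoined = $domainJoined
        FirewallOn   = $firewallOn
        AntivirusOn  = $antivirusOn
    }
}

function Get-AccessTier {
    param([Parameter(Mandatory)] $Posture)

    # Minimum requirements that apply to every device, each with the reason to report
    # back to the user (NAP would present these as remediation items).
    $failures = @()
    if (-not $Posture.FirewallOn)  { $failures += 'Local firewall is not enabled on all profiles' }
    if (-not $Posture.AntivirusOn) { $failures += 'No antivirus with real-time protection is registered' }

    # Tier decision following the post's example: managed PC gets the full set, a
    # compliant personal device gets one application, a non-compliant device gets nothing.
    $tier = if ($failures.Count -gt 0) { 'None' }
            elseif ($Posture.DomainJoined) { 'Full' }
            else { 'Limited' }

    # Application names are placeholders standing in for "applications 1-5".
    $apps = switch ($tier) {
        'Full'    { 1..5 | ForEach-Object { "Application $_" } }
        'Limited' { @('Application 1') }
        'None'    { @() }
    }

    [pscustomobject]@{ Tier = $tier; Applications = $apps; Failures = $failures }
}

# Usage: evaluate the machine the script runs on.
$posture = Get-DevicePosture
Get-AccessTier -Posture $posture | Format-List
```

Note that the device decides nothing for itself here: the value of running this kind of logic on the gateway or the NAP policy server is precisely that an untrusted device cannot simply claim to be compliant, which is why the post separates "what access will you give" from "how will you check the device".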
Is it likely that you will have students visiting from other schools, colleges or universities? If so, how will you manage their authentication? You might consider using a service such as the JANET(UK) federation service eduroam. The eduroam service provided by JANET(UK) is a federated service that enables JANET-connected institutions to offer secure network services to visitors from other eduroam-enabled institutions, without the need for guest account management.
Alternatively, running a commercial offering, such as BT OpenZone, alongside your JANET(UK) provision could be a good option for allowing network access to non-approved devices.
For more information on our thoughts around the consumerisation of IT in education, download our paper or view in full below.