Security Concerns for K-12 Networks
Network security (read last week’s article if you haven’t) is inextricably linked with BYOD, but it is also an issue of its own. Protecting student data has been a concern in K-12 for years, as shown in the Federal Educational Rights and Privacy Act and the Children’s Online Privacy Protection Act in the U.S., the Data Protection Directive in Europe, and the Privacy Act in Australia, to name just a few.
In the era of online testing, security and privacy take on a whole new level of importance. Your wireless network must have all of the security and privacy of the strongest wired elements in your network. Advanced security is considered a feature by some vendors, and licensing for it comes at a cost; you must ensure that these features are included in your initial estimate, along with any costs for upgrades and expansion. Please note that you may have to ask probing questions to get complete information about security from Wi-Fi networking vendors, since some technologies have evolved from what were originally consumer-grade devices.
In addition, if you are considering a controller-based architecture that features distributed or local forwarding, make sure you know which security features, if any, are omitted when traffic bypasses the controller. If a branch or cloud-based controller solution is dependent upon the WAN for security applications, be sure to fully consider what features will fail if the WAN does.
One of the most important considerations when deploying a secure Wi-Fi network is what is required to get access to the network. Many home networks use a pre-shared key (PSK), in which access to the network is provided when you put in a specific password. The problem is that most people using PSK have the same password for all users, which poses many issues. One issue is that the network cannot tell users apart if they all come in with the same credentials. The most troubling issue, however, is that if PSKs are the only security method used, it is quite likely that an access key will remain in place long after it should have been removed; it can happen any time a user logs on but fails to log out. This can leave an open door for anyone to join your network and wreak havoc. Look for vendors that enable users to get their own keys, and provide network automation that removes the burden of administering keys from IT (see Aerohive’s PPSK).
Authentication and access control are likewise required for Wi-Fi networks in the school. Authentication will allow the network to know who is a teacher, an administrator, a student, or a guest, and provide them appropriate access based on that information. While this is important for all users, it is often forgotten in the case of guests, where dynamic, configurable pre-shared keys (unique to each guest) can be configured to expire and should protect each connection. It should be possible to easily provision more granular access controls as well, including putting users onto separate VLANs if desired, to limit access by device type, time period, or user role.
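The per-user key and access-control ideas above, sketched as an added example; it is not code from this article or from Aerohive's PPSK. It models only the policy decisions (unique key per user, expiry, individual revocation, role-to-VLAN mapping), not the Wi-Fi handshake, and the class names, user names and VLAN IDs are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical role-to-VLAN policy; the VLAN IDs are constructed sample values.
ROLE_VLAN = {"teacher": 10, "administrator": 20, "student": 30, "guest": 99}

@dataclass
class KeyRecord:
    user: str
    role: str
    key: str
    expires: Optional[datetime]  # None means no automatic expiry
    revoked: bool = False

class KeyRegistry:
    """One key per user, so a key identifies its holder and can be retired alone."""

    def __init__(self):
        self._records = []

    def issue(self, user, role, lifetime=None, now=None):
        """Create a unique random key for one user and return it."""
        if role not in ROLE_VLAN:
            raise ValueError(f"unknown role: {role}")
        now = now or datetime.now(timezone.utc)
        expires = now + lifetime if lifetime is not None else None
        key = secrets.token_urlsafe(16)
        self._records.append(KeyRecord(user, role, key, expires))
        return key

    def revoke(self, user):
        """Retire one user's keys; every other user's key keeps working."""
        for rec in self._records:
            if rec.user == user:
                rec.revoked = True

    def authorize(self, presented_key, now=None):
        """Return (user, vlan) for a valid key, else None."""
        now = now or datetime.now(timezone.utc)
        for rec in self._records:
            # Constant-time comparison of the presented key with the stored one.
            if hmac.compare_digest(rec.key.encode(), presented_key.encode()):
                if rec.revoked or (rec.expires is not None and now >= rec.expires):
                    return None  # key was valid once but is no longer an open door
                return rec.user, ROLE_VLAN[rec.role]
        return None  # unknown key
```

With a single shared PSK, neither the expiry check nor the per-user revoke is possible without changing the password for everyone.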