
Avoiding a security nightmare at South Australia’s Catholic schools

Taking on the challenge of securing student and organisational data while ensuring easy access to resources

This article can also be found in the Premium Editorial Download: CW ANZ: July 2016

Honi Soit, the weekly student newspaper of the University of Sydney, recently revealed that a laptop containing unencrypted but highly sensitive student information had been lost. It’s still lost.

It’s the stuff of nightmares for Simon Sigré, senior engineer with Catholic Education South Australia (CESA), who oversees the security of both student and staff data. He also handles accessibility of systems to students, teachers and parents.

CESA has partnerships across South Australia to set policy, provide facilities and offer resources to support the state’s 103 Catholic schools, 6,000 staff and 49,000 students. Sigré has been closely involved in developing the framework to protect the data held by schools, without acting as a brake on innovation or proper access to information by teachers, parents and students.

While many organisations harnessed technology to save money, Sigré said “that is not our story, as this is about equity of access to services”.

Every dollar counts

Sigré said part of the problem that many organisations face with security comes down to “lazy, antiquated IT staff”. In a sector such as education, which he described as “underfunded and where every dollar counts”, the biggest risk is that money is not being used smartly.

“To think that a password is enough (protection) for student records is 1980s stuff. The biggest risk is not being on top of this because the threat landscape is evolving fast. It’s like the University of Sydney laptop that was lost. What the hell is that? This is a leadership issue,” he said.

However, leadership has to navigate a series of obstacles, particularly in schools where equality of access cannot be sacrificed.

Sigré explained the challenge: “There are 300 public services facing the internet”, with 80 Exchange servers involved. “At one of our schools one of the students built a YouTube equivalent. The school was so proud it wanted to get it out on the internet – but with no regression testing of the system it scared the pants off me.”

Sigré understands that the system cannot be totally locked down. With 50,000 student records under management there’s a need for security, but “we are not a bank and we don’t get to define that work will take place between 9am and 5pm and expect everyone to swipe a fingerprint for access”.

F5’s Application Delivery Controller

To tackle the challenge, CESA deployed F5’s Application Delivery Controller, BIG-IP Local Traffic Manager and Access Policy Manager systems. It established a customisable framework that could scale to meet the changing and growing demands of the school while maintaining rigour around the security of data and applications.

“It’s a modular piece, a bit like a Swiss army knife. As we fold out more pieces we are able to deliver services faster,” according to Sigré.

CESA’s decision to invest in the F5 software was a watershed moment for Sigré. “I came on board five years ago – it had been floundering and was never able to give the schools the services it wanted. There had been a move for mediocrity. That’s not good enough. If you are doing that in education then you are not doing your job.”

The solution (F5) uses access and identity management, along with geolocation markers. The latter can help identify spurious access attempts, which can then be blocked.

CESA leveraged the scripting syntax of F5’s iRules to enable it to inspect inbound and outbound application traffic for malicious content and also customised load-balancing algorithms to improve efficiency and availability.

To the users of the system the security framework is transparent, and does not rely on complex access provisions. “Teachers don’t have time to mess around to scan a face – they just want to take a roll call,” he said.

Martyn Young, systems engineering director at F5 Networks in Australia, acknowledged the significant challenges faced by schools and universities in ensuring that their systems were secure while accessible.


“The education sector has a lot of challenges. While there is common movement it’s probably not as advanced as other sectors. There is a restricted budget and a plethora of services. To try to deal with that at a departmental level is a challenge,” said Young.

He said the approach taken by CESA – where the wide area network (WAN) was centrally managed for the schools, instead of devolving security to each individually – made a lot more sense.

Traditional methods didn’t scale

“The ability to have a skills set that is centralised is a much more cost effective approach,” he added.

“This allows organisations to template the services they want to offer, even down to the bandwidth across the network, and then push to centralise those instances,” he said.

Sigré noted that with the multiple schools connected to the WAN the aim changed from how to get the customer to connect fast, to how it could serve content and provision new services faster.

“Traditional methods simply didn’t scale and we couldn’t keep up. We needed a customisable framework for deploying applications and automating tasks,” he added.

The Application Security Module (ASM) allows CESA to wrap a security layer around all of its services in a way firewalls couldn’t, and to use iRules to tailor that layer to its needs.

“ASM gave us that extra advantage, where we were able to build some high-level templates that matched the base technologies in use and then start customising to accommodate the subtle differences of each new service,” said Young.

“Specifically, ASM allowed us to tailor security profiles to fit like a glove and therefore wrap seamlessly around every application. It also gave us a level of assurance that all our applications are delivered in a secure manner,” he said. 
