Every industry has its own set of network security challenges. In retail there’s credit card data and PCI compliance. In healthcare there’s patient data and privacy requirements. Suffice it to say, the education sector has challenges of its own that one might not initially consider.
Public school budgets are often strained today, forcing many IT managers to ‘do more with less’ and with growing security threats and booming IT innovation this is especially challenging. And while larger universities and campus-based schools may have larger budgets, they have larger challenges. Here are five network security challenges facing schools and campuses today:
1. Bring Your Own Device (BYOD) – The growing use of tablets and mobile devices by educators and students as they move to new ways of teaching and learning creates numerous network security challenges. BYOD device management is now a major need in districts and at campuses across the country. Just like any corporate organization, schools now need to think about network access policies, managing passwords more carefully, and understand how mobile devices are connecting to their networks.
2. Web 2.0 – Today’s students are more connected through social media than ever before and the Internet is playing an increasing role in education as teachers use it as part of their teaching arsenal. IT managers need to be able to allow access to certain sites and applications while restricting others. Finding this balance is not an easy challenge and requires new network security tools like Application Access Control.
3. Secure Remote Access – Student and teacher collaboration are playing an increasing role in education in today’s connected world. Today, students collaborate on projects and teachers provide feedback through cloud-based tools and by accessing school networks. IT managers need to be able to provide secure remote access to the tools that teachers and students are connecting to.
4. Multi-Point Access Solutions – Today, especially in campus environments, it’s not uncommon to have tens of buildings all connected to a single network. Being able to manage a distributed environment and its inherent security challenges needs to be simple and intuitive.
5. Identity Management – IT managers today need to be able to ensure that only authorized students and teachers can access computer and network resources. It’s through identity management that schools are able to effectively manage their acceptable usage policies and provide adequate control over access to applications.
There are many other challenges that education sector IT managers face, but these five are prevalent today and yet weren’t that long ago. Fortunately there are network security companies offering highly sophisticated unified threat management (UTM) tools and solutions, like WatchGuard. They’re flexible, powerful, robust, affordable, and can go a long way in easing the network security challenges facing schools and campuses. And, because the threat landscape is always changing, UTM solutions need to be designed to be able to easily add new network defense capabilities through security subscriptions, so costly hardware upgrades are not necessary.
Growth is exciting! Growth brings opportunities! Growth can also be somewhat scary when your goal is providing network security to three large city campuses while also providing secure remote access to 40,000 students and over 1,500 staff.
That’s what Dave Newsham, the ITSS Service Delivery Manager at Leeds City College in the UK, was challenged with recently, and we were delighted he turned to us at WatchGuard for assistance. With help from their IT partner, Epic Net, the IT folks at Leeds decided to standardize on the WatchGuard Unified Threat Management (UTM) platform.
The first WatchGuard XTM 1520 replaced a Cisco firewall at the Technology Campus to deliver greater performance and control; while a second appliance has been installed at the brand new Printworks Campus, opened for the first wave of students this September. The third XTM 1520 will be installed in the Park Lane Campus this October to complete the secure multi-site network.
Our UTM firewall appliances provide authenticated remote access over IPsec or SSL VPN to the College network and resources for all staff and students, from Apple, Windows, or Android platforms. In addition to support for the full Microsoft Office suite of applications, every student has an Office 365 email account and an associated online collaborative workspace.
In addition to providing full Layer 7 firewall protection and intrusion prevention, Leeds City College now has a central point of management, with the ability for policies to be easily deployed across the network, along with simplified administration and centralized logging and reporting.
With up to 14 Gbps of throughput, our XTM firewall appliances will be able to handle anticipated bandwidth growth over the next five years, as well as the addition of increasingly complex rule sets, without loss of performance; and the clustered, high-availability hardware configuration keeps the network up if one appliance fails.
Dave sums up his experience in his own words:
The expansion of the College posed significant security challenges, but the WatchGuard solution has allowed us to efficiently and comprehensively implement network security for staff and students wherever they are on the network. The WatchGuard XTM firewalls are both affordable and uncomplicated to deploy and maintain, helping us ensure we meet compliance standards, and can easily scale to accommodate future growth. Deployment was pain-free, and we now have a more centrally managed, secure, and easy to administer multi-site solution and we are able to track, monitor, and review real-time access and reporting.
Achieving secure connectivity with failover, content-based Web filtering and centralized management of more than 500 locations is never an easy task for an IT team, but when it’s a financial institution with over 2,250 employees it gets even more complex. This is what Adarsh Credit Co-Operative Society, a leading multi-state financial institution in India, was tasked with, and they turned to our team here at WatchGuard for help.
Adarsh deployed our XTM 8 and 5 Series UTM appliances in its data centers, as well as XTM 2 Series UTM appliances at all of its branch locations. While banking accessibility was vital, the organization also needed to restrict Internet usage at branch sites. Setting up the right IT security policies and ensuring uniform administration across these sites was a key driver in the selection process, as it should be!
Adarsh’s AVP of IT, Ramlal Arya, summed up his challenge and spoke of his experience…
We implemented the Core Banking application and needed to connect all the branches with the central location so it could be accessed seamlessly. When employees and members access the Core application, speed is important, but the bigger challenge is ensuring all transactions are secure. Deploying WatchGuard helped achieve both goals. WatchGuard’s XTM also helps us achieve higher throughput, which results in faster application access across the board. Installation of the appliances in high-availability mode ensured uninterrupted connectivity and smooth failover from one appliance to the other. It proved fast and straightforward with the centralized policy management capabilities and has reduced our need for site-to-site travel. And, working with WatchGuard’s Expert Partner, TM Systems Pvt., made the entire process fluid.
WatchGuard has given us a secure platform that allows us to connect all locations seamlessly and gives members and employees secure connectivity quickly to the applications they need. On the IT side, it gives us more control and the ability to easily manage these appliances and policies from a centralized location.
UTM security can play a role in solving many complex challenges, from banking to PCI DSS compliance to distributed retail environments. Whenever evaluating a UTM appliance you need to consider five core traits:
These five traits were paramount to Adarsh and their requirements for the ultimate in network security management. Be sure they’re on your consideration check-list when you’re looking to secure your network!
Today’s retail environment has become increasingly more complex and sophisticated. IT demands continue to increase due to growing risk management concerns and regulatory compliance requirements. Distributed retail environments are particularly challenging. Each endpoint (store) is an attack vector waiting to be exploited; each store has to meet PCI DSS regulatory requirements.
PCI DSS applies to any merchant that accepts payment card transactions. In a distributed retail environment, this means IT professionals must apply uniform security measures across all distributed store endpoints. Failure to deploy a uniform network security strategy and protective systems can result in substantial penalties, as well as high exposure to a variety of data and network threats.
Here are six steps you can take to make network security management a little easier in distributed retail environments:
1. Build and maintain a secure network. The first requirement here is to install and maintain a firewall configuration to protect cardholder data. Specifically for distributed retail environments, we offer RapidDeploy, a unique cloud-based configuration utility that enables uniform, rapid deployment of UTM appliances across a distributed environment. This eliminates the need for IT professionals to pre-configure devices or travel to deployment sites for installation, which significantly reduces total cost of ownership, while also reducing the risk of UTM misconfiguration.
The second requirement under this rubric is to not use vendor-supplied defaults for system passwords and other security parameters. In fact, we require administrators to change default passwords when first configuring appliances. And, with role-based access controls, administrators can effectively manage who can make firewall/UTM changes so that systems are always protected from unauthorized access.
2. Protect cardholder data. The third and fourth requirements call for the protection of stored cardholder data and for encrypted transmission of cardholder data across open, public networks. Store as little cardholder data as possible (and never store sensitive authentication data such as full track data or card verification codes after authorization); anything you do retain must be rendered unreadable, for example by strong encryption. If you’re transmitting cardholder data between sites, use a VPN so that the transmission is encrypted end to end. Our VPN solutions are especially suited to distributed retail environments, because they can create tunnels that provide secure site-to-site connections between networks or distributed store locations. This way, cardholder data is encrypted in transit and protected from hackers and identity thieves.
3. Maintain a vulnerability management program. Here, PCI DSS calls for regularly updated antivirus software (and, under the companion requirement, for keeping systems and applications patched and securely configured). Our UTM appliances offer gateway antivirus to protect against viruses, trojans and other malware variants. With the security subscription, all of our UTM appliances are automatically and seamlessly updated to thwart the latest outbreaks. It’s worth noting that, with our proxies, many “zero-day” attacks can be stopped before an antivirus signature is available. And, with our cloud-based Reputation Enabled Defense, traffic to and from dangerous websites and IP addresses can be blocked before it ever reaches a retail branch location.
4. Implement strong access control measures. This requirement calls for the restriction of access to cardholder data using business need-to-know policies. To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on job responsibilities. Here, the best security practice is grounded in the principle of “least privilege,” which holds that access to data should be limited to those who need it for legitimate business purposes.
5. Regularly monitor and test networks. Under this goal, the requirement calls for tracking and monitoring of all access to network resources and cardholder data. Make sure your administrators have the most in-depth and feature-rich array of reporting and logging tools. In our UTM appliances, advanced logging mechanisms support the ability to track individual users, which is critical for forensics and vulnerability management. You’ll also want easy-access, pre-packaged PCI DSS reports that provide you quick information that helps you stay on top of your compliance landscape.
6. Maintain an information security policy. This goal requires that merchants maintain a policy that addresses information security for all personnel. For example, our UTM appliances support extensive policy controls. This way, distributed retailers can maintain and enforce uniform policies across a variety of geographic locations. Delivering additional security services, through something like our LiveSecurity service, can provide best practices and related security updates for retailers to ensure they are up to speed on the latest security developments.
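As an added illustration of steps 1, 2 and 5 above (example code written for this page, not WatchGuard’s software, and not its rule or log format), the script below audits a constructed firewall ruleset, a constructed account list and a few constructed log lines: it flags allow rules that expose the cardholder-data segment, accounts still carrying a vendor-default password, and connections into that segment that cannot be traced back to a user. The rule tuple layout, the key=value log format, the 10.20.0.0/24 address range, the account names and the vendor defaults are all assumptions made for the example.

```python
"""Added example for the PCI DSS steps above (not WatchGuard code).
Audits a hypothetical ruleset, account list and log extract for:
  - allow rules that reach the cardholder-data environment (Req. 1)
  - accounts still on vendor-supplied passwords (Req. 2)
  - CDE access that is not attributable to a user (Req. 10)
All data below is constructed for the example."""

import ipaddress
import re
from collections import Counter

# Assumed cardholder-data segment for this example.
CDE_NET = ipaddress.ip_network("10.20.0.0/24")

# Constructed ruleset: (name, source, destination, port, action).
# "any" matches every address or port.
RULES = [
    ("pos-to-cde",   "10.10.0.0/24", "10.20.0.0/24", 443,   "allow"),
    ("mgmt-ssh",     "any",          "10.20.0.0/24", 22,    "allow"),
    ("guest-web",    "10.30.0.0/24", "any",          443,   "allow"),
    ("default-deny", "any",          "any",          "any", "deny"),
]

# Hypothetical vendor defaults and the accounts actually configured.
VENDOR_DEFAULTS = {"admin": "readwrite", "status": "readonly"}
CONFIGURED_ACCOUNTS = {"admin": "readwrite", "store-ops": "Y8!rk2-Qv"}

# Constructed log extract in an assumed key=value format.
LOG = """\
2013-09-10T10:15:22Z fw1 action=allow user=jdoe src=10.10.0.5 dst=10.20.0.12 dport=443
2013-09-10T10:15:40Z fw1 action=allow user=jdoe src=10.10.0.5 dst=10.20.0.12 dport=443
2013-09-10T10:16:03Z fw1 action=allow user=- src=203.0.113.7 dst=10.20.0.12 dport=22
2013-09-10T10:16:30Z fw1 action=allow user=asmith src=10.30.0.9 dst=198.51.100.20 dport=443
2013-09-10T10:17:01Z fw1 action=deny user=- src=203.0.113.9 dst=10.20.0.12 dport=3389
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def _net(spec):
    """'any' -> None, otherwise an ip_network."""
    return None if spec == "any" else ipaddress.ip_network(spec)


def cde_exposure(rules, cde=CDE_NET):
    """Allow rules that let unrestricted sources into the CDE, or whose
    destination of 'any' silently includes the CDE. Returns (name, reason)."""
    findings = []
    for name, src, dst, _port, action in rules:
        if action != "allow":
            continue
        dst_net = _net(dst)
        if dst_net is None:
            findings.append((name, "destination 'any' implicitly includes the CDE"))
        elif dst_net.overlaps(cde) and _net(src) is None:
            findings.append((name, "source 'any' may reach the CDE"))
    return findings


def unchanged_defaults(accounts, defaults=VENDOR_DEFAULTS):
    """Account names whose password still equals the vendor default."""
    return sorted(u for u, pw in accounts.items() if defaults.get(u) == pw)


def cde_access_report(log_text, cde=CDE_NET):
    """Per-user count of allowed connections into the CDE, plus the allowed
    connections that carry no user attribution (src, dport)."""
    per_user = Counter()
    unattributed = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "allow":
            continue
        if ipaddress.ip_address(m["dst"]) not in cde:
            continue
        if m["user"] == "-":
            unattributed.append((m["src"], int(m["dport"])))
        else:
            per_user[m["user"]] += 1
    return dict(per_user), unattributed


if __name__ == "__main__":
    for name, reason in cde_exposure(RULES):
        print(f"RULE  {name}: {reason}")
    for user in unchanged_defaults(CONFIGURED_ACCOUNTS):
        print(f"CREDS {user}: vendor default password still set")
    users, anon = cde_access_report(LOG)
    print(f"CDE access by user: {users}; unattributed: {anon}")
```

Run as written, the audit ties the three findings together: the `mgmt-ssh` rule admits any source into the CDE, and the log shows exactly such a connection (SSH from 203.0.113.7) with no user behind it, while the `admin` account is still on its default password. The point of putting these checks in code is that they can be run against every store’s configuration and logs uniformly, which is what the PCI DSS requirements above demand of a distributed environment.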
Today’s distributed retail environment architecture is one of the most challenging IT environments, rivaling that of banks and financial institutions. While the distributed retail environment offers substantive business advantages, such as increased sales, improved customer loyalty, and operational efficiencies, it also poses significant challenges. Today’s network administrators need not only be mindful of hackers bent on stealing cardholder data, but they must also be fully apprised of legal and industry regulations, such as PCI DSS.
Just like Principals and Superintendents, school district Network Administrators are facing the challenges of having to do more with less. Many school districts only have a small handful of IT personnel to begin with, their budgets are being reduced and they’re dealing with challenges to network security management. On top of all this, new challenges are putting a strain on networks, including:
These are challenges that, just as in corporations, require smart network security solutions that do more than just stop spam or encrypt email. The Cascade School District, just outside of Salem, Oregon, has five campuses throughout the rural Willamette Valley that serve 2,300 students with a staff of 300. According to Michael King, their Network Administrator, things were getting a bit out of hand:
The IT department employed a mix of point solutions, each with its own management needs. “We were using ISA 2006, Windows Server, Websense for web filtering, and Barracuda for anti-spam and load-balancing, and there were big expenses for each. Yet, we still couldn’t even do things like HTTPS, which is incredibly important these days with Facebook, Google, et cetera. And, it kind of defeats the purpose to even have a web filter in place if the students can bypass it.”
Cascade School District today runs most of the best-of-breed UTM security services on our XTM Next-Generation Security Platform, including URL Filtering, Application Control, AntiSpam, AntiVirus, DLP and IPS. This allows their IT team to meet the emerging security challenges mentioned above and faced by their district (the explosion of mobile device usage by students and staff, application access control for key educational and online resources, and streamlined remote access for staff). Application Control also gives them a new tool to proactively curb cyber bullying by controlling access to popular platforms such as Facebook, Snapchat or Kik Messenger. They are also able to monitor traffic on their wireless networks and throttle users who start to bog down the network.
In addition to meeting all of these network security management challenges, the school district is projected to save approximately $24,000 in fees and maintenance, and a great deal of time, by consolidating these numerous point solutions into one UTM security appliance.
With cloud computing and BYOD permeating almost every organization, shadow IT is beginning to make its way onto the radar screens of business leaders inside and outside of the IT department. The truth is, however, that shadow IT has been around for decades and is not necessarily a bad thing.
Shadow IT are systems and solutions built without the approval of the organization, and they are often innovative, potential prototypes for future IT-approved solutions. The problem is that while creating real value to an organization, they are often built without key network security management protocols in place; namely reliability, documentation, control, security, and budget.
So why the hype and why now? While shadow IT has been around for a long time, the volume and velocity of applications and cloud solutions, not to mention low cost (often free) is multiplying rapidly, creating an IT snowball effect. In fact, according to a PricewaterhouseCoopers’ Digital IQ survey, at 100 companies that PwC considers top performers, IT controls less than 50 percent of corporate technology expenditures – and we’re talking pretty large companies here with typically strict IT policies in place. This is in drastic contrast to ten years ago, when the Dachis Group estimates that only 10 percent of IT spending took place outside of IT. At smaller organizations where IT departments are even less influential, this shadow IT snowball effect is even more rampant.
So what can IT departments do? The answer is to secure the network and protect the organization from outside threats. Containing the growth of shadow IT may not be an option, but reducing outside threats is. Select a strong, multi-function Unified Threat Management (UTM) system that goes beyond a simple firewall to deliver strong network security management, and make sure it has these FIVE key elements:
Without question, BYOD and the cloud are accelerating shadow IT, but strong network security can reduce the inherent risks. As a leader in network security, we work to develop solutions that enable a safe and productive BYOD ecosystem. By enforcing a practical policy, we believe that organizations can enable workforce productivity, foster goodwill and trust across the organization, meet compliance demands, and maintain strong security, without sacrificing flexibility.
Java (not the coffee) can be found on most computers and mobile devices these days, despite the fact that most users don’t need it. The pervasive nature of Java, along with its familiarity, is a hacker’s dream, fueled in part by what we call ‘drive-by download attacks.’ This is where a person is browsing the Internet and comes across an infected website, often a legitimate site that has been compromised. The website serves a malicious Java applet that exploits a vulnerability in the browser’s Java plug-in and infects the computer, without the user having to click anything.
If you aren’t using an app that requires Java, we recommend that you remove it from your device. Today, Oracle provides a setting that allows Java to run for desktop applications while disabling it in your browser. Cory Nachreiner, our Director of Security Strategy, sat down with USA Today and discussed the vulnerabilities inherent in Java (not the coffee). Check out the video below…
Most network security management professionals have a pretty good understanding of the technology they employ to protect their company or data center from cyber-criminals. From UTM appliances offering the latest and greatest in compliance management and data security to wireless network security and BYOD device management, most people in the trenches know the clicks and feeds necessary to protect the mother-land. But do you know your enemy? I mean do you really know them; their personalities, friends, motives?
We just released an Infographic that profiles the three types of hackers that make network security management a challenge that is likely to become even more complex in the days and months ahead.
The Hacktivist – Hacktivists are politically motivated cyber-attackers. Activists, including the more extreme ones, have over the past five years begun to realize the power of the Internet, and have started using cyber-attacks to get their political message across. Some examples include the infamous Anonymous and the more recent Syrian Electronic Army. Most are decentralized, often not very well organized and without central leadership.
While disorganized, these activist groups can cause significant problems for governments and businesses. They tend to rely on fairly basic, freely available “script kiddie” tools, their most common weapon of choice being a DDoS attack using tools like HOIC or LOIC. More advanced hacktivists also rely on web application attacks (such as SQL injection) to steal data from certain targets, then publish it to embarrass the victim, a practice they often call doxing.
While hacktivists are not as sophisticated as other hackers, they still cause havoc for many large organizations as well as governments. Since hacktivists’ political agendas vary widely, even small businesses can find themselves targeted, depending on the business they are in or the partnerships they have.
Cyber Criminals – Cyber criminals have been around longer and so more is known about them. This group’s motive is simply to make money using any means necessary.
Cyber criminals range from a few lone actors who are just out for themselves, to big cyber-crime organizations, often financed and headed by more traditional criminal organizations. The cyber criminals are responsible for stealing billions of dollars from consumers and businesses each year.
Cyber criminals participate in a wealthy underground economy, where they can buy, sell and trade attack toolkits, zero day exploit code, botnet services, and more. They also buy and sell the private information and intellectual property they and others steal from victims. Lately, they’re focusing on web exploit kits, such as Blackhole, Phoenix, and Nuclear Pack, which they then use to automate and simplify drive-by download attacks.
Their targets vary from small businesses and even individual consumers, whom they attack opportunistically, to large enterprises, which they target with specific goals in mind. In a recent attack on the banking and credit card industry, a very organized group of cyber criminals stole $45 million from ATMs around the world in a highly synchronized fashion. The attack was made possible by an initial, targeted network breach against a few banks and a payment processing company.
Nation States (or State-Sponsored Attackers) – This is the newest and most concerning threat. They are government-funded and government-directed attackers, ordered to launch operations ranging from cyber espionage to intellectual property theft. These attackers have the biggest bankroll, and thus can often hire the talent to create the most advanced, nefarious and stealthy threats out there today.
A couple of recent examples of Nation State attacks that made headlines include:
Unlike the other groups, state-sponsored attackers create very customized and advanced attack code. Their attacks often incorporate previously undiscovered software vulnerabilities, called zero-days, for which no fix or patch exists. They employ the most advanced attack and evasion techniques, such as kernel-level rootkits, steganography and encryption, to make their malware very difficult to discover. They have even been known to chain multiple intrusions together to reach their ultimate target. These advanced attacks are what gave rise to the industry term advanced persistent threat (APT).
While you’d expect nation state attackers to have very specific targets, such as government entities, critical infrastructure and Fortune 500 enterprises, they still pose a threat to average organizations as well, since many private organizations are government contractors and suppliers. To up the ante even further, their techniques and tools are slowly becoming visible to cyber criminals and hacktivists.
Today’s network security management professionals need to know more than just the technology available to stop threats, they have to really know who’s knocking at their back or front door. Check out the Infographic today and share it with your colleagues or make a poster out of it, but at the very least be sure to know your enemy. After all, they know you!
Best-in-class… It’s an adjective that gets overused quite a bit; especially in marketing departments that are looking to give their product an edge, a perceived value that may or may not exist. Best-in-class UTM solution for the ultimate network security protection. It certainly has a nice ring to it.
Here at WatchGuard, we use best-in-class too in defining our UTM solution, but we do it based on its design. It’s actually how we built our UTM appliances. While the other UTM providers struggle to develop the many diverse security technologies in-house, we partner with the category leaders in each specialized technology sphere. This means that our customers get mature, highly vetted, best-in-class network security solutions from AVG, Websense, BroadWeb, MailShell, Kaspersky, and other leading technology specialists.
If you are going to consolidate a security feature typically provided by a point solution into a UTM appliance, we believe that the UTM security feature should be of comparable efficacy to truly deliver best-in-class network security. We understand and accept that no single company will ever be able to adequately research and develop the best technology for each discrete security problem. A shortcoming of the homegrown approach to multilayered network security is that these UTM vendors end up producing a watered-down security solution at each layer. We believe this practice contributes to the reluctance of some organizations to choose UTM appliances for their security.
No other network security vendor incorporates the best-in-class mantra to the extent that WatchGuard does, nor does any other company match our effectiveness at seamlessly integrating the partner security service into the user interface (UI).
Our best-in-class approach means our customers do not have to make security tradeoffs in order to benefit from consolidating security services and management and reduced cost. Layer-by-layer, our XTM multi-function network security firewall provides superior security over what competitors’ combination of in-house technologies can possibly muster.
Does our best-in-class approach work? Well, many vendors who freely tout their raw throughput numbers are not so quick to publicize their UTM throughput numbers, the performance of the firewall once all the UTM security services are turned on. Our UTM performance is up to 3 times faster than the UTM performance of corresponding models from the other guys. If you are using a network security firewall for security (as we expect most organizations are), UTM performance is the only firewall performance metric that matters.
This is why we use best-in-class to describe how our UTM appliance is built, and why we use The Smart Firewall to describe the actual UTM appliance itself.
Just when you think you’ve got your BYOD device management policies nailed down, the game shifts again. Recently, the term BYOX (or BYOA: bring-your-own-anything) has forged itself into IT vernacular to characterize the phenomenon by which employees not only use any device, but also any application, content, or service to accomplish their work. When these activities occur beyond the oversight, or explicit authorization, of the IT department, they are commonly referred to as “shadow IT.”
Shadow IT has been around for quite some time, but BYOX adoption is exploding fast and permeating organizations to the point of no return. In fact, PricewaterhouseCoopers (PwC) estimates that 15% – 30% of IT spending now occurs outside the IT department budget. Today’s workforce is imbued with the mindset that, for any task, “there is an app for that.” Illustrating this, Netflix recently found that its employees were using 496 smartphone apps, generally for data storage, communications and collaboration, while Cisco Systems found that its employees were using hundreds of apps, as well as services for shopping and personal scheduling.
It’s been argued that BYOD can increase employee productivity, and an iPass survey of 1,100 mobile workers suggested that employees who use mobile devices for both work and personal needs put in 240 more hours per year than those who do not. BYOD and BYOX can also result in higher employee satisfaction and greater worker collaboration. All these benefits aside, there still need to be tools and processes in place for network security management and data security… and there are.
Embrace the benefits of BYOD and BYOX and consider these FIVE network security management protocols:
BYOD, BYOX, shadow IT… these aren’t going away, and will likely only continue to proliferate within your organization as more apps, devices and cloud tools become available. These five network security management protocols can help get you started. For more information and five more tips, download the whitepaper – Illuminate Shadow IT and Securely Manage BYOX.