Simplifying Back to School Security with SD-WAN and SD-Branch

By Peter Newton | August 26, 2019

School is back in session with the second busiest retail season of the year, and technology sales—along with digital subscriptions to applications and services—are predicted to show double-digit growth this fall. Students of all ages, from kindergarten to college, are buying iPads and laptops and subscribing to SaaS applications to better access digital curricula and complete online coursework.

However, Back-to-School falls on the heels of an even more extensive summer of preparations by school teachers, administrators, and IT staff. School districts have spent the spring and summer investing in and deploying interactive whiteboards, instructional software, and other in-classroom technologies. Likewise, many teachers have spent the summer training to launch new digital learning initiatives—allowing them to individualize instruction, expand learning beyond the confines of the traditional classroom, and maximize student engagement using such things as digital classrooms and resources, online testing and assessments, and student collaboration tools.

Summer is also when school districts schedule building maintenance projects. From the construction of new facilities incorporating energy-efficient “smart” climate controls to the retrofitting of wireless door locks, digital access control systems, and integrated IP cameras, school buildings across the country have received numerous technology-enabled upgrades this past summer that allow them to start the new school year with new environmental sustainability and improved physical security.

Implementing Digital Learning and “Smart” Classrooms Securely

Months before students and teachers powered on these innovative classroom and building technologies, IT teams needed to think about how to maximize their use and ensure that new management and control systems could keep up in spite of budget and staffing limitations. This includes ensuring that these expanded networks perform well across multiple remote school buildings, under remote access by students and faculty, and under increased usage of bandwidth-hungry applications such as streaming video and heavier reliance on cloud-based learning tools. Even more challenging is trying to manage these technologies through an ever-expanding array of management consoles and interfaces.

Of course, more networked devices and applications also mean an expanded attack surface for IT teams to manage, correlate, and secure against cyber threats. And cybercriminals remain highly motivated to test the limits of those security measures. Creating a safe digital learning environment despite these issues is no easy task. And those difficulties are compounded by the fact that cybercriminals are targeting the very devices that schools are turning to in order to improve student safety.

According to a recent Threat Landscape Report, one-third of the 12 most prevalent global exploits targeted IP-enabled security cameras. Not only can these compromised cameras be recruited into botnets to launch distributed denial-of-service (DDoS) attacks, but they can also be remotely disconnected from networks (leaving students unprotected), have their surveillance video footage intercepted (a breach of student privacy), or be used to deliver malicious payloads (to impact the rest of the network).

Of course, education IT directors understand that digital transformation can improve learning outcomes. It’s why they embrace these additions and expansions to the district network. But realizing such outcomes without compromising security requires careful planning, forethought, and the right technology investments.

Secure SD-WAN Offers Cost Consolidation and Administrative Ease

Adding cloud-based educational applications to network infrastructures, especially at remote campuses, buildings, or classrooms, also requires network connectivity solutions to be upgraded. Wide-area network (WAN) connections need to handle the increased reliance on web applications and the accompanying traffic volume and bandwidth needs. Unfortunately, traditional WAN connections can actually inhibit performance through inefficient routing, inflexible connections, or bottlenecks created by backhauling traffic to a centralized data center, either because of a fixed hub-and-spoke network design or for firewall inspection under an outdated centralized security strategy.

Today’s software-defined wide-area network (SD-WAN) solutions deliver vastly improved application performance by routing traffic over the most efficient WAN connection available at the time. Because resource allocation and dynamic connectivity are automated, once basic connection, security, and minimum bandwidth policies are set, the process of maintaining and managing an adaptable software-defined network is also much simpler. This is a significant benefit for school IT departments, since they often have limited staff resources and must accomplish all network administration from a single, centralized location.

However, most SD-WAN solutions fail to provide seamless integration between their network connectivity functionality and the associated security requirements. This leaves IT teams with the difficult task of managing the costs and overhead associated with trying to purchase and configure an overlay security solution after the fact. One of the biggest challenges is building an overlay solution that can expand and adapt in time with changes to the underlying network connectivity – a task which, if not deployed and managed properly, can create serious lags between network adaptations and corresponding security policies.

By selecting an SD-WAN solution that integrates next-generation firewall (NGFW) security with its advanced routing and WAN optimization capabilities, however, schools are able to ensure defense in depth for sensitive student and faculty data out of the box. A consolidated and integrated solution that addresses security challenges and network performance issues as a unified system is much easier to administer. IT staff are able to oversee both WAN optimization and security functions from a single interface and set central policies for both security and bandwidth, especially for latency-sensitive applications. They can also manage and coordinate configurations and orchestrate policy changes across all connections, devices, and services, even for SaaS solutions. This enables simplified visibility into anomalous behavior that may indicate risk. Additionally, this centralization further reduces total cost of ownership (TCO) by shrinking necessary labor costs.

SD-Branch: A Fully Integrated Approach to Securing the District

School district networks have long been highly distributed, but they’re becoming much more complex and diverse with the addition of digital learning, online educational initiatives, and the integration of IoT devices into school buildings and classrooms. These devices range from responsive climate control systems, security monitoring, and physical access controls to classroom tools like electronic whiteboards and digital voice amplification and recording systems. However, deploying such items in each building or classroom means that securing them also needs to occur locally, and this requires extending security functions and controls deep into the local-area network (LAN) of each school and campus.

SD-Branch is a natural extension of the Secure SD-WAN solution deployed at distributed locations. SD-Branch augments the connectivity and security of Secure SD-WAN by adding local network access controls, providing and securing local switching and wireless capabilities, and securing LAN-based IoT devices – all from the same consolidated platform. And this can all be seamlessly tied back to the central management and orchestration system to ensure consistent functionality and policy enforcement across the entire distributed network.

This approach provides IT teams with granular control over the composition of the network. For example, it allows security and networking services to be delivered locally, while still being managed and orchestrated centrally. In addition, many of its functions can be automated to simplify or even eliminate local management, and are continually augmented using integrated machine learning to raise the bar of protection.

When an SD-Branch solution is integrated into the larger Security Fabric, system administrators can manage their district’s distributed technology environment as a collective whole. This enables them to see and respond to anomalous IoT device behaviors quickly, regardless of where they occur. It also allows them to proactively restrict network access for potentially insecure IoT devices, such as IP security cameras, to network microsegments – while at the same time enabling them to coordinate with other systems should there need to be an integrated response to an event.

Finally, IT teams can readily onboard, manage, and provision resources for the vast numbers of devices that will be connecting to the network each day across various education and administrative buildings in the district, including personal devices brought on campus by students, teachers, and administrators. This can all be accomplished from within a fully unified platform designed to protect against all exposures, from the remote device and network edge back to the central data center, while weaving security capabilities into all layers of the network.

Security Needs to Serve Multiple Needs Without Complicating Management

School districts face unique technology and security challenges as the pace of digital transformation accelerates. To maintain a secure learning environment and minimize risk exposure, IT leaders must find and implement consolidated solutions that offer multiple benefits within a single, easy-to-manage secure platform. As students head back into their classrooms this fall, it’s time for IT teams to look ahead to next year’s digital demands and think about how taking an integrated, security fabric-based approach can build the efficiencies they need to keep students safe online and help them become productive digital learners without compromising on visibility and control across the extended district network.

Fortinet’s Secure SD-WAN solution includes best-of-breed next-generation firewall (NGFW) security, SD-WAN, advanced routing, and WAN optimization capabilities, delivering a security-driven networking WAN edge transformation in a unified offering.

Read how the District School Board of Niagara implemented Fortinet’s Secure SD-WAN to alleviate network complexity, increase bandwidth, and reduce security costs.  

To learn more about how K-12 educational institutions can benefit from SD-Branch solutions, refer to our SD-Branch for K-12 Security Solution Brief.