The proliferation of tablets, smartphones, notebooks and netbooks in schools has made it necessary for many district IT departments to support users on a wide variety of devices. The ongoing challenge is that the vast majority of these devices are not issued by the district or school, may or may not have any security software installed and often have default access to data that should be secured.
The following steps are recommended to help secure a BYOD environment.
Take the time to develop a written policy, both to get buy-in and to have something specific on hand before the IT department finds it necessary to cut off access to devices that are insecure or not supported. The policy should include which devices are supported or not supported; whether waivers are necessary for unsupported devices; which software is required, such as antivirus or encryption products; what standards of behavior are expected, such as encrypting proprietary data; and how much help, if any, the IT department will give users of unsupported devices. Regular bulletins should be e-mailed to users updating them on the latest threats, available security software for their devices and which software versions are supported.
Most wireless access points will let IT managers set up two types of accounts: user accounts that can access internal networks and separate guest accounts that can access only the Internet. This lets only authenticated users reach the internal network, while everyone else remains connected to the outside world. Some access points will synchronize with Microsoft Active Directory or other user databases, while others may require separate access control lists. Many wireless access points will also let IT managers prioritize traffic, ensuring that guests watching movies won't disrupt Voice over Internet Protocol or other internal traffic that is sensitive to network congestion.
Network Access Control (NAC) tools verify that devices attempting to connect to the network meet prescribed criteria. They can check for the latest version of an operating system or antivirus signature and whether proper applications are installed. If a device is not correctly configured, the NAC can block access completely, or allow access only to a segregated guest network. NAC tools can also place restrictions depending on the type of device being used, letting approved smartphones or tablets connect while blocking others.
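As an added illustration (not code from the original article or from any NAC product), the following posture check applies the criteria just described: device type, operating system version, antivirus signature age and required software decide whether a device gets the internal network, the guest network only, or nothing. All thresholds and sample devices are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    FULL = "internal network"
    GUEST = "guest network only"
    BLOCK = "blocked"


@dataclass
class Posture:
    device_type: str            # reported by the NAC agent, e.g. "laptop"
    os_version: tuple           # e.g. (10, 3); compared as a tuple
    av_signature_age_days: int  # days since the antivirus signatures were updated
    installed_apps: set         # names of security software found on the device


# Constructed policy values for this example; a real district would set its own.
POLICY = {
    "approved_device_types": {"laptop", "tablet", "smartphone"},
    "min_os_version": {"laptop": (10, 0), "tablet": (15, 0), "smartphone": (13, 0)},
    "max_av_signature_age_days": 7,
    "required_apps": {"laptop": {"antivirus", "disk-encryption"},
                      "tablet": set(), "smartphone": set()},
}


def evaluate(p: Posture, policy: dict = POLICY) -> tuple:
    """Return (Decision, list of reasons) for one device's reported posture."""
    # Unapproved device types are blocked outright, before any other check.
    if p.device_type not in policy["approved_device_types"]:
        return Decision.BLOCK, [f"device type {p.device_type!r} is not approved"]
    reasons = []
    if p.os_version < policy["min_os_version"][p.device_type]:
        reasons.append("operating system below minimum version")
    if p.av_signature_age_days > policy["max_av_signature_age_days"]:
        reasons.append("antivirus signatures out of date")
    missing = policy["required_apps"][p.device_type] - p.installed_apps
    if missing:
        reasons.append("missing required software: " + ", ".join(sorted(missing)))
    # Any failed check sends the device to the segregated guest network;
    # a device that passes everything gets the internal network.
    return (Decision.GUEST, reasons) if reasons else (Decision.FULL, [])


if __name__ == "__main__":
    sample = Posture("laptop", (9, 9), 30, {"antivirus"})   # constructed device
    decision, why = evaluate(sample)
    print(decision.value, why)
```

The returned reasons are what should be logged and shown to the user, since the posture data is self-reported by the agent and a failed check is the only signal the help desk sees.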
In addition to log-in passwords, consider internal firewalls to make sure that departments or data that need protection reside behind additional security. With the right equipment, even unauthorized devices that connect to the main network can't scan a protected network for devices or servers to attack. For example, the accounting or HR departments can run on a separate network from which they can reach the Internet and other parts of the regular network, but outside users won't be able to see the clients or servers in those critical departments.
There are multiple levels of encryption, from per-file encryption to built-in database encryption that encrypts entire databases or only the fields that need additional protection, such as Social Security numbers. Whole-disk encryption keeps the data on a system unreadable even if the device is stolen. This is especially useful for people who log in from portable devices, or who travel with data on USB drives. On the server side, database encryption ensures that even if data is accessed from a compromised device, any data copied will still be encrypted. Modern encryption systems are relatively easy to use: rather than requiring a long password to be entered before the data can be accessed, the password can be stored on a separate device or tied to a fingerprint or other biometric.