Imagine being faced with 100,000 potential hackers inside your organization. With the appropriate human and technical resources, however, it may not be that big a problem, according to one network manager.
Facing a tight IT budget and an assortment of workplace and IT arrangements that made
security management a major headache, David Klein helped move the Toronto Catholic District School Board towards a consolidated system, saving time and reducing the risk of attacks.
It was a process that Klein helped start about five years ago.
“”I pretty much fell into the role of chief bug hunter,”” he says.
At the time the school board had installed anti-virus software provided for free by the Ontario Ministry of Education, which had negotiated a province-wide lease for all public schools.
However, problems with the board’s IT setup and upgrades to the package made it difficult to run an effective security system.
Many schools were running autonomous local-area networks, making it difficult to distribute updates and alerts on new threats. Technical support staff had to visit each site individually or rely on other ways to get the word out.
“”There was no way of centrally pushing it out,”” Klein says.
“”We were actually relying on e-mail to get updates out to our users.””
Pushing the envelope
The ostensibly free anti-virus software actually ended up costing the board time and money, according to Klein. An upgrade that was supposed to work with Windows NT created so many headaches that the board ultimately opted to find — and pay for — its own package.
“”We were basically confronted with the breakdown of the anti-virus software.””
After issuing a request for proposals, the Klein says the board considered a number of bids, including broad-based vendors and more application-specific vendors.
In September 2001, Symantec Corp. was awarded the contract and now provides support through its Norton antivirus offering.
“”We actually pushed the envelope,”” Klein says. He points to a number of requirements in the RFP, including the ability to manage security policies centrally, scalability (the initial contract was for 10,000 computers and has been expanded to more than 12,000) and a streamlined licensing plan.
The board has revamped its IT services and now provides a wide-area network (what Klein calls “”One Big Network””) to more than 200 sites across the city. Uninstalling the old software and implementing the new, however, meant sending staff out to each location to work on each computer separately.
“”Getting it out in the first place was very labour intensive,”” Klein says.
Now, monitoring for virus threats and other security problems can be done centrally from the school board’s head office. Klein says he comes across six to 10 virus alerts every day, but that in almost all of the cases, the bad code is eliminated automatically, thanks to the new system.
“”It allows me to co-ordinate centrally.””
For Kevin Krempulec, the project gave Symantec a chance to use its experience with other school boards, and to learn from a challenging project.
“”It was a tough environment,”” says the corporate manager for Symantec in Canada. Different types of users (such as teachers, administrative staff and students), with different IT systems spread across the city, can make for a unique deployment scenario.
Facing fiscal constraints and a variety of demands from users, buyers in the education sector are looking for vendors who can adapt, Krempulec says.
“”The biggest thing there was we needed to be flexible.””
Citing a rise in more sophisticated attacks, Krempulec says it’s important that network security offer a depth and breadth of tools and technologies, such as intrusion detection capabilities running alongside firewalls and anti-virus software.
Carrot, not stick
Another challenge is getting senior management or head decision-makers to invest in and support greater IT security. This means providing incentives and rewards for safe network behaviour, not just issuing warnings and punishments for those who break the rules.
“”It seems like right now there’s a lot of the ‘stick’ approach,”” he says.
The school board has more than 30 secondary and about 160 elementary schools, running on about 100 megabits of bandwidth. Secondary schools have servers on site to manage their share of the network, while primary schools are connected directly to the central office.
With more than 100,000 students, it’s inevitable that some users will test the limits, but not necessarily with any harmful intent, Klein says. Young users may simply be playing pranks on their classmates or letting their curiosity get ahead of them.
To help keep computer use safe and appropriate for each set of users, the school board has developed a set of rules for all students and employees.
It’s an important step towards shoring up the human component in network security, Klein says.
“”It is an ongoing cultural transformation at the board.””
This includes having higher ups recognize the value of network security by improving both technology and user behaviour. Both elements have received strong support at the board, he says.
Klein says that he’s managed to keep ahead of threats without additional financial support. Better technology has meant the more than 50 IT staff at the board can work more efficiently.
Looking ahead, Klein says he’d like to see greater automation through software. Currently, primary school computers can be managed centrally, with high-school PCs scheduled for remote control in the near future.
As the board expands its technology offerings, including wireless networking capabilities in the near future, it’s important to have sound technical support in the background, he says.