Making the grade on report card security

While a lot of school boards are moving toward Web-based report cards,
the TCDSB is one of the few that has developed it in-house, so it could
be tailored to its needs. But teachers had to use a client on the
computers at the schools, which wasn’t network-friendly. Each teacher
had to create individual files, and then an administrator had to take
all those files to generate the report cards.

The application had to be secured internally, and then exposed
externally — that’s when the school board decided to go through a
process of evaluation for an SSL virtual private network (VPN) and
chose Juniper. This allows teachers at any time of day, from any
location, to log in and use the report card application at their
convenience.

“It was a bit of a challenge initially,” says Di Fonzo. “In the
teaching profession you find there’s a large gamut of IT literacy, so a
bit of training had to go on there.” An e-mail forum was set up so
teachers could pose any questions they had about the new technology.

“We had to make sure it was secure and had enough capacity,” he says.
“We didn’t know what time of day they’d be using this, so we had to
make sure we built enough capacity with the Juniper SSL VPN so that if
5,000 teachers wanted to get on at the same time, they could.”
The biggest challenge, however, is the variety of computers out there.
“What you run into is browser issues,” says Di Fonzo. When users have
their toolbars turned on, for example, that causes difficulty with the
application. And some teachers are still using Internet Explorer 5.
“Home machines are all over the place, so they end up being IE5 up to
IE7, so you run into various challenges,” he says.

The SSL VPN technology allows teachers to access the report card
application on the Web ”“ so it’s not a new application, but rather
provides access to an existing one. From a security standpoint, it
allows them to use public transport as an access method, but with
several layers of technology to provide security.

“If you’re letting somebody come in from their home PC across the
Internet you’ve got to make sure it’s the right person, but you’ve also
got to make sure that they’re not transporting viruses or other
potential problems,” says John Dathan, Juniper Networks’ director of
enterprise sales for Canada.

The system checks to see if you are who you say you are. It also has
some pre-defined specifications, such as whether you have the latest
Windows patches, a certain version of anti-virus software and a
personal firewall. In this case, that’s all set up by the school board;
they decide what those parameters will be.

If there’s a virus on your home PC when you log in, the system is set
up to redirect you to the help desk to remedy that situation. “Because
it’s not just who the person is, it’s making sure that the device is
okay,” says Dathan. Depending on whether the computing device is a
corporate asset, a personal asset or a kiosk, the system will provide
different levels of access. So if you were at an airport and used a
kiosk, for example, you’d only get the most basic access. This way,
teachers can access the system from any device that has access to the
Internet, and security is provided accordingly.

This really comes down to policies, says Dathan. And if teachers aren’t
able to abide by those policies, they won’t be able to get access.

What it does, though, is provide that security when they’re working
from home, on the road or during days when it’s not safe to travel to
school. “Take a storm day ”“ it’s dangerous to travel,” he said. “So now
teachers can access that out of classroom hours. If there’s a snow day,
they can have a fully productive day without physical risk.”

Typically organizations have two tiers of security or access control,
such as name and password, but also a more active layer, such as tokens
(which provide a code that changes every 12 seconds). Some
organizations are using this same technology to secure wireless
applications.

So far, the TCDSB hasn’t experienced any security incidents that it’s
aware of. The biggest security issues are still the basics, said Di
Fonzo, such as getting users to regularly change passwords. “We do
enforce the change every 90 days, try to make them use a strong
password and tell them not share their user ID and password.”