The rapid and unexpected transition to remote learning led many schools to scramble for solutions to a new teaching experience. This led to many schools being forced to stretch their cybersecurity capabilities to their absolute limits. This is a real issue, especially for schools that don’t have significant resources and funding in that area. Read here how an Illinois School District updated their onboarding solution to improve security and lower their overhead costs.
As schools begin to reopen and prepare for the 2021 school year, IT teams face a new batch of challenges. Many schools plan to operate a hybrid learning environment by splitting in-classroom and remote learning. Below we have researched and recommended some tips for providing a secure and efficient network experience as students return to the classroom.
Enabling Device Trust
To facilitate remote learning, many schools distributed managed devices, such as Chromebooks, to their students. Unfortunately, a steadfast rule in computing is that for end users, convenience wins out. Users often opted to use personal devices rather than managed devices for their learning.
Using an unknown personal device instead of a managed device creates difficulty when it comes to device trust. The primary idea behind device trust is reconciling which devices can be trusted to connect to your secure network. Being able validate the identity of each user and device and their identity behavior is vital to preventing outside attacks.
Credential-based authentication is unable to provide clear identity context for admins. Passwords are too easily shared among users or stolen by outsiders to be considered an accurate identifier. Additionally, they can be used on any device; a password is not tied to identify a single device.
To compensate for the weaknesses of passwords, many organizations have transitioned to certificate-based authentication. When distributed to users, certificates are tied to the identity of the device and user, allowing for accurate authentication always. A certificate cannot be removed from a device, so it always accurately identifies the user and device. If a certificate is confirmed, admins can be confident it is the approved network user on a trusted device.
Because certificates are tied to device identity, admins can determine which devices should be trusted. If personal devices are deemed too risky, the organization can simply not distribute certificates to any non-managed devices.
It’s considered a safe policy to distribute certificates only to MDMs and allow them full network access. An MDM will run a malware check to ensure it is safe to distribute a certificate. With a gateway API such as SCEP, admins can automatically distribute certificates to devices with no end user interaction. The result is a managed device that has been postured by the MDM and is ready to accurately authenticate a user.
Streamline Network Onboarding
When an organization deploys credential-based authentication with LDAP, there are some features that may not be automatically configured that are critical to network security. Perhaps the most glaring is server certificate validation. Missing features and the potential for misconfiguration can directly lead to various data breach vulnerabilities.
If an organization uses certificates for authentication, they have three primary onboarding options. The first is to allow manual configuration, but for the average network user, the high level IT concepts required will likely lead to confusion and misconfiguration. The second requires IT to configure user devices for certificates, but this is extremely time-consuming, especially for a school of hundreds or thousands of students and staff.
The best solution for most will be to use a 3rd party onboarding software that simplifies the process for both users and admins. SecureW2’s JoinNow solution allows users to self-configure in minutes with only a few clicks. The result is a certificate ready for authentication and assurance that every user is accurately configured.
Providing an automated onboarding solution creates a far better user experience than any manual method. Each user will be guaranteed accurate configuration with features such as server certificate validation. Additionally, the IT department will have far fewer support ticket requests and be able to focus on value-add tasks.
SecureW2 provides onboarding solutions for BYOD, MDMs, servers, IoTs, and more, so you always know what devices are on your network and that they are accurately configured.
Comprehensive Device Management
Having an accurate overview of the network is required for normal operation. Admins should be able to oversee who connects to the network and ensure they have a fast and secure connection. As stated above, credentials are simply incapable of enabling an accurate picture, but certificates provide numerous visibility benefits. 
With SecureW2’s management software, admins can view all authentication events and remote troubleshoot any issues users may run into. They can manage the devices that are allowed to obtain certificates, such as a situation where they may bar personal devices for security reasons.
After the onboarding and authentication, admins have more options when managing the certificate lifecycle. With dynamic RADIUS, they can update a user’s permissions in real-time without having to replace each of a user’s certificates. And our CRL allows for easy certificate revocation. The end result is only approved users with certificate-equipped devices have access to the network.
Block Outside Attacks
Procedures such as RADIUS authentication with server certificate validation are perfect to block various over-the-air attacks like Man-in-the-Middle, but phishing and other social engineering attacks have become far more common and effective. Attackers have developed sophisticated methods of designing realistic-looking emails or posing as authority figures to trick users into willingly giving up protected information.
These sort of attacks target both organizations and everyday internet users, which highlights the need for identity-driven security and device trust. If a user accidentally infects their personal device, it can do significant harm if they are authenticated to the secure network. Considering which devices are trusted is vital to overall security.
Perhaps the most important security step a school can make is to educate their students and staff about how they will be targeted. It’s not enough to talk about the risks of phishing; they must be shown real world examples and practical application of diligence to avoid being a victim.
In times of change, people must quickly adapt to new situations and prepare for unexpected realities. While no one could have predicted the drastic change in how we teach students, we must prepare and protect the tools needed to ensure their success. Check out SecureW2’s pricing page to see if our certificate security solutions can provide a safe learning environment for your students.
