Shields up! Your school’s private internet

Schools thrive on free and open exchanges of information, but as soon as a principal reviews attendance records or examines student grades held on a district server, that openness must end. That’s because the internet was designed for a simpler era and lacks the security needed to protect a school’s ever-increasing cache of sensitive information.

Protecting all the data districts hold relies on secure communications between schools, as well as with parents and third parties such as psychologists, online curriculum providers and public safety officials.

In fact, it’s the law: The Family Educational Rights and Privacy Act (FERPA) treats everything from class lists to transcripts to disciplinary files as protected material.

If any of this confidential data is released without the family’s permission—even accidentally or as the result of a hack—the district runs the risk of legal liability. After a thorough examination, the result is generally a voluntary agreement that mandates specific improvements to the district’s digital defenses.

“Schools are in a bind these days,” says Steve Caimi, senior cybersecurity expert at network-equipment maker Cisco. “Schools accumulate more and more student information every day that’s subject to FERPA and there’s potentially a hacker hiding behind every router.”

The best defense when it comes to keeping data secure is a good offense. Today, that means using a virtual private network (VPN) to guard sensitive or confidential data. As its name implies, a VPN keeps a school’s data private while it is traveling on the open web.

Because the added security is virtual, a VPN doesn’t require an expensive dedicated physical data line between district facilities.

A VPN’s extra security allows only those at both ends of the online conversation to view the data, creating a private internet. “Every school needs to have and use a VPN to secure its communications,” says James Punderson IV, president of K12USA, a provider of security hardware and services for schools.

“Without one, everything that teachers do online is potentially wide open to snooping and interception. It is absolutely essential today.”

Questions of speed and cost

The way a VPN works boils down to hiding in plain sight. As opposed to using the web, with the ever-present danger of someone snooping or planting malicious software on a system, VPN data travels over the same cables and routers of the internet—but everything is encrypted.

For instance, a teacher sending grade reports to the district’s server could be open to interception by an enterprising hacker. When a VPN encrypts the data stream, everything is kept secret (See sidebar below, “Let’s Get Technical”).

All this encrypting has two big drawbacks: speed and cost. Because it takes time to encode and decode the web address and data, the typical VPN adds latency—the time you wait for data to go from source to destination—and can slow upload and download speeds.

“There’s a small penalty for using a VPN,” says Kyle Bisignani, lead technologist at New Jersey’s Hopatcong Borough Schools. “You hardly notice it when doing school business, though.”

The big VPN snag is that it can be expensive due to the hardware and software required, which might add up to tens or hundreds of thousands of dollars. “If you’re connected, you’re vulnerable,” adds Cisco’s Caimi. “It’s a big investment for some districts, but I can’t imagine any school not using a VPN today.”

In-house or outsourced?

Large districts tend to buy and operate their own VPN hardware. Take Mesa Public Schools in Arizona, with 64,000 students, 70 schools and a VPN that cost $100,000 to set up four years ago. “It is a major part of the district’s security plan,” says Dave Sanders, the district’s chief information officer.

The VPN secures communications for staff, students and outside vendors who need access to the district’s network. “It provides an additional layer of security by encrypting traffic when staff or students connect to an open, unsecured network,” says Sanders.

Some smaller districts, such as Hopatcong Borough Schools, follow a different VPN path. The district has 1,500 students, five schools and a central office, but doesn’t own its VPN hardware. Instead, K12USA provides Hopatcong with a VPN for $2,500 per year. The service also provides a firewall and website filtering.

Rather than running all communications over it, Hopatcong uses the VPN primarily when schools interact with legacy human relations and payroll software that’s housed at the district’s headquarters. Without the VPN, all the data would potentially be open to snooping.

“We could not have afforded traditional VPN hardware,” says Bisignani, the district’s lead technologist. “For us, the most cost-effective way to get the security of a VPN was to treat it as a service. To get that level of protection with our own VPN would have cost us tens of thousands of dollars at a minimum—money we didn’t have.”

Sleeping well at night

There’s an alternate approach for districts on a very tight budget: Consider doing all sensitive work while protected by a software VPN, which requires an annual subscription of under $100. It works best for schools with one or two people who need this level of protection.

As with dedicated VPNs, communications are encrypted, but the heavy lifting is done by a cloud service. There’s even a free VPN that’s part of the Opera web browser. But rather than encrypting the data for the entire journey from screen to screen, software VPNs encrypt it only as far as the service provider’s servers.

For the last part of the web journey—from the service provider’s hardware to its destination—the data is open to the world of hackers.

While important, a VPN is not for every online use. It can help make routine data transfers more secure, tighten up the movement of files between teachers and allow contractors limited access to the district’s network.

That said, Cisco’s Caimi says the costs and lost performance mean that a VPN probably shouldn’t be used for distance learning, videoconferences or similar activities.

A VPN is just a part of a school’s digital defenses. Each institution should assess its entire risk profile individually, but the plan needs to cover data interception, malicious software, and training teachers and students to practice good digital hygiene.

“Any school security plan is a balance between cost and hassle on one side, and openness on the other,” says Caimi. “A VPN can let you sleep well at night by managing the risk.”


Brian Nadel is a freelance writer in Pelham, New York.
