CAPTCHA, policies secure Catholic Education SA's VDI-driven cloud transition

Recognising that there isn't much latitude for wasting time managing an expansive, mission-critical network that typically supports more than 30,000 concurrent users, Catholic Education South Australia (CESA) has used a range of policy controls to clamp down on external attempts to access its expanding range of networked services.

Those controls come on the back of a series of significant infrastructure projects – including WiFi and fibre-optic connectivity as well as centralised application delivery – for CESA, whose centralised IT organisation manages technology for 6000 staff and 49,000 students located at 104 schools across the state.

Given that many of these are small schools located in rural areas, the centralised model – enabled through the extensive use of virtual desktop infrastructure (VDI) servers running from CESA's centralised facilities – proved particularly important as CESA progressively upgraded wide-area network (WAN) connections to have dedicated fibre-optic connectivity even to schools in rural areas.

Although VDI is “very much a transitory technology”, senior engineer Simon Sigre told CSO Australia at the recent Cisco Live! Conference in Melbourne, the infrastructure around VDI had facilitated the equitable delivery of educational content, systems and applications.

Heavy use of application templates allowed for commissioning of new server instances with a few clicks, with infrastructure systems using API hooks to automate scaling to meet changing demand.

Growing adoption of completely cloud-based tools will eventually obviate the need for VDI, he added, but in the meantime CESA's remote-access infrastructure was helping bring high-end applications to even the smallest, most distant schools.

“Getting all those technologies down to schools is pretty rewarding,” he said. “The ability for a child to just go home and access complex services using a commodity device like an iPad, is pretty cool. But there are a lot of intermediate technologies you need to provide that, and that's what we offer schools centrally. There's no point building something at a school level if you can't access it from wherever you are.”

Delivering such extensive remote-access capabilities has, however, expanded CESA's exposure to potential malicious outsiders – necessitating the construction of a security infrastructure that allows the restriction of access to networked resources.

Sigre and his team addressed this need using application delivery controller (ADC) technology from F5 Networks, which includes F5 tools like Access Policy Manager (APM) and Big-IP Local Traffic Manager (LTM) to tightly monitor and manage access to networked resources.

Such monitoring calls on a range of operating parameters around new access requests, not the least of which is the geographical location of the user trying to access particular resources. Given the heavily South Australian focus of the services, for example, it has been relatively straightforward to use APM to enforce an access-control regime that requires users from outside the state, and from overseas, to pass through a CAPTCHA challenge-response gateway that, Sigre says, has all but stopped potentially malicious bots dead in their tracks.

Any bots trying to access the system detect the CAPTCHA and inevitably move on to their next target without being able to sniff out the telltale signs of the applications running on CESA's network. This prevents potentially malicious attackers from determining which vulnerabilities might allow them to access the educational network.

“Wherever possible, you want to make your security gates as transparent as possible so customers aren't constantly challenged with hurdles to get to a service,” Sigre explained. “But by putting CAPTCHAs up for scans that originate outside of Australia, the script kiddies don't even bother; they just go on to the next target.”

“With security, you have to make it expensive for the people that are trying to get in, in time or resources, because there is always someone else that is not as protected.”

Overall, the setup has provided a level of security that has proven to be an intrinsic part of CESA's confidence in its online service delivery – validated by extremely strong performance in regular penetration-testing audits. This was a big step forward from the enterprise-styled structure of CESA's former security model, in which “multiple components making up the security tier, were causing multiple issues with agility,” F5 systems engineering director Martyn Young said.

“Because they moved to such a service-oriented delivery of what they were doing, they needed a lot more agility to be able to do that centrally and to be able to deploy applications rapidly. Rolling out new applications to schools is a very efficient and agile process now, whereas previously it was a lot more tedious.”

CESA is also routing requests for cloud services through the F5 system, providing similar levels of security as the organisation's administrative and student-facing systems increasingly shift towards cloud-based delivery.

“We've got to be secure,” Sigre said, “so we've got to have a very rigid, very reliable security and presentation tier to be able to do that – particularly when you're centralising finance systems, where security is ridiculously important.”

Policy-based application management had allowed this approach to scale without imposing an undue burden on CESA's IT team, Sigre added: “With so many services being constantly published and out on the Net, we don't have time to be constantly reviewing security. Being able to put something in and keep ahead of the various threats and mitigation strategies, keeps us from spending all day trying to keep on top of this.”
