Recognising that there isn't much latitude for wasting time managing an expansive, mission-critical network that typically supports more than 30,000 concurrent users, Catholic Education South Australia (CESA) has used a range of policy controls to clamp down on external attempts to access its expanding range of networked services.
Those controls come on the back of a series of significant infrastructure projects – including WiFi and fibre-optic connectivity as well as centralised application delivery – for CESA, whose centralised IT organisation manages technology for 6000 staff and 49,000 students located at 104 schools across the state.
Given that many of these are small schools located in rural areas, the centralised model – enabled through the extensive use of virtual desktop infrastructure (VDI) servers running from CESA's centralised facilities – proved particularly important as CESA progressively upgraded wide-area network (WAN) connections to have dedicated fibre-optic connectivity even to schools in rural areas.
Although VDI is “very much a transitory technology”, senior engineer Simon Sigre told CSO Australia at the recent Cisco Live! Conference in Melbourne, the infrastructure around VDI had facilitated the equitable delivery of educational content, systems and applications.
Heavy use of application templates allowed for commissioning of new server instances with a few clicks, with infrastructure systems using API hooks to automate scaling to meet changing demand.
Growing adoption of completely cloud-based tools will eventually obviate the need for VDI, he added, but in the meantime CESA's remote-access infrastructure was helping bring high-end applications to even the smallest, most distant schools.
“Getting all those technologies down to schools is pretty rewarding,” he said. “The abiility for a child to just go home and access complex services using a commodity device like an iPad, is pretty cool. But there are a lot of intermediate technologies you ned to provide that, and that's what we offer schools centrally. There's no point building something at a school level if you can't access it from wherever you are.”
Delivering such extensive remote-access capabilities has, however, expanded CESA's exposure to potential malicious outsiders – necessitating the construction of a security infrastructure that allows the restriction of access to networked resources.
Sigre and his team addressed this need using application delivery controller (ADC) technology from F5 Networks, which includes F5 tools like Access Policy Manager (APM) and Big-IP Local Traffic Manager (LTM) to tightly monitor and manage access to networked resources.Read more: Visibility and control over SSL traffic in an era of HTTP/2.0
Such monitoring calls on a range of operating parameters around new access requests, not the least of which is the geographical location of the user trying to access particular resources. Given the heavily South Australian focus of the services, for example, it has been relatively straightforward to use APM to enforce an access-control regime that requires users from outside the state, and from overseas, to pass through a CAPTCHA challenge-response gateway that, Sigre says, has all but stopped potentially malicious bots dead in their tracks.
Any bots trying to access the system detect the CAPTCHA and inevitably move on to their next target without being able to sniff out the telltale signs of the applications running on CESA's network. This prevents potentially malicious attackers from determining which vulnerabilities might allow them to access the educational network.
“Wherever possible, you want to make your security gates as transparent as possible so customers aren't constantly challenged with hurdles to get to a service,” Sigre explained. “But by putting CAPTCHAs up for scans that originate outside of Australia, the script kiddies don't even bother; the just go on to the next target.”
“With security, you have to make it expensive for the people that are trying to get in, in time or resources, because there is always someone else that is not as protected.”Read more: Australia is world's fourth-largest holder of network-security patents, analysis finds
Overall, the setup has provided a level of security that has proven to be an intrinsic part of CESA's confidence in its online service delivery – validated by extremely strong performance in regular penetration-testing audits. This was a big step forward from the enterprise-styled structure of CESA's former security model, in which “multiple components making up the security tier, were causing multiple issues with agility,” F5 systems engineering director Martyn Young said.
“Because they moved to such a service-oriented delivery of what they were doing, they needed a lot more agility to be able to do that centrally and to be able to deploy applications rapidly. Rolling out new applications to schools is a very efficient and agile process now, whereas previously it was a lot more tedious.”
CESA is also routing requests for cloud services through the F5 system, providing similar levels of security as the organisation's adminstrative and student-facing systems increasingly shift towards cloud-based delivery.
“We've got to be secure,” Sigre said, “so we've got to have a very rigid, very reliable security and presentation tier to be able to do that – particularly when you're centralising finance systems, where security is ridiculously important.”
Policy-based application management had allowed this approach to scale without imposing an undue burden on CESA's IT team, Sigre added: “With so many services being constantly published and out on the Net, we don't have time to be constantly reviewing security. Being able to put something in and keep ahead of the various threats and mitigation strategies, keeps us from spending all day trying to keep on top of this.”
Participate in this short survey on IT security strategies across the Australian market and go in the draw to WIN a 360Fly camera vailued at $689.