CarahCast: Podcasts on Technology in the Public Sector

Ensuring Compliance and Security for K-12 Home Internet Access

Episode Summary

In this podcast, experts from Zscaler and Garnet River discuss how K-12 organizations can provide a secure and seamless transition to home internet access for students, including remote learning, while ensuring compliance through simple internet safety, privacy and security policy implementation. As the internet is used more and more, deeper protection is required to keep students, teachers, principals, and administrators safe without compromising the educational process.

Episode Transcription

Speaker 1: On behalf of Zscaler and Garnet River, we would like to welcome you to today's podcast focused around ensuring compliance and security for K-12 home internet access, where Jose Padin, US Public Sector Director of Sales Engineering at Zscaler, and Edward Nadareski, CxO, Executive Advisor of Cybersecurity, Data Privacy and Global Risk Management at Garnet River, will discuss how K-12 organizations can provide a secure and seamless transition for their home internet access for students, that includes remote learning, as well as ensuring compliance through simple internet safety, privacy and security policy implementation.

 

Jose Padin: Right. Thank you. Those were some excellent introductions, so I appreciate that so much. And one thing I'd like to add too is I'm also a proud graduate of New York State public education. So this topic today is near and dear to my heart, to make sure that we're taking care of our students in New York State and putting them in the best position to be successful in the future. We had a great introduction; let's get into the agenda of what we'd like to talk about today. The first thing we think is a good idea to start with is to make sure that we're all looking at the landscape the same way. There are definitely some issues impacting cybersecurity today. And this is an ever growing, ever changing landscape, where there's a lot of things that we need to take into consideration going forward. After we talk about some of the top cybersecurity trends, I think it'd be a good idea to go into a case study and we could talk about some success we've had. And then we will get into, actually, Ed, who as the zoic Garnet River is uniquely qualified to really get into some of the specifics on New York State, the accreditation and standards policy that we all need to meet and make sure that we are in good shape with in order to move forward. And then specifically, we'll get into some detail of how Zscaler can help your state school systems achieve their cybersecurity goals. Let's get started. When we look at the trends, the one trend that is number one, and will probably continue to be number one for a long time, is student safety. So we want to make sure from a Cisco perspective that we're taking into account what students are looking at. But it's more important than that today. It's not just the basic ability to see what a student may be accessing on the internet and filter that, but it's also to make sure that we build a community around that.
And that we can give appropriate alerts and let people into the information as necessary to make sure that everyone is aware and can make the appropriate decisions. Social media, now more than ever, to make sure that we're protecting from that as well as self-harm and cyberbullying. These are long standing trends and something that is a primary focus for any cybersecurity solution in education. For New York State and for really across the country and the world, it's the main cybersecurity trend and will continue to be. If we look at a second trend that's definitely growing over time, and specifically in 2020, with everything that has happened with remote learning, people being moved into different locations, access equity is a critical cybersecurity component to take into consideration and how we help our students learn going forward. We have people in rural communities where there may or may not be sufficient access to internet. We have urban communities where, again, there may be access to internet, but it's in shared locations where we may not understand or comprehend the network that's being used. Or it could be a shared service where there could be some security concerns around that. People need to learn in multi modes and multi different areas and multi households. And as users, and as our students and teachers are working in these different environments, we need to make sure that we take that into consideration, and then connectivity type, right. So we've seen a trend where there may be inconsistency or insufficient network connectivity. And we need to understand how we can still apply cybersecurity and use these as design mechanisms in our cybersecurity stance going forward. The days of having all students in school on our own condition network are long gone. And we're going to move into a world where there's definitely different access methods and scenarios that are coming into play here. The third trend is device availability.
So what we've seen is, again, a traditional mindset of a standard device used on a school system, and that's the only device that students will use, has changed. And especially today, with what's happening from the pandemic's perspective, people are home, they're on the road, they're everywhere. They're also using lots of different devices. And these different devices can be Windows machines, can be Mac, can be Chromebook, can be Android devices, can be really different smart devices that are out there that people can get access into the school system. And we need to take that into consideration from a security stance. Each one of these platforms has different capabilities, different security stances that can go across that. And we want to be able to build a platform that's flexible to be able to take that into consideration. Also, there's growing increase of contractors and third parties that are part of this, and they might have their own standard devices. So asking for difficult configurations on these devices, they may be locked down or have no ability to make change. And we need to understand that and, again, comprehend that into our cybersecurity stance and make sure that we're giving access for people to help. But we're also protecting the school system and the data that's important there. And then when we talk about our on-net, near-net, off-net type of mentality, so we might own specific networks in the school system, there may be ability to extend those a little bit further into near-net situations, and to be able to extend the range of those proprietary networks. But there's also a growing number of off-net, so people that need to be able to get connected, but may or may not be on a managed school network, right. And as of today, I know everyone sees that has always been a trend, just accelerated, and going forward in the future.
It doesn't expect to be an elastic snap back to everything being back on to an on-net configuration; we need to think about how this is going to affect us in the future. So if we get into the next trend, we're talking about targeted cyber threats, and more than ever in 2020. In particular, this has increased from Zscaler's metrics six fold. In the last six months, we're seeing increased hyper-targeted cyber threats that are very customized and specific to either specific schools, even specific administrators, that the trend, instead of general, wider phishing, is to be able to sculpt and create hyper-specific targeted threats on a per school system or per customer basis. So it's something that needs to be considered and think about as we go down this path and take into consideration the trends that are growing. Ransomware is still, you know, a major threat, and is again only growing. The increase in actually delivering these via encrypted mechanisms is actually creating a blind spot in a lot of school systems' cybersecurity and a trend that needs to be considered. Again, we talked about phishing, spear phishing, very hyper-targeted phishing attacks that, again, if we think about what happens in a school system, we have maybe staff that we go through cybersecurity training. But often there's a lot of volunteers that come into play. There's people that are in the school system that are there to assist and help and may have access to systems and may not have the same level of sophistication or training that's available to everyone, and something that we need to think about when we want to protect our school system and data. And then again, we talked about that briefly, but the increase in encrypted traffic is a growing trend. And when we say encrypted traffic, it's not only encrypted traffic on the internet, which over 90% of traffic now is encrypted. But it's actually increase in encrypted traffic in cyber security attacks.
This is a trend within the last year that has really exploded. There's been a few kits that have been released that actually make it easier for malicious attackers to incorporate high levels of encryption into the cyber-attack. So this trend, we're seeing increase, we're seeing grow. So if a school system doesn't get visibility into encrypted traffic and what's flowing in and out of the network that's at an encrypted level, again, it's a huge blind spot and can be the root cause for other cyber-attacks inside the school system. The fifth trend is ease of usability. And again, this trend is growing, was really always a trend, but is even heightened more today, when we look at the ability to balance the security with speed. So as people are going home, as people are in different environments, as there's multi generations that are there to support people schooling in other locations than the actual school building itself, we need to make sure that we take into consideration how easy it is to implement cyber security. If it's a difficult configuration that's brittle and only locked down to maybe specific devices, it could cause inability to actually implement the solution and then increase risk for our students and for our school systems and data. Again, at home, on the road.
There's various levels of security, so we want to make this as easy as possible. And what's key is that this is seamless, right? We want this to just work with minimal interaction, with minimal configuration, and to allow the people to be protected without even having to really know about it or do anything active in order to get the security level that they need. And then when we get into our sixth trend, it's resource constraint. And I know everybody is feeling this today. With a pandemic and related tax pressures, there is an effect directly on budgets in school systems. So making sure that we're prioritizing our spend, making sure that we're focused on creating a procurement and requirements that have a broad set, is a trend that's very important for us to consider and think about as we're looking at solutions out there. So there is federal funding coming, but when we look at the flow of that funding, we're seeing that some of those funds are reallocated and there are some conflicts in it and getting it to maybe the intention or maybe to the school systems directly the way that we'd like. So again, making sure that we're getting the most bang for our buck, making sure that we're creating requirements that are more than just a niche security stance but actually looking at a holistic solution, and being able to get multiple different aspects of cybersecurity in one acquisition, is a trend that today more than ever is more than prepared based on the way that funding is falling down and the way that we're looking at how to make sure that we implement a great solution and do it once and make it easy for people going forward, so you don't have to go back to the well and get additional acquisition dollars in order to secure the school system the way that you'd like.
I think what's really interesting, and the trend that the pandemic has really let loose, is acceleration. And I think that could almost be the seventh, or maybe the first. As an effect of sending people home, sending students home, having people work in school from home, many of these trends maybe were a lower priority or on everyone's radar, but today this is bubbling up as the top and most important trends just to stay on top of the current environment. And then when we look out and we, you know, try to look into the future, the question is, well, what will change? What will increase? And the ability to work and educate from anywhere, the ability for the students to do what they need to do and various connectivity devices or various connectivity states, is a trend that we expect to stay and continue. So this is really, in my opinion, a story of acceleration, of how all of these trends have accelerated and reprioritized.
So with that, let's get into an actual real world scenario. So we have a specific near state school system that we can talk about: very large school system, over a million users, and these users have users that have various connectivity states, various devices that are on there, and highly mobile. And what's really interesting about this environment is, when we talk about from a scalability perspective, there are many solutions that are out there from an education perspective, many niche solutions that may focus on one specific area of cybersecurity or one specific area of being able to assist us in a student situation or school situation. But here we have a large school system that is actively working during the day on an extremely large scale to be able to allow people to have a secure solution all day long, as people are working 24/7, whenever they choose, to be able to do this in a secure manner. And it's really incredible to think about just from a transactions perspective. So if we're considering a solution for our school systems, and we're thinking about this from the requirements we talked about earlier, and we're seeing a growing trend in making sure that we need to have security and encrypted traffic, this can be a real challenge for school systems and cause maybe increased investments in hardware that weren't planned for, to be able to meet real world today security requirements. So instead of investing in that on-prem hardware, this school system invested in a secure cloud platform that can run at the speed of the internet decade handle the transactions that are needed to be encrypted and decrypted on a day to day basis. And what's again really interesting from this is that there are many different devices that are on and off network. Here we're able to provide security when it needs to be, where it needs to be, in the cloud, where most of the LMS and most of the actual information is stored. It's a very compelling use case and shows a real world example of mobile devices that are being incorporated as a security standard in a school system and allow people to get their work done from an education perspective wherever they happen to be and still have that security that's on there from a seamless perspective. A quote from someone in the school system is actually right there on the screen: "We don't have to think about Zscaler, it just works." And it just works in the background with very minimal configuration to get up and running. And once it's there, it's there, and there's nothing to think about. It's set it and forget it, and it allows you to have protected stance for these users on multiple different devices and multiple different connectivity types. So it's definitely a great example of how we can partner with our school systems and get to a place of success. And with that, I'm going to turn this over to Ed to get into some details about how specifically we could help various New York State school systems and get them to the place they need to be from a security and accreditation perspective. So, Ed, over to you.

 

Edward Nadareski: Thank you very much, Jose. So yes, I'd like to pick up with our conversation as we speak about home internet access for students and the challenges that we're faced dealing with this. A recent report produced from Common Sense Media stated that over 700,000 students in the K-12 area were not able to get access to the internet. Then on top of that, 18,000 teachers still were not able to gain internet access. So we know dealing with this during the pandemic, and this has pushed us to go to delivering classroom content to the students at home, which is now pushing school districts to go to an online solution. With this understanding, we have gone to the CIPA, which is the Children's Internet Protection Act. With this, Congress has passed a law that enables us to have a safety policy for CIPA compliance. We also need to get E-Rate funding to get discounts on appropriate levels of telecommunications and internet access. Some of your benefits for CIPA compliance would be the content filtering and those discounts that E-Rate gives you. So what does it mean to become CIPA compliant? Well, we know we need the internet safety policies. We know we have to enforce monitoring of online activities of minors, and the technology protection measures need to be adapted. This means that we have to develop, around federal and state requirements, policies, processes and procedures to support us for CIPA compliance, and we can leverage what we're going to be doing specifically in New York State around the Ed Law 2-d model as well.
So Garnet River has developed an Ed Law 2-d Part 121 program that enables you to easily maintain and develop a program that supports the NIST framework for cybersecurity, or CSF. It is pushing the Ed Law 2-d work around personally identifiable information, and we also have it set up so that we can address all 14 sections of Part 121 as it applies to the privacy requirements around Ed Law. Plus, we also have easy to follow data protection officer recommendations that we incorporate within our program. These enable you to start out with what we build from using two very simple data privacy and NIST self-assessment tools, which begin from developing gap analysis. The gap analysis then easily creates a project plan, and we work our project plan into building out, in collaboration with the district moving forward, to develop the policies, processes and procedures to move forward and get done what we need to get done for the Part 121 program. In doing so, we also provide you data privacy officer requirements. We also provide you a NIST program with comprehensive templates that allow us to coordinate with you specifically to build content that you can work on to develop your program, get it implemented, tested and put in place to support what you need for Part 121 security and privacy. Doing so also positions you so that you can move forward with CIPA. The safety policies that we will build support both CIPA and Part 121. With this, we have the ability now to produce for you what needs to be done on by this side for the Part 121, the privacy and the security, remembering that we have over 100 controls in the NIST program that we build content with out of our specific work that we've done on our templates. Moving from that, we also help you with your disaster recovery planning. Disaster recovery planning has become a very big component with developing pandemic planning, and working around continuity planning, in order to ensure schools have the ability to develop remote access and to deliver content to students at home. Plus, it also provides us a means of addressing when something does come up as a pandemic or an emergency situation, you have plans in place that are addressable directly to in order to do what you need for in a disaster or an emergency situation.
We also provide you a 121 status report that we use and develop with this program that allows you to maintain what's being worked on, how things are being addressed, and a status that you can use for board presentations. Or in the event that New York State Ed requires you to produce something that shows what has to be done on this program, you will have an immediate status update that's very simple and easy to follow. We also provide policies. With our policies, these templates are currently worked on with the SCD content requirements around Part 121. For our policies, we give you the templates that work, and then we address what minor tweaks and modifications might be needed for the school district directly. Part 121 is also part of what we do on the state government side, so that you can then position yourself with the outcomes of the Part 121 work to provide safety policies that get you CIPA compliance. And then CIPA compliance provides us the ability to do the content filtering, and the capabilities to ensure safety is being monitored, enforcements around technology procedures are being done. And we're able to deliver this content securely to students, as well as provide teachers a safe platform to get the content out to the students. With this, we also have an ability to deliver the capabilities of sustaining the policies around what you need to do for privacy. Privacy, we have worked in all 14 sections of Part 121. Specifically, we also have incorporated, as we mentioned, that data officer checklist. So the data protection officer checklist now gives you an ability to develop what has to be done for your DPO, so that as your DPO's requirements are needed to be addressed for Part 121, we also map those to what is being supported on CIPA.

 

Jose Padin: Thanks for the rundown. And you know, I think it was definitely interesting to get into some of the specifics there. There's a lot of big concerns that you've brought up as far as being able to make sure that we're meeting our standards for not only funding, but also from a protection perspective, and the appropriate framework is in place in order to be successful. So it's important that, you know, we take that into consideration, because without the plans in place, we can't make this happen. The one thing we do want to get into now is to really tie this all back together, right? How can we make this real? And what are some specific technologies that can assist? So if we get into, from a services perspective, how can we help? What can we do to make this a reality? There's a few things to think about and take into consideration. So when we're talking about home internet access for all students, we definitely think originally about devices, right? We think about ease of use, and there's a lot of areas that come into this. But one thing to think about is an advanced threat protection system. So again, as people are looking at investment strategies, as we're seeing the trends change and grow in cybersecurity, the one area that school systems have the ability to invest in is to actually look at something more than just a basic scanning of unencrypted data that may be on an endpoint, that we can actually look into what's happening from it interaction on the internet, with the students not only from a sip and cyber security perspective, but from an advanced threat. So we are not really familiar or know what's going on in these networks. 
They can be in lots of various types of networks, whether they're home, whether it's an after school facility, whether it's a family member's house, whether it's a shared network in a building or some type of cafe situation. We need to make sure that we're protecting the school system's data and that we're protecting the students as they're using these networks. So putting in a requirement that looks at the advanced threats, that makes sure that people are having interaction with websites and areas that are normal for interaction, and that we're out in front of any of the growing trends and can share that immediately from a cloud effect perspective. So if one advanced threat is picked up in a customer at Zscaler, we can almost immediately get that out to our millions and millions of different users and customers out there and get that advanced threat taken care of and prevented at the speed of the cloud. It's very important to think about how advanced threat protection is important in this evolving cybersecurity perspective. And it's something that we can help with specifically at Zscaler. To be able to assist content filtering, right. Speaking with a school system recently, you know, the word was used, table stakes, right, this is a standard that we need to meet. And again, the trend is to grow around this standard from basic content filtering, which Zscaler will be able to help and be able to assess, to a place where we can get to alerting, that we can help our customers understand what is going on in the mind, in the life of the student and be able to share that with relevant parties as needed, right, and do that in a secure manner. When we think about targeted cyber threats, this is, again, very much a relevant trend.
And we have numerous school systems across the country, just within the last six months, within the last year, that, you know, through no, sometimes, malicious intent by the user have put themselves in a position where they've been infiltrated by ransomware, where they've been infiltrated by essentially a targeted threat that looked like a genuine, realistic request for the person to interact with, right. And to be able to filter that, to be able to get out in front of those network requests, to make sure that we're protecting from known bad sites that are out there from a phishing perspective, or from a compromised perspective, is critical when we look at our requirements and how we can help. And Zscaler can help with that, instead of investing in resources that we put on prem somewhere, to put boxes out in a facility that, you know, really isn't relevant for the school system, because our apps and data are in the cloud, so we should really put our security and firewall in the cloud as well. Zscaler can help with making sure that we prevent from a targeted cyber threat perspective. And then when it comes to the NIST cloud security framework, you know, we want to be able to make sure that we're, you know, looking at the holistic cycle, and that we're not just doing one thing, right. So a lot of the security solutions that are out there will maybe just detect an issue, but then not be able to respond or recover, right, or will be able to protect but not be able to detect and respond. So taking that holistic approach and looking at this from the whole lifecycle, it's not a matter of if an event will happen. It's more of a matter of how many events will happen in a day, and if you're protected by modern cyber security threats, and what happens in 2021 and beyond. And that's really a consideration to take into play.
Instead of, as opposed to, looking at a nice product that may help with one area of cybersecurity, to look at the entire area of what we can do from a web security perspective, and protect the students and the faculty in the multi-mode, multi-device, multi-connectivity world that is the reality of 2021. A fifth area that we can talk about of how Zscaler can help is when we get into the concept of getting access to protected data. So there's a large amount of data that is school system and administrator protected. That we want to make sure from a PII perspective, there's a lot of personally identifiable information that schools collect. And that data, we don't want to be either exfilled, and we want to make sure that it's protected. And asking, you know, maybe parents, or asking third party contractors, or even asking, you know, for teachers to put together a complicated VPN technology, to use a client and ask them to configure that, is something that is an area where sometimes these solutions really fall down. And it's difficult to configure this from an endpoint perspective. There's a lot that goes into it. What we can do at Zscaler is help and make this access to these private protected applications as seamless as possible. We can make it as easy as just a URL that a user enters, and we can do that in a secure manner that creates an inside out TLS protected tunnel down to these users.
If an attacker or someone is looking to compromise this connection type, there's really nothing there to compromise. It's invisible to attackers. And furthermore, as opposed to VPN technologies, where once someone creates a connection they can move laterally, here in this type of private access connection that uses zero trust fundamentals, the application is allowed access to a specific identified user at a specific point in time, and from that access method there is no way to move laterally within a school system to get access to other data. And again, we've seen areas where people have shared information or get access to information that is protected, and by mechanism of the connection method, the device that's connecting into the protected data set can move laterally. There's an exploit on those devices, and they were able to exfil data, pull that down and share that inappropriately on the internet, causing a security incident. This can protect you against security events like that. And again, important to think about from a secure platform and an investment strategy, to be able to invest in a secure cloud platform one time and get many of these benefits.
And then, you know, we can tie this up from inappropriate disclosure of personal information. Again, looking throughout the last year and looking at school system compromise, you know, we see a lot of PII that may have been inappropriately shared, whether it was uploaded to a cloud service and the cloud service was inappropriately configured that allowed people to get access to that data. Again, no malicious intent: moving data around from one repository to another created an event where PII was moved around and then was shared on the internet, and people's driver's license information, student IDs were out there that shouldn't have been. And we see these events happen in many school systems across the country. So if we're able to actually inspect that data, look at what's happening, ensure that the appropriate data should be moved around or shared, or block it, prevented, alerted, and stop maybe data moving, whether maliciously or by accident, we can get out in front of that and work this into our solution to make sure that we're putting our school systems in the best place as possible. So all of these are areas that we can focus on.
You know, the one piece that I want to put into play here is it's not just Zscaler and Garnet River talking about why the solution is effective and why this is great. When we look at the marketplace, we often see school systems use, as a downselect mechanism for procurements that go out, third party analysts' review of technology, right? Often we'll see actually a downselect to Magic Quadrant as a requirement: if you're in the Magic Quadrant, please respond. That's what we see most commonly. And what's really interesting is the latest Magic Quadrant that was just released, it puts Zscaler in the top right corner of the Magic Quadrant by ourselves. And I think this is really a testament to our focus on making sure our customers are taken care of in the best way possible, that people have a great user experience, that they are getting a great ROI and they're reducing costs in their networks and their infrastructure. And all of those are very much important characteristics when Gartner looks at how to analyze this market. And I've been in it for over 20 years now. I don't always tell people how long it's been, but it's, you know, kind of interesting to look back on it, and I've never seen a Magic Quadrant like this before. So it should help increase confidence that, you know, we're putting people in the best place possible and that we have many customers across the industry that have been able to work with us to get to a place where they can have security in the cloud and do that at a reduced cost and get a lot of value for that investment across many different areas of cybersecurity that often aren't really thought of on the forefront when people are putting together requirements upfront.
I think with that, we've kind of run the course on content and making sure that we are addressing some of the needs that we see, some of the trends, get specific into how we can help New York State, and get specific into some solutions and requirements that people should think about as they're putting together, you know, their cybersecurity plan, as they're putting together their network infrastructure, and as they're modernizing under the current pressures of today's world.

 

Speaker 1: Thanks for listening. If you'd like more information on how Carahsoft or Zscaler can assist your educational institution, please visit www.carahsoft.com or email zscaler@carahsoft.com. Thanks again for listening and have a great day.