Securing VDI with Micro-segmentation for the Education Sector: A Classroom in the Cloud

I have 4 kids, and 3 are still school age. Like everyone else, they are now spending most of their time online, including their school time. Naturally, the following topic is close to my heart.

Schools and educational institutions offer an ‘X marks the spot’ for hackers looking to leverage sensitive and personally identifiable information (PII). For extended periods of time during a student’s progress from K-12, schools will store and manage varied information for both minors and their guardians, that includes addresses, healthcare records, aptitude assessments, payment information, and social security numbers.

A number of issues make security even more complex for stakeholders in school districts. They work across multiple campuses, have large and complex IT networks, often depend on legacy systems to store and manage critical data, and experience regular turnover of both students and staff.

In 2013, Lahiri, M. & Moseley, J.L. published a research paper, called “Migrating educational data and services to cloud computing”. Inside, they listed the different challenges for educational institutions that were migrating to the cloud. Out of the five challenges (control, performance, security, privacy and reliability), the security challenge is yet to be solved effectively by either the cloud providers or the educational systems.

Whether school districts are moving to the cloud to modernize their environments, or to address the current online learning challenges, a hybrid environment increases their exposure and risk. It’s not surprising that cybersecurity incidents against public K-12 schools tripled in 2019.

Getting on the Syllabus: Where Does Virtual Desktop Infrastructure Fit into Remote Classrooms?

The benefits of VDI in education are clear. Firstly, the technology provides a simple way for students to learn remotely and gain the access they need to course materials and lessons. Devices such as Chromebooks are a low-cost way for schools to level the technology playing field and offer their student body a streamlined learning experience.

In addition, for teachers, VDI is a flexible way to create learning spaces and computer-based assessments that can be accessed in any location, for any student with an internet connection regardless of the age or type of machine. This is an essential part of democratizing learning, and making shared spaces that are accessible to anyone, from any background or of any means.

In fact, VDI in the classroom is nothing new, and has even supported schools in addressing some important security issues, such as lessening the reliance on legacy systems or end of life machines. Of course, it needs to be implemented with its own security controls at the start, such as segmentation over user access and smart protection of critical applications. School districts like Madison City in Atlanta for example have been using virtual machines for almost a decade as part of a program to securely save on high hardware costs and upgrades.

According to Katrina Bowling, Technology Coordinator in Madison City for 9,000+ students and 1,000+ staff,

“VDI lets us replace old machines as they die a natural death, as opposed to being forced to do it because they are inadequate. It takes us out of the endless process of refreshing PCs. Before we deployed VDI, we were four years behind on our refresh schedule, and 3,500 PCs — more than 75 percent of our inventory — were more than five years old and incapable of being upgraded to run anything beyond Windows XP”.

However, this year, as students head back to school during COVID-19, VDI adoption is being rolled out faster than ever before, which may lead to school districts skipping vital security steps.

Citrix has highlighted “the urgency with which higher education institutions need to transition quickly from a traditional campus-based model to a remote-ready model and put in place a long-term digital learning strategy”. Whether students are heading back to the classroom this semester, continuing to study from home, or somewhere in between, VDI can support schools in being ready for anything. However, when schools are being trusted with the confidential data of minors, this should only be considered when districts have the right segmentation controls in place.

The Required Reading: Understanding the Security Risk of Learning from Home with VDI

Being ready to make the leap to VDI in response to COVID-19 means understanding the heightened need for segmentation and access control when using virtual machines, as opposed to when relying on traditional data centers.

When using VDI, your critical applications and sensitive data are sharing the same server as your end users. In the case of education, those end users are any students that are studying remotely, diverse in age and experience, as well as teachers that may be utilizing this kind of technology for the first time in their careers. You’re opening an environment that is designed to be shared by many users, unencumbered by a perimeter firewall, and in which the traffic is likely to be encrypted using SSL or TLS.

As your VDI is largely open, it only takes a single infected machine for an attacker to launch a threat against an entire network, making lateral moves to other machines, accessing administrative controls or critical and sensitive information.

VDI has great security capabilities, but it is missing the ability to restrict lateral movements and reduce the risk of using the shared server environment.

A Quick Study: Handling this Threat with Micro-segmentation

The cheat sheet for securely seeing the benefits of VDI for your school environment is centered around access control. It goes without saying that students shouldn’t have the same ability to move freely through a network as is given to the IT team, or that school administrators or bursars who handle financial or aptitude data should have different permissions than are provided to the math department or the gym teacher.

Here’s how an intelligent microsegmentation choice makes it happen:

  1. Application segmentation: Enhance governance across your school district by ring fencing critical data or systems at the VM, application, or even process level. Visualize applications by role, or interaction.
  2. User identity access policies: Tightly manage data access by creating process level policies for specific users or groups, based on information pulled automatically from the Active Directory.
  3. Baked-in compliance controls: Show that you’re taking FERPA compliance seriously, and in case of a data breach, protect financial or medical information held under your institutional roof.
  4. Strong visualization: Being able to see across a hybrid environment is essential when you have a large distributed network. Rather than segmenting based on trial and error, gain visibility from day one.
  5. Integration with breach detection: Gain immediate insight when suspicious activity is detected, alongside information-rich alerts that show exactly where and how the incident occured.

Do the Math: Citrix +Guardicore = Secure VDI Environments for your District

Virtual Desktop Infrastructure through industry leading solutions such as Citrix Virtual Apps and Desktop is an intelligent route to a safe school year for K-12 around the world. It sets up students with virtual spaces to learn from anywhere, and provides teachers with the technology they need to support remote learning, touchless lessons, or a mix of home and school study.

However, safe also needs to include secure.

The FBI has announced its own fears that malicious actors will use VDI to launch attacks against educational facilities, and without an A+ segmentation strategy for using VDI, your school district and the schools within are left unprotected.

Guardicore Centra is certified as Citrix-ready, and successfully validated with the latest versions of Citrix Virtual Apps and Desktops. It can run on your environment on premises, in the cloud as well as for a hybrid model. As technology partners, the combination offers extremely quick time to value for school districts that need a fast turnaround on providing a new technology to their staff and students.

If you need support in shoring up your defenses ahead of time with a microsegmentation solution that leaves nothing to chance, find us in the Citrix-ready Marketplace, and get in touch to discuss your specific requirements.

Want to know more about securing VDI with microsegmentation?

Read our recent white paper

Or find out how one school district improved their PCI-DSS compliance posture with Guardicore in our case study.

From Guardicore's
Resource Center

Using the Mitre ATT&CK framework, this webinar will dive into the adversarial techniques that precede and follow the deployment of ransomware itself.
After several unwieldy firewall control deployments, the team learned about the Guardicore Centra Security Platform and began internal discussions about the benefits and possibilities of next-generation segmentation.

Subscribe To Our Newsletter

No spam, we promise. We’re only going to send you insights on how to reduce risk in your data center and clouds.

See Centra in Action

Reduce your attack surface and prevent lateral movement with fast and simple segmentation that works everywhere.

See Guardicore Centra in Action

Schedule a demo customized to your specific security needs