Achieving a Higher Level of Mobility and Security
Cisco ISE helps a Florida school district secure both enterprise and users’ own devices.
When Sarasota County Schools started experimenting with a bring-your-own-device program, students, faculty and administrators were able to connect to the district’s guest network. So, problem solved? Not exactly.
“Students and staff aren’t really guests,” says Joe Binswanger, IT director for the Florida school district. “The guest network was just a straight tunnel to the internet. It was very vanilla, very locked down, very filtered.”
The internet connection was useful for some basic tasks, but it didn’t allow for access to student and staff folders, instructional resources and other district resources that require a user to be logged in to the network.
As a result, users weren’t able to unlock the program’s full potential. Only district-issued devices could tap into the district’s learning management system and collaboration tools. Teachers couldn’t use their own devices to distribute quizzes and tests, and students couldn’t use their own devices to take them.
“We wanted staff and students to log in to the network and get the resources they needed, without being seen as just a guest,” Binswanger says. “Before, it was kind of black or white. You either had district-owned devices, or were on the guest network. We needed some gray area.”
The challenge was to find a way to allow student- and staff-owned devices onto the network without compromising security.
Al Nelson, a security solution architect at CDW, says personal devices present a greater security threat than district-owned devices, even when users don’t have malicious intent.
“When you issue something, you have more control over that device,” Nelson says. “You’re maintaining the anti-virus, paying attention to any alerts that come out, addressing them, installing anti-malware. You have a higher level of trust for a device you’re in charge of maintaining, versus something that someone brought from home that may have malware on it.”
Binswanger wanted a solution that would let the district grant access to student- and staff-owned devices, but in a way that gave district staffers the visibility to monitor activity and respond immediately if a problem emerged. He and his staff consulted with CDW, which presented three different options for the district.
Binswanger ultimately opted for the Cisco Identity Services Engine (ISE) security policy management platform, implementing the solution in spring 2014.
“We were already a Cisco shop, so ISE was the obvious solution for us since it integrated with the hardware and other applications we had in place,” Binswanger says. “We prefer to stay with a consistent vendor or application, because it prevents the finger-pointing game when there’s a problem.”
Cisco ISE hasn’t caused any problems, Binswanger says — it’s actually solved them.
Photography by Jensen Larson
A Simplified Solution
Nelson says one of the chief draws of Cisco ISE is its simplicity: from quick out-of-the-box setup and self-service device onboarding, to the way it functions as a “single source of truth” for all connected devices.
“You have one central location for all your security policies instead of implementing them on each device,” Nelson says. “In the past, if you wanted that level of security, you would have to manually configure each switch, controller and firewall. As time goes on, people make changes that impact security, and they might not even realize it.”
Nelson cites many practical benefits to an attractive, user-friendly interface, even for IT staffers with deep tech knowledge. “You get that one place to log in, and you see alerts if things are no longer configured to best practices,” he says. “It’s a big time-saver. It’s not just easier to use or friendlier to look at — it’s a necessity.”
Binswanger says ISE also gives his staff a better overview of the district’s network. “We can analyze use at the building level and proactively look at whether we need to adjust capacity,” he says. “We can begin to address performance before a school even realizes there is any type of performance issue.”
“The user interface for ISE is far more user-friendly than solutions we’ve had in the past. This, hands-down, has the best user interface that we’ve had, in terms of both simplicity and usability,” he says.
In Sarasota, the impact of Cisco ISE goes beyond making life easier for the IT shop. Because students and teachers are able to instantly log in to the network and access their applications and stored files with a single sign-on, teaching and learning can happen with little to no lag time.
“A high school science teacher told me that it used to take several days to get through student presentations with a class” because network access and authentication were so complicated, Binswanger says. “Now they’re able to do it in one class period. They’re able to spend more time on instruction and learning and less time trying to get access to the resources they need.”
Cisco ISE offers authentication, authorization and accounting capabilities in a single solution, meaning organizations can identify and grant access to devices, then create comprehensive activity logs for each.
Nelson likens authentication to “looking at a driver’s license” — a function that proves the identity of the person (or device) in question. Cisco ISE not only validates a user’s credentials, but also profiles the associated device.
“Before, you weren’t able to determine what types of devices were being used,” Nelson says. “If a user had an authentication account, they could log in with any type of device. You just didn’t have the visibility.”