Enable equitable, secure network access to educational resources for students and teachers across a broad and varied geography, maintaining strong, province-wide security practices while affording individual school districts flexibility to meet their particular requirements.
Deploy Palo Alto Networks Security Operating Platform® to enable students and teachers to maximize educational opportunities and outcomes with a safe, accessible online experience regardless of the size or location of their school.
Threat Prevention, URL Filtering (PAN-DB), WildFire, GlobalProtect, Panorama
(Please note: the list below includes initial deployment and the expanded deployment begun in Oct., which will be ongoing through March 2020.) PA-5250 (4), PA-5220 (40), PA-3260 (60), PA-3250 (12), PA-3020 (141), PA-850 (2), PA-500 (213), PA-220 (1,478), PA-200 (1,183)
The British Columbia Ministry of Education is the central government authority overseeing and supporting the educational development of more than 560,000 students across sixty school districts and more than 1,600 public schools and facilities in British Columbia, Canada. Through curriculum development, strategic resource management, effective policy-making, and province-wide partnership with local school authorities, the ministry strives to maximize individual student potential for acquiring the necessary knowledge and skills to contribute to a healthy society and a prosperous, sustainable economy.
With schools spread across a wide, highly varied landscape— some in very rural and remote locations—the British Columbia Ministry of Education needed a way to provide students and teachers with safe, equitable access to network services. A key requirement was applying standard network and security practices across the province while empowering individual schools to tailor security measures to meet their own policies and educational needs. By deploying the Palo Alto Networks Security Operating Platform, the ministry can now provide schools throughout British Columbia with secure access to the applications and online resources they need to maximize educational opportunities. “The number of incidents has since dropped from a high of 500 per month to fewer than ninety, and the time to remediate incidents has dropped to fewer than 15 minutes on average. Moreover, since implementing the new network and security services, the ministry has been able to achieve numerous network and security efficiencies, resulting in a return of more than C$20 million to the school districts to put directly toward education. Ultimately, with a province-wide network protected by the Palo Alto Networks Security Operating Platform, the ministry is improving opportunities for students.
Bringing Secure, Equitable Access to Students Province-Wide
The province of British Columbia in western Canada spans a large and varied geography. From soaring mountains and dense forests to island communities along its Pacific coastline and remote outposts in the far north, the province covers nearly 1 million square kilometers. Outside the major cities of Vancouver and its capital city, Victoria, population density varies greatly. However, the same educational opportunities must be assured for all students, whether they live in tiny villages or large metropolitan areas. This is the great cause—and challenge—for the Ministry of Education. One way the ministry addresses this challenge is through technology. James Shypitka, executive director of the Strategic Infrastructure Initiatives Branch within the Ministry Strategic Infrastructure Initiatives Branch within the Ministry of Education, led a multiyear effort to transform the data network connecting the province’s 1,600-plus schools and facilities with each other, the internet, and the ministry. “What we do with our next-generation network is provide equitable access to every school,” says Shypitka. “Working collaboratively with school district staff, we make sure our students have secure access to the plethora of digital resources available, either inter-school or out on the internet, as well as at their local data centers.”
Shypitka is quick to point out that, while the ministry provides the network services and a set of standards for cybersecurity, each school district and individual school retains autonomy to determine what its students and staff are permitted to access on the network. “There are cultural differences between school districts, individual schools, and even specific classrooms,” he states. “So, what’s right in one is not necessarily right for another.”
One example Shypitka shares is an application like Snapchat®. For some schools, Snapchat could be a useful educational tool that helps kids collect and share information while on field trips before working on a related project back in class. Other schools may have behavioral problems with students using Snapchat to share inappropriate photos and other unwelcome content with each other.
However, the ministry’s previous network had an “all or nothing” security model. If Snapchat were blocked for one school, it would be blocked for all schools in the province. Similarly, from a cyberthreat perspective, if one school suffered a DDoS attack, every school was affected. The ministry needed more flexibility to provide the right access, based on the culture of each classroom, school, and school district, along with effective segmentation and preventive measures to keep cyberthreats at bay.
Comprehensive Security in Schools and the Cloud
The answer to this challenge was a multipronged transformation of the ministry’s network, security, and governance model. First, Shypitka worked with the school districts to build an understanding of the strategic value of a secure, next-generation network, such as faster, more responsive access to digital resources—locally and on the internet—to enable personalized learning plans. Shypitka and his team then worked with the districts on business requirements and expected outcomes, developed architectures, and negotiated joint investment between the districts and the ministry.
“Working with the school districts is like having sixty independent businesses, each with its own elected board with their particular legal and investment priorities,” Shypitka notes. “To make this work, we had to have transparency, build trust, and create effective co-governance.”
The effort paid off. Now, four years later, the ministry has entered Phase 2 of its ongoing plan. The pilot of three school districts has been a resounding success, increasing reliability and identifying further efficiencies in network connectivity, and once again secured by the Security Operating Platform. This initial deployment includes more than 140 Palo Alto Networks next-generation firewalls deployed in school district data centers. Each next-generation firewall is configured with Threat Prevention, SSL Decryption, as well as URL Filtering, GlobalProtect™ service for net work security on endpoints and WildFire® service for malware pre vention. Over the next year nearly 1,400 additional next-generation firewalls will be deployed at the network edge to secure individual schools. The ministry relies on Panorama™ network security management for centralized management of the entire security infrastructure.
Although British Columbia has strict privacy laws, Shypitka foresees some opportunities for schools to adopt cloud strategies, albeit on a limited basis. “We have a few districts moving to Microsoft and Google clouds,” he acknowledges. “We have virtual licensing for the Palo Alto Networks Security Operating Platform, and are working with the school districts to provide structured security into and out of those environments.”
Shypitka adds that, from the ministry’s perspective, incorporating cloud services into the network infrastructure is also an opportunity to strengthen disaster recovery. “If somebody’s fiber link gets dug up and the school can’t get to its data center or out to the internet, we could reroute their traffic through our virtual firewalls to a burstable cloud environment so they’re survivable.”
Students and Teachers Assured of Safe Access to Online Resources
Now, the ministry can assure its schools, students, and teachers of safe access to the online resources they need, with no barriers to safe learning. This includes the time they spend in the classroom as well as working from mobile devices. The Palo Alto Networks platform ensures consistent security practices across the province, preventing successful cyberattacks. At the same time, it enables the districts to prioritize access to applications and content based on individual school policies, helping avoid rogue traffic and increase available network bandwidth.
Shypitka reports that, by making network security a strategic priority and applying consistent security practices across the province, the number of incidents has dropped from as many as 500 per month to about ninety, half of which are not directly related to network services. Remediation used to be on a best effort basis, but now, the ministry has set service levels of less than four hours for remediation, with an average time of fewer than fifteen minutes. In addition, service uptime is now 99.99%—distinctly higher than the target of 99.90%. Meanwhile, overall customer satisfaction is 88%.
“Because of what we can do with Palo Alto Networks, we have a consistent security platform across all districts,” Shypitka remarks. “Schools can safely share information and leverage each other’s resources while we provide standards around that and prioritize the traffic. This not only improves access to educational resources but also reduces our costs. In fact, we’ve been able to achieve cost avoidance over the last five years through network efficiencies and standardized practices to return in excess of C$20 million back to the schools, which they can put toward improving opportunities for the students.”
Having a standardized network and security infrastructure, with common best practices applied across the province, is changing the classroom dynamic. Jon Rever, assistant superintendent of Central Okanagan Public Schools, elaborates, “The enhanced cybersecurity services we now have with the Palo Alto Networks platform means that teachers and students can just focus on the business of learning without worrying about security. Our goal is to provide a level of security on our network for all mobile devices that enables the education process in a flexible, safe way. Teachers don’t have to adjust their processes or behaviors because they’re concerned a student might land on an inappropriate site. Instead, they’re free to get as creative as they like. We’re removing barriers to learning while ensuring the online safety of our kids.”
Empowered Schools Strengthen Security for All
As part of the co-governance model, the ministry has given each school district the opportunity to send staff to Palo Alto Networks training courses on the operation and administration of the Security Operating Platform so the districts can take active roles in securely enabling their schools according to local priorities and policies.
Shypitka says, “District security administrators can see where there are problems and trace them more effectively to shorten the time to resolution. They can also improve local performance based on traffic shaping to strengthen the security and safety of students by blocking things they find outside our security core.”
The ministry also holds provincial webinars that examine trends in cybersecurity, discuss future opportunities, and deliver tips on how to optimize security and investigate issues more quickly. In addition, the ministry has engaged a Palo Alto Networks resident engineer to work with each district on a specific plan for continually improving security, perform periodic assessments to determine districts’ security maturity, advise on potential exposure or vulnerabilities, and provide technical assistance as needed to help mitigate risks.
“Our goal as a ministry is to set reasonable expectations of where the districts should be and work with them on their plans to get there,” Shypitka states. “We work collaboratively with districts on their network security plans and identify opportunities to further harden the threat landscape. This assists districts in their planning and investment prioritization when they go to their boards.”
David Swystun, manager of learning technology with Central Okanagan Public Schools, adds, “We’re building a common framework across our district and others that’s allowing our team to increase our skill set to be more efficient and effective leveraging all the capabilities of the Palo Alto Networks platform. For example, we are able to use SSL Decryption now to get visibility and control over encrypted traffic, which we never had before, and so we were missing a big chunk of traffic on our network. With all the schools on the same platform, we’re able to align all those needs while getting expert advice on settings and best practices from the ministry. That’s something we otherwise wouldn’t have the resources to dig into on our own.”
Harnessing Security Data to Uncover Valuable Network Insights
Following on the success of the initial deployment, the ministry is now expanding the security program to include fifty-eight core, high availability clusters of Palo Alto Networks nextgeneration firewalls deployed in additional district data centers, along with another 1,400-plus next-generation firewalls at schools. With this expanded security infrastructure, Shypitka identifies the value a future analytics platform will bring, given the richness of information contained in the logs from the network and Security Operating Platform.
“The goal is to leverage PAN-OS 9.0 to have a single logging service for the province as a whole, and partition access for administrators at the individual districts to create synergies and information sharing,” Shypitka advises. “We will manage at the enterprise level, but they shouldn’t have to come through us to get the information. They’ll be able to see their own activity, and where they agree to share, we can take the data and use it to improve our forecasting—for instance, what the right amount of bandwidth, should be to a site—and potentially reinvest our expenditures to improve their security maturity in their local area.”
Shypitka and his team are constantly looking at an enterprise level for ways to improve the network as well as expand safe opportunities for students and teachers. Central to this effort is plumbing the wealth of information available from logs in Panorama. Shypitka describes the effort as a three-legged stool. The first leg drills down on how the network is being used—sites visited, applications run, and resources accessed— and uses this insight to shape traffic for improved network performance or block traffic that poses a risk. The second leg will take that log information and apply predictive analytics to identify trends across the province that could inform the ministry on ways to further harden security standards. Finally, the third leg will uncover correlations between network activity and the health and safety of students—for example, if a school population has a high frequency of visits to sites that could impact the health or safety of students—so counselors can take proactive measures.
Rever underscores this point: “Parents rightfully are concerned about what their children are doing online at school and how their private information is being protected. Having the Palo Alto Networks platform and enhanced cybersecurity services supported by the ministry, we can speak confidently that we have the very best technology securing our network and protecting their children online.”
Enables Positive Outcomes for the Classroom
The Ministry of Education has found many innovative ways to take advantage of technology to deliver its next-generation network with strong security measures from end to end. Shypitka emphasizes that the whole point of this effort is to enable education opportunities for students while keeping them safe online.
“The goal of everything we’re doing is to make sure our utility-like network services are there and available for teachers and their students,” Shypitka asserts. “So, when a teacher is driving in to school and hears a story on the radio about an earthquake in Peru, they can change their lesson plan in real time and make it relevant to the moment, as opposed to taking research offline and not bringing it to the classroom until two weeks later.”
He concludes with this illustrative point: “Previously, we’d have a teacher in front of class talking to students, maybe about the Roman Empire or perhaps a modern-day culture. Today, we can have our students in a classroom connected, able to choose the culture they want to study. They might be Skyping with people in another country or taking virtual museum tours while the teacher provides group and individual coaching. Without the network reliability and security for them to be safe online, we lose that opportunity for our students. It’s all about improving opportunities for positive outcomes.”