By: Tony DePrato | Follow me on Twitter @tdeprato

Many countries have begun to create or enforce new rules concerning online anonymity.

Here are some examples of anonymity rules: South Korea , China, The United Kingdom

These rules are manifested in places like coffee shops that require a phone number to be verified via SMS. It is not optional anymore to allow students or staff to be online anonymously. Cyberbullying, hacking, and other issues cannot be addressed if the person (or persons) involved cannot be identified. Most school administrators may not realize how prevalent anonymous access is on many K-12 campuses.

General Policies and Procedures

There is often a knee jerk reaction to fix problems by spending money. There are plenty of nifty IT solutions to help with security, but without proper policies and procedures in place, technology will eventually fail.

Policies and procedures must be adopted and implemented from the highest levels of the organization. Any exemption creates a vulnerability. Luckily, the concepts and steps are simple enough, and they apply to both BYOD and non-BYOD schools:

1. Every user on the network has a login.
2. Logins are either genuine/legal names or employee/student ID numbers.
3. Passwords are not shared or common;
4. Every device on the network, printers included, must have the default username and password customized.
5. School owned devices must require individuals to login; generic logins like “classroom1” cannot be permitted.
6. Very young children who cannot manage a username and password must be assigned devices, and those devices need to have a static IP address.
7. Children from grade 1 and up should learn to login with an individual username or using an ID number; a shared password is acceptable until grade 3.
8. Primary school children should not be on the same network and/or Wifi as middle and high school children. This is essential to prevent older students using a younger student’s account.
9. Teachers and students should not be on the same network and/or Wifi. Sharing should happen in the cloud or file servers.
10. Guest access should be very limited unless there is a major event.

These policies and procedures have a two-pronged effect. First, they set a standard for the type of network equipment and design that is required. Secondly, they take very technical topics and reduce them to yes/no questions. “Are children under the age of six using assigned devices?” “Do all school owned devices require an individual login?” “Can students login to the network with a shared password?”

BYOD Specific Policies and Procedures

There is an underlying truth about letting people use equipment. If a person can take a piece of equipment to an anonymous location, they can hack into the equipment. If a school owns a laptop, and allows a student to take that laptop outside of the school, then that student can own that laptop and manipulate it.

I have demonstrated this to people who were setting policies for school owned equipment, and believing that the equipment was secure. I once unlocked a Windows laptop in 5 minutes with a USB tool I created from free software. I did this in front of three people who had deployed over 100 laptops to my campus, believing the laptops were secure. The last time a school gave me an Apple laptop loaded with “security features” I was able to circumvent the security in less than 10 minutes. The modification were never detected. The truth is, I am not even half as motivated or talented as many students. However, I can think the way they think.

A few years ago I spent an entire day with a CISCO engineer. I wanted to brainstorm with him on BYOD security. We went through all the scenarios. In the end, we came up with a good low cost set of protocols for BYOD management:

1. The school needs 3-4 SSIDs (Wifi Names) per division. For example: Teachers,  Secondary_Students, and Guest. Primary students would not be able use the Secondary_Student Wifi.
2. Students, Teachers, and Staff must authenticate with the PEAP protocol. This means everyone needs to login like they are in a coffee shop. A small pop-up window asks for your username and password every 24 hours (or similar concept).
3. All BYOD access requires a 3-point authentication process: MAC Address + IP Lease + Username. (If anyone wants to know HOW to do this, please email me directly).

These three steps ensure that unless Student A gives their username and password to Student B, it is impossible for Student A to use Student B’s computer (without committing theft). This is the core issue with BYOD. A school needs to be able to show how they know what they know. The access responsibility needs to be on the students, and down to a personal choice.

As with the general policies and procedures, this protocol will help set the network equipment and configuration standards without requiring the administration to have a deep understanding of technology.

Please feel free to contact me directly with further questions or to arrange a discussion.