Lead Machine Pink 160x1200

Lead Machine Pink 160x1200

iTWire TV 705x108

Sunday, 24 July 2022 20:29

Protecting our most valuable assets in a permanent hybrid learning landscape

By David Arthur, ANZ security practice lead at F5
David Arthur, F5 Security Practice Lead – Australia and New Zealand David Arthur, F5 Security Practice Lead – Australia and New Zealand

GUEST OPINIONEven before the pandemic forced accelerated digital adoption in the Australian education system, technology used by educators and students alike had come leaps and bounds. From interactive smart boards and learning via tablets, to administrative systems and web-based apps, the digital transformation of the education sector fundamentally changed how students learn, and they outcomes they can achieve.

As empowering as this technology can be, it’s important to assess the risks in order to understand the potential negative consequences and, most importantly, how to mitigate them. Without necessary measures in place to support security across all services and applications, educational institutions will be unable to ensure these evolving digital environments are safe.

It isn’t simply an issue of an increase in attacks, but their ever-growing complexity. Good things can be used for nefarious purposes. Encryption, for example, creates control for confidential communications. However, that same technology can be used by attackers to hide malicious activities or, as we now see routinely, to crypto lock victim systems, crippling them and extort ransom demands.

The almost-overnight pivot to online learning was, in many cases, rapid out of necessity, and therefore often without sufficient attention to security concerns. Many institutions simply relied on existing digital infrastructure, and this exposed numerous flaws.

Schools, universities, and TAFEs have been the target of a growing number of attacks.

A breach caused school computer systems across NSW to shut down just days before students were to begin the new term, presenting the NSW Education Department with a difficult set of circumstances to resolve.

This is just one example; in 2020 and 2021 the education sector saw a 75% increase in attacks.

Educational institutions face quite a different threat profile to normal organisations. While most have the majority of adversaries outside the environment, schools and universities tend to have adversaries inside as well. In other words, students aren’t always innocent.

Identifying the problem

Most state education networks rely on one centralised government entity to provide services and infrastructure. What we see in remote and hybrid learning environments is the entire population of students and teachers using remote networks when working from home, placing strain on remote access infrastructure.

Additionally, with the adoption of Software-as-a-Service (SaaS), externalisation of services, and surging demand for high quality and dynamic content, traffic through these centralised gateways is continuing to grow rapidly. Without increased capacity, the systems won’t cope, leading to poor user experiences at best, or complete unavailability at worst.

Architectures must be changed to have a more distributed egress; but this can present an enormous challenge as a result of how they’ve been built previously. This also presents an operational scale issue; with greater distribution, there are more systems to be managed. Efficiency, consistency, and fleet management via automation are key to scaling.

Another increasingly complex challenge stems from the raft of tools available to, and used by, students to bypass security controls, which is more easily done when egress monitoring is inadequate. Comprehensive filtering and inspection of traffic is needed in order to combat the threat.

Like the multiplying heads of the Hydra, when one cyber security concern is identified and dealt with, another two appear in its place.

Protecting our most valuable assets

As disruptive as the shift to digital and remote learning has been, it has also created an opportunity for the sector to ask: how do we guarantee a system moving forward which meets the significant and increasing demands, but also ensures cyber security and safety?

One answer is to wrap a consistent security layer around all services, protecting apps and APIs across all environments. Adopting a defence in depth approach, focussing on both ingress and egress control, and inspecting all traffic is key.

The 2021 Log4j zero day vulnerability, though not only affecting educational institutions, saw millions of computers hit through software commonly used by students, teachers, and learning institutions. As an example, one of our customers in the education sector was able to provide rapid protection by reducing the window of exposure with Web App Firewall signatures to block Log4j attacks. Then, it turned its attention to preventing malicious payloads from spreading further.

This approach allowed time to undertake the lengthy process of inventorying systems with the log4j vulnerabilities, deploying patches, and waiting for vendors to provide patches for their systems.

Others resorted to the whack-a-mole approach, madly trying to identify and patch everything as rapidly as possible, often unable to determine which systems used the vulnerable component. Or to describe it another way, the difference between a calm and measured response versus many consecutive sleepless, stressful nights with all hands at the pump.

Streamlining application modernisation and reducing complexity by supporting rapid innovation, integrated security, and accelerated app deployment will help improve IT agility, efficiency, and effectiveness, while meeting growing demands for better digital experiences.

Australia’s education sector will continue to face increasing security challenges as it adapts to a world of permanent hybrid learning. The road ahead will not be easily travelled so long as cybersecurity standards are not applied consistently across all environments – traditional and modern.

Read 1061 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here


Thoughtworks presents XConf Australia, back in-person in three cities, bringing together people who care deeply about software and its impact on the world.

In its fifth year, XConf is our annual technology event created by technologists for technologists.

Participate in a robust agenda of talks as local thought leaders and Thoughtworks technologists share first-hand experiences and exchange new ways to empower teams, deliver quality software and drive innovation for responsible tech.

Explore how at Thoughtworks, we are making tech better, together.

Tickets are now available and all proceeds will be donated to Indigitek, a not-for-profit organisation that aims to create technology employment pathways for First Nations Peoples.

Click the button below to register and get your ticket for the Melbourne, Sydney or Brisbane event



It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site itwire.com and prominent Newsletter promotion https://itwire.com/itwire-update.html and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV https://www.youtube.com/c/iTWireTV/videos which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.


Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News