When one thinks of data theft, an urban school district may not be the first victim that comes to mind. Yet the Atlanta Public Schools district runs interactive web applications that, if breached, could leak the same kinds of sensitive data that any major financial institution strives to protect.
In a district with 92 schools, around 50,000 students and over 8,000 employees, countless names, Social Security numbers and financial records are stored in internal network applications. Exposing these applications online puts the data at risk, but it also lets the district create new web programs for students and simplify administrative tasks for faculty. To protect its online applications, the district has deployed NetContinuum's Application Security Gateway, an application firewall that inspects requests from internet users before they reach those applications.
“We were always concerned about security, and that's why we were never able to provide remote access,” says Sam Pointer, IT network manager for the district. “We had requests before, but we couldn't find anything that would allow us to sleep at night.”
The NetContinuum product that Pointer and his team chose plays the same role for applications that a network firewall plays for the network. Just as the network firewall blocks unauthorized access to the network, the Application Security Gateway, deployed in the demilitarized zone (DMZ), sits between users logging in from the internet and the enterprise applications and screens their requests.
According to a Symantec Internet Security Threat Report, vulnerabilities in web applications outpaced any other attack vector. “Essentially, the issue of mail viruses and worms has very much come under control,” says Pete Abrams, former vice president of marketing at Santa Clara, Calif.-based NetContinuum. “Where there has been much less focus is around application security.”
Traditionally, application developers have not employed strict secure coding practices, leaving security gaps in the architecture of applications. Hackers have begun to focus on these weaknesses, and to profit from them.
“When you look at the reason that the district purchased NetContinuum, they were very clear that they were going to be putting a mission-critical application directly out on the internet,” explains Abrams. “Whenever you expose an application on the internet, you've gotten the core benefit of making it extremely easy and simple for users to get access to processes, and you've publicly exposed, with extremely simple access, this critical application to hackers.”
For the district, those benefits outweighed the risks. Having deployed the NetContinuum solution, the school system has used its new remote access capabilities to upgrade some administrative systems. The staff is now able to manage their payment history and financial records online, eliminating the need for printed pay stubs. Substitute teachers use a program which allows them to receive and accept job requests without ever picking up the phone. And the hiring process has been radically simplified with the implementation of an online job recruitment application that sends candidate data directly to the district's human resources department.
Alongside these improvements, the school system has also been able to expand and innovate. It has created a high school math application that allows students to work on problems from home. This application, currently being tested in two schools, is an example of the district's desire to connect students, teachers and parents online, outside of school hours, says Pointer. Plans for further additions are in place, including applications that will allow teachers to not only share homework, but also lesson plans and class rosters online.
For the district's three-person IT department, the application firewall was critical to safely allow these types of programs. “If we just opened up our firewall directly to the application, then anybody on the internet could access our environment. That's the main reason that before this product came in, we never opened up,” says Pointer, who chose NetContinuum from among four or five products for its price and the ease and speed with which his small team could implement it.
Web risks: Securing applications
Because input handling is so often their weakest point, web applications are exposed to a variety of threats. Among the most common are SQL injection (crafting input that is concatenated into a database query so that it changes the query's meaning rather than just the value being looked up), parameter tampering (altering the hidden form fields, cookies or URL parameters a browser sends, such as an account identifier or a price, which the application then trusts without re-checking on the server), and cross-site scripting (injecting script into pages the application serves so that it runs in other users' browsers).
“These are some of the doors and windows that an application has — the input forms and the ability to mess around with what is put into various fields. You can make the application behave in an unexpected fashion and yield a lot of information back to you,” says Varun Nagaraj, CEO, NetContinuum.
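The three attack classes described above, shown as an added example that is not from the article and is not NetContinuum's product code. Each pair of functions places the vulnerable pattern beside its hardened form and runs against a constructed in-memory SQLite table whose names and Social Security numbers are placeholders. The `staff` table, the `pay_record_*` functions modelling a pay-history page, and the session user identifier are assumptions made for illustration.

```python
import html
import sqlite3


def make_db():
    """Constructed sample table standing in for a staff record system.
    Names and SSNs are placeholders, not real data (assumption for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO staff VALUES (?, ?, ?)",
        [(1, "alice", "000-00-0001"), (2, "bob", "000-00-0002")],
    )
    return conn


# 1. SQL injection: the query text is built from the user's input, so a
# quote in the input ends the string literal and the rest becomes SQL.
def lookup_vulnerable(conn, name):
    sql = f"SELECT name, ssn FROM staff WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


# Hardened: the input travels as a bound parameter and can only change the
# value compared, never the structure of the query.
def lookup_safe(conn, name):
    return conn.execute(
        "SELECT name, ssn FROM staff WHERE name = ?", (name,)
    ).fetchall()


# 2. Parameter tampering: the pay-history page takes employee_id from the
# request and the vulnerable version simply trusts whatever the browser sent.
def pay_record_vulnerable(conn, session_user_id, params):
    employee_id = int(params["employee_id"])
    return conn.execute(
        "SELECT ssn FROM staff WHERE id = ?", (employee_id,)
    ).fetchone()


# Hardened: the identifier is validated against a positive model (digits
# only) and then checked against the authenticated session before any lookup.
def pay_record_safe(conn, session_user_id, params):
    raw = params.get("employee_id", "")
    if not raw.isdigit():
        raise ValueError("employee_id must be numeric")
    employee_id = int(raw)
    if employee_id != session_user_id:
        raise PermissionError("record does not belong to the logged-in user")
    return conn.execute(
        "SELECT ssn FROM staff WHERE id = ?", (employee_id,)
    ).fetchone()


# 3. Cross-site scripting: user input is written straight into the HTML
# that another user's browser will render.
def greeting_vulnerable(name):
    return f"<p>Welcome, {name}</p>"


# Hardened: HTML-escape the input so the browser shows it as text.
def greeting_safe(name):
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print(lookup_vulnerable(db, payload))                     # every row leaks
    print(lookup_safe(db, payload))                           # []
    print(pay_record_vulnerable(db, 1, {"employee_id": "2"}))  # another user's record
    try:
        pay_record_safe(db, 1, {"employee_id": "2"})
    except PermissionError as exc:
        print("blocked:", exc)
    print(greeting_vulnerable("<script>alert(1)</script>"))
    print(greeting_safe("<script>alert(1)</script>"))
```

Running the script shows the first function of each pair leaking data or executing the injected script and the second refusing. A gateway like the one the district placed in its DMZ can screen such requests before they reach the application; the code-level fixes remove the weakness at its source, and the two controls are best used together.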
Clearly, the Atlanta school district's applications contain a huge amount of personal information — from Social Security numbers of students and staff to the criminal histories of potential employees. This type of data needs protection across all organizations.
Though about 15 percent of NetContinuum's clients are in the education sector, the truth is, says Nagaraj, “When the district is taking job applications, the fact that they're a school district is almost irrelevant.”
All organizations, those in the public eye and those that are less so, have a responsibility to protect their clients' data.
“Any company that has access to the web is at risk, but not every organization takes the steps to get application security,” Nagaraj adds. — Dina Kleyman