CASE STUDY

HILLSBOROUGH COUNTY PUBLIC SCHOOLS

CASE STUDY

HILLSBOROUGH COUNTY PUBLIC SCHOOLS

BY PATRICK E. SPENCER she says. However, if a machine didnt have the latest update when it was first turned on, then it would kick off an update that consumed nearly all of that systems resources. We had users sitting in front of their computers for 20 or 30 minutes until the updates completed. This caused a significant productivity drain on staff and impacted the learning environments in the classroom.
Sharon Zulli, Manager, Customer Service and Support Department, Hillsborough County Public Schools

Endpoint Matriculation
Hillsborough County Public Schools educates hundreds of thousands of students by protecting tens of thousands of endpoints
anaging the IT systems for a public school district that is the eighth largest in the United States and covers an area larger than Rhode Island requires just the right mix of technology, processes, and people. Get it right, and the learning curve is greatly diminished. Get it wrong, and the learning curve becomes very steep. We have approximately 85,000 endpoints supporting 27,000 faculty and staff and 190,000plus students, says Sharon Zulli, manager of the Customer Service and Support Department. Zulli has been with Hillsborough County Public Schools in Florida for more than 25 years, including the last 20 in IT (except for a few years at IBM as an education specialist). And shes been getting it right since she spearheaded an effort to roll out IBM PCs in a baseband network configuration in the late 1980s. It was one of the initial rounds for technology resource teachers in the schools and I applied, she remembers. It was truly a very exciting time, and it was a great opportunity to do something that had not been tried before.

Centralizing client management

Matriculate a few years forward to 2007. Being able to manage patches and updates across the entire school district IT environment from a centralized console became a bigger and bigger issue for the Hillsborough County Public Schools team. We also needed a centralized means for delivering software to faculty, staff, and students, adds Christopher Amato, a technology specialist at Hillsborough County Public Schools. Imaging and reimaging and provisioning were factors as well. Zulli and her team looked at several options and decided to extend their investment in endpoint management tools from Symantec, electing to implement Altiris Client Management Suite. The policies in Client Management Suite enable us to define exactly when patches or updates occur, Amato relates. As an example, for computers in the classrooms, we dont want patches or updates performed when classes are taking place. This interrupts learning and needs to be managed during nonclassroom hours. Disruptions during testing sessions are another issue that Client Management Suite solves. Amato explains: We had instances where a machine would begin patching or making updates when students were taking tests. This disruption was not something faculty or students could tolerate.

Blaster wakeup call

Though computers in Hillsborough County Public Schools can process in a fraction of second what the old IBM PCs could do in many minutes or even hours, the challengesand opportunitiesremain just as large. Until 2003, the IT team maintained a manual endpoint management approach. When a new version of a software package came out, we would make a copy of it onto a CD, replicate 250 copies, and then send these out to hundreds of schools to update onto their systems, Zulli recounts. While we made this process work, this was inefficient and not an effective way to manage risk. The wakeup call came in 2003 with the Blaster Worm, which brought down several schools in the district. My
52 CIO Digest January 2013

PATRICK E. SPENCER

manager at the time came to me and directed that we do something, Zulli recalls. He told me to get something that could be managed centrally and that would automate a lot of our manual management processes. After looking at several different technology solutions, she and her team settled on Symantec endpoint security and its management console, mandating that all machines were to have the Symantec endpoint security client on them if they were to be on the districts network. But it was more than managing risk through standardization. We had staff going from one school to the next patching and updating machines, she describes. To automate this process and put the sneakers back in the IT locker, we began using Altiris Deployment Server. But this configuration had its limitations, too. We deployed the antivirus updates through group policy,

For assistance in planning and implementing the rollout, Hillsborough County Public Schools turned to Symantec Partner Advanced MarketPlace. Advanced MarketPlace helped with our initial Altiris deployment in 2003, Amato recalls. We were very pleased with their level of expertise and using them again for our 2007 rollouts made complete sense. In addition to making patching and updates intelligent, Client Management Suite enabled the Hillsborough County Public Schools team to improve their percentage of patched machines from 85 percent to almost 95 percent. This improves our risk posture, Zulli says. Further, hardware-independent imaging reduced the number of images from 20 to just two. This dramatically simplified the update process and eliminated instances where the wrong image or image version was put onto a machine. The software portal capability was also a real bonus, Amato adds. Managing the deployment of approved software titles was a real problem for us before. With Client Management Suite, we are able to take all of the approved applications that are commonly used and place those on a centralized software portal where faculty and staff so that they can download the software they need.

We have about 85,000 endpoints spread across an area the size of Rhode Island supporting about 27,000 faculty and staff and 190,000plus students.
Sharon Zulli, Manager, Customer Service and Support Department
antivirus, antispyware, firewall, intrusion prevention, and application control. Intrusion prevention gives us a proactive approach to endpoint security, Zulli states. With the large number of endpoints to protect, a proactive versus a reactive stance is crucial for us. The application control feature is proving quite beneficial to Hillsborough Endpoint security and County Public Schools. management facilitates learning while protecting Previously, we had 85,000 endpoints for no means to prevent Hillsborough County students from going Public Schools at go.symantec.com/ around our Web filter hillsborough-video. using ultra-surf proxybypass utilities, Amato says. With application control, we load a hash of the known files that we dont want the students to execute. As a result, when they attempt to execute those files, they are blocked from doing so. Amato actually took the solution a step further when he integrated

the Endpoint Protection application control database into the districts Microsoft SharePoint solution. This enables the Hillsborough County Public Schools team to track which students are trying to circumvent security controls and which applications they are trying to use and which websites they are attempting to log into. It shows us everything, including machine name, time stamp, and user name, Amato quips. The move to Endpoint Protection also allowed Hillsborough County Public Schools to reallocate 250-plus servers that had previously been used as domain controllers. Amato explains: We no longer need dedi-

cated servers for each site. Rather, we manage all of our endpoints from a set of four servers in our main data center. I was able to redeploy those 250-plus servers for a different function and thus avoid the cost that would have been required to purchase 250 new machines. In addition to the cost savings for the hardware and software, the IT team eliminated the time spent maintaining those 250 servers, at least associated with endpoint security.

Controlling and managing the network

With such a huge faculty and staff population and student base, Hillsborough County Public Schools is not immune to consumerization of IT. Technology Specialist Art Mickelson, who focuses on active directory and server management, comments: Managing and controlling the amount of technology from outside of the school district on our network is becoming a growing challenge. In 2011, with this challenge in the foreground, the Hillsborough County Public Schools team decided to upgrade to Symantec Endpoint Protection 12. The primary feature the team wanted to add with the upgrade was host integrity check. Mickelson set up compliance policy rules that prompt users when they are using a machine that is out of compliance. Network access control became the next logical move for Hillsborough County Public Schools. In 2010, Mickelson, working with a consultant from Advanced MarketPlace, added the Network Access Control feature in Endpoint Protection. Using DHCP to enforce configuration of a security standard on every machine that attempts to connect to our network, we are able to reduce risks, he explains. Once they pass the

VIDEO

PROTECTING THE NEW EDUCATIONAL IT REALITY: SYMANTEC SYMED

Online reference material,
assignments, lessons, collaboration, and rich multimedia were once an exception in K-12 educational environments. This is no longer the case. And with many higher education institutions offering fully virtual learning environments, in addition to states mandating that K-12 schools provide one or more online classes before graduation, the importance of protecting the infrastructure, information, and identities of students, faculty, and staff is accentuated. To address these challenges in education, Symantec developed SymEd, an integrated solution suite that allows educational institutions to protect and manage their IT environments with a broad set of tools and services. For more on SymEd, visit go.symantec.com/ symed.

host integrity check, then they are allowed into our production network. If they fail, then they are put into a restricted network zone where they cannot access information or use other applications. In those instances, we offer them services where they can download and implement our security standard and thereby gain access to our network. Offering network access control is important because third-party vendors are on Hillsborough County Public Schools campuses on a regular basis and require access to file servers and other IT resources. The network access control component in Symantec Endpoint Protection gives them the ability to access those. This wasnt always possible in the past, Mickelson says. In addition, access includes both wired and wireless networks.

Expanded IT curriculum with SymEd

In the summer of 2012, as Zulli began to assess broader and longer-term IT requirements for Hillsborough County Public Schools, she determined that a more strategic agreement with Symantec was needed. SymEd Total Management gave us access to a wide-range of integrated toolsets while providing us with the flexibility to evolve our IT environment over time, she reflects. Symantec worked with us to customize the solution to meet our requirements, demonstrating an unwavering commitment to our success. Hillsborough County Public Schools obtained the following toolsets and services from Symantec as part of the three-year SymEd agreement they signed: > Altiris IT Management Suite (including Client Management Suite and Asset Management Suite)

Strategic endpoint security

In 2010, Hillsborough County Public Schools was an early adopter of Symantec Endpoint Protection. The consolidation of various endpoint security functions into one central management console made it dramatically easier to manage the approximately 85,000 endpoints scattered across the hundreds of schools in the district. The IT team leverages most of the available features in the solution, including

HILLSBOROUGH COUNTY PUBLIC SCHOOLS

Location: Southwestern Florida (Tampa/St. Petersburg area) National Ranking: 8th largest in U.S. Schools: 267 sites Faculty and Staff: 27,000+ Students: 190,000+ Website: www.sdhc.k12.fl.us

symantec.com/ciodigest 53

54 CIO Digest January 2013

CASE STUDY
HILLSBOROUGH COUNTY PUBLIC SCHOOLS

SHARON ZULLI AT A GLANCE

> Symantec ServiceDesk > Symantec Mobile Management > Symantec Protection Suite (including Endpoint Protection, Web Gateway, and Messaging Gateway) > Symantec Business Critical Services In addition to the efficiencies of scale and integrated toolsets, SymEd gives Hillsborough County Public Schools a much more predictable licensing model, according to Zulli. We can plan our IT spend much more accurately and prioritizeor re-prioritizeour projects much better, she explains. The biggest challenge with the current tool that we use is that it doesnt have a remote control capability, he explains. Support technicians must go to another console and screen to perform remote control, and the data of that session isnt captured in our existing help desk system. With Symantec ServiceDesk, that information will populate automatically. Centralized reporting is another feature Studenberg believes his team will be able to leverage. For configuring and rolling out ServiceDesk, the Hillsborough County Public devices and control their usage is crucial. The current approach to managing the mobile devices simply isnt efficient. For each of the devices, we had to set up exceptions that were manually entered into our DHCP database, Mickelson says. Being able to automatically provision new devices and then manage them using Mobile Management will make our jobs dramatically easier. We also will have a discovery trail for all of them and the ability to wipe them in the event they are lost. And because Mobile Management is inte-

Sharon Zulli joined

Hillsborough County Public Schools in 1988 as a teacher and guidance counselor. In 1991, when an opportunity arose to manage a baseband network of IBM PCs, she raised her handand her IT career was launched. Except for a stint

Zulli joined the Customer Service and Support Department in 2000 and worked in several different management capacities before assuming overall charge of the approximately 80-staff team in 2010. In this role, she reports directly to Hillsborough County Public Schools Chief IT Officer Dr. David Steele. Zulli summarizes her departments mandate with the following assessment: Administrators and faculty arent really interested in what were doing with different technologies and vendors. They only care if their IT systems are working

The software capability was also a real bonus.

Christopher Amato, Technology Specialist
190,000-plus K-12 students is daunting. Failure to do so means teachers cannot teach and students cannot learn. And for those who might conclude that IT in K-12 education lacks challenges and is unfulfilling, they havent met Zulli and her team. Each of the members interviewed for this article have more than a decade of tenure at Hillsborough County Public Schools. Theres always a new challenge around the corner, reflects Mickelson. And that typically has a meaningful impact on the educational experience. Zulli concludes: Whats really exciting is that what we do makes a real difference in facilitating learning for hundreds of thousands of children each year. Weve been entrusted to protect the endpoints that are used to do so, and we take that stewardship very seriously. n

Sharon Zulli
Manager, Customer Service and Support Department

of the

School District of Hillsborough County

Efficiencies of scale
Zulli and her team are quite excited about the different initiatives they plan to drive by leveraging the broader portfolio of Symantec solutions. Our first focus area is to replace our legacy Web security and messaging security solutions with Symantec Web Gateway and Symantec Messaging Gateway, Zulli notes. We will get closer integration with our broader security infrastructure while reducing the cost and time we spend in training and maintaining those two solutions. We also have some compliance requirements for protecting students while they are on the Internet, and Web Gateway gives us the ability to monitor and manage that activity more closely. A second area Zullis team is preparing to tackle is replacement of a legacy help-desk solution with Symantec ServiceDesk. Were looking forward to the efficiencies it will drive for us, Zulli cites. Michael Studenberg, a technology support advisor who oversees Hillsborough County Public Schools support center, indicates that remote control integration was at the top of the list of priorities in the selection.

Managing and controlling the amount of technology from outside of the school district on our network is becoming a growing challenge.
Art Mickelson, Technology Specialist
Schools team will engage Advanced MarketPlace for assistance. And as Zullis team implements Asset Management Suite, including asset tracking, Studenbergs team will be able to use that information when assessing help-desk requests. This will drive efficiencies such as faster resolution of support tickets. Were also beginning to experiment with application metering, adds Paul Richwine, a technology specialist on Zullis team. With the information we glean from it, we hope to reduce our overall software spend by reallocating licenses that arent being used or hardly being used to other machines. A third area that the Hillsborough County Public Schools team plans to address is mobility. We currently have almost 1,000 devices deployed across several schools but know that this number is going to rise quickly, Zulli relates. Being able to manage these grated with Symantec ServiceDesk and IT Management Suite, the Hillsborough County Public Schools team can manage the mobile devices from the same centralized console used to manage the remainder of the organizations endpoints. With some faculty and staff wanting to bring their own devices (BYOD) and connect them to the Hillsborough County Public Schools network, Zulli and her team are investigating the possibility of rolling Portions of the interview out a BYOD policy. It with Sharon Zulli and her Customer Service and Support doesnt make sense team at Hillsborough County for us to provide and Public Schools are available as an Executive Spotlight manage districtPodcast at go.symantec.com/ owned devices, she hillsborough-podcast. says. As a result, if we are going to allow them to connect their own devices to our network, we need to have the right solution in place to segregate district applications

working as an education specialist at IBM for a few years in the 1990s, Zulli has served in a variety of IT capacities at Hillsborough County Public Schools. The time at IBM gave me vendor experience, which Ive really been able to draw upon to build strategic, collaborative relationships with our technology providers here, she states.

and if student computers and mobile tablets are running. Our team works behind the scenes and makes all of this possible. And this isnt an easy feat, according to Zulli: We have about the same headcount as we did in 2002 but are responsible for nearly twice as many endpointsand we now have the added complexities of user demands for choice and mobile devices.

and data from those that are the employees. For this function, Zulli indicates that Symantec App Center might be a solution.

PODCAST

More than just support

Hillsborough County Public Schools also gets Symantec Business Critical Services with the SymEd agreement. The team doesnt turn to Symantec for support very often, Zulli reports. But when we do need assistance, we get an immediate response. Weve had Business Critical Services for a couple years now and are looking at ways to leverage it so that we can become more proactive in addressing
56 CIO Digest January 2013

potential problems and efficient in how to tackle different projects. A good example of the latter is Symantec Endpoint Protection Assurance that comes with Patrick E. Spencer (Ph.D.) is the editor Business Critical Services. Last in chief and publisher for CIO Digest. year, we had an audit of our software deployment across EXCEEDING THE CURVE the entire organization, WITH SYMED TOTAL SOLUTION Zulli recalls. With Symantec Endpoint Protection Assurance, we > Symantec Protection Suite were able to generate a report of Symantec Endpoint Protection our licenses to the machine level Symantec Web Gateway that saved us substantial time. Symantec Messaging Gateway

CIO
PATRICK E. SPENCER

featured in

STRATEGIES AND ANALYSIS FROM SYMANTEC

DIGEST

January 2013

PATRICK E. SPENCER

The endpoint difference

The enormity and importance of protecting the IT environment used to facilitate learning for

> Altiris Client Management Suite > Altiris Asset Management Suite > Symantec ServiceDesk > Symantec Mobile Management > Symantec Business Critical Services

symantec.com/ciodigest 55