
SECURITY REFERENCE BLUEPRINT FOR K-12 IT


IT network and security teams in K-12 institutions around the world must keep students and their data safe while
providing appropriate network security for diverse groups of users. They must also detect and block a rising volume
of ransomware and other threats, while ensuring high performance and availability, and complying with applicable
policies and regulations. The Security Reference Blueprint for K-12 allows IT teams to keep their students and data
safe in modern learning environments, while reducing threats and simplifying security administration.

Palo Alto Networks | Security Reference Blueprint for K-12 IT | White Paper
Table of Contents

I. Security Concerns for K-12 Institutions 3

II. Reference Blueprint Goals and Security Principles 3

III. Core Security Principles 4

Application and User Visibility 4

Virtual Segmentation 5

Extending Coordinated Protection To Cloud Environments and Endpoints 6

Private, Public and Hybrid Clouds 6

Endpoints 6

Advanced and Zero-Day Attack Prevention 8

Threat Correlation and Timely Reporting 8

IV. Security Reference Blueprint for K-12 IT 7

Virtual Segmentation Within a School 8

DMZ 8

School Endpoint Zone 9

Administration Zone 10

Data Center Zone 10

Securing the Data Center, Public and Private Clouds 10

Software as a Service (SaaS) 11

External Student, Staff or Third-Party Access 11

Threat Intelligence and Correlation 11

Migrating to Palo Alto Networks Next-Generation Security Platform 11

V. Summary 12

I. SECURITY CONCERNS FOR K-12 INSTITUTIONS
Keeping students and their data safe is becoming more of a challenge in modern learning environments. Online
safety, while an important aspect, is only one element of network security. Schools are becoming more networked
all the time. New multimedia content, e-learning tools that complement traditional learning, and staff and students
who BYOD all require protection from modern cyberthreats, which strains security services to their breaking points.
The increasing use of SaaS applications, while increasing efficiency and productivity, has also introduced new
threat vectors. For IT staff, this means continually monitoring the networks and their resources for cyberthreats.
Navigating and monitoring this changing minefield is a difficult and time-consuming task for security teams, some
of whom are attempting to repel dozens to thousands of attacks per day.
Reams of student and staff online data combined with limited IT resources have resulted in K-12 institutions
becoming an increasingly successful target for ransomware1. Hackers infiltrate networks, disrupt operations by
encrypting data, and extract a ransom in exchange for decryption keys.
An effective security strategy that incorporates key security principles can address this type of exposure and
damage, while improving the visibility and control of IT and security teams. This paper discusses how the Palo
Alto Networks® Next-Generation Security Platform enables schools to implement these principles to detect and
prevent threats to networks, devices, and information, on premises and in the cloud, while monitoring policy
effectiveness and reducing complexity and unnecessary overhead. The end goal: efficiently manage a
high-performance learning environment while protecting students, staff, and their data, and ensure ongoing
compliance with policies and regulations.

Sidebar: The Palo Alto Networks Next-Generation Security Platform natively integrates network, cloud and
endpoint security into a common architecture, offering IT teams comprehensive visibility and control. This
platform approach ensures your organization can detect and prevent attacks, streamline day-to-day operations,
boost security efficacy, and prevent threats at each stage of the attack lifecycle.
https://www.paloaltonetworks.com/products/designing-for-prevention/security-platform.
Optional security subscriptions seamlessly integrate on the platform to add: protection from known and unknown
threats; classification and filtering of URLs; and the ability to build logical policies based on the security
posture of a user’s device. https://www.paloaltonetworks.com/products/platforms/subscriptions.html.
Palo Alto Networks cloud-based or on-premises malware analysis environment, WildFire, provides dynamic analysis
of suspicious content in a virtual environment to discover unknown threats, then automatically creates and
enforces content-based malware protections. It also detects malicious links in email, proactively blocking access
to malicious websites.

II. REFERENCE BLUEPRINT GOALS AND SECURITY PRINCIPLES
This Security Reference Blueprint for K-12 Education IT describes
a security framework using the preventative capabilities of the
Palo Alto Networks Next-Generation Security Platform. Using this blueprint enables education security and IT
professionals to protect students and their data while maintaining a high-performance, high-availability and safe
learning environment. To do so, this blueprint can help K-12 institutions:
• Meet academic needs for internet connectivity while keeping students safe.

• Prevent data breaches and the loss of sensitive information.

• Maintain high availability and performance while continuously scanning for and preventing new threats.

• Identify best practices for network security deployment and management.

• Comply with federal and state regulations relating to personal data, protection of children and more.

Sidebar: Palo Alto Networks can provide a Security Lifecycle Review that consists of a one-week analysis of your
environment with a complete report at the conclusion. For more information:
https://www.paloaltonetworks.com/company/contact-support.html

Like most industries, schools must protect their staff, computers
and servers from cyberthreats. But unlike most industries, the majority of K-12 network users are children, not
employees, who require protection from inappropriate content as well as cyberthreats. These children and the staff
that serve them may even be allowed to connect their own laptops, tablets and smartphones to campus networks.
Many K-12 institutions are now evaluating how to protect student-owned devices – and be protected from the
risks of those devices – without impacting network performance or significantly adding to overburdened IT teams.
For IT teams, this means continuous network monitoring for new threats.

1. http://money.cnn.com/2016/04/04/technology/ransomware-cybercrime/

There are several types of cyberthreats that impact K-12 networks: opportunistic malware with no specific targeted
victim; exploits of vulnerable applications; and, increasingly, targeted attacks. Using some key security principles,
K-12 institutions can prevent these threats, minimize network interruption or downtime, and protect against
unauthorized access and leakage of sensitive data. These core security principles include:

• Application and user visibility and monitoring to reduce the threat footprint, enforce usage policies, and
assist with capacity planning and appropriate access controls.

• Virtual segmentation to prevent movement of malware through the network and strengthen security posture.

• Coordinated protection across endpoints, in data centers, in remote locations and at major internet
gateways and cloud locations.

• Advanced prevention of zero-day and known malware attacks.

• Timely reporting to enable IT, cybersecurity and intelligence professionals to coordinate actions.

• Immediate and automatic sharing and distribution of threat intelligence between systems.

Subsequent sections address each of these principles in detail.

III. CORE SECURITY PRINCIPLES

Application and User Visibility


Visibility into the applications traversing the network, how often they are being used, which people are using
them, and how much bandwidth they are consuming helps IT teams make informed security policy decisions.
They can use this visibility to make contextual, policy-based decisions about which applications should or should
not be allowed; who should be able to use certain applications; what they are allowed to do and under what
circumstances; and cater to the needs of different groups of users while controlling the risk to the network.
Schools can choose to block applications that carry the highest risk, for example P2P applications that can
lead to exposure that can damage reputations, or proxy server applications that bypass necessary web content
filtering. Next-generation security platforms should also ensure that downloaded applications are not carrying
risky payloads. In contrast, applying port-based policies in traditional security products cannot distinguish risky or
unauthorized applications or users, and therefore cannot effectively protect the network.
By integrating security platform information with user repositories, IT teams can identify users and user groups
instead of devices or IP addresses. This identification enables IT teams to build security policies that limit certain
applications to certain users or groups.
To move to an application-based threat prevention model:

• Identify frequently used applications so you can more easily highlight unknown or potentially risky
applications. You can monitor traffic across your Next-Generation Security Platform to learn and understand
current traffic patterns.

• Start implementing application-based rules for a few non-critical applications with smaller user bases in
order to demonstrate success. For example, a K-12 institution may choose to limit staff payroll access to
only the human resources group.

• Develop a strategy to roll out application-based rules in line with the institution’s objectives and applica-
tion and user awareness gained. For example, the next move may be to target vulnerable applications, for
example by limiting access to billing and invoicing applications to only the finance department user group.

• Iteratively lock down applications according to the approved strategy, and enforce consistent security
policy rules for users and groups with similar access and application requirements.

Application-based policies can help control access in the following ways:


• Identify risky applications, for instance:
◦ SaaS storage apps that can allow data transfer and exfiltration
◦ Suspicious DNS
◦ P2P applications such as Tor and BitTorrent
◦ Proxy servers such as UltraSurf and PHproxy

• Look for other dynamics within your environment, such as:
◦ Port scanners and/or vulnerability scanners
◦ Third-party networks that are not approved
• Build groups for traffic to always block:
◦ IP ranges including geo-location – does your data center need to talk to China?
• Identify, monitor and analyze all encrypted traffic, especially from external websites (SSL/TLS). While
many applications and websites use encryption for privacy, malware authors are increasingly delivering
encrypted malware payloads. All encrypted network traffic should be examined for the presence of
malware or inappropriate usage (see Figure 1).
By implementing granular application identification, not just port-based filtering, administrators gain greater
visibility and the opportunity to reduce their risks significantly.

Figure 1: Palo Alto Networks Next-Generation Security Platform Application Control Center shows the top
applications in use on your network, activity by user, threats, and other activity that is helpful in gaining
visibility and developing security policies.

Virtual Segmentation
In some of the latest attacks against K-12 industry2, attackers broadcast emails with infected email attachments,
then unsuspecting recipients open them and infect internal networks. Any such attack can impact network
integrity, student and staff data, and regulatory compliance within your institution.
The Zero Trust approach, first coined by Forrester® 3, makes it very difficult for such an adversary to succeed.
This same approach makes it difficult for everyday malware to move across the network. Zero Trust boundaries4
verify all users, devices and applications traversing your network, effectively compartmentalizing user groups,
devices and/or data types, such as social security numbers or student grades. Scanning data that moves in and
out of the zone not only prevents the spread of threats, it can also prevent data from being exfiltrated.
There are three major benefits to segmenting your systems into virtual network zones:

• Limit the scope of vulnerability by separating vulnerable devices, such as old servers that cannot be
patched from others, or those containing sensitive data such as student health records.

• Limit data exfiltration by limiting the amount of data that is compromised in a breach.

• Limit the scope of compliance since only the devices, workstations, and servers in a particular zone are
subject to compliance audits.

2. http://researchcenter.paloaltonetworks.com/2016/11/ransomware-common-attack-methods/

3. www.forrester.com

4. Some organizations use virtual local area networks (VLANs) to segment their network, but VLANs simply isolate network traffic – they
are unable to enforce the control of privileged information. In addition, by itself, a VLAN cannot inspect traffic for threats.

Two separate, but complementary, virtual segmentation strategies control traffic in different ways:
• North-south segmentation controls traffic entering a network or a private, public or hybrid cloud.
• East-west segmentation controls traffic entering and exiting a virtual machine (VM).
Zero Trust boundaries, zones, or virtual network segments enable you to apply controls at every entry and exit
point of the zone, preventing malware from moving between zones and lateral movement of advanced attacks.
Virtual segmentation zones can include:
• Applications and databases containing private or regulated information (for example payroll records,
personal information of students, and payment information).
• School Wi-Fi internet access.
• Access to third parties, such as affiliated institutions.
• Smart machines and sensors, such as building and facilities management systems.
By applying this Zero Trust approach, educational institutions can protect critical servers and sensitive informa-
tion from unauthorized users or data exfiltration, reducing the exposure of vulnerable systems and preventing
the movement of malware throughout the network.
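The application-based rollout described under Application and User Visibility and the zone boundaries described in this section both come down to the same policy decision: match a flow on the identified application, the user's directory group and the source and destination zones, with cross-zone traffic denied unless a rule allows it. The following added example (not code from the white paper or from Palo Alto Networks; zone, group and application names are constructed) evaluates sample flows under such a rulebase and, beside it, under a port-only model, to show why a port-based rule cannot tell a proxy application on port 443 from ordinary HTTPS while it still blocks a legitimate application on a non-standard port:

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Empty selector = "match anything" (like "any" in a firewall rule).
ANY: FrozenSet[str] = frozenset()


def Z(*names: str) -> FrozenSet[str]:
    """Shorthand for a selector set of zones, groups or applications."""
    return frozenset(names)


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    user_group: str   # group resolved from the directory, not an IP address
    app: str          # application identified from traffic content, not port
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    src_zones: FrozenSet[str] = ANY
    dst_zones: FrozenSet[str] = ANY
    groups: FrozenSet[str] = ANY
    apps: FrozenSet[str] = ANY
    decrypt: bool = False              # inspect TLS sessions matched by this rule


def _selected(selector: FrozenSet[str], value: str) -> bool:
    return not selector or value in selector


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (_selected(rule.src_zones, flow.src_zone)
            and _selected(rule.dst_zones, flow.dst_zone)
            and _selected(rule.groups, flow.user_group)
            and _selected(rule.apps, flow.app))


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str, bool]:
    """First matching rule wins. With no match, traffic crossing a zone
    boundary is denied (Zero Trust default); traffic inside a zone is allowed."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name, rule.action, rule.decrypt
    if flow.src_zone == flow.dst_zone:
        return "intrazone-default", "allow", False
    return "interzone-default", "deny", False


def port_based_allows(flow: Flow, open_ports: FrozenSet[int]) -> bool:
    """Traditional port-based control: it sees only the destination port."""
    return flow.dst_port in open_ports


# Constructed rulebase following the paper's examples: block evasive apps
# everywhere, restrict payroll to HR and billing to finance (administration
# zone to data center only), let teachers reach assessment software from the
# endpoint zone, and decrypt/inspect web traffic leaving for the internet.
RULES: List[Rule] = [
    Rule("block-evasive-apps", "deny", apps=Z("tor", "bittorrent", "ultrasurf", "phproxy")),
    Rule("hr-payroll", "allow", Z("administration"), Z("data-center"), Z("hr"), Z("payroll")),
    Rule("finance-billing", "allow", Z("administration"), Z("data-center"), Z("finance"), Z("billing")),
    Rule("teacher-assessment", "allow", Z("school-endpoint"), Z("data-center"), Z("faculty"), Z("assessment")),
    Rule("web-out", "allow", Z("school-endpoint", "administration"), Z("internet"), ANY,
         Z("web-browsing", "ssl"), decrypt=True),
]
PORT_ALLOWLIST: FrozenSet[int] = frozenset({80, 443})


def run_demo() -> Dict[str, dict]:
    """Evaluate constructed sample flows under both models."""
    flows = {
        "student_proxy": Flow("school-endpoint", "internet", "students", "ultrasurf", 443),
        "student_web": Flow("school-endpoint", "internet", "students", "ssl", 443),
        "hr_payroll_from_admin": Flow("administration", "data-center", "hr", "payroll", 443),
        "hr_payroll_from_school": Flow("school-endpoint", "data-center", "hr", "payroll", 443),
        "staff_payroll_from_admin": Flow("administration", "data-center", "staff", "payroll", 443),
        "teacher_assessment": Flow("school-endpoint", "data-center", "faculty", "assessment", 8443),
        "lab_to_lab": Flow("school-endpoint", "school-endpoint", "students", "smb", 445),
    }
    return {name: {"app_policy": evaluate(RULES, f),
                   "port_policy": port_based_allows(f, PORT_ALLOWLIST)}
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, result in run_demo().items():
        rule, action, decrypt = result["app_policy"]
        print(f"{name:26s} app-based: {action:5s} ({rule}{', decrypt' if decrypt else ''})"
              f"  port-based: {'allow' if result['port_policy'] else 'deny'}")
```

The first-match, deny-by-default engine models the principle the blueprint describes, not the behaviour of any particular appliance; the HR case mirrors the paper's example of an HR staffer who is denied payroll access when logging in from the school endpoint zone.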

Extending Coordinated Protection to Cloud Environments and Endpoints


To further improve security posture, IT and security teams should apply the principles of Zero Trust and virtual
segmentation to cloud environments and endpoints.

Private, Public and Hybrid Clouds


Many K-12 institutions are considering adopting public or private cloud architectures. Implementing virtualiza-
tion for existing applications within the data center not only reduces costs and improves security, it also provides
a foundation that simplifies future migration to a full cloud architecture.
Did you know? Palo Alto Networks Next-Generation Security Platform provides visibility and control over SaaS
applications in your network. Then, among your sanctioned SaaS applications, Palo Alto Networks Aperture provides
protection of your data in those SaaS environments, with complete visibility across user, folder and file activity
to prevent exposure.

While Zero Trust addresses the protection of both north-south (network segmentation) traffic entering and exiting
the data centers and east-west (VM segmentation) traffic between applications within those data centers as their
own segments, it is worth noting a few more considerations for these environments:
• Reliability: Consider active/active high availability for north-south boundary appliances to continuously
synchronize their configuration and session information, ensuring that performance does not degrade and no
traffic is lost in the event of a hardware failure.
• Orchestration and management: Use centralized man-
agement to ensure policies can keep pace with the rate
of change to your virtualized workloads. In VMware® NSX™ deployments, automate security appliance
provisioning through predefined APIs.
• Policy consistency: Centrally define and consistently apply policies to all devices to reduce complexity and
avoid gaps in threat protection. Use centralized management to serve as a single point of management for
all security appliances, both physical and virtual.
Extending Zero Trust to your SaaS environments is important to protect data from accidental disclosure and to
protect networks from threats originating in SaaS. Application visibility helps identify the SaaS applications on
your network. Then, with the proper tools, you can extend your security policies to SaaS applications.

Endpoints
K-12 education has a plethora of devices accessing the network – some managed by the school or district and
many that aren’t. An effective endpoint security strategy takes into account all endpoints, including virtual and
physical desktops, laptops5, virtual and physical servers – regardless of patch, signature or software-update
levels, or ownership. IT teams have a duty of care to prevent ransomware and other malware from affecting not
only school-owned devices, but also students’ devices.
For managed and owned computers and servers, IT should enforce the Zero Trust model, particularly on
laptops or those with unpatched or unpatchable systems that are no longer supported by their vendors, such as
Microsoft® Windows® XP.

5. Laptops can be especially at risk if users access a vulnerable public network, such as a Wi-Fi hot spot at a coffee shop. If a returning
user then connects an infected laptop with your school network, the risk of infecting other systems undetected increases significantly.

The main threats affecting managed endpoints include executable malware and exploits that target specific
application vulnerabilities. To protect against them:

1. Employ lightweight agents that continually monitor for exploit techniques and malicious executables.
All managed devices should be protected from exploits and malicious executables. Ideally, only devices
that have these protections should be able to access institution applications and data.

2. Apply policy-based restrictions to prevent the spread of threats. IT teams can easily set up policies
restricting specific scenarios, such as only running applications that have been signed or other policy
enforcement options. For example, you may want to prevent files in Outlook.tmp directories or on a USB
drive from executing directly.
To protect communications, mobile devices such as laptops, smartphones, and tablets should always connect to
the institution network via a VPN.
Endpoints not owned by your institution should be inherently untrusted. However, through user identification
and virtual segmentation, schools can still identify many of these devices, grant or deny them access to certain
applications, and monitor and prevent threats from spreading. For example, you may want to grant a teacher
using their laptop access to the zone that contains student assessment software. However, through usage
policies, you may want to prevent them from uploading executable files into the zone or using the upload option
of Dropbox to remove data from the zone.

Advanced and Zero-Day Attack Prevention


Advanced attacks and zero-day malware can strike swiftly, so discovery and remediation to repel attacks must
be equally swift. Automation is critical to immediately discovering and preventing zero-day threats and repelling
not only that attack, but subsequent similar attack attempts. Any unknown file attempting to enter a trusted
perimeter or network zone should be detonated within an advanced malware execution environment (sandbox)
for analysis. Once zero-day attacks are recognized and analyzed, only automatically generated and delivered
signatures are fast enough to ensure that zero-day attacks don’t get past next-generation security appliances.

Threat Correlation and Timely Reporting


Preventing threats from impacting school networks requires a coordinated view for IT, cybersecurity and intelli-
gence professionals. Yet any coordination that may exist today between endpoint, data center, networking and
security teams is typically manual. Emailing or calling another team to confer takes valuable time that attackers
use to exploit your network, which takes minutes6, or exfiltrate data, which takes days at most. The only way to
pre-emptively prevent threats is to automate collaboration, coordination and reporting across network, endpoint
and cloud, without relying on the human factor. Collaboration and coordination must extend to any potential attack
vector (URL, known and unknown threats) at any zone or location (network, endpoint, and cloud). Refer to the
Threat Intelligence and Correlation section for an overview of unique Palo Alto Networks capabilities in this area.

IV. SECURITY REFERENCE BLUEPRINT FOR K-12 IT


The key security principles outlined in this paper can be fully realized with the capabilities of the Palo Alto Networks
Next-Generation Security Platform, which can protect your organization from endpoint to network core to cloud,
and prevent threats from impacting availability, performance or your institution’s reputation. This section provides a
high-level reference blueprint for K-12 IT using the Next-Generation Security Platform.
While architecture decisions, including appropriate virtual segmentation, will be determined by your unique
network requirements, the example blueprint in Figure 2 shows a large school with its own connection to the
internet, its own data center and administrative offices.

Virtual Segmentation Within a School


In this example, a large school with its own data center is segmented into an administration zone, a school
endpoint zone, a data center zone, and a DMZ. While this architecture might not be representative of your
school or district, virtually segmenting these areas from one another is a security best practice. The data center
is in green, the endpoint zones are in blue or purple, the DMZ is black, and external networks (including other
schools) containing institutional data are in orange.

6. http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/

Figure 2: Security Reference Blueprint for K-12 IT (diagram). The diagram shows external student and staff access,
Software as a Service (SaaS) applications protected by Aperture, and a public cloud (VM-Series virtual
next-generation security appliance, GlobalProtect, Traps) reaching the school over the internet or a private
network and a site-to-site VPN. A DMZ with next-generation security appliances, a VPN gateway and URL Filtering
fronts the School Endpoint Zone (school-owned endpoints and BYOD endpoints, with GlobalProtect and Traps), the
Administration Zone (GlobalProtect, Traps) and the Data Center (private cloud, VM-Series, Panorama network
security management, enterprise directory), with WildFire providing cloud-based analysis. Figure notes: the
next-generation security platform can be deployed as physical or virtual devices; network zones limit traffic to
specific applications, users, sources and destinations, reduce risk level and compliance scope, and conserve
network bandwidth; role-based permissions are defined for students, faculty and staff.

Protecting each zone with the Next-Generation Security Platform offers several benefits. Beyond validating
appropriate applications and/or their intended users, the Next-Generation Security Platform scans all traffic
entering and exiting every zone to prevent data leakage and malicious payloads from spreading:

• WildFire™ cloud-based threat analysis service detects and then subsequently blocks zero-day threats by
automatically creating protections and distributing them in as little as five minutes to the Palo Alto Networks
platform and endpoints.

• Threat Prevention blocks malicious files with signatures for known threats.

• URL Filtering enforces internet surfing policies, prevents access to malicious websites and malicious URLs, and
shares newly discovered malicious domains and IP addresses as they are discovered.

DMZ
The DMZ is the primary internet-facing zone and contains a next-generation security appliance. External users can
access specific resources, such as the school or district website and possibly library services or course content
for remote learning, from the internet. Staff and valid third parties working remotely (such as contractors) can
also access internal systems via a VPN.

Figure 3: Segment your education network into zones (diagram). Zones shown: Data center zone (VM-Series, servers);
Administration zone (workstations and any servers at administration headquarters, i.e., HR, finance, student
records); School endpoint zone (school-owned laptops, workstations and mobile devices, as well as BYOD devices);
DMZ zone (DMZ servers).

School Endpoint Zone
The school endpoint zone is the main zone for the school. Anyone, whether staff, students, known third
parties or guests, can access the school endpoint zone using their own computers or mobile devices (laptops,
tablets and smartphones), or school-owned computers and mobile devices. This network should be considered
inherently insecure. Depending on the size of the school and the information contained in it, some schools may
want to subdivide this zone into a Wi-Fi zone (primarily for student and guest devices) and a LAN endpoint zone
(which school-owned lab computers, staff computers, printers, and smart boards connect to).
This should be the only zone students can connect to, so schools can use URL Filtering, application
identification, and user identification capabilities of the platform to enforce internet-usage policies or comply
with regulatory requirements. To keep students safe from inappropriate material, IT can block entire URL
categories, and implement granular web content filtering rules that can vary based on user group. For example,
some schools may grant different web surfing access to junior and senior school students, where senior students
have more freedom to access social media sites. Staff using their personal computers may have more freedom than
their students. IT teams can monitor web activity through the Application Control Center, view URL Filtering
reports, or generate group activity reports that help inform policy updates. A global URL Filtering database
synchronizes with WildFire and automatically generates protections every 15 minutes, which means that URL
categories, including malware and phishing, are always up to date.

Sidebar: Palo Alto Networks Traps advanced endpoint protection is designed to identify exploits as they attempt
to execute and block the execution of malicious code. Traditional antivirus software depends on malware
signatures, which may not always be up-to-date in the case of zero-day malware or exploits. Rather than run as a
separate process scanning for malware, the Traps agent automatically injects itself into each process as it is
started and monitors all application activity, looking for patterns of behavior that are unusual or that have
been seen with previously documented exploits. When it identifies such behavior, the agent will automatically
trigger and block the advanced attack that would otherwise evade detection.
In addition to establishing effective policies and segmenting the endpoint zone, schools can apply exploit and mal-
ware prevention solutions directly to school-owned endpoints. Protecting school-owned computers and servers
with Palo Alto Networks Traps™ advanced endpoint protection ensures that:

• Any exploits on vulnerable systems, regardless of patch status, are immediately thwarted. Traps automati-
cally prevents attacks by blocking exploit techniques, such as thread injection.

• Any malware is discovered and thwarted. When unknown .exe files are discovered, the Traps agent will
automatically query its local caches, and then if necessary WildFire to assess the file’s standing.

• Any applications or content disallowed by policy are blocked on the endpoint.

Palo Alto Networks GlobalProtect consists of three components:


GlobalProtect Gateway
Prevents mobile threats and policy enforcement based on applications, users, content, device and device state.
Extends a VPN tunnel to mobile devices with GlobalProtect application. Integrates with advanced malware
analysis environment to prevent new malware.
GlobalProtect Application
Manages device, provides device state information, like encryption status, and establishes secure connectivity.
Connects to the GlobalProtect Gateway to access applications and data in accordance to policy. Exchanges
device configuration and device state with the GlobalProtect Mobile Security Manager.
GlobalProtect Mobile Security Manager
Provides device management to configure the device. Uses advanced malware signatures to identify devices
with infected applications. Shares information about the device and device state with GlobalProtect Gateway
for enforcing security policies. Hosts an enterprise app store for managing business apps. Isolates business data
by controlling lateral data movement between business and personal apps.

IT teams can protect mobile devices (including laptops, tablets and smartphones) with Palo Alto Networks
GlobalProtect™ network security client for endpoints. GlobalProtect sends unidentified files coming to and
from the mobile device to the WildFire malware execution environment for static and dynamic analysis of
potential mobile threats. GlobalProtect supports two-factor authentication for even more protection for
mobile devices.

Administration Zone
Schools may want to create separate zones that specifically limit which users can access the zone. This
segmentation helps limit the zone of compliance for regulated information, such as personally identifiable
information (PII) or financial information. In this example, finance teams, student records administration, and
HR staff are segmented in their own zone, along with any servers and related applications not in the data
center. Only users in that zone can access applications in that zone. For example, if an HR staffer travels to a
school with their laptop and tries to log in to HR applications from the unsecured school endpoint zone, they
can be denied access.

Data Center Zone


As previously noted, Zero Trust principles segment both north-south traffic entering and exiting the data
centers, and east-west traffic between applications within those data centers. In addition to the north-south
and east-west protections, Palo Alto Networks Next-Generation Security Platform can address the reliability,
orchestration and management, and policy consistency that is necessary in these environments. For more
information, see Securing the Data Center, Public, and Private Clouds.
The data center zone isolates applications and data from users in the school endpoint zone, who must pass
through a next-generation security appliance located at the zone boundary. The Next-Generation Security
platform prevents unauthorized users from accessing the zone and blocks all traffic except for whitelisted
applications hosted in the data center, such as those handling student records data. Role-based access
control is driven by the user's security groups in the enterprise directory, which specify which applications
the user can access. Additional application-specific role-based permissions (e.g., HR administrator, IT
administrator) can be handled by the application itself.

Securing the Data Center, Public, and Private Clouds

Palo Alto Networks VM-Series virtualized platform extends the security of the on-premises school network
to public and private clouds. Palo Alto Networks virtualized platforms support the same security features
available with physical on-premises platforms, safely enabling applications flowing into and across your
private, public, and hybrid cloud computing environments. The virtualized platform protects AWS® and Microsoft
Azure® environments and private clouds from advanced cyberattacks while providing application-level control
between workloads, policy consistency from the network to the cloud, fast deployment, and dynamic security
policy updates as workloads change.
For orchestration, Palo Alto Networks offers an XML management API that enables external cloud orchestration
software to connect over an encrypted SSL/TLS link to manage and configure the Palo Alto Networks platform.
An exhaustive and fully documented REST-based API enables security administrators to view, set, and modify
configuration parameters as needed. You can define turnkey service templating for cloud orchestration
software, so that the security features within the Next-Generation Security Platform become part of the data
center workflow. Palo Alto Networks Panorama™ network security management can also centralize management to
ensure policies keep pace with the rate of change to your virtualized workloads. Automate platform
provisioning in VMware NSX deployments through predefined APIs.

The VM-Series supports VMware® ESXi™, NSX™ and vCloud® Air™, Amazon® Web Services, KVM/OpenStack® (open
source), and Citrix® Netscaler SDX™. For a complete list of private and public cloud security considerations,
refer to Security Considerations for Private vs. Public Clouds.

Did you know?
VMware and Palo Alto Networks have integrated security for software-defined networks that provides:
• Automated, transparent insertion of next-generation network security services in software-defined data centers.
• Complete next-generation security capabilities for all traffic within the data center.
• Dynamic security policies that understand the context of the virtual machines in the data center.
https://www.paloaltonetworks.com/partners/vmware.html
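The orchestration paragraph above describes the XML management API without showing what a call looks like. The following is an added example, not Palo Alto Networks code: it builds the three requests an orchestrator typically issues (obtain an API key with type=keygen, add a security rule with type=config action=set under the rulebase xpath, then type=commit) and parses the key out of the response envelope. The request forms and the single-vsys xpath are the documented XML API; the firewall hostname, rule contents and both sample responses are constructed. Nothing is sent: each function returns the URL and parameters so they can be handed to an HTTP client that verifies the firewall's certificate.

```python
"""Building PAN-OS XML API requests for orchestration.  Added example, not
Palo Alto Networks code: the request forms (type=keygen; type=config with an
xpath and element; type=commit) are the documented XML API, while the host,
rule content and the sample responses are constructed for illustration.
Nothing is sent: each function returns the URL and parameters so they can be
inspected or handed to an HTTP client that verifies the firewall's TLS cert."""
import xml.etree.ElementTree as ET

# Config-tree location of the security rulebase on a single-vsys firewall.
RULEBASE_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
                  "/vsys/entry[@name='vsys1']/rulebase/security/rules")

# Constructed responses in the XML API's envelope format.
SAMPLE_KEYGEN_OK = ('<response status="success"><result>'
                    '<key>EXAMPLE-API-KEY-0123</key></result></response>')
SAMPLE_KEYGEN_FAIL = ('<response status="error" code="403"><result>'
                      '<msg>Invalid credentials.</msg></result></response>')


def keygen_request(host, user, password):
    """type=keygen exchanges an admin's credentials for an API key.  Send the
    parameters as a POST body, not a GET query string, so the password stays
    out of URL logs on proxies and the firewall itself."""
    return f"https://{host}/api/", {"type": "keygen", "user": user, "password": password}


def parse_api_key(response_xml):
    """Pull the key out of the success envelope; fail loudly on anything else
    rather than continuing with an empty key."""
    root = ET.fromstring(response_xml)
    if root.tag != "response" or root.get("status") != "success":
        msg = root.findtext(".//msg") or "unknown error"
        raise RuntimeError(f"keygen failed: {msg}")
    key = root.findtext("./result/key")
    if not key:
        raise RuntimeError("keygen response carried no key")
    return key


def security_rule_element(name, from_zone, to_zone, apps, groups, action="allow"):
    """Serialise one security-rule <entry> in PAN-OS config XML, pinned to
    application-default service so each app may only use its standard ports."""
    entry = ET.Element("entry", name=name)

    def members(tag, values):
        node = ET.SubElement(entry, tag)
        for value in values:
            ET.SubElement(node, "member").text = value

    members("from", [from_zone])
    members("to", [to_zone])
    members("source", ["any"])
    members("destination", ["any"])
    members("source-user", groups)
    members("application", apps)
    members("service", ["application-default"])
    ET.SubElement(entry, "action").text = action
    return ET.tostring(entry, encoding="unicode")


def set_rule_request(host, api_key, rule_xml):
    """type=config action=set adds the element under the rulebase xpath in the
    candidate configuration; it takes effect only after a commit."""
    return f"https://{host}/api/", {"type": "config", "action": "set",
                                   "xpath": RULEBASE_XPATH,
                                   "element": rule_xml, "key": api_key}


def commit_request(host, api_key):
    """type=commit pushes the candidate configuration to the running config."""
    return f"https://{host}/api/", {"type": "commit", "cmd": "<commit></commit>",
                                   "key": api_key}


if __name__ == "__main__":
    key = parse_api_key(SAMPLE_KEYGEN_OK)
    rule = security_rule_element("hr-apps-from-admin", "admin", "datacenter",
                                 ["hr-portal"], ["HR-Staff"])
    for url, params in (set_rule_request("fw.example.school", key, rule),
                        commit_request("fw.example.school", key)):
        print(url, {k: v for k, v in params.items() if k != "key"})
```

Two operational points follow from the code. The API key is a credential for the admin account that generated it, so the orchestrator should use a dedicated account with a role limited to the rulebase it manages, and the key must be kept out of logs (the print above deliberately drops it). The orchestrator also has to verify the firewall's certificate rather than disable verification; an "encrypted SSL link" to an unauthenticated endpoint is exactly where configuration pushes get intercepted.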

Software as a Service (SaaS)
Data resident within enterprise-enabled SaaS applications is typically not visible to an organization, but can be
a source of malware and a popular vector for data exfiltration. Palo Alto Networks Aperture™ SaaS security
service connects directly to the most popular enterprise SaaS applications to provide data classification,
sharing/permission visibility, and threat detection. This allows IT teams to inspect content for data risk
violations and control access to shared data via a contextual policy. For example, schools can block known
and unknown malware that may be coming from files resident in the SaaS application. Aperture can also quickly
quarantine data if a policy violation occurs, such as an attempt to exfiltrate PII.

External Student, Staff, or Third-Party Access


Sometimes the weakest security link is the endpoint device, particularly if it is outside the campus network.
GlobalProtect extends both a VPN and granular security out to school-owned and third-party devices (computers,
tablets and smartphones) no matter where they travel. For example, students can access e-learning applications
from home. Remote devices keep the same security posture and access capabilities as inside the network
perimeter, helping schools apply their security regulations and policies even when users are remote.
Suspicious files and content are automatically sent to WildFire for analysis.

Threat Intelligence and Correlation


With new ransomware and millions of other potential threats a day, network and security teams need tools that
seamlessly work together to prevent quickly changing attacks and help separate truly dangerous or targeted
threats from more everyday ones. Palo Alto Networks platforms and subscriptions automatically work together,
so your IT and security teams can provide better security against threats with the same or fewer resources. The
platform automatically:
• Correlates and analyzes new threats from any vector.

• Creates new signatures to combat those threats.

• Reprograms security functions across the network with those new signatures.

• Makes available artifacts from any new threat for ongoing or later analysis.
You can customize appliance and management appliance views per administrator or department, allowing IT
and security teams to share views of alerts and other activities of interest across your network.
Palo Alto Networks also provides prioritized, actionable security intelligence on attacks that merit immediate
attention. AutoFocus™ contextual threat intelligence service organizes and presents the largest collection of
emerging malware data in the world. It builds on billions of threat artifacts from over 10,000 advanced malware
execution environment subscribers, and applies large-scale statistical analysis, human intelligence from the
Palo Alto Networks threat intelligence team, and tagged indicators from your organization and a global community
of cybersecurity experts also using the service. AutoFocus provides full context on attacks, such as who is
attacking, how they are attempting to compromise your network, and whether any indicators of compromise are
already present on the network.
Often, the same industry faces attacks by the same adversary. In K-12 institutions, where there is growing
interest in obtaining data for cybercriminal profit or sabotage, there is more reason to act swiftly. Palo Alto
Networks Threat Intelligence community cloud enables swift sharing of threat signatures so that all parties can
benefit from threats discovered across all organizations within your industry, while AutoFocus enables
organizations within the same industry to understand what others in that industry have seen.

Migrating to Palo Alto Networks Next-Generation Security Platform


When you are ready to realize the threat prevention benefits of Palo Alto Networks Next-Generation Security
Platform, the Palo Alto Networks Migration Tool makes it easy to migrate from IP/port-based firewall rules in
legacy firewalls7 to application-based rules in Palo Alto Networks platforms. As shown in Figure 1, Palo Alto
Networks Application Control Center offers valuable visibility into the applications on your network and how
often they are used. You can use this view to create application-based policies that meet the needs of your
institution, while making decisions on how best to reduce risk. We recommend using a phased approach via
documented change control. Successful deployments typically first perform a like-for-like migration of firewall
rules to the Palo Alto Networks platform. Then, after about 15 days, the deployment team uses the migration
tool to begin the iterative process of defining application-based policies to replace legacy port-based policies.
The last migration phase removes the port-based rules, and only the application-based policies remain.

7. The Palo Alto Networks Migration Tool is compatible with Juniper, Cisco, Check Point, Fortinet and McAfee configuration files.
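The migration paragraph above describes the iterative step from port-based to application-based rules but not what that step looks like on real data. The following is an added example, not the Palo Alto Networks Migration Tool: it takes one like-for-like imported rule (allow TCP/443 from the school zone to the data center), the sessions the firewall has since identified by App-ID on that rule, and proposes one application-based rule per application, flagging applications seen on a port that is not their standard one for human review. The legacy rule, the application names, the standard-port table and the traffic-log lines are all constructed.

```python
"""Deriving application-based rules from a legacy port-based rule and the
traffic the firewall has since identified by App-ID, the iterative step in the
migration described above.  Added example, not the Palo Alto Networks
Migration Tool: the legacy rule, the App-ID names, the standard-port table and
the log lines are constructed for illustration."""
from collections import Counter

# Constructed legacy rule: a like-for-like import that still allows all of
# TCP/443 from the school endpoint zone to the data center.
LEGACY_RULE = {"name": "allow-https-to-dc", "from": "school", "to": "datacenter",
               "proto": "tcp", "port": 443, "action": "allow"}

# Constructed traffic log: from_zone,to_zone,proto,port,app,user_group
TRAFFIC_LOG = """\
school,datacenter,tcp,443,lms,Students
school,datacenter,tcp,443,lms,Students
school,datacenter,tcp,443,lms,Staff
school,datacenter,tcp,443,ssl,Students
school,datacenter,tcp,443,student-records,Staff
school,datacenter,tcp,443,ssh,Students
school,datacenter,tcp,8080,web-browsing,Students
admin,datacenter,tcp,443,hr-portal,HR-Staff
"""

# Standard port per application (constructed).  An app seen on a port other
# than its standard one is what a port-based rule could never have shown you.
STANDARD_PORTS = {"lms": 443, "ssl": 443, "student-records": 443,
                  "hr-portal": 443, "ssh": 22, "web-browsing": 80}


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fz, tz, proto, port, app, group = line.split(",")
        rows.append({"from": fz, "to": tz, "proto": proto,
                     "port": int(port), "app": app, "group": group})
    return rows


def observed_apps(rule, rows):
    """Count (app, group) pairs on sessions the legacy rule would have allowed."""
    counts = Counter()
    for r in rows:
        if (r["from"], r["to"], r["proto"], r["port"]) == \
                (rule["from"], rule["to"], rule["proto"], rule["port"]):
            counts[(r["app"], r["group"])] += 1
    return counts


def propose_app_rules(rule, rows):
    """Return (proposals, review): one app-based rule per application that
    belongs on the opened port, and the apps found on a non-standard port,
    which need a human decision rather than an automatic allow."""
    groups_by_app = {}
    for (app, group), _ in observed_apps(rule, rows).items():
        groups_by_app.setdefault(app, set()).add(group)
    proposals, review = [], []
    for app, groups in sorted(groups_by_app.items()):
        if STANDARD_PORTS.get(app) != rule["port"]:
            review.append(app)
            continue
        proposals.append({"name": f"{rule['name']}-{app}", "from": rule["from"],
                          "to": rule["to"], "application": app,
                          "service": "application-default",
                          "source-user": sorted(groups), "action": "allow"})
    return proposals, review


if __name__ == "__main__":
    proposals, review = propose_app_rules(LEGACY_RULE, parse_log(TRAFFIC_LOG))
    for p in proposals:
        print("proposed:", p)
    print("needs review (non-standard port):", review)
```

Two results from the constructed log deserve the deployment team's attention before the port-based rule is removed. The ssh session on 443 is the kind of tunnelling the old rule silently permitted and is the reason for the review list rather than an automatic allow. The proposed rule for the generic "ssl" application is still nearly as broad as tcp/443 itself, because undecrypted TLS cannot be identified further; narrowing it means either decrypting that traffic or replacing "ssl" with the specific applications that remain once the known ones have been given their own rules.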

In future phases, the deployment team can work with network and security departments to take full advantage
of the Next-Generation Security Platform. The platform can identify unique network users by leveraging user
information from a wide range of identity and directory systems (for example, Active Directory®/LDAP, Microsoft
Exchange, Captive portal, and more) and limiting access to individual applications based on the desired criteria (for
example, Active Directory security groups, or location-based user IP address ranges).
K-12 education institutions are subject to government and industry regulations. For example, in the United States,
schools that want to access federal grants available to offset the cost of internet access or internal connections
must comply with the Children's Internet Protection Act (CIPA). Through granular web filtering and security policy
administration, the ability to monitor activity by user, application and user logs, and application visibility and
control, the Palo Alto Networks platform helps schools address CIPA and other children's protection initiatives.
Similarly, education institutions have used the Zero Trust approach and Palo Alto Networks platforms to support
compliance with health regulations (such as the U.S.-based HIPAA Security Rule) and the protection of personal
information (such as PIPEDA, the EU Data Protection Directive, or other country-specific regulations).
For more information on how Palo Alto Networks can help address CIPA compliance, please visit https://media.
paloaltonetworks.com/documents/CIPA_Compliance.pdf.

V. SUMMARY
Implementing effective security controls with a Zero Trust prevention focus helps K-12 institutions protect
themselves against cyberthreats and safeguard student and staff data. Palo Alto Networks Next-Generation Security
Platform provides K-12 institutions around the world with coordinated, highly effective, and easily administered
threat prevention, protecting sensitive data and supporting regulatory compliance while maintaining high network
performance.
To learn more, please visit https://www.paloaltonetworks.com/solutions/industries/education/education-lower.

4401 Great America Parkway
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our
trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned
herein may be trademarks of their respective companies.
K-12-security-blueprint-reference-wp-030317
