at a glance

INDUSTRY
Education

CHALLENGE
Gain more visibility and precise control to prevent phishing attacks and other sophisticated exploits that could disrupt digital learning platforms or exfiltrate private student or teacher information.

ANSWER
The Palo Alto Networks Security Operating Platform®, using threat intelligence to prevent successful cyberattacks on the school network and providing a platform for adopting a Zero Trust security posture.

SUBSCRIPTIONS
Threat Prevention, URL Filtering (PAN-DB), WildFire, GlobalProtect

APPLIANCES
PA-5250 (2), PA-5050 (2), PA-3050 (2), PA-3020 (4), PA-850 (2), PA-220 (15), PA-200 (36)

OUTCOMES

  • Automatically detects and thwarts malicious executables.
  • Blocks malicious links used in phishing attacks.
  • Standardizes rules and protocols to strengthen overall security.
  • Extends consistent security posture to all users, regardless of location.
  • Enables inspection of all traffic with SSL decryption.
  • Sets stage for adopting hybrid cloud and Zero Trust security posture.

Story Summary
Innovative charter school management organization Achievement First faced a surge of phishing attacks and other exploits that threatened to disrupt its digital learning platforms as well as put private student and staff information at risk. Working with its trusted local partner Digital Back Office, Achievement First retired its previous port-based firewall and adopted the Palo Alto Networks Security Operating Platform. The platform brought next-generation security capabilities and threat intelligence to automatically detect as well as block malicious network traffic without impeding everyday learning activity. Achievement First also gained direct visibility and precise control over its network traffic—which its prior security lacked—to apply consistent rules and protocols across its network. With the Security Operating Platform, Achievement First can support its long-range objectives, which include adopting a Zero Trust security posture with complete protection from the network core to endpoints and clouds.

Securing a Digital Learning Environment
Every child should have the opportunity to get a fulfilling and empowering education. It shouldn’t matter what ZIP code they’re from or how much money their parents make—children from all walks of life deserve a learning environment where they can thrive and succeed. That’s what Achievement First is all about. As Marques Stewart, senior director of network infrastructure, puts it: “We believe in helping all America’s children achieve the greatness they have inside them.”

What started in 1999 as a single school on a mission to eliminate gaps in academic performance due to limited access and opportunity—gaps often falling along lines of race and income— has grown into a network of 36 schools focused on fulfilling that same mission. The core is developing great teachers and equipping students with the tools and resources to perform at the highest levels. That means graduating students from high school, preparing them for success in college, and inspiring them to pursue fulfilling careers.

Technology plays a vital part in Achievement First’s innovative learning environment. Scholars, as the schools refer to their students, all have access to Google Chromebook® computers and a host of digital learning platforms that ascertain their individual achievement level and learning pace. For example, a third-grade scholar performing at a fourth-grade level will automatically be challenged with higher-level lessons and exercises. Analytics in the system can identify a scholar falling behind in one subject area or another and give him or her additional help as needed. The digital learning platform even responds to a scholar showing special interest or aptitude in a particular subject—for example, math, English, or science—and systematically feeds that scholar additional content and resources in that subject area to encourage more in-depth learning.

Digital learning environments, like the one Achievement First and its schools uses, are powerful tools for advancing educational objectives. However, they also open the door for malicious actors to exploit vulnerabilities, potentially disrupting the learning process—or worse, exfiltrating private information. According to Stewart, Achievement First has seen a surge of phishing attacks and other cyberthreats in recent years. Local IT partner Digital Back Office (DBO) had been managing a Cisco ASA firewall for the organization as a first line of defense against cyberattacks, but as threats were getting more and more sophisticated, network security required a next-generation approach. Moreover, Stewart wanted more hands-on visibility and granular control over security for his team. That’s when DBO presented the Security Operating Platform.

“We have a lot of trust in DBO,” says Stewart. “Those guys are rock solid. They not only understand where we are as an organization, but also that we want to grow to 50 schools by 2023, and are ready to partner with us to make that happen in a scalable, efficient, affordable model. When DBO showed us what Palo Alto Networks could do, we were convinced it would handle the kind of cyberattacks we were seeing and grow with us as our needs evolve.”

Threat Intelligence to Outsmart Bad Actors
DBO operates a PA-5050 Next-Generation Firewall for Achievement First, providing Stewart and his team with access to the firewall management plane for direct visibility and control. The Next-Generation Firewall is configured with Threat Prevention and URL Filtering as well as WildFire®, a malware prevention service that automatically identifies and thwarts malicious executables that enter through the network.

Stewart notes, “A lot of our malicious traffic comes via email and someone clicks on a link. Now they’re blocked from accessing the link because Palo Alto Networks has used threat intelligence to block that link in our environment.”

Having direct access to the Next-Generation Firewall with the ability to establish standard sets of rules based on App-ID™ and User-ID™ technology provides Stewart and his team with the control they want to make changes more quickly and efficiently. “Previously, if we wanted an external NAT [Network Address Translation] for one of our services, we had to coordinate with DBO. Now, we can create that NAT ourselves using a standard set of protocols. For example, if the only ports I want for that NAT are HTTP and HTTPS, we have a set group of protocols that I can just apply. It’s standardized, so I know the protocols are applied consistently. Since moving to Palo Alto Networks, we’re bringing much more consistency and standardization to our network, which reduces the chance for human error and makes our network more secure.”

Achievement First also uses GlobalProtect™ for network security on endpoints, extending the same level of security to mobile users to allow them to securely connect to the school network. These users are primarily members of the IT team but include a few others as well, such as the data analysis team.

“I appreciate the fact that, with GlobalProtect, anyone coming in remotely is passing through the same security as everyone else on our network,” Stewart remarks. “I also like that since GlobalProtect is connected to Active Directory, we can put people in groups, and if someone leaves the organization, we can just take them out of the group and they no longer have access. That’s a level of security we didn’t have before.”

One of the most valuable capabilities Achievement First relies on is SSL Decryption. With more and more traffic being encrypted, Stewart’s team needed a way to get inside that traffic and inspect for anything malicious. Stewart explains the motivation behind enabling SSL Decryption: “We were having a bandwidth problem a few years back, and we couldn’t tell if certain traffic was the cause because it was encrypted. Using SSL Decryption, we discovered it was Google traffic coming all at once from all our Chromebooks. Once we identified it, we were able to make changes and resolve the bandwidth issue.”

He adds, “SSL Decryption is really big for us because, now, we’re able to monitor all the traffic traversing our network and make sure it’s not malicious.”

Allowing Scholars and Teachers to Work in Peace
Looking to the future, Stewart foresees Achievement First moving more applications and services to a hybrid cloud model as well as adopting a Zero Trust security posture. “We’re focusing on securing our network now. But we need to get to the point where we’re securing the endpoint, access to SaaS applications like Office 365, and everything in between. So, we’re not trusting anything and only letting through what is secure and protected.”

Over time, Stewart anticipates leveraging other capabilities available of the Security Operating Platform to support his long-term vision. “I know there’s much more Palo Alto Networks can do that we’re not taking advantage of yet. We’re a relatively small operation and can’t use all the bells and whistles going in. But knowing that they’re there when we are ready is something I really appreciate in a vendor. It means we can put those additional capabilities on our roadmap and not be waiting for the vendor to catch up to our needs.”

Ultimately, Stewart undertakes security initiatives with Achievement First’s primary mission in mind. He concludes, “Everything comes back to providing an environment where our scholars and teachers can focus on learning. We don’t want them to have to think about IT, or worry that malicious software is getting on our network, or into their private information and playing havoc. We want them to be able to work in peace. Protecting them with the Palo Alto Networks platform is allowing that.”