Author Archives: John Krull

cloud enablement summary
AWS logo

As an AWS partner, Tech Reformers, strives to help organizations to innovate with the cloud. The goal is innovation while improving information technology (IT) in six areas: operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability, The 6 Pillars of the AWS Well-Architected Framework. The Cloud Enablement Engine (CEE) is a guiding process bringing together the business and technology teams and, in education, the instructional team. The goal is a digital transformation moving from an on-premises operating model to a Cloud Operating Model (COM) to achieve district goals.

Once dubbed a “Cloud Center of Excellence,” Philip Potloff, the Head of Enterprise Strategy at AWS, describes it in Challenging Conventional Wisdom About How to Build a Cloud Center of Excellence as

“a multi-disciplinary team that is assembled to implement the governance, best practices, training, and architecture needed for cloud adoption in a manner that provides repeatable patterns for the larger enterprise to follow.”

He cites research and experience that shows the best team is not a well-honed IT team, a successful project team, or an egalitarian mix of staff. Transformation enterprisewide is more likely when there is a mix of “A-team” players with success in IT and project management working with “new blood” that brings in a supply of new ideas relevant to the district.

The team must have top-down support from an influential executive sponsor. In school districts, this would be the superintendent or other cabinet leader. A key pattern for success is to have not just an executive sponsor but an Executive Cloud Steering Committee that includes senior executives that are not on the CEE. They serve as the North Star and ensure the CEE is in support of district strategy and goals.

The CEE is ready to go upon completion of the 5 kick-off activities:

  • Build the team
  • Train and coach
  • Pilot projects
  • Architect for the cloud
  • Operate in the cloud.

Build the Team

The initial team member may be the CIO, CTO, or director in IT with hands-on experience who knows the capabilities of AWS but also has the political capital to bring in business leaders aboard with the CEE. With other leaders on board, the goal is to build a ‘two-pizza” team, small enough to share a couple of pizzas. To start, less is more. Technology is the team focus initially. Some successful organizations have also had a larger cross-functional Cloud Steering Committee that ensures progress, removes roadblocks, and helps with decision-making that affects the organization.

Train and Coach

Initial members beyond the leader may include infrastructure, networking, and operations which will be cloud leaders. Core member training is the next step. Creating learning paths and training in cooperation with Human Resources creates a process for extending cloud adoption. The CCE team leverages the AWS Well-Architected framework and will become familiar with AWS reference architectures, AWS Quick Starts, and AWS Solutions. Successful CEE implementations include AWS training for the entire organization. At AWS, for example, every employee becomes a Certified Cloud Practioner. Districts could have a Cloud 101 that covers the core of transforming with the Cloud.

IT probably has an existing Project Management Office (PMO) or project management team. This team is critical to the success of the CEE. They are closely aligned with the business verticles and should be armed with agile project management skills. Now a Cloud PMO, the team can create a manifesto to guide decision-making for project onboarding, process changes, role definitions, organizational changes, cloud architecture, and cultural change. Communication skills are the key to bringing the organization along the cloud journey.

Pilot Projects

The CEE then develops pilot projects in a lab environment. It’s important to keep the sponsor and senior leadership engaged in the progress and aware of the pilot projects. What pilot may have an impact beyond the IT team? Identify pilots that could improve the business, have the potential to save money, would increase reliability, or can deliver on a business need.

Architect for the Cloud

Before going live with AWS, it’s important to architect the AWS environment for the enterprise. AWS must be integrated into the fabric of the technology environment. Plan on using Organizations or Control Tower. Build a multi-account architecture with unified security controls, centralized billing, and governance. Integrate with an existing Identity Provider like Active Directory to provide familiar login credentials and account management.

Operate in the Cloud

The Well-Architected pillar, Operational Excellence, focuses on people, not technology. The CEE should develop a Cloud Operating Model (COM). The COM may include infrastructure as code, code repositories and version control, monitoring, alerting, notifications and reporting, escalation policies, financial tracking and auditing, service deployment policies, and examination of opportunities for agile practices. This is important even if your district has few or no custom applications. The “Super Power” of the cloud is automation. So, even compute, storage, databases, and Commercial Off-The-Shelf Software (COTS Software) can all be deployed by code using, for example, Cloud Formation Templates and user data scripts.

With the 5 kick-off activities complete, the CEE moves into production and continuous improvement.

Cloud Enablement Engine summary graphic

Kickoff and Continuous Improvement

With guidance from the executive sponsor, steering committee, and stakeholders, the CEE delivers early value. Like the pilots, identify projects to improve the business to save money, to increase reliability, or to deliver on a business need. An IT focus with financial and reliability benefits might be to move from tape or local disk backup to backup to Amazon S3. A project for educators may be to deploy Amazon AppStream 2.0 to enable Career and Technical Education (CTE) students to use high-end applications on any device. Or is there an application from the AWS Marketplace that could fit the need for, say, HR?

Striving for continuous improvement builds on early successes. Perform AWS Well-Architected Reviews on the new workloads and on potential legacy data center workloads. This builds the capacity of the team while driving the CEE forward. Organization-wide improvement can be achieved by leveraging early adopters to help others. A Community of Practice identifies and shares best practices not just to IT but to business units and other stakeholders.

Cloud Adoption is a journey, and the Cloud Enablement Engine: A Practical Guide provides prescriptive guidance. Following the CEE will enable a district to transform and innovate with the cloud. Additionally, information technology (IT) will improve in six areas: operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability.

zero trust lock image
Zero Trust logo with lock (decorative)

There has been a lot of talk about Zero Trust, so let me try to give an overview. I’ll finish up with an example from iboss and a deep dive from AWS. First, think of it more as a methodology and not a new product category. It is a cybersecurity approach that has gained attention for its ability to prevent data breaches. It is not just for enterprise or commercial use. Educational institutions, both in K-12 and higher education, and the public sector find value in implementation as well. It’s built on the principle of “never trust, always verify” (NOT: trust, but verify). Zero Trust aims to protect digital environments by leveraging the cloud. It rethinks how we implement identity and access management and network security. Capabilities include inspection, network segmentation, preventing lateral movement, providing threat prevention, and simplifying granular user-access control.

Beginnings

It was also born out of the need to think beyond just protecting the perimeter with a firewall because trusting everyone inside the firewall was not working. Also, more resources are outside the firewall (i.e. in the cloud) and more users aren’t behind the firewall (i.e. at home or Starbucks). The approach uses information derived from Identity, Credential, and Access Management (ICAM) systems. ICAM consistently verifies all users, devices, applications, and data based on context and user activity. Have you had a website that you use a lot reverify you because you’re not in your usual place? That’s Zero Trust at work.

“Zero trust is a way of thinking, not a specific technology or architecture,” says Gartner Distinguished VP Analyst Neil MacDonald. “It’s really about zero implicit trust, as that’s what we want to get rid of.”

Gartner

ZTNA

Zero Trust Network Access (ZTNA) extends this strategy. ZTNA provides remote access to applications and services based on defined access control policies. Policies combine role-based, granular, encrypted access controls with post-connect threat monitoring. It involves micro-segmentation of the network (micro perimeters).

Existing infrastructure and technology work for Zero Trust. There are no specific products! Rather it’s an integral part of a complete modern cybersecurity architecture. The approach enables complete end-to-end visibility and rich policy-based controls to mitigate even the most sophisticated threats.

Zero Trust Principles from Gartner: Verify explicitly, Use least privileged access, and Assume Breach
Zero Trust Principles from Gartner

Don’t Do It Yourself

Leading solution providers now incorporate the tenets of ZTNA. Comprehensive, end-to-end platform architectures to address even more use cases come from a single vendor or a mix of “best of breed” suppliers. This approach offers educational institutions and the public sector several advantages. Context-based access encompasses all users, all devices, all applications, and all workloads. Zero Trust provides uncompromising security by continuously examining all content to prevent both known and unknown malicious activity in real-time.

Furthermore, it enables global and consistent access security everywhere, regardless of the location of a user, device, or application. This is best achieved through physical, virtual, and cloud-native firewalls that leverage artificial intelligence and machine learning to enable context-based access on-premises, in the cloud, in remote work environments, or across campuses. Simply put, all traffic, whether to or from campus, the office, home, or, say, a cafe, goes through a cloud firewall and a series of checks.

Example: iboss Secure Access Service Edge (SASE)

The iboss Zero Trust SASE allows all protected resources within an organization to be labeled and categorized, including Security Objectives and Impact Levels. This provides organizations with a clear understanding of where sensitive applications and data reside while providing insight into what users and assets are interacting with those protected resources. The iboss Service follows the NIST Risk Management Framework (RMF) and implements tenets from the NIST 800-207 Zero Trust Architecture Special Publication.

iboss zero trust edge diagram with network connections going through the iboss cloud.

Components

cloud icon

Overall, Zero Trust represents a convergence of secure network transport with a cloud-native security stack that includes components such as ZTNA, Secure Access Service Edge (SASE), Cloud Access Security Broker (CASB), Secure Web Gateway, Firewall-as-a-Service), Software-Defined Wide Area Network (SD-WAN), and micro-segmentation. But don’t think of it as a “rip and replace“, but an additive approach to what you’re already doing.

Deep Dive: What is Zero Trust on AWS

AWS describes Zero Trust as a security model that emphasizes strong identity verification and authorization rules before granting access to data, applications, and systems.

AWS definition of Zero Trust
AWS definition of Zero Trust

Zero Trust is not solely based on network location and operates within highly flexible identity-aware networks, which reduce surface area and eliminate unneeded pathways to data. AWS provides several identity and networking services that can be used as building blocks for implementing Zero Trust. To move towards Zero Trust, AWS says, evaluate the workload portfolio and apply Zero Trust concepts, such as rethinking identity, authentication, and context indicators.

AWS, itself, implements Zero Trust in interesting ways. When using the console every API (application programming interface) call is authenticated. Also, when using services in an account, the services do not automatically have access to other services. You must set up a role that is authenticated when that service is instantiated and every call it maqkes. Security Groups and Network Access Control Lists are another way AWS implements Zero Trust. They can limit traffic north-south and east-west. Remember, Zero Trust is a process and architecture, not a product.

To dive deeply read Zero Trust architectures: An AWS perspective and watch the re:Invent session Zero Trust: Enough talk, let’s build better security.

video thumbnail for AWS re:Invent talk "Zero Trust: Enough talk, let's build better security"
https://www.youtube.com/watch?v=751NZpS6s78

By adopting a Zero Trust approach, educational institutions and the public sector can strengthen their cybersecurity posture and better protect themselves against the ever-evolving threat landscape. Tech Reformers is a consultancy focused on education and the public sector that can help assess your needs.

Download image for NIST zero trust

Download the full NIST publication on Zero Trust

Tech Reformers K-12 Digital Transformation

Organizations want to spend money wisely, whether private sector, non-profit, government, or a school district. Superintendents and CFO’s strive for effective use of capital and operational cost savings. Operations leaders want the agility to meet the immediate needs of the district. CTO’s want a secure and resilient infrastructure that allows for innovation. And all school district leaders pursue equity to meet the needs of each student. What makes this all possible today? The cloud or “cloud computing.” The public cloud powers digital transformation that is impossible or impractical in traditional data center infrastructure that, today, still many districts operate.

EdTech companies have leveraged the public cloud for years. But, districts themselves have lagged. We’ll look at what the cloud is and how districts can leverage the advantages of the public cloud.

Google Apps

2006 GAFE logo. Early K-12 cloud.
2006 “GAFE” logo

The cloud in K-12 began with Software as a Service (or SaaS). Third parties started to offer software on their cloud. In 2006, Google began to provide Google Apps and, from the beginning, it was free to schools. I had recently started at Envision Schools, a public charter school in the Bay Area. Google Apps appeared to be great for our students and staff. Our Microsoft Exchange server was a lot of overhead for our small organization. Consequently, I rolled it out Google Apps that summer for the start of the next school year. Most school districts have adopted Google (See below). So, today, couldn’t it be similarly said that much of the legacy data center infrastructure is overhead?

Google’s then vice president and general manager for enterprise, ironically a former colleague, outlined the benefits for customers.

“Organizations can let Google be the experts in delivering high-quality email, messaging, and other web-based services while they focus on the needs of their users and their day-to-day business.”

(2006 Google Press Release)

As they say, the rest is history. Today, Google Workspace, née Google Apps, controls over 80% of the EdTech Apps in the Education market and has 8 of the top 10 apps as measured by Learn Platform.

Chromebooks

Google was able to start a revolution in K-12 by offering its services on the cloud. The cloud provided simplicity, scalability, cost savings, agility, redundancy, and security that both Google and school districts needed. When Google added the Chromebook several years later, again, it leveraged the cloud. Management and storage leveraged the cloud while eliminating software on the device, so the browser did all the work. In 2013-2014, when I was Oakland Unified School District, we rolled out Google Chromebooks. Students and staff embraced Personalized Learning and equitable access (and a platform for online testing, not so much). At the time, Miquel Helft outlined the “The Dawn of the Chrome Age” in Fortune Magazine on April 10, 2014.

Today, almost every EdTech app runs in the cloud, also called Infrastructure as a Service (IaaS). Most are on Amazon Web Services (AWS). As Bill Maher says, “I don’t know for sure, but I know it’s true.” EdTech companies choose the public cloud, AWS, Microsoft Azure, or Google Cloud Platform (GCP) because of the growing capabilities the cloud brings. Let’s look at some of the attractive features of the public cloud. And why IaaS is becoming the infrastructure of choice for most use cases universally.

Use of Capital

Use capital or operating funds? Picture of currency bills to spend on cloud.
Use capital or operating funds?

One of the first considerations is the use of capital. In the old days, organizations invested in expensive hardware just to get started. This would include servers, network hardware, cabling, data centers, cooling, electrical upgrades, real estate, and a long-term internet contract. Organizations also had to guess their need and often over-provisioned to not be caught under-resourced. All of this was a considerable capital expense that only well-funded or highly taxed organizations could afford. School districts were faced with large bond measures or capital levies just to leverage the internet. These cost then repeat themselves.

Today, with the cloud, organizations need less capital investment. Expenses move from capital to operating expenses. Organizations can start up in the cloud at no cost. AWS, Microsoft Azure, and Google Cloud Platform (GCP) offer a free tier! You can then scale as applications and users come on board. Entrepreneurs with a good idea can start by simply building out what is needed with some or all services free. Any school district can cut down on upfront purchases. There is no need with the public cloud for large capital purchases of hardware. So the first advantage of the cloud is moving significant capital expenses to more nominal operating costs. If a district wants to use its capital funds, spend less upfront!

AWS analysis of School IT use graphics showing varying use of resources and the static tradition IT resourcing. Cloud allow for agility.
AWS analysis of School IT use

Agility and Scalability

The second advantage, related to the first, is agility and scalability. As I said, the cloud enables districts to start small, yet it allows them to be agile. IT can scale up (bigger, more powerful servers) or scale-out (more servers) as needed and when needed. The actual need determines whether to go quickly or slowly. In the cloud, servers can even be set to auto-scale. Hence, resources automatically expand when needed and, notably, scale down to save costs when the resources are no longer required.

Cost Savings

This leads to the third advantage, related to the first two, bottom-line cost savings. Traditionally organizations have had to over-provision for their busiest time. Imagine the early days of Amazon where they needed enough capacity for the Holiday shopping season. But servers sat idle the rest of the year. (That extra capacity is what gave them the idea to rent out their excess capacity and why we have AWS.). Now there is no need with the cloud to buy extra capacity for busy times or “just in case.”

Similarly, the cloud enables users to turn off and not pay for resources that are not needed. For example, organizations turn off servers at night when they are only used during business hours. Or IT can only start development (Dev) or testing (Test) servers when required. In the old days, organizations would purchase complete environments for Dev and Test and run 24×7 with requisite space, electricity, and cooling. The public cloud does not charge for servers that are not running. The cloud enables considerable cost savings when school districts manage their workloads and only pay when used.

Facility Costs and “Going Green”

Another area for cost savings that school districts often overlook is the facility costs. Often these costs are incurred not by IT, but a separate Facilities or “Buildings and Grounds” department. These costs include real estate, building space, electricity, fire suppression, cooling, and generators. These are all costs built into cloud services and are areas for savings for school districts. Cloud providers are experts in these areas, have huge economies of scale, and build the best, most cost-efficient infrastructure. AWS, for instance, describes its green initiative.

“AWS has a long-term commitment to use 100% renewable energy. When companies move to the AWS Cloud from on-premises infrastructure, they typically reduce carbon emissions by 88% because our data centers can offer environmental economies of scale. Organizations generally use 77% fewer servers, 84% less power, and tap into a 28% cleaner mix of solar and wind power in the AWS Cloud versus their own data centers.

GREENER IN THE AWS CLOUD

Why should districts try to build data centers and pursue green initiatives when the cloud can efficiently and environmentally be the data center? Then push the local utilities to offer green power for the rest. Some are close like Seattle with 97% renewable energy.

Resiliency and Security

Outsource physical security? picture of silhouette photo of person holding door knob
Outsource physical security?

While districts eliminate significant capital investments, save money, and improve agility, they also strengthen resiliency and security, our fourth advantage. The public IaaS providers, AWS, Azure, and GCP, protect the security of the cloud. They provide physical security and resiliency/redundancy of the data centers. Availability zones (AZ’s or groups of data centers) and regions (geographically isolated areas with AZ’s) compound resiliency and redundancy.

I have some district data center memories. I remember when I was at Fremont Unified, and a water pipe broke. So we had water flowing under our district office data center! At Oakland Unified, the data center overheated, setting off alarms late at night. When I went in, scaffolding fell and barricaded me in the 110-degree room. At Seattle Public Schools, the Facilities department turned off electricity to the data center over a weekend, and the generator failed to kick in. Infrastructure as a Service, the cloud, will let districts avoid these war stories.

The public cloud also excels at backup and disaster recovery. Besides the ability to replicate over AZ’s and regions, the cloud has built-in backup, replication, serverless architecture, and security services that further improve resiliency and security. Many of these are at no additional cost.

Simply by using public cloud resources, districts get world-class security and resiliency unfeasible for most to build and staff on their own. Reducing risk is a significant advantage for K-12 leaders.

Be Wary of Misconfiguration Anywhere there is Data

Yet, despite cloud advantages, organizations must still provide security in the cloud. District IT engineers and administrators must configure and administer applications correctly. IT must secure access and networks. Like traditional data centers, stakeholders must govern access.

Misconfiguration is, by far, the biggest reason for public cloud data breaches per the Cloud Security Alliance. But, districts can improve their security and resiliency with diligent engineering and administration. The public cloud also offers excellent tools for security, access, and logging. Districts now can free up IT staff from running physical servers and data centers allowing them to concentrate on security and resiliency “in the cloud” along with innovation to pursue district goals.

person using laptop computer during daytime

These first four advantages of cloud computing, the wise use of capital, agility, cost savings, and improved security and resiliency, are enough for many to move to the cloud. But the first four are merely operational and tangible improvements that don’t capture some of the long-term value of cloud transformation. We will wrap up with advantages that produce better outcomes for district leaders, teachers, and students.

Innovation

The fifth advantage is innovation. The cloud offers many avenues for districts to improve efficiency, one area for innovation. Many districts see the efficiency advantages in their SaaS applications. Email has become more reliable. Saving documents on the cloud enables files to be available across devices. New applications are easy to find, adopt, and use, thanks to SaaS cloud applications. But Infrastructure as a Service, IaaS, has its own advantages. Districts can adopt cloud-enabled business process automation and “going paperless” in ways more potent than district data centers offer. The cloud can tap into Artificial Intelligence (AI), unavailable in data centers. Machine Learning (ML) takes process automation and digitization to new levels. Now districts can do not only complex text and image recognition but also video and language processing.

Similarly, AI and ML can help with student data. Seattle Public Schools envisioned a system on the AWS Cloud as part of the City on a Cloud Innovation Challenge. Advanced data services, such as predictive analytics was not possible with their on-premises infrastructure.

Equity

What the big companies might not think about when it comes to the cloud is equity. But the cloud can enable just that. As explained above, advanced data analytics, Artificial Intelligence, and Machine Learning can bring new insights to data. Heretofore, educators think of metrics then plot data against a known metric. But what if AI could surface causality from disparate data points unimagined by educators or traditional data systems? New insights enabled by the cloud could bring avenues to closing opportunity gaps. Cloud data capabilities can help ensure educators meet the needs of each individual student.

Remember the Chromebook, part of the cloud revolution in education? Chromebooks had 60% of the Education marketing in 2018. But, the demand exploded with the pandemic, and 30 million Chromebooks shipped in 2020. While we wait for the actual estimate of the percentage of Chromebooks in schools in 2021-2022, we need to address an equity gap. “What?” you say, “Haven’t Chromebooks improved equity by providing equitable access to devices?” True. Low-cost, web-only computers expand the breadth of distribution, closing the so-called homework gap. However, there’s now a gap between those with powerful full-featured multimedia workstations at home and those with just a district-issued Chromebook.

Cloud Brings Equity

While some students go home with just a Chromebook, others eschew the simple laptop and log into their desktop. A powerful processor and graphics card enables them to go deeper into programs introduced at school in CTE, graphics, multimedia, computer science, and other classes. Programs such as Adobe Photoshop, Adobe Premiere, Autodesk, Blender, and Visual Studio need a standard Windows or Mac computer. Or these privileged students may do competitive gaming, now an avenue to a college scholarship. Students with just Chromebooks are missing out again on opportunities.

But wait. With the cloud, Infrastructure as a Service – IaaS, that opportunity gap disappears. A Chromebook or any home computer with an internet connection can tap into all the powerful applications streaming from powerful computers in the cloud. Fife School District deployed AWS Workspaces and AppStream 2.0 to “make students innovators 24-hours a day,” and it “fills a void in equity in education.” Tech Reformers offers a streaming service for apps on a per-student subscription basis.

Districts Should Pursue Cloud Further

Like Google Apps and the Chromebook, the cloud is offering new opportunities for districts. CFO’s should be looking for wise use of capital and money savings. CTO’s should be gaining agility and scalability to efficiently meet district goals while improving security and resistance to lower district risk. All district leaders should recognize opportunities for innovation and equity with new data capabilities and resources only available in the cloud. It’s time to get on board with the cloud revolution.

Tasha Penwell image

We want to welcome and congratulate Tasha Penwell for recently earning her AWS Authorized Instructor (AAI) Certification. The AAI Program is a global program that supports instructors authorized to deliver the AWS curriculum. 

Who is Tasha Penwell?

Tasha Penwell is one of the newest Tech Reformers instructors and brings with her several years of experience as an educator. Tasha brings to Tech Reformers over 8 years of experience as a higher ed instructors teaching classes ranging from web development, data analytics, and cloud computing. She lives in Southeast Ohio with her husband and son. She loves to travel and hosts computer science workshops at her local high schools to introduce exciting new concepts such as augmented reality, AI/ML, and NLP (natural language processing). Her experience was made evident in her feedback from AWS after the three-day process which tested not only her knowledge of AWS services but also her skills as an educator. 

The feedback Tasha received showed her background as an educator and her use of tools such as Figma to help build visuals and to provide communication and explanation on specific AWS services such as the global infrastructure that supports AWS to specific services such as DynamoDB, API Gateway, and Lambda

Tasha was also recognized for her ability to go the extra mile to follow up with learners who had questions that were not answered or explained fully during her 20-minute presentations. She went above and beyond by providing not only supplemental links but using Loom to record her review of the links and resources she shared to ensure that the learners had the information they needed.

Additional Facts about Tasha Penwell

  • Led the creation of one of the first AWS Academies in the state of Ohio
  • Inaugural AWS Educate Cloud Ambassador
  • She’s a frequent blogger for us sharing great resources and tips
  • She is an Associate Solutions Architect
  • Her areas of interest are cloud security, AI/ML, and augmented reality
  • She is a Snapchat Lens developer and is presenting at Stir Trek in May

You can find one of Tasha’s recent articles about AWS Educate and other services below. If you haven’t checked out AWS Educate yet, we’d highly recommend checking those out. If you have questions about AWS Educate or her Computer Science Workshops, you can email her at tasha@techreformers.com.

Tasha will be teaching virtual classes in July 2023. Sign up here to receive an email and register for her next class!

Recently K12 Security Information Exchange (K12 Six) released its annual State of K-12 Cybersecurity, Year in Review. K12 Six has been tracking cybersecurity incidents in K-12 for several years and has been attracting a following among school district Information Technology (IT) leaders. They are perhaps best known for their heat map which is a visualization of publicly disclosed school cyber incidents from 2016 to now. Besides the map and this research, they are an information exchange where IT leaders can learn from each other, leaders in the cybersecurity field, and cybersecurity vendors.

cover of The State of K-12 Cybersecurity: Year in Review
2022 Annual Report that show cyber incidents in K-12

The definitive annual report series on cyber incidents affecting U.S. public elementary and secondary (K12) education institutions. Based on a data source that the U.S. Government Accountability Office (GAO) found to be the “most complete resource that tracks K-12 cybersecurity incidents, including student data breaches.”

U.S. Government Accountability Office (GAO)
Number of Publicly-Dislclosed K-12 Cyber Incidents by Incident Type 2016-2021. Data steadily rising for data breach, ransomware, BEC, DDOS, Invasion, and other to total about 1300 cybersecurity incidents.
K12 Six The State of K-12 Cybersecurity 2022 Annual Report

The report itself tells us what we already know: there is a growing number of cybersecurity incidents in school districts. But, it provides specific numbers, categories, and examples that drive home the problem. Note that K12 Six reports that the reporting is not what it should be. Based on anecdotal evidence, incidents occurred perhaps 10 to 20 times more often than reported.

2021 was Unique

2021 had some unique variables that may have caused the increase. With the pandemic and remote learning, a new cyber incident became evident. Dubbed “zoombombing” or class invasion, these incidents rocked the virtual classrooms of the United States. Vendors and users implemented technical and operational controls respectively to blunt this threat. Luckily, learning from mistakes and the return to the classroom should diminish this threat.

Also, 2021 became the year school districts became more aware of the need for and requirements of cyber insurance. While many school districts had insurance, they did not meet the stricter requirements of their insurer. Insurance companies got slammed over the previous years with the rise of ransomware, and now were enforcing a set of requirements on districts to keep their policies in force. With both the increased media attention to cyber incidents and the new insurance requirements, district leaders and board members, not just IT or Risk Management, began to focus on cybersecurity. So 2021 wasn’t all bad!

Ransomware – #1 Cyber Incident

Of all the cybersecurity incidents, the top incidents were ransomware, data breaches, and class meeting invasions. Ransomware, for the first time, is the top threat. In 2021 62 K-12 districts across 24 different states reported ransomware cybersecurity incidents. 2021 was the third year with over 50 incidents. Unlike a data breach, ransomware often results in class cancellations, school closures, and a breakdown of district core operations.

The Baltimore Sun headline:
Ransomware attack cripples Baltimore County Public Schools. No timeline for return to class.
The Baltimore Sun headline

The report outlines striking examples that include Baltimore County (MD) Public Schools where the cost of ongoing recovery from a Ryuk ransomware attack grew to nearly $9.7 million dollars and closed school for days and limped back for weeks.

The Buffalo News headline
The Editorial Board: Ransomware attack on Buffalo schools show again the need for strong security.
The Buffalo News headline

Similarly, the Buffalo School Board approved spending nearly $9.4 million on IT consultants to respond to a ransomware attack in March 2021.


Data Breaches

Initiator of K-12 Data Breach/Leak Cyber Incidents: 2016-2021
K-12 Vendor 55%
Other / Undisclosed 24%
Staff 14%
Students 7%
K12 Six The State of K-12 Cybersecurity 2022 Annual Report

The most significant vector for student and teacher data breaches, the loss of personally identifiable information (PII), remains school district vendors and other trusted non-profit and government partners, not the districts themselves. An exception to the Family Educational Rights and Privacy Act, or FERPA, allows districts to transfer the role of a so-called “school official” allowing a district to share educational records with third parties as part of outsourcing service that it lacks the capacity to perform itself. Although allowed, districts must vet these 3rd party vendors from the large Software as a Service (SaaS) ubiquitous in Student Information Systems (SIS) and Learning Managementment Systems (LMS) to the smallest EdTech vendors.

Another significant source of K-12 data breaches is school district staff and school board members,
who inadvertently share the PII of students and/or staff in the course of their duties. Two common examples are losing an unencrypted district device or emailing a spreadsheet of data.

The other K-12 cyber incident types disclosed during 2021 as reported by K12 Six include:

  • Business Email Compromise (BEC) where district emails are spoofed or stolen to fraudulently request gift cards, W-2s, and invoice payments;
  • Class Invasions where malicious actors gain access to classes or meetings;
  • Email invasion where the district email system is breached for spamming;
  • Website and social media access where lack of controls leads to defacement or worse by a 3rd party;
  • Denial of Service (DOS) attacks to bring down systems and testing periods.

Responsibility for Cyber Incidents

The research shows where most of the incidents are occurring. Incidents per 100,000 students, which compensates for the size of the district, show that the states of Montana, North Dakota, Connecticut, Maine, and Hawaii have more than their expected share of K-12 cybersecurity issues. Larger school districts and wealthier ones appear to be at a greater risk of cybersecurity incidents than small school districts and lower-income districts. This may be because cybercriminals are targeting districts with more money and the ability to pay a ransom.

So who is responsible and why do these incidents keep occurring? K12 Six found 4 groups.

  • Teachers, administrators, and board members who have a lack of training
  • Tech-savvy students who are not monitored
  • Suppliers and vendors who are not properly vetted
  • Cybercriminals (of course) who realize that school systems are “soft targets”

Key Finding

There is a lot of great information in the K12 Six report that is backed up by well-researched data. While they come up with several conclusions, there is one main point that comes from the data. K-12 school districts need to implement commonsense cybersecurity controls and practices. As a district leader, you do not want to risk the money, lose productivity and class time, or get on the K12 Six K-12 Cyber Incident Map. Read the full report here: The State of K-12 Cybersecurity Report Series — K12 SIX.

Next Steps

Tech Reformes is hosting a webinar, The Ransomware Hostage Rescue Checklist: Your Step-by-Step Guide to Preventing and Surviving a Ransomware Attack. In this webinar Roger A. Grimes, KnowBe4‘s Data-Driven Defense Evangelist and security expert with over 30-years of experience will take you step-by-step through best practices for preventing ransomware attacks and a post-attack response plan. Join us May 11, 2022 11:00 am PDT, 2:00pm EDT. Don’t be a victim of the #1 cybersecurity threat in K-12.

New Webinar
The Ransomware Hostage Rescue Checklist:
Your step-by-step guide to preventing and surviving a ransomware attack. Avoid cyber incidents!

The Russian invasion of Ukraine increases the risk of wiper malware spilling over to the US and our education infrastructure. You may remember NotPetya, which caused billions of dollars of downtime damage. The Wall Street Journal (WSJ) reports that Symantec observed wiper malware was put in motion just hours before Russian tanks arrived in Ukraine.

WSJ Reports

The WSJ said: “The wiper malware—this version is being called HermeticWiper by researchers—could mark an escalation in cyberattacks against various Ukrainian targets, security experts said. Websites of government agencies and banks were disrupted on Wednesday, and on Thursday, that of the Kyiv Post, an English-language newspaper.”

“On Wednesday, Slovakia-based cyber firm ESET said it also detected the wiper strain on hundreds of machines in Ukraine, adding that timestamps indicated the malware had been created nearly two months ago in preparation for deployment.”

The WSJ noted that “On Thursday morning, CISA Director Jen Easterly tweeted a Wired magazine article on the 2017 NotPetya hack, which emanated from a Ukrainian accounting firm and caused billions in lost sales and other damage to businesses including FedEx Corp. and Merck & Co. Inc.”

“While there are no specific threats to the U.S. at this time, all organizations (including school districts) must be prepared for cyberattacks, whether targeted or not,” Ms. Easterly wrote.

Recommendations

So, Tech Reformers strongly recommends to:

  • Make sure your backups work and test your restore function, not for just files but whole servers
  • Patch all known vulnerabilities and test the patches
  • Deploy strong MFA to as many employees as possible (some MFA can be easily circumvented).
  • Step all employees through at least a 15-minute security awareness training module to keep them on their toes with security top of mind.

Also, warn your staff: cybercriminals will start new, devious charity campaigns that claim to help people in Ukraine. Be prepared for the wiper malware.

Cybercrime has become an arms race where cybercriminals constantly evolve their attacks. You, the vigilant school district IT pro, must diligently expand your knowledge to prevent intrusions. This includes protecting the district network and your cloud (your SaaS and Infrastructure providers). Staying a step ahead may even involve becoming your own cybersecurity investigator. Learn to forensically examine actual phishing emails. Determine the who, the where, and the how to adjust your defenses.

In an on-demand webinar, Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, hosts. He shows you how to become a digital investigator to fight cybercrime.

Roger Grimes, Cybersecurity and cybercrime expert at KnowBe4

You will learn:

  • How to forensically examine phishing emails and identify other types of social engineering
  • What forensic tools and techniques you can use right now
  • How to investigate rogue smishing, vishing, and social media phishes
  • How to enable your users to spot suspicious emails sent to your organization

Register for an on-demand webinar sponsored by Tech Reformers. No waiting. So, get inside the mind of the cybercriminal. Learn their techniques, and how to spot phishing attempts and improve district cybersecurity.

project tomorrow logo

Late in 2021, Project Tomorrow released a report, 2021 Project Tomorrow – iboss National K-12 Education Cybersecurity Research Study. Project Tomorrow is a nonprofit whose mission is to support the effective implementation of research-based learning experiences for K-12. This research points to how security and the cloud can shape student learning.

Researchers interviewed nearly 600 district administrators and technology leaders from a cross-section of school districts across the country. The results call for a national response for greater awareness and actions in K-12 cybersecurity. Most importantly, research showed that security is not the job of just the technology department. We need greater awareness. And, particularly, all district personnel, students, and families must act.

There has indeed been negative press on the effects of remote learning. Nevertheless, the pandemic looks like it cemented districts’ commitment to devices, digital resources, and internet connectivity. With this increased usage, the vulnerabilities of school districts have increased. We all hear the reports of ransomware, hacking, data breaches, and other cybersecurity incidents. They have hit school districts with increasing regularity.

The report findings do not reveal technical specifics for protection. Results offer areas of misalignment that need to change. Three key areas surfaced.

  • An effective cybersecurity plan must have shared responsibility across the district.
  • District leaders must reassess the approach to the management of technology.
  • Funding must increase for cybersecurity for both readiness and mitigation efforts.

Share Responsibility for Cybersecurity

The readiness of District Leadership to implement effective methods for protection or response to a ransomware attack or hack to district systems depends first upon the Superintendent. And his or her cabinet must have an understanding of their district’s vulnerabilities and response planning. Unfortunately, the study shows that there is a mismatch in the commitment across leadership.

Chart of Cloud adoption
Perceived use of Cloud

The pandemic showed that district staff needed to adjust their jobs to meet the needs of the moment. This change, or transformation, must continue. Tech staff may need to learn more about cybersecurity and the cloud and less about servers and copy machines. Teachers may need to address digital citizenship and online safety more actively.

Reassess Needs to Focus on the Cloud

Software as a Service (SaaS) and cloud are widespread even before the pandemic. That’s only increasing. But Leaders need to ensure training on new technologies. Staff now should spend less time running a data center rather than running cloud applications. Staff to focus on this new landscape. Time is needed for practices and procedures to evolve. Vet SaaS and cloud providers to hone skills. Spend less time spent on, say, testing shrink-wrapped software.

Increase Funding for Cybersecurity and Cloud

Finally, the Project Tomorrow research points to the need for more funding for cybersecurity. These investments should go to awareness training, locking down vulnerabilities, updating security and student safety software, cloud adoption, and having a robust business continuity and disaster recovery plan.

Download the full report.

FETC Conference, January 25 - 28, 2022 Orange County Convention Center Orlando, FL
See Tech Reformers in Booth 4211 in the Startup Pavilion

At FETC, the Future of Education Technology Conference, Tech Reformers, a leader in K-12 Cloud,
is releasing TR | AppStream, a managed AWS AppStream 2.0 service. So, K-12 school districts can now offer virtually any application to students on Chromebooks and any device even with low bandwidth. Enabling all students to access high-end applications, TR | AppStream gives any time, anywhere access to, for example, Adobe Creative Cloud, Autodesk Inventor & Revit, and engineering and computer science applications from Project Lead the Way (PLTW). In sum, virtually any application that schools need students to access at home or in school, TR | AppStream makes it possible on any device. As a managed service, it’s no extra work for IT.

Target equity, the digital divide, and homework gap

While some think that Chromebooks and hotspots have solved the digital divide and homework gap, nevertheless students with only a Chromebook or just a hotspot don’t have equitable access compared to students who can use a full-featured multimedia computer and high-speed broadband at home. With the cloud, Infrastructure as a Service – IaaS, that opportunity gap disappears. A Chromebook or any home computer with an internet connection can tap into all the powerful applications. They stream from servers in the AWS cloud, all managed by Tech Reformers.

Heretofore, creating district platforms to allow virtual desktops or streaming apps have been too expensive and too difficult to manage for most school districts. Building out the virtual desktop infrastructure (VDI) has been a huge capital expense. The cloud offers a solution, but district IT staff may not have the time or the expertise to deploy and manage what is needed. But, there are success stories. The cloud billing model may seem fraught with risk so TR | AppStream has per student, flat-rate cost.

TR | AppStream is a fully managed service

AppStream combines AWS AppStream 2.0 with fully managed services focused on the needs of K-12. School Districts who just determine the applications and use cases they want for their students and how many students they have to access it. Therefore, no configuration or VDI environment. So districts pay a per-student price with no need to worry about infrastructure, IT workload, or streaming rates.

TR Appstream Banner

Tech Reformers has created a demo for you to see and test yourself right away. The demo contains free applications for demonstration purposes only. But, when trying, imagine offering licensed software to your students in a fast, easy-to-access portal. For example, you can leverage your Adobe licensing or PTLW commitment to extend usage beyond school to the homes of all students. Tech Reformers will customize to your needs. TR | AppStream can even enable districts to eliminate computer lab desktop computers. Allow students to access productivity, creative, computer science, and technical applications on their laptops.

Try for yourself

Sign up for immediate access to the self-paced demo, and, during FETC, we will be raffling off Tech Reformers Yeti mugs to registered users.

Also available to request are demos for Adobe Creative Cloud, 3D, gaming, or your request. You will get your environments after a setup period and be offered a walk-through.

And, we are looking for districts who want to expand access to all students to be customers this school year at a great discount to try the service. We welcome districts that want to pilot the solution. For equity, bring AWS AppStream 2.0 to your students.

For inquires, reach out to info@techreformers.com, or, if you are in Orlando at FETC, stop by booth 4221.

Tech Reformers is an AWS Partner. If you want help doing it yourself, our AWS Certified Architects help you get started.

—-

Tech Reformers booth at CIT
Booth 704

We are highlighting our partnership with OpenText. About 200 school districts use OpenText. OpenText was named a “Leader” in content management by both Gartner and Forrester.

OpenText Key Capabilities include:

  • Information management (records retention, document management, archiving, etc.)
  • Electronic forms & workflow
  • Business process automation
  • Document capture (OCR), and
  • Integration with M365

Better yet, Tech Reformers offers the only fully hosted and managed OpenText solution designed for K-12. Furthermore, OpenText can integrate with your existing productivity suite.

At CITE, Tech Reformers will be also featuring our K-12 Cloud services not only for information management. We will share our managed services, hosting, and Infrastructure as a Service (IaaS). Tech Reformers has proprietary AWS-hosted solutions for OpenText and App Stream 2.0. We have best-in-breed partner solutions for cybersecurity and disaster recovery.

So, please stop by our CITE booth at #704.


Finally, we are having a special get-together. Please join us at our November 18th, 6-8 pm Happy Hour at Dive Bar.

Follow Tech Reformers on Linkedin and Twitter and Facebook.