K-12 schools face tremendous challenges securing their WiFi networks from unauthorized devices. In many environments, the WiFi network is using a pre-shared key (PSK) to authenticate users on the K-12 network. This PSK is a single password handed out to teachers and students for their wireless devices.
Oftentimes those PSKs make their way to unauthorized devices. Imagine changing the PSK on hundreds of devices because of a single security incident. Systems administrators are tasked with changing the PSK regularly, but it would require significant effort to change it across all authorized devices. Either it's too difficult for admins to reach all devices to change the password or they face push back from staff members. Altogether, it’s a management nightmare.
802.1X, a standards-based method of providing authentication to the network, is significantly more secure than passwords. Each device connecting to the network requests a digital certificate from a certificate authority (CA). This certificate verifies the identity of the device. In this enrollment process, a key pair, public and private, is generated.
However, this method comes at a price. There is a steep learning curve for systems administrators as they have to set up infrastructure to support the use of digital certificates. In-house expertise may not be there to maintain the back-end certificate-based infrastructure. Occasionally, the costs even outweigh the simplicity of a PSK. There are expenses in procuring hardware, licensing, configuration, and maintenance.
If K-12 schools utilize Google for Education, a suite of productivity applications designed for teachers and students, then this involves creating separate infrastructure outside of Google for Education, including another directory service such as Active Directory. An additional directory service would be a replica of the one in Google for Education, which adds extra management. Systems administrators must add users in both locations.
A way to ease the management burden, whether it's with Google for Education or any other wireless environment, is to integrate the process with mobile device management (MDM). With MDM, systems administrators can centrally manage multiple devices and across different providers.
Using MDM, digital certificates can be pushed to each device. Mobile devices can use Simple Certificate Enrollment Protocol (SCEP) to request their digital certificate. Using SCEP benefits an organization with a large-scale user base.
In today’s market, there are many MDM solutions, including Cisco Meraki, Microsoft Intune, and VMware AirWatch. The advantages of MDM are clear, including multi-platform device management, policy enforcement, and device classification. Unfortunately, the ease of management and scale comes at a high cost for many schools.
The simplicity of configuring PSK will usually win some situations because of limiting factors such as small budgets, lack of in-house expertise, and the lack of support to maintain the infrastructure.
In environments where security is a concern, but PSK required, it's possible to further authenticate devices after inputting the WiFi password by checking the device against a database of registered known devices. A successful match allows the device to access resources on the WiFi network. Mojo Enforce, recently released by WiFi supplier Mojo Networks, is an example of authentication integrated with PSK. Mojo Enforce uses APIs to tie into a school's Google for Education account to query authorized devices.
We will continue to see PSKs as the main WiFi authentication method for many environments. Without the budgets and expertise to upgrade security measures, K-12 schools are left to use the best last option - PSK.