Today’s schools and students need tomorrow’s cybersecurity

How Boston Public Schools built an RFP for CIPA content filtering

Today’s Speaker

Geri Conley Network Security Coordinator

Boston Public Schools

• Birthplace of public education in America:

• First public school (1635); oldest school system (founded in 1647)

• 120 schools with approximately 57,000 students and 11,000 staff

• Always assessing new technologies and best practices in efforts

for continual improvement

About Boston Public Schools (BPS)

Growing issues with incumbent content filtering vendor

• Product hadn’t kept up with the market or BPS’s needs

• Controlling social media use (e.g. YouTube) and P2P file sharing

(e.g. BitTorrent on SSL) was a problem

• Equipment upgrade was needed, but testing revealed issues:

• Using WCCP & BPS network, could not meet need for

authentication to AD

• Complicated & difficult to create custom block pages

• Hard to streamline handling of teachers’ content review requests

• System management issues exacerbated by poor quality

tech support

BPS’ Situation

Incumbent vendor had become ‘fatigued’

• Multiple ownership changes

• Revolving door w/ account managers

• Tech support guidelines changed and moved to area with inexperienced

technical support

• Shifted focus away from K-12 market

BPS’ Situation (con’t)

• When content filtering solution contract came up for renewal, IT staff

decided it was time for full assessment & review

• Started process by doing its homework, researched vendors & solutions:

• Checked their websites, online reviews, customer ratings, etc.

• Reviewed reports from analysts & market researchers

• Reached out for input from peers & contacts in other systems

A Fresh Look at Vendors & Solutions

BPS staff routinely monitors tech developments in areas relevant

to its operations.

The IT & Networking team led the development

of the RFP using a methodical, detailed process

• Developed very detailed RFP with strict criteria

• To qualify for consideration, vendors had to:

• Adhere to all of the City’s contractual requirements

• Meet BPS’ set of mandatory functional &

support requirements

Designing the RFP and Evaluation Process

Designing the RFP and Evaluation Process

Assembled an evaluation team of 6 senior staff

• All members would review & score qualified RFP responses

• Features, technology & support were the most critical elements

• Cost was also an important factor, but secondary

• Split RFP into 2 sections: technology/support and costs

For starters, solutions had to:

• Meet all CIPA requirements

• Include satisfactory monitoring and reporting capabilities

• Integrate with the BPS's current data network infrastructure

• Block Page minimum requirements

Products also had to meet 11 mandatory requirements covering:

• Content filtering and network security features

• Technology (interoperability, flexibility, and scalability)

• Implementation assistance & ongoing technical support

RFP Details – the “Must-Have’s”

Job #1 – Provide a complete, best-in-class Web content filtering system that:

Automatically blocks and filters certain types of Web traffic, including:

• CIPA-prohibited types (obscene and other harmful content)

• Coverage for all ports & protocols

• URLs, images, HTIP, SSL, web proxy streaming video and audio

• Internet radio, and peer-to-peer file sharing

Detect and mitigate Web-based malware

• Wide range of attacks types & prevention approaches

Provide a customizable block page, including:

• User name and IP address

• Listing of blocked URL and rationale

• Link to page for submitting content/page review requests

• Log-in link for users who want an authenticated policy

Main Requirement – Content Filtering

Additional, non-negotiable requirements:

1. First-rate reporting capabilities

• Solution needed to provide robust but easy-to-use reporting capabilities;

• Unified, system-wide reporting

• Fast, easy & thorough CIPA compliance report production

• Automated production of scheduled reports

• Easy ad hoc and custom report production

1st

Mandatory Requirement Details

2. Provide dependable, high-quality technical support, including:

• Direct support with 24/7/365 availability

• Ability to troubleshoot and resolve issues with:

• System problem or operational disruption

• Running during upgrades, patches and bug fixes

• DB retention, back-ups & system maintenance

3. Transparently monitor, manage, and report on traffic and bandwidth to

and from the organization

4. Vendors needed proven track record in content filtering:

• In operation for more than 5 years

• Success with similar customer(s):

• Infrastructure with 68K+ users and 210K+ devices

5. Capacity and Scalability -- Solution had to support:

• Minimum of 40K IP addresses accessing the internet daily

• Multiple IP subnets w/varied policies & permissions applied to each

Mandatory Requirement Details

6. Using pass-through technologies -- Solution could be:

• An inline, standalone appliance, or

• Integrated with Cisco Firewall and security systems appliance

7. Interoperability -- Solution had to be compatible with:

• Cisco firewalls

• All Cisco switching equipment

8. Implementation assistance -- Vendor had to provide upfront & ongoing support

• Send experienced installation specialists on-site to:

• Set up communication lines, services, and test all functions

• Fully support BPS migration from existing solution, including changing routes

• Provide adequate knowledge transfer, support, and training to BPS' IT staff

• Be available to consult on/help with any deployment issues or questions

Mandatory Requirement Details

9. Authentication support required for the following:

• Windows 7 and 8, and Active Directory

• Macintosh OSX clients

• Chromebooks

• Other mobile devices

• iPads, iPhones, Android tablets & phones, etc.

• Any major OS’s released during life of contract

10. Remote management – Had to have browser-based management with:

• Access password-protected

• Concurrent users enabled

• Configuration settings that could be backed up

• Manually and automatically

Mandatory Requirement Details

All Committee members had full vote & equal say

• Members represented their constituents’ perspectives

• District admin., teachers, IT, Legal/Compliance, etc.

• Produced RFP scoring system that all agreed to

• Held series of review meetings, and all vendors’ responses were discussed at length

• Voting (on features, technology & support) resulted in 3 vendors selected as finalists

• Driver at this stage was thoroughness of the RFP responses

• All three finalists conducted demos and Q&A sessions

• Separate, secondary consideration of costs pared it down to 2 finalists

Gaining Buy-in and Finalizing Selection

The quality of the solution and the people!

• Final choice came down to:

• The quality & capabilities of the iboss solution

• The iboss people who stood behind it

• In addition to answering every RFP question thoroughly, iboss representatives:

• Provided transparency during the demo

• Gave honest & frank answers to tough questions instead of attempting to mask

or gloss-over things

• Customer references were:

• Accessible for calls – BPS didn’t have to move mountains to contact them

• Actual users – Staff members in other districts who actually use are familiar

with the product and its features

Why iboss Won

A smooth migration from legacy SWG and phased implementation

of the iboss Distributed Gateway Platform

• BPS received great support from iboss all through the process

• Terrific content filtering implementation

• Easy policy creation & automated enforcement

• New custom block pages much easier for all involved

• Especially teachers looking for reviews & explanation

• Administrators dealing with all the blocked content alerts

• Better filtering and controls stopped unauthorized downloads and P2P file sharing

• Eliminated related problem of handling copyright violation notices

Results Since Making the Switch

• Implemented a better, stronger authentication regimen

• Stronger identity check, more permission layers

• Successful roll-out of iPad support and Chromebook support w/Google Apps

• Key for offsite device monitoring

• Easy creation of local user accounts is very helpful

• After-school programs

• Temporarily enabling access for parents and other non-BPS users

• CIPA audit – iboss reporting made the exercise fast, painless & successful

• Operationalizing other features on an ongoing basis

Results Since Making the Switch

Here are some of BPS’ guiding principles going into this process:

• Make the process inclusive

• Ensure all stakeholders’ interests are represented

• Have internal experts drive development of the RFP

• Staff people closest to system & district’s needs

• Include both mandatories and ideal-to-have

• Disqualify any vendor that can’t meet all mandatories

• Focus on capabilities first, pricing secondary

Lessons Learned in the RFP Process

Some other advice and tips from BPS

• Beware of RFP answers that have a generic or cut ‘n paste feel

• Beware or vendor references who are difficult to reach

• Or who don’t actually use the solution’s relevant features

• Insist on a demo so you have a chance to interact directly with the vendors’

people.

• Do they seem open and honest? Or something less than that? Are they giving you

frank and unguarded answers? Or not? Trust your instincts here.

• Ask about tenure of support people

• You’ll be working most closely with them

• Short stints and high turn-over is a major red flag

Lessons Learned in the RFP Process

About iboss

The first and only Distributed Gateway Platform with:

• Built-for-the-cloud elastic, node architecture that uniquely solves the

challenge of securing distributed organizations

• Cloud gateways to secure remote offices and mobile workers without

data backhaul

• Optional local gateways that can be used as drop-in replacements to

secure data at HQ without restructuring the network

• 100% SaaS subscription pricing model – no appliances to buy or

manage

About iboss

Redefines the way cybersecurity is delivered

and managed in the cloud and on-premise

• Revolutionary architecture

• Immediate return on investment

• Deeper security

The iboss Distributed Gateway Platform

Over 5 Million

Students Secured

Across the Most

State Contracts

Unsurpassed Scalability

and Innovation

Secure more large

schools than any other

EDU focused solution

Proven deployments

with over 1 million

devices and 40+ Gbps

More integration

flexibility than any

other solution

Backed by more

patents than any other

EDU focused solution

The Most Trusted Name in EDU Cybersecurity

VALUED CUSTOMERS

Founded in 2003

Product Launched in 2009

200+ Employees Across 7

Global Offices

107% 5 Year Compound Annual

Growth Rate (CAGR)

#3 Cybersecurity company on

Deloitte Technology Fast 500

100+ Patents & Patents Pending

INDUSTRY RECOGNIZED

COMPANY OVERVIEW

FINANCIAL BACKING

A Goldman Sachs portfolio company

Questions?

Redefining the way Cybersecurity

is delivered and managed.

Please visit www.iboss.com for more information