This year our school has adopted Google Apps for Education. Sounds simple, huh?
Not so. Decisions to move your staff and students into Cloud Computing solutions are complex and in my view, require thoughtful planning and consideration. When I became Director of ICT and eLearning at the start of 2013, my first job was to implement a new Learning Management System. That was pretty big and was the main focus for much of 2013, but the early stages of that project coincided with planning starting around the possibility of a move into the Google Apps space.
Why Google Apps? Plenty of reasons, but here are just a few.
The collaborative nature of the docs – the way students can work together and co-create. The visibility of works in progress when shared with teachers. The ability to provide feedback and formative assessment easily at point of need, when students are in the process of writing. The cloud storage provided to users – 30GB for each user when you’re a Google Apps for Education school. Providing staff with a cloud storage option that sits within your domain, instead of having staff opening their own cloud storage accounts eg: Dropbox, and sharing school docs outside of a school domain. I’ll elaborate further on my reasoning in another post (and I promise I’ll get to it!!).
But before any decisions could be made, I needed to familiarise myself with issues surrounding Cloud Computing so that I could evaluate whether or not a move in this direction was right for my school. What did this involve? Reading, and plenty of it. I looked at Gartner and Forrester research and followed links shared on Twitter to business blogs like Harvard Business Review and Forbes. I needed to see where business was heading and explore speculation about the future of work and what might be required. I read countless articles about cloud storage and privacy concerns. And through all this, I was linking what I was reading to the education system and analysing how what applies in business translates to school environments.
Coming across Data Sovereignty and the Cloud: A Board and Executive Officer’s Guide , published by the Cyberspace Law and Policy Centre, UNSW Faculty of Law was fortuitous. The report was sponsored by NEXTDC, Baker & McKenzie and Aon. NEXTDC is a data centre company, looking to become the biggest cloud data centre storage service in Australia. I have visited their Port Melbourne location, taking a tour through what is an impressive facility. Baker and McKenzie are a law firm and Aon is a global provider of risk management services. When you look at recent changes to Australian Privacy Laws you can see why organisations like this are interested in supporting research and policy reports of this nature. Australian Privacy Principle 8 deals with cross border disclosure of personal information – an area affecting schools and businesses if you use a cloud computing solution where the data is stored in overseas data centres.
The report raised many questions for me, and led to a 90 minute phone conversation with David Vaile, one of the authors of the report. Even at the end of that, I was no closer to firm resolve around the issues surrounding cloud computing and privacy. Within the report is reference to the Australian Signals Directorate’s (Defence Force) Cloud Computing considerations. Their discussion paper provides the following:
“…assists agencies to perform a risk assessment and make an informed decision as to whether cloud computing is currently suitable to meet their business goals with an acceptable level of risk.”
Contained within it is an overview of Cloud Computing considerations you can apply to whatever platform you are looking at implementing. In my case, this was Google Apps for Education. What I did was take this list (as follows) and then read Google Security Whitepapers and information about GAFE and found the information that addressed the following considerations.
- Cloud computing security considerations include:
- My data or functionality to be moved to the cloud is not business critical (19a).
- I have reviewed the vendor’s business continuity and disaster recovery plan (19b).
- I will maintain an up to date backup copy of my data (19c).
- My data or business functionality will be replicated with a second vendor (19d).
- The network connection between me and the vendor’s network is adequate (19e).
- The Service Level Agreement (SLA) guarantees adequate system availability (19f).
- Scheduled outages are acceptable both in duration and time of day (19g).
- Scheduled outages affect the guaranteed percentage of system availability (19h).
- I would receive adequate compensation for a breach of the SLA or contract (19i).
- Redundancy mechanisms and offsite backups prevent data corruption or loss (19j).
- If I accidentally delete a file or other data, the vendor can quickly restore it (19k).
- I can increase my use of the vendor’s computing resources at short notice (19l).
- I can easily move my data to another vendor or in-house (19m).
- I can easily move my standardised application to another vendor or in-house (19m).
- My choice of cloud sharing model aligns with my risk tolerance (20a).
- My data is not too sensitive to store or process in the cloud (20b).
- I can meet the legislative obligations to protect and manage my data (20c).
- I know and accept the privacy laws of countries that have access to my data (20d).
- Strong encryption approved by DSD protects my sensitive data at all times (20e).
- The vendor suitably sanitises storage media storing my data at its end of life (20f).
- The vendor securely monitors the computers that store or process my data (20g).
- I can use my existing tools to monitor my use of the vendor’s services (20h).
- I retain legal ownership of my data (20i).
- The vendor has a secure gateway environment (20j).
- The vendor’s gateway is certified by an authoritative third party (20k).
- The vendor provides a suitable email content filtering capability (20l).
- The vendor’s security posture is supported by policies and processes (20m).
- The vendor’s security posture is supported by direct technical controls (20n).
- I can audit the vendor’s security or access reputable third-party audit reports (20o).
- The vendor supports the identity and access management system that I use (20p).
- Users access and store sensitive data only via trusted operating environments (20q).
- The vendor uses endorsed physical security products and devices (20r).
- The vendor’s procurement process for software and hardware is trustworthy (20s).
- The vendor adequately separates me and my data from other customers (21a).
- Using the vendor’s cloud does not weaken my network security posture (21b).
- I have the option of using computers that are dedicated to my exclusive use (21c).
- When I delete my data, the storage media is sanitised before being reused (21d).
- The vendor does not know the password or key used to decrypt my data (22a).
- The vendor performs appropriate personnel vetting and employment checks (22b).
- Actions performed by the vendor’s employees are logged and reviewed (22c).
- Visitors to the vendor’s data centres are positively identified and escorted (22d).
- Vendor data centres have cable management practices to identify tampering (22e).
- Vendor security considerations apply equally to the vendor’s subcontractors (22f).
- The vendor is contactable and provides timely responses and support (23a).
- I have reviewed the vendor’s security incident response plan (23b).
- The vendor’s employees are trained to detect and handle security incidents (23c).
- The vendor will notify me of security incidents (23d).
- The vendor will assist me with security investigations and legal discovery (23e).
- I can access audit logs and other evidence to perform a forensic investigation (23f).
- I receive adequate compensation for a security breach caused by the vendor (23g).
- Storage media storing sensitive data can be adequately sanitised (23h).
- ( Cloud Computing Security Considerations )
This took some time. There were weeks out of my life in 2013 where I was living and breathing information regarding privacy, security and cloud computing. Believe you me, if you encountered me during this time, my conversation topics were limited and suitable only for a specific audience!
But, it was worth it. I had a document I could present to my Executive that helped us come to the decision that Google Apps for Education was suitable for our school environment. What I gained from this exercise was a thorough understanding of issues surrounding Cloud Computing and the information I needed to be able to speak confidently with my school community about the move we were making.
If you’re a school looking to move into the Cloud Computing space, then measures like this are necessary. If you’re an Australian school looking for links to assist you with the process, then take a look at the following.
Defence Signals Directorate – Cloud Computing Considerations
Data Sovereignty and the Cloud – a Board and Executive Officer’s Guide
And if you’re looking to go Google, the following will help.
Google’s approach to IT Security – A Google Whitepaper
Google Apps Service Level Agreement
Google Apps Documentation and Support – Security and Privacy Overview
Google Apps for Education
Security Whitepaper: Google Apps Messaging and Collaboration Products
It’s not over for me. The next thing to consider is replication of data to cloud storage. Off I am to the Amazon Web Summit next week in Sydney to explore that one a little further. ;)