Moving to the Cloud? What should you consider?

This year our school has adopted Google Apps for Education. Sounds simple, huh?

Not so. Decisions to move your staff and students into Cloud Computing solutions are complex and in my view, require thoughtful planning and consideration. When I became Director of ICT and eLearning at the start of 2013, my first job was to implement a new Learning Management System. That was pretty big and was the main focus for much of 2013, but the early stages of that project coincided with planning starting around the possibility of a move into the Google Apps space.

Why Google Apps? Plenty of reasons, but here are just a few.

The collaborative nature of the docs – the way students can work together and co-create. The visibility of works in progress when shared with teachers. The ability to provide feedback and formative assessment easily at point of need, when students are in the process of writing. The cloud storage provided to users – 30GB for each user when you’re a Google Apps for Education school. Providing staff with a cloud storage option that sits within your domain, instead of having staff opening their own cloud storage accounts eg: Dropbox, and sharing school docs outside of a school domain. I’ll elaborate further on my reasoning in another post (and I promise I’ll get to it!!).

But before any decisions could be made, I needed to familiarise myself with issues surrounding Cloud Computing so that I could evaluate whether or not a move in this direction was right for my school. What did this involve? Reading, and plenty of it. I looked at Gartner and Forrester research and followed links shared on Twitter to business blogs like Harvard Business Review and Forbes. I needed to see where business was heading and explore speculation about the future of work and what might be required. I read countless articles about cloud storage and privacy concerns. And through all this, I was linking what I was reading to the education system and analysing how what applies in business translates to school environments.

Coming across Data Sovereignty and the Cloud: A Board and Executive Officer’s Guide , published by the Cyberspace Law and Policy Centre, UNSW Faculty of Law was fortuitous. The report was sponsored by  NEXTDCBaker & McKenzie and Aon. NEXTDC is a data centre company, looking to become the biggest cloud data centre storage service in Australia. I have visited their Port Melbourne location, taking a tour through what is an impressive facility. Baker and McKenzie are a law firm and Aon is a global provider of risk management services. When you look at recent changes to Australian Privacy Laws you can see why organisations like this are interested in supporting research and policy reports of this nature. Australian Privacy Principle 8 deals with cross border disclosure of personal information – an area affecting schools and businesses if you use a cloud computing solution where the data is stored in overseas data centres.

The report raised many questions for me, and led to a 90 minute phone conversation with David Vaile, one of the authors of the report. Even at the end of that, I was no closer to firm resolve around the issues surrounding cloud computing and privacy. Within the report is reference to the Australian Signals Directorate’s (Defence Force) Cloud Computing considerations. Their discussion paper provides the following:

“…assists agencies to perform a risk assessment and make an informed decision as to whether cloud computing is currently suitable to meet their business goals with an acceptable level of risk.”

Contained within it is an overview of Cloud Computing considerations you can apply to whatever platform you are looking at implementing. In my case, this was Google Apps for Education. What I did was take this list (as follows) and then read Google Security Whitepapers and information about GAFE and found the information that addressed the following considerations.

  1. Cloud computing security considerations include:
    • My data or functionality to be moved to the cloud is not business critical (19a).
    • I have reviewed the vendor’s business continuity and disaster recovery plan (19b).
    • I will maintain an up to date backup copy of my data (19c).
    • My data or business functionality will be replicated with a second vendor (19d).
    • The network connection between me and the vendor’s network is adequate (19e).
    • The Service Level Agreement (SLA) guarantees adequate system availability (19f).
    • Scheduled outages are acceptable both in duration and time of day (19g).
    • Scheduled outages affect the guaranteed percentage of system availability (19h).
    • I would receive adequate compensation for a breach of the SLA or contract (19i).
    • Redundancy mechanisms and offsite backups prevent data corruption or loss (19j).
    • If I accidentally delete a file or other data, the vendor can quickly restore it (19k).
    • I can increase my use of the vendor’s computing resources at short notice (19l).
    • I can easily move my data to another vendor or in-house (19m).
    • I can easily move my standardised application to another vendor or in-house (19m).
    • My choice of cloud sharing model aligns with my risk tolerance (20a).
    • My data is not too sensitive to store or process in the cloud (20b).
    • I can meet the legislative obligations to protect and manage my data (20c).
    • I know and accept the privacy laws of countries that have access to my data (20d).
    • Strong encryption approved by DSD protects my sensitive data at all times (20e).
    • The vendor suitably sanitises storage media storing my data at its end of life (20f).
    • The vendor securely monitors the computers that store or process my data (20g).
    • I can use my existing tools to monitor my use of the vendor’s services (20h).
    • I retain legal ownership of my data (20i).
    • The vendor has a secure gateway environment (20j).
    • The vendor’s gateway is certified by an authoritative third party (20k).
    • The vendor provides a suitable email content filtering capability (20l).
    • The vendor’s security posture is supported by policies and processes (20m).
    • The vendor’s security posture is supported by direct technical controls (20n).
    • I can audit the vendor’s security or access reputable third-party audit reports (20o).
    • The vendor supports the identity and access management system that I use (20p).
    • Users access and store sensitive data only via trusted operating environments (20q).
    • The vendor uses endorsed physical security products and devices (20r).
    • The vendor’s procurement process for software and hardware is trustworthy (20s).
    • The vendor adequately separates me and my data from other customers (21a).
    • Using the vendor’s cloud does not weaken my network security posture (21b).
    • I have the option of using computers that are dedicated to my exclusive use (21c).
    • When I delete my data, the storage media is sanitised before being reused (21d).
    • The vendor does not know the password or key used to decrypt my data (22a).
    • The vendor performs appropriate personnel vetting and employment checks (22b).
    • Actions performed by the vendor’s employees are logged and reviewed (22c).
    • Visitors to the vendor’s data centres are positively identified and escorted (22d).
    • Vendor data centres have cable management practices to identify tampering (22e).
    • Vendor security considerations apply equally to the vendor’s subcontractors (22f).
    • The vendor is contactable and provides timely responses and support (23a).
    • I have reviewed the vendor’s security incident response plan (23b).
    • The vendor’s employees are trained to detect and handle security incidents (23c).
    • The vendor will notify me of security incidents (23d).
    • The vendor will assist me with security investigations and legal discovery (23e).
    • I can access audit logs and other evidence to perform a forensic investigation (23f).
    • I receive adequate compensation for a security breach caused by the vendor (23g).
    • Storage media storing sensitive data can be adequately sanitised (23h).
    • ( Cloud Computing Security Considerations )

This took some time. There were weeks out of my life in 2013 where I was living and breathing information regarding privacy, security and cloud computing. Believe you me, if you encountered me during this time, my conversation topics were limited and suitable only for a specific audience!

But, it was worth it. I had a document I could present to my Executive that helped us come to the decision that Google Apps for Education was suitable for our school environment. What I gained from this exercise was a thorough understanding of issues surrounding Cloud Computing and the information I needed to be able to speak confidently with my school community about the move we were making.

If you’re a school looking to move into the Cloud Computing space, then measures like this are necessary. If you’re an Australian school looking for links to assist you with the process, then take a look at the following.

Defence Signals Directorate – Cloud Computing Considerations

http://www.dsd.gov.au/publications/csocprotect/cloud_computing_security_considerations.htm

Data Sovereignty and the Cloud  – a Board and Executive Officer’s Guide

http://cyberlawcentre.org/data_sovereignty/CLOUD_DataSovReport_Full.pdf

And if you’re looking to go Google, the following will help.

Google’s approach to IT Security – A Google Whitepaper

https://cloud.google.com/files/Google-CommonSecurity-WhitePaper-v1.4.pdf

Google Apps Service Level Agreement

http://www.google.com/apps/intl/en/terms/sla.html

Google Apps Documentation and Support – Security and Privacy Overview

http://support.google.com/a/bin/answer.py?hl=en&answer=60762

Google Apps for Education

http://www.google.com/enterprise/apps/education/benefits.html

Security Whitepaper: Google Apps Messaging and Collaboration Products

http://static.googleusercontent.com/external_content/untrusted_dlcp/www.google.com/en/us/a/help/intl/en-GB/admins/pdf/ds_gsa_apps_whitepaper_0207.pdf

It’s not over for me. The next thing to consider is replication of data to cloud storage. Off I am to the Amazon Web Summit next week in Sydney to explore that one a little further. 😉

 

Freedom vs Control – important lessons to be learned

Cyber crime expect Mikko Hypponen delivered a talk at the TEDxBrussels event that has made it this week onto the TED site. If you’re at all interested in conversations surrounding privacy in this digital age, then it’s 10 minutes well invested.

As teachers, we need to understand the implications of our use of the Internet and we should be helping our students understand it too. Mikko makes the comment in this talk that he believes you are more likely to become a victim of crime in the online world than in the real world. How many of us think about whether or not trojan viruses have infected our computers after visiting a site? Do we ever think that our keystrokes may be being monitored by a criminal hoping to gain password or credit card details?

How many people have any understanding of what a https site is in the first place and how you know if a site has an extended validation certificate? If you’re unclear, head over to “20 Things I Learned about Browsers and the Web“, a really helpful guide written in easy to understand language that won’t befuddle you. It was published by the Google Chrome team in 2010, and is a very handy reference point for anyone wanting to know more about the code, browsers, security risks, and a myriad of other eye opening details about how the Web works. I teach a Yr 7 Information Technology class and I’ve found it very helpful to support my understanding, and the understanding of the students I teach.

Mikko identifies three types of online attacks threatening our privacy and data. Criminals, looking for avenues to steal our money, hacktivists, (groups like Anonymous) who hack as means of protesting, and Nation States, who are apparently willingly infecting suspected citizens computers in order to collect information about them. Worrying, huh? I think so, and I believe it’s important that we as teachers impart this kind of information to our students. We need informed citizens who are capable of making decisions and defending their rights.

Mikko ends his talk stating the issue at hand is ‘Freedom vs Control’, and speculates whether we will spend the next 50 years wondering if we are able to trust our Governments. He’s got me thinking, I can tell you. I bet your students would find it fascinating too. We need to find avenues in our curriculums today to teach these important understandings that have implications for all of us.

Explaining Evernote

Image representing Evernote as depicted in Cru...
Image via CrunchBase

I’ve had an Evernote account for some time now, and really think it is one of the best organisational tools available. I love that it exists as an account I can access from any computer, anywhere. I love the desktop version that sits on my Mac. I love the web clipper add on that I use with my Firefox browser. I especially love the Evernote apps I have downloaded to my iPhone and iPad that enable me to get access to what is stored on Evernote and also enable me to add to the account easily. I love that everything syncs so quickly, and that I can use it without an internet connection knowing that it will sync once an internet connection has been established.

I created this screencast recently about Evernote and thought some of you who know nothing about it might benefit from watching it. It is by no means an exhaustive account of what it can do, because truly, I know I haven’t explored everything it is capable of doing. I ran a Staff PD about Evernote and Dropbox after school last week, and people who came were very impressed with the potential it has for education, and their own personal management of data. I would love to see us introduce Evernote to all of our students, and start them really thinking about how they can use it to manage class projects, or save data from whiteboards or even their handwritten notes. It is part of my plan to try and get this happening at my school, and staff members who attended tonight’s session seemed to be in agreement that this would be a positive thing.

One thing that people are wary of is storing their data in the cloud (on an organisation’s servers). There has to be a certain comfort level you have with releasing your data to someone else to store it for you, and people do get concerned that other people (hackers) might be able to access their documents or notes. Dropbox has been under fire in the past week, for a bug in their system that caused a security glitch that allowed people to log into any Dropbox account by typing in any password at all for a period of four hours. Even prior to this unfortunate ‘glitch’ Dropbox have been criticised about their levels of data security.

I think we all have to be mindful that when you host your data elsewhere, and for free, you have to accept that with convenience comes some cost. That cost may be that companies hosting your data could give some of it to Government agencies if it’s requested. It may be that you leave yourself open to hackers who seem intent of late to usurp the claims made by cloud storage companies that data is safe. I certainly love the convenience of being able to access data across multiple devices, but I’m certainly not going to be storing any sensitive documentation there that I wouldn’t want anyone else accessing.

This is part of the game that is the World Wide Web now. Know the rules before you start playing is as good advice as any I’m guessing.

Revisiting the Digital Footprint message

Today, I delivered a presentation to our Year 11 students about how they conduct themselves in online spaces, to ensure their safety and to cultivate a positive digital footprint. I delivered a similar presentation to this same cohort in May last year, and I thought I might be flogging a dead horse. I was wrong.

They listened intently, asked serious and thoughtful questions, and even provided examples themselves of people who had had reputations damaged due to poor understanding of the magnification of information shared in social networks today. I thought I’d fall short with information and have to fill time, but I was struggling to get through what I wanted to cover.

One of the things I wanted to cover was Facebook’s places feature. My guess would be that the majority of them weren’t using it, and had no idea that their friends could check them into locations unless they disabled the feature in their privacy settings. I used the following lifehacker video to demonstrate what they needed to do in Facebook to opt out of the feature. It helped me too. I lead a very transparent life, but I don’t want to use the places feature and I don’t want to be checked into places by friends in my network. It’s not a straightforward process. You have to find the customise button and find the page where the settings need changing. The lifehacker video explained it very clearly and I followed those instructions to meet my requirements. The students watched it intently, and it’s my guess a number of them will be looking at their privacy settings tonight.

It was nice to receive words of thanks and a round of applause at the end of the session. It’s made it very clear to me that these messages need repeating and reinforcement in our teaching practices.