Cloud computing is taking K12 by storm with fully 90 percent of K12 institutions relying on or implementing cloud technology in 2012, according to the Consortium for School Networking (CoSN). District CIOs are under increased pressure to cut costs and keep up with the latest technological trends, and implementing the cloud is an easy fix.
According to a recent report released by Lenovo and Intel, What IT Leaders in K12 Need to Know about Cloud Computing, cloud technology can save districts up to 25 percent on IT costs within the next five years by outsourcing network maintenance and allowing schools to access low-cost or free educational software.
Like any new technology, however, the move toward the cloud carries risks, especially when it comes to privacy and security. “Whether you are a school district, Coca Cola, or the Department of Defense, you have to assess how cloud computing affects the confidentiality, integrity, and availability of your data,” says Taiye Lambo, founder of CloudeAssurance, a private cloud security consultancy.
For school district leaders who store confidential information, including students’ addresses, health records, tests scores, and photos on the cloud, ensuring that it is both secure and accessible is especially important.
Diverse cloud options
It is often difficult for CIOs to parse the security implications of cloud-computing because the cloud refers to a wide range of remote-server options, offering a vast array of services, all of which carry different levels of security risk. For districts, cloud computing options fall roughly into two categories: software-as-a-service (SaaS) and storage as a service (STaaS). Both services are becoming commonplace as districts move toward 1:1 technology-to-student ratios.
“Districts are increasingly looking toward SaaS technologies that enable collaboration so that students and teachers can access software, communicate, and collaborate,” explains Stephan Braat, general manager for cloud solutions at CDW-G, an IT products and solutions provider working with over 8,000 districts nationwide. “At the same time, there is also need for STaaS so districts can house and store that information and data.”
In addition to the SaaS/STaaS distinction, districts must choose whether to rely on district-run clouds, cloud consortiums, or private vendors. While setting up a private cloud housed on district servers allows CIOs to personally monitor the cloud and take charge of security, it misses out on the savings of outsourcing IT responsibilities. Cloud consortiums allow districts to pool resources and build a common cloud that is secured and monitored by district employees. Although increasingly popular, consortiums are not an immediate option for all districts, since they require long-term planning and coordination.
According to CDW-G, private cloud vendors, which manage cloud storage and security externally, are increasingly dominating the K12 market. Over 40 percent of districts now rely on Google Docs and Gmail for data storage and communication. At the same time, an increasingly diverse group of vendors are offering cloud services to districts, including: Amazon, Lenovo, Microsoft, Apple, and a host of smaller boutique firms.
If a district opts for an external cloud vendor, CIOs should be prepared to take on a degree of risk. “The biggest thing CIOs are struggling with is that, in reality, external cloud solutions don’t allow for any internal control. Everything is on the side of the solution providers,” says Ramiro Zuniga, an independent expert on cloud security and CIO of Port Arthur (Texas) ISD serving 10,000 students.
Since external cloud vendors house and maintain all data in the cloud, CIOs relinquish authority to change network settings or troubleshoot. According to Zuniga: “That puts CIOs in a precarious situation if data are lost or breached.” Even if CIOs rely on an external vendor, they are ultimately responsible for the integrity, availability, and safety of district data; schools boards, parents, and administrators will hold them responsible for any problems. It’s their heads that are going to roll,” he warns.
The consequences of data breaches, deletions, or leaks can be quite serious. District systems can contain student and employee SSNs, health records, pictures, home addresses, and other personal demographic information. When this information is stored by an outside party, “you cannot be 100 percent sure of its availability or security; there may be a day when one of their employees goes postal on your data, or a hacker goes into your system to mine the data,” Zuniga says. If your data is exposed to the public, worst-case scenarios include identity theft, and the modification or deletion of students’ records and grades.
To mitigate this risk, Port Arthur ISD has implemented a mix of SaaS and STaaS systems, which allow for maximum flexibility for administrators; they can choose from a variety of cloud options depending on their security needs. Students and administrators rely on Blackboard Connect for basic communication, such as community outreach and emergency alerts.
At the same time, the district manages its own private cloud network—protected by firewalls and heavy encryption—where teachers and staff can store more sensitive district files that may include student demographic information. And staff and students can use the many free or low-cost public cloud storage options—like Google Drive—for files like class notes, that contain less-sensitive information.
Emerging industry standard
Google is the emerging industry leader for these low-cost cloud services in K12 districts. Google Apps for Education provides both SaaS options for teachers and students to remotely access instructional tools and educational apps, as well as STaaS through Google Drive services, which allows districts to store up to 5GB of space per user for free. For $5 a month per user, schools can purchase an additional 100GB of storage.
Google is sometimes critiqued for its opaque security guarantees, and when Google first released the Drive in 2012, major corporations, including The New York Times, advised their employees to avoid storing information on Google’s cloud. But Google spokesperson Tim Drinan is confident that Google Apps for Education is more secure than IT services run by individual K12 districts, because of the sheer scale of Google’s operation.
“We have hundreds of engineers responsible for maintaining Google’s security apparatus,” he explains. Those engineers are constantly checking for bugs, intrusions, and data leaks. Google also never takes down its servers or schedules downtime. “We guarantee data availability 99.9 percent of the time.”
Over the past year, Google Apps for Education has made a strong case for its security and privacy. In 2012, Google Apps received a ISO 27001 security certificate, the industry gold standard, and its cloud services are certified under the Federal Information Security Management Act (FISMA), a security standard required for storing government data.
Unlike personal Google accounts, Google Apps for Education allows schools to block advertisers and manage their own security controls at an enterprise level, meaning CIOs can choose whether to allow users outside the district access to the cloud. This year, Google rolled out a free two-step login authentication service to defend against threats like password phishing, weak passwords, and password reuse.
Google Apps at Irving ISD
Irving (Texas) ISD, which has 35,000 students, employs enterprise-level Google Apps for Education to manage SaaS cloud computing. The district uses Google Apps for services like email, calendars, and educational software. But when it comes to storing sensitive data, the district relies on its own internal servers.
Our rule of thumb is that anything with names or pictures should not yet be put on the cloud. If the data identify a student, we store the information internally,” says Sam Farsaii, instructional technology director.
But over the next year, Farsaii hopes to put more sensitive district data into the cloud. Irving ISD is undertaking a full review of Google’s STaaS services to ensure they comply with federal guidelines set out in The Family Educational Rights and Privacy Act (FERPA), which requires schools to obtain student permission before disclosing educational records, and the Health Insurance Portability and Accountability Act (HIPAA), which requires that students’ health information is kept private.
For districts looking to reap the benefits of cloud computing, but wary of the security risks that come with external cloud services, public school cloud consortiums and cooperatives offer a middle ground. In Illinois, over 150 districts have teamed up to share software and technology through IlliniCloud, the state’s internal cloud consortium, which saves its member districts between 30 percent and 60 percent on IT costs.
By pooling their resources, Illinois schools are able to provide top-level security for district data. IlliniCloud employs intrusion prevention systems (IPS) from Sourcefire, which automatically block malware and monitor for intrusions. All of the districts in the consortium store their data behind multiple firewalls, which are maintained by district employees, and each school’s data are kept separate, through the use of VMware vCloud Director management software.
“We back up the data every night, and we employ staff that perform regular penetration and audit testing to continuously test the limits of the security apparatus,” explains Jim Peterson, technology director at Bloomington (Ill.) School District 87, who also works as the chief technology officer for the entire IlliniCloud consortium. “We provide multi-million-dollar levels of security that individual schools can’t afford on their own.”