moving IT to the cloud with service not servers

Saturday, 19 December 2015

Funding SaaS in Education

You can often gain an appreciation of how mainstream an emerging technology has become by reviewing the press release for the annual Gartner report, Top 10 Strategic Technology Trends For 2016.

In this respect, the future is looking pretty good for Software as a Service (SaaS) as it's not mentioned at all.

This is normally an indication that the technology has shifted from ‘strategic trend’ to ‘commonplace reality’ and the focus of the reviewer has now settled on more compelling subjects such as mesh computing and the internet of things.

So as we move into 2016, SaaS is no longer new and it's certainly not worth a 'rising star' award - it’s just the way software and services are delivered in a modern IT environment.


In a competitive market, faced with budgetary pressures and the frustration of maintaining complex legacy server systems, it should be no surprise that business has embraced SaaS so wholeheartedly.

It’s not like the education space has been particularly slow in this area either. Google estimates that Google Suite for Education (GSfE) currently hosts around 50 million users and the majority of new software titles are now delivered as SaaS or as mobile apps backed by cloud services.

However there are a number of constraints in the education space that are holding back the widespread adoption of SaaS, and principal amongst these is funding.

Historically, computer infrastructure in schools has been supported through a capital grant. Funds are allocated for a desktop refresh or a server upgrade with perhaps a small reserve to cover maintenance and warranty renewals. The investment normally results in a trolley full of iPads or a new storage system that the school can point to and say  “this is what we got for the money”.

In contrast, SaaS relies on a constant revenue stream. The traditional model is very unfriendly for a subscription-based product because the funding is so uneven.

Up to now the issue has largely been avoided by the simple expediency of giving away the base service for nothing, but as the SaaS market matures and education looks to take advantage of the more advanced features that are accessed through a subscription fee, this problem is going to become more apparent.

To address this issue, SaaS vendors may have to become a little more creative about exactly what constitutes a subscription and sell access licences for longer periods than the traditional monthly or annual terms. The danger is that this might stifle innovation by funneling funds into established and trusted brands so we just end up back where we started.

To access SaaS, schools will still require an element of capital expenditure to provide a robust local network, an enterprise level wireless system and a set of mobile devices, but as we move into 2016 the shift to a revenue model for IT is likely to present a challenge that may take a bit of imagination to solve.

Saturday, 21 November 2015

Why are you still driving a clunker?

For a school or business that plans to adopt Software as a Service (SaaS) there can be a number of unexpected surprises. Fortunately, most are beneficial.

One of the benefits, examined in an earlier blog, is that SaaS can be used as an agent of change. Once the overheads of software support, deployment and maintenance are removed, innovation and experimentation can occur at a much faster pace.

The effect is like an adrenaline shot that can drive transformation, but there is an even more subtle advantage that has a longer term impact.

To illustrate the point, let's assume we purchase our IT like automobiles and look at how different that would be "as a Service".

You need a car so you visit the local “on-premise” dealership. It's where your parents bought their car so it's a tried and tested approach. Why change?

It took a few months to get the money for the down-payment but the car’s finally parked on the drive.  It performs well, looks great and sparkles in the sunshine. You're going to really look after this 'baby' - after all, it’s a big investment, and you’re going to be paying it off for a while.

However, after a few years the car looks a bit tattered and worn and it's struggling to get up the hills with the kids and dog in the back. The servicing and maintenance never happened because the money was always needed somewhere else. You got caught out by some unexpected costs just after the warranty expired and the tyres needed replacing last month.

There’s a flashing red light on the dash but you’re scared to lift the hood just in case you really break something.

You can contact the dealership but you know that you're only going to pick up a bill or suffer a sales pitch about a competitive upgrade which will only replace a small problem now with an even larger problem later on.

In truth you’d just like to drive it into the lake but you still have to make the payments and you need it for work.

So you ignore the light on the dash, freshen it up with a few accessories, stick on a set of  ‘go-faster’ stripes and hope it just keeps going.

Face it, you’ve got a clunker - but there's another scenario.

You walk past the 'on-prem' dealership and happen to glance into the SaaS showroom where a car takes your eye. When you get home it’s standing on your drive.

There’s no forecourt dealer selling you the dream. You just drive the car round for a while to see if it suits and if it doesn't, you can drop the keys off with no obligation.

However you really like this car and you're surprised that the payment plan has no up-front charges, just a simple scheme whereby you pay when you use it and can hand it back at any time.

Every morning the car still looks fresh and new. You never take it to the car wash but somehow it maintains that showroom look and never smells of stale pizza. You sometimes get a red light on the dash but it fixes itself straight away.

Now here’s the really weird thing: you swear the car is getting quicker and you notice new features appearing all the time. You didn’t order the model with the cup holder but now it just has one!

The version you bought a year ago was the GT option but the badge now says GTi Sport which is strange because the payments are the same and you don't remember spending any time in the garage.

You suddenly realise that you’ve been driving the car for two years but have no plans to replace it. It still looks clean, fresh and modern, and is performing really well so there’s no reason to.


OK - you can't do this with cars, but you can with your IT.

So why are you still driving a clunker?

Saturday, 24 October 2015

BYOD and why it's always two from three.

There's an old IT saying which is “faster, better, cheaper, pick any two from three”.
Another one relates to work and is something like "interesting, well paid, legal".

It's surprising how many situations can be summarised in the same way. You have three clear requirements but when you fix two the third one breaks. To employ another cliché, you can never quite “square the circle” - or the triangle in this case.

The promise of using personal devices in schools (BYOD) falls into this camp at the moment.

In this case the three requirements are:

  • The ability to use a personal device as an alternative option to a school computer.
  • Provision of a secure environment.
  • Ease of management.

The idea was that students could bring their own devices into school and use them to access learning resources in a safe way with minimal cost and without a management overhead.

Sounds like a good idea, but at the moment you can have two of those things but not the third.

The problem has been caused by the move away from the standard http web protocol to the more secure https standard. A user connected to a home network with a personal device will have been unaware of the change over the last few years, but for schools it's a different matter.

When a web site moves to https the data stream is encrypted all the way from the personal device to the site, using a certificate held by the site that is checked against the trusted certificates held on the user device. This stops the bad guys making any sense of any intercepted data traffic and ensures that you are communicating with the true vendor rather than somebody pretending to be that vendor.

All of this is very desirable except when it comes to filtering and logging. Because the data stream is now encrypted, a lot of the information that filtering systems relied on to categorise the traffic is now hidden from view. Systems can still make decisions around blocking or releasing the request, but the fine-grained control is gone and schools are often faced with an all-or-nothing choice.

The immediate solution has been to reintroduce the old proxy server setup which allows the traffic to be inspected by the filter and normal service is resumed.

All is well, except for BYOD.

This is because the solution requires that you install a certificate on each device and set a configuration which tells it how to find the proxy server. For devices under centralized management this is a fairly trivial task, but personal devices aren’t under any control. After all, that's the whole point of BYOD.

Visiting each device increases the management overhead. Introducing MDM (Mobile Device Management) software to do the same job just increases the cost.

Without this configuration BYOD devices cannot operate at the same security level as the school devices.

Therefore you can have BYOD with security but only with increased management overhead. Remove the management and you lose the security.

By the time you have purchased an MDM licence to manage each BYOD device and upgraded the content filter you might as well have invested in a set of Chromebooks.

Two from three, whichever way you look at it.

Sunday, 20 September 2015

A Microsoft sysadmin in a Google world.

For schools looking to take advantage of cloud services, the first step is often the adoption of either Google G Suite for Education or Microsoft Office 365 and its integration with the on-premise user database which, for the UK at least, normally means Microsoft Active Directory.

For this reason there are a lot of Microsoft trained network administrators who are coming across the Google Administration console for the first time and wondering how to transfer their experience and knowledge to this new environment.

On the face of it there seems to be some similarity between the two systems.

Possibly not in the layout and operation of the management console, but certainly in the way the organisation is logically structured. Both systems have a top level object which represents the school or district and the ability to create a nested hierarchy of smaller units that you can use to make the administrative process easier.

Microsoft calls these units Organizational Units while in the Google world the correct term is Sub Organisations, although the abbreviation OU seems to have been commonly adopted for both in posts and blogs so we’ll stick with that.


Microsoft and Google OUs have a good deal in common.

  • Both systems can be used to create a tree-like structure to organise users and devices for management purposes.
  • Management policies are linked to this tree structure, each OU inheriting settings from its parent object in a similar way.
  • In both systems a user or device can only be contained within a single OU, and moving objects between OUs can directly affect the policies applied to that object.

Unfortunately the two systems also have some basic differences and this is where the confusion can set in.

In the Microsoft world policies are contained in objects called GPOs (Group Policy Objects).

Once defined, a single GPO can be linked to a single OU, multiple OUs or no OU at all. Changing the GPO in one location changes it for all the other linked OUs. Therefore in the Microsoft world a policy is an independent entity which can have a one-to-many relationship with the underlying OU structure.

As an example, you could create a simple GPO to set the wallpaper for a client session and link it to multiple OUs on any branch and at any level. If you update the policy for one OU, the change will apply to all the other OUs linked to the policy.

In the Google world policies and OUs are one and the same thing.

Unlike Microsoft GPOs, they are not independent of each other. Inheritance can appear to transfer settings down the tree, but this doesn’t alter the fact that every Google OU has its own policy set which applies to that OU and no other.

Both approaches have their strengths and weaknesses. The Microsoft one-to-many approach provides greater flexibility but can also lead to a level of complexity that takes an additional tool just to examine the policy set for any one object (the Resultant Set of Policy MMC snap-in).

The adaptability of the Microsoft approach allows the AD administrator to create an OU hierarchy which does not necessarily reflect how the policies are set. Policies can be blocked, set across multiple branches and be retrospectively applied. A Microsoft admin can create an OU tree which reflects a geographic or administrative infrastructure and then, with some limitations, layer a workable policy scheme over the top at a later stage.

In contrast the Google OU hierarchy IS the policy scheme and for this reason the two approaches are fundamentally different.

As a consequence it's rarely the case that the hierarchy created for an AD domain is a suitable model for the Google OU tree, and administrators shouldn’t try to replicate it in a Google organisation without giving some thought to exactly what they are trying to achieve.
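As an added illustration (not from the original post), the following Python model puts the two resolution rules side by side: a Microsoft GPO is a shared object linked to any number of OUs, so an object's effective settings are the GPOs linked along its OU path with a "block inheritance" cut-off, whereas a Google OU carries its own settings and an unset key simply inherits the parent's value. All OU names and settings are constructed; Enforced GPO links and link-order tie-breaking are deliberately left out to keep the model small.

```python
from dataclasses import dataclass, field


# --- Microsoft model: a GPO is an independent object linked to any number of OUs ---
@dataclass
class GPO:
    name: str
    settings: dict


@dataclass
class AdOU:
    name: str
    links: list = field(default_factory=list)   # GPOs linked here, in the order they apply
    block_inheritance: bool = False             # "Block Inheritance" set on this OU


def ad_resultant_policy(path):
    """Simplified Resultant Set of Policy for an object in the last OU of `path`
    (domain root first). Links on ancestors apply first and closer links override;
    an OU with block_inheritance discards everything linked above it."""
    start = max([i for i, ou in enumerate(path) if ou.block_inheritance], default=0)
    result = {}
    for ou in path[start:]:
        for gpo in ou.links:
            result.update(gpo.settings)
    return result


# --- Google model: the OU *is* the policy; an unset key inherits from the parent ---
@dataclass
class GoogleOU:
    name: str
    settings: dict = field(default_factory=dict)   # only the keys set on this OU


def google_effective_policy(path):
    """Walk the OU path root-first; each OU's own keys override inherited ones."""
    result = {}
    for ou in path:
        result.update(ou.settings)
    return result


def demo_one_to_many():
    """One GPO linked on two unrelated branches: a single edit changes both."""
    baseline = GPO("Baseline", {"screen_lock": "10min"})
    wallpaper = GPO("School wallpaper", {"wallpaper": "crest.png"})
    root = AdOU("school.local", links=[baseline])
    students = AdOU("Students")
    year7 = AdOU("Year7", links=[wallpaper])
    staff = AdOU("Staff", links=[wallpaper])
    wallpaper.settings["wallpaper"] = "winter.png"     # edited once...
    return (ad_resultant_policy([root, students, year7]),
            ad_resultant_policy([root, staff]))        # ...seen on both branches


def demo_block_inheritance():
    """An OU that blocks inheritance drops the domain baseline entirely."""
    root = AdOU("school.local", links=[GPO("Baseline", {"screen_lock": "10min"})])
    exam = AdOU("ExamRoom", links=[GPO("Exam", {"usb": "off"})], block_inheritance=True)
    return ad_resultant_policy([root, exam])


def demo_google():
    """The same intent in Google: no shared policy object exists, so a value is set
    on a common ancestor and each OU's override is local to that OU."""
    root = GoogleOU("school", {"screen_lock": "10min", "wallpaper": "crest.png"})
    students = GoogleOU("Students")
    year7 = GoogleOU("Year7", {"wallpaper": "winter.png"})   # overrides only here
    staff = GoogleOU("Staff")
    return (google_effective_policy([root, students, year7]),
            google_effective_policy([root, staff]))


if __name__ == "__main__":
    print(demo_one_to_many())
    print(demo_block_inheritance())
    print(demo_google())
```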

While we are on the subject of similarities and differences there are others that are worth mentioning.

A Google OU, like a Microsoft OU, can contain users and devices, but it cannot contain other common objects such as groups, contacts and calendar resources. These items exist but are not managed within the OU structure.

A Google OU hierarchy has a direct relationship with network services such as mail, drive and the user application set. Allocating and deallocating these resources is far easier in the Google world.

Lastly, because Google maintains the backend infrastructure, the management console can be presented as a simplified set of services that can be turned on and off at the OU level. For a school administrator this is a far easier concept to understand than the Microsoft model, which has to expose the underlying infrastructure using objects such as networks, servers and data connectors with configurations and controls at each level.

So where does that leave the Microsoft sysadmin?

From my experience the immediate reaction of most AD administrators to the Google admin console is either dismay at its apparent simplicity or frustration at not being able to work at a ‘lower level’.

However this is a misconception. The Google console still has enough subtlety to trip up the most confident Microsoft admin as well as an API powerful enough to meet the requirements of the most hard-core PowerShell addict.

With a bit of effort it can be made complicated, so there's still hope.

Monday, 31 August 2015

For SaaS sake Flash must go!

If I could remove the most irritating obstacle to the effective teaching and management of IT in schools I would make Adobe Flash disappear, never to return. 

But why pick on the friendly graphics environment with the free player that has given students so much fun over the years creating dancing sprites and spinning boxes, and is the bedrock of many educational websites? What harm does it do?

Where to start?

There’s little point rehashing the many articles that detail the numerous and ever increasing number of security faults, the drain on local resources or the failure of Flash to improve in either area in its fifteen years of existence. Indeed, the Steve Jobs article Thoughts on Flash explaining why Apple would not allow Adobe Flash on the iPhone, iPod touch and iPad remains as prescient now as when it was first published in 2010.

However the recent spate of well publicised security loopholes has reached a point where content providers such as YouTube can no longer afford the risk of supporting it, and most commentators are calling for its demise.

In fact some security experts have made the point that the only people who seem to be supporting Flash these days are the criminals who continue to use it as a platform to deliver Trojans, keyloggers and other undesirables, normally through a fake 'Flash Player Upgrade Required' message.

However the reality for education is that Flash will be around for some time yet.

This is because far too many educational websites are dependent on its capabilities even though HTML5 now provides a viable alternative platform. It will take time to convert all these sites, and until Flash is removed entirely IT administrators will just have to deal with an unending stream of patches and compatibility issues while managing two completely different environments: the desktop world that uses Flash and the mobile world that doesn’t.

Make schools a Flash free zone.
In the meantime, what can you do to make things easier until Flash dies a natural death?

Move towards mobile friendly platforms.
In a classroom scenario Apple iPads, Android tablets and Google Chromebooks can help defend against the security flaws in Flash.

Chromebooks have the advantage of a secure ‘sandboxed’ operating system (Chrome OS) and a robust patching mechanism that automatically updates Chrome OS and Flash as a single unit. With Chrome OS there is nothing for the end user or administrator to configure and there are no warnings that a user can override. Since the updates are automatically managed by Google, Chrome OS is more likely to be up to date and therefore more secure.

iPads and Android tablets don’t support the Adobe Flash Player or plug-ins so the security aspect is solved. How you handle the different capabilities of the PC/Mac desktop and mobile devices in a teaching situation is another problem.

Unless the IT team is completely up to date with the weekly blizzard of security updates, Windows PCs running Flash Player are little more than network infections waiting to happen. Enjoy!

Keep the pressure up on service providers to migrate. 
Most modern SaaS services have adopted HTML5 and many well established sites have chosen to abandon Flash altogether. In some respects Chrome OS has not helped the situation by creating an environment where Flash can be run relatively safely, but it’s unlikely that this situation will be maintained for long as Google is keen to migrate towards open standards.

As part of this initiative Chrome has finally removed support for the Silverlight, Java and Unity plugins now that version 45 has worked its way through to the stable channel within the last few weeks. Starting in September, the Google Chrome web browser will no longer automatically show Adobe Flash advertisements.

The decisions made by corporate giants are outside of the control of schools but why does education insist on shooting itself in the foot by incorporating Flash programming into the lesson plan?

Flash is a dead technology; hopefully in a few years' time it will be gone. When today's students enter the job market the world will not need thousands of programmers who understand Adobe Flash.

Why not take the opportunity to introduce students to the open standard framework of HTML5, CSS3 and JavaScript? Even now the argument that Flash is the standard for industry is no longer true, and the advantages in the classroom are clear.

Almost all of the development tools and training materials are available free as online SaaS resources rather than incorporated into an expensive development suite (Adobe Creative Cloud) that requires access to a high-end desktop device before you can even get started.

Nobody could argue that Creative Cloud sits easily within a curriculum based around flexible learning practices. Why are students still filing into IT suites to share a PC for an hour a week to engage with an exciting topic that will be the bedrock of application development, media delivery and many thousands of career paths for years to come?

Cross platform open source tools can now give students an equally good understanding of the basics of image manipulation, animation and graphic design without being tied to a proprietary toolset.

Of course the argument you often hear is that once a student has mastered the basics on a non-standard platform they'll be at a disadvantage when they encounter Adobe Creative Cloud in the workplace. But honestly, does anybody still hold to this outdated idea in a world where students move seamlessly between dozens of combinations of UI styles and platforms in a single day without even blinking?

To be fair, Adobe understands these limitations within education and has made an effort to move towards a streamed delivery method, but this is still limited to offering Photoshop to North America based schools with a current Creative Cloud membership, and since it's a device licence it doesn't seriously address the issues of accessibility or cost.

It’s clear the landscape is changing really quickly at the moment and a lot of people are struggling to keep up but education really has to make an effort.

Don’t wait about, try some of the open source/SaaS based alternatives and plan for the future because in the end Flash must go.

Wednesday, 29 July 2015

Improving App Management with Google

One of the more troublesome areas of mobile device management is application distribution. This particular task has been a long standing challenge rather than a particular issue with mobile devices.

The distribution of locally installed Windows applications is seen by many as a 'black art', employing technologies such as installation packaging, application virtualization, sandboxing and any number of software suites that all claim to make the task easier. The issues surrounding app deployment in an Apple environment are equally well documented and mainly involve trying to adapt what is essentially a consumer system into something an enterprise or school can use effectively.

SaaS promises to deliver some benefits in this area. The deployment of these ‘apps’ is an easier task since most services are simply links to external websites which have few dependencies with the local platform.

Although the Apple, MS Windows and SaaS distribution models are dissimilar they all attempt to reduce the management overhead by using user groups hosted by software suites such as MS Active Directory or an MDM (Mobile Device Manager) to assign apps, rather than trying to handle multiple associations with individual user accounts.

Google G Suite for Education (GSfE) and GPfE (Google Play for Education) provide the same group management function for schools handling a Chrome/Chromebook/Android rollout, and although I've attempted to use these tools to develop a similar methodology I always seem to hit a fundamental limitation of the platform.

This is a bit worrying since thousands of schools use GSfE to deploy apps, so I can only assume they know something I don’t (which is entirely possible) or school admins are just working within these limitations. Either way it's not a good situation.

As far as I'm aware the current situation can be summarised as follows:

Within GSfE the rules that control applications are linked to units known as sub-organisations and these have two functions.

  • As a container for users and/or managed devices.
  • As an object that an administrator can set policies against.

This is all very well except for the one feature of sub-organisations that makes them completely unsuitable for app management, namely that a user or device can only ever be in one sub-organisation.

This type of grouping works well in a simple scenario where all the pupils in a lower year require the same app but it falls apart rapidly when you consider subject sets rather than year groups.

It’s a fact of nature that a child will only ever be in one year group but he/she will be in many class sets, and GAfE does not support a one-to-many relationship with respect to sub-organisations.

What this means is you can’t create subject classes using sub-organisations in GSfE because a deployment of the type below is impossible.

Sara      History sub-organisation
Philip    History sub-organisation

Philip    French sub-organisation
Jill      French sub-organisation

Jill      Maths sub-organisation
Sara      Maths sub-organisation

Unfortunately the most useful object for application deployment is the subject class set.

The year group has a role, but you need to be able to deploy against the subject/class area, especially for the older pupils. The problem is eased by free apps that you can throw about like rice at a wedding, but if you purchase an expensive Chemistry app you need to be able to deploy it directly to that class - and you can't create a Chemistry class as a sub-organisation.

A Google Group can support a one to many relationship but groups have no role in app management. Even in GPfE (Google Play for Education ) where groups make a cameo appearance it’s only as a shortcut to populate a user list. Within GPfE groups are not persistent objects for the purposes of app management.

So let’s imagine we live in an ideal world where all things are possible.  How would it work?

Well, not with a sub-organisation because it doesn't currently meet the requirement. Google Groups are better but they’re far too clunky in the way they are exposed through GSfE.

Fortunately there’s another candidate which is far better suited.

What if you could assign apps directly to a Google Classroom through GPfE or GSfE?

Behind the scenes the User -> App relationship would still be maintained but this would be hidden by a higher level Classroom -> App relationship. Even better, you should be able to create an “Apps Set”, a grouping of applications that you could also manage as a unit.

Open GPfE, assign an AppSet to a Google Classroom - job done till next year.

This may be a bit fanciful, but the reality is that the sub-organisation is unsuitable as a unit of management and the User -> App relationship in GPfE is unworkable at scale.

Google must know this and probably have the 'smarts' locked in a room munching jelly beans sorting it out at the moment.

If they could build on the success of Classroom and integrate the two features the result could be a show stopper.

UPDATE: 
In February 2016 Google announced that it was dropping the Google Play for Education Program.  It would be nice to think that there is an alternative strategy in the pipeline based on Classroom or at least similar to that described above. Here's hoping.

UPDATE: 
At Google I/O 2016 Google announced that the Google Play store will be accessible on a Chromebook and, more importantly, that it will be manageable through GSfE. The upshot of all this is that the Google Play for Education Program has re-emerged fully incorporated in GSfE with Android apps running on Chrome OS. Great move, but let's wait and see what that implementation looks like.

Android Apps in EDU could create Angry Admins.


Monday, 13 July 2015

End of year report for BYOD.

Was Bring Your Own Device (BYOD) in schools ever a good idea? Let's take a step back.

The year was 2010 and the web was already full of engaging educational content. The move towards anytime, anywhere learning had the potential to bring  substantial benefits to education but only if students had access to an internet friendly mobile device.

Faced with an aging estate of netbooks and laptops, a dusty old IT suite running Microsoft XP and budgetary constraints it seemed logical to address this issue by allowing students to use their personal smart phone, iPad, or tablet in the classroom. The devices were coming through the school gates anyway so why not turn a problem into an opportunity.

Schools assumed that this would lead to a proliferation of device types but believed that by creating a multi-device classroom students could work collaboratively, choosing to work with the most appropriate device and in the end it would all be well.

Although BYOD addressed the immediate problem it also served to create a whole new set of challenges, mainly around the areas of compatibility, security and management, and so it might be a good time to see where we are with this initiative.

The BYOD Report Card.

In all truth BYOD never had a hope of meeting the high expectations of education once the realities of the classroom set in.

I have no empirical evidence for this but most BYOD programs that I have come across simply provide the student with a school funded data plan for their smartphone and while BYOD made it to school, it never quite got into the classroom.

In the end it proved too difficult to incorporate a set of devices that supported different application sets, screen resolutions, graphics plugins, data transfer models and wireless capabilities into a lesson plan that attempted to use the best features of each platform.

There was too much temptation to work to the lowest common denominator which helped nobody.

“Could you turn on your device and those of you who have managed to get a wireless connection please go to the ‘flash free’ mobile friendly URL I’ve written on the board. Those of you with a Blackberry and a Kindle…”

A common reaction was to employ variations of the BYO-SAD model (Bring Your Own School Approved Device) which was often viewed as backdoor approach to parental contribution and ran into problems with inclusion since the 'school approved list' normally only ever contained one item - an iPad.

Even with some standardisation the problems were only just starting to emerge.

Schools often found that introducing BYOD impacted the performance of their nascent wireless network. From supporting a class-set of laptops the admin suddenly had three hundred disparate devices on the network.

A software management suite became essential and what looked like a quick fix now required a wireless upgrade and the onboarding tools necessary to control access to the network in a secure manner.

But these were personal devices outside the authority of the school. How do you place them under policy control in an acceptable way without incurring an MDM licence that was never budgeted for?

In many cases the management overhead became impractical or too costly and so the grand scheme was reduced to a glorified guest network for students who, to their credit, used it as a real learning resource as well as catching up with friends on Snapchat, Wickr and WhatsApp during the recess.

Unfortunately, after the first e-safety concerns were raised it was found that the edge security solution couldn't filter the traffic and had no way of blocking applications from devices without incurring another management licence and the displeasure of the student body.

The cheap and easy solution suddenly wasn’t looking so cheap or so easy.

So where does that leave BYOD in 2015, pass or fail? I think there are two ways of looking at this.

One grade card says FAIL (F-) and proposes replacing BYOD with a properly managed 1:1 programme to solve these issues. The principal driver for BYOD was cost and this has been massively reduced by the introduction of commodity devices such as Chromebooks and cheaper tablet options. We may have reached a point where the amount of time and money used to manage BYOD is fast approaching what it would take to implement a proper 1:1 Chromebook/tablet programme on a unified platform.

The other marker says PASS (B-) but don't try to manage it, because without spending serious money on MDM licences you’re wasting your time.

If you want a ‘managed’ environment you have to control the end user device. The move towards secure encrypted communication in the last few years now means that peeking at the traffic to find out what’s going on is not going to tell you what you want to know.

Students are smart and without complete control of the user device they’ll get around any mechanism put in their way. So if you want BYOD you'll have to open it out and trust your students.

After all it's their device and they are the new masters of the digital world.

Tuesday, 30 June 2015

Web Filtering for the SaaS School - Part 2

In a previous blog we saw how the functionality required from a modern web filtering service has expanded beyond the simple on-premise server installation that fulfilled this role a decade ago, and proposed that SaaS is now in a position to deliver a better solution than an on-premise server.

Instead of just looking at the current options and then tabulating the pros and cons (other sites do this so much better) let's play a mind game and list all the things we'd like from a filtering solution in a perfect world and see where that leaves us.

  • The system must be able to interpret encrypted traffic. Ideally this would be without the overhead of deploying local certificates or any local configuration but if this isn’t possible the device management should be simple and non-invasive.

  • The service should not have any hard limits and should be capable of scaling up and down on-demand.  The solution should operate the same way for a 10 user installation as a 10,000 seat install and the migration between the two should be seamless without any hardware or licensing breakpoints.

  • The solution must be fault tolerant across the whole product range and be backed by an SLA which guarantees at least 99.9% uptime.

  • The solution must be simple to install and provide a trial option.

  • The service must have the option for ‘remote’ operation to protect 1:1 devices outside of the schools network.

  • The filtering policies and reporting tools must be accessible from any location or device without VPN assistance and have a multi-site capability that comes as standard.

  • Policies must be driven from an existing student/group database without any data re-entry.

  • All software, firmware and product updates must be applied automatically without any local user intervention. A configuration backup will also be made automatically and held off site as part of the service.

  • Licensing is simple, based on user or device with no up-front installation costs and with the option of short term contracts.

  • There should be no requirement to provide third party hardware, software or licensing to support the service.

  • The service should not increase the quarterly power bill, but if it does it must display an exciting set of flashing lights and be finished in a bright primary colour to give the impression of modernity and general funkiness.



Now the question is - how many of these requirements are likely to be fulfilled by an on-premise filter?

Of course the requirements are skewed in favour of SaaS and they could have been summarised in a much simpler list:

  • easy administration through a web console
  • automatic updates and patch management
  • elasticity on-demand
  • subscription licensing model with no barrier to entry
  • remotely hosted with built-in fault tolerance
  • SLA implicit with the service

but that doesn't make them any less desirable with respect to content filtering.

The final takeaway is that the move toward secure communication has fundamentally changed the playing field.

What used to be a simple function of running a lookup on a web address has now become a processor-intensive operation that will only ever increase with time, and the most efficient way of doing this is in the cloud, where the unit cost of those processor cycles is far cheaper than on an on-premise fixed-capacity server.


SaaS Options.

There are a number of companies that can offer web protection as a true SaaS service with no on-site component.

GoGuardian has developed a service that focuses specifically on the education Chromebook space.

Securly offers a comprehensive package specifically for education that covers a range of client types. Interestingly they recently announced the possibility of SSL decryption without configuration files, which would provide a clean sweep of the "wish list".

At the same time the standard players such as McAfee and Symantec have caught the trend and are now offering a SaaS option as part of the product line.

And of course there's always the option of the brightly coloured box if you like that 'retro' feel.





Thursday, 18 June 2015

Web Filtering for the SaaS School - Part 1.


It used to be so simple, where did it all go wrong?

In the past managing student web activity usually involved installing an in-house proxy server, commonly Microsoft Threat Management Gateway (TMG) or, even further back, Microsoft ISA Server. Client web traffic was forwarded directly to the proxy server, which queried the web on the user's behalf but only after passing the request through a series of filters that denied access to sites displaying inappropriate material. All of this was neatly integrated into Microsoft AD security for ease of management.

Alternatively the school could rely on a 'clean' feed provided by an educational authority, district or ISP, so long as you were happy with a 'one-size-fits-all' approach.

All was well with the world... and then it went horribly wrong.

It is difficult to say exactly when this happened, but Microsoft's formal announcement of the end-of-life for TMG in 2012 without providing a direct replacement for outbound URL filtering was probably the start, although things were not well in the 'walled garden' before then. The idea that you could effectively 'whitelist' the internet had long gone and the expansion of platforms such as YouTube to include educational content meant that IT services were under pressure to unblock access to sites previously viewed as undesirable.

However there are other suspects in this crime.


The growth of interest in BYOD and 1:1 tablet programs meant that configuring proxy settings on each device added a new layer of administration outside of Active Directory group policy.

In addition, students using iPads and Android tablets were no longer authenticating against Active Directory before browsing the web. A workaround required the student to provide a username and password using a captive web portal before proceeding. This worked pretty well for simple web access but proved a challenge for tablet apps that were not expecting a "call home" to return the captive portal page.

Things were getting difficult.

For a while the solution seemed to be to install the filtering service in-line with the firewall (transparent mode), silently ‘snooping’ on the packets as they pass between the user device and the internet. This certainly made device configuration easier (there wasn’t any) which fixed the BYOD and app issue although user identification remained a challenge.

All was well for a while until Google announced that as of 23rd June 2015 the Google search services would move all search results behind SSL encryption.

This means that in the future the session from the device to the internet will be encrypted end-to-end, and although a transparent proxy could still access the data packets it could not decipher the information to make any sensible decisions with regard to filtering. So as Google and other content providers made the switch to secure communication the transparent proxy, which had solved so many problems, effectively became 'blind'.

As a quick fix schools simply blocked sites that used a secure connection or bypassed the proxy entirely but this quickly became impractical as more external sites adopted the secure standard.

The transparent proxy approach has survived, employing the latest encryption standard (TLS), which is slightly more cooperative with regard to filtering. Using TLS the gateway knows that a device has accessed YouTube but has no further details as to what resource the student is requesting from that site.
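To make that "knows the site but not the resource" point concrete, here is an added example (not part of the original post, and not code from any vendor mentioned) showing what an in-line filter can recover from the first client packet of a connection: for plaintext HTTP the host and path are in the clear, whereas for TLS only the Server Name Indication (SNI) hostname in the ClientHello is visible. Both the HTTP request and the ClientHello bytes are constructed within the script rather than captured traffic, and the hostname and video id are placeholders.

```python
"""Plaintext HTTP vs. TLS: what a transparent, in-line filter can see.

The ClientHello is built here from the TLS 1.2 record layout (RFC 5246) with a
single server_name extension (RFC 6066); the HTTP request is likewise a
constructed sample. Neither is captured traffic.
"""
import struct

# Constructed sample inputs (placeholder video id, not a real resource).
HTTP_REQUEST = b"GET /watch?v=EXAMPLE_ID HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"


def http_request_target(request: bytes):
    """Return (host, path) from a plaintext HTTP/1.x request head, or None."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break
    return host, parts[1]


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying one SNI entry."""
    name = hostname.encode("idna")
    # ServerNameList: list length, name_type 0 (host_name), name length, name.
    sni_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + bytes(32)            # random (zeros; constructed sample)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\xc0\x2f"  # one cipher suite: ECDHE-RSA-AES128-GCM-SHA256
        + b"\x01\x00"          # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI hostname from a ClientHello record, or None if absent/malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:  # handshake record, client_hello
            return None
        pos = 9 + 2 + 32                 # record+handshake headers, version, random
        pos += 1 + record[pos]           # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
        pos += 1 + record[pos]           # compression_methods
        if pos >= len(record):
            return None                  # no extensions block at all
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0x0000:       # server_name extension
                name_type = record[pos + 2]
                name_len = struct.unpack_from("!H", record, pos + 3)[0]
                if name_type == 0:
                    return record[pos + 5:pos + 5 + name_len].decode("idna")
            pos += ext_size
    except (IndexError, struct.error, UnicodeError):
        return None
    return None


def filter_view(packet: bytes) -> dict:
    """What an in-line filter learns from the first client packet of a flow."""
    if packet[:1] == b"\x16":
        return {"protocol": "tls", "host": extract_sni(packet), "path": None}
    target = http_request_target(packet)
    if target is None:
        return {"protocol": "unknown", "host": None, "path": None}
    return {"protocol": "http", "host": target[0], "path": target[1]}


if __name__ == "__main__":
    print(filter_view(HTTP_REQUEST))
    print(filter_view(build_client_hello("www.youtube.com")))
```

The TLS view yields the hostname only, so a policy that needs the path (block one video, allow another) cannot be applied without terminating the session at the proxy, which is the "relay" model the post goes on to describe.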

A number of workarounds quickly emerged but most fell back on a variation of the 'relay' model whereby the client held a secure connection with the gateway and the gateway maintained the secure connection to the external service. Unfortunately this simply reintroduced all the historical issues with client configuration (with the addition of certificate deployment) as well as loading the proxy with significant amounts of additional processing as it encrypts and decrypts the packets.

Which is pretty much where we are today. Frankly it's a bit of a mess.

So in the future what's likely to happen, and how can SaaS help?

There’s little doubt that sites will continue to adopt secure protocols until it’s the de-facto standard for web traffic. Traditional on-premise systems will just have to come to terms with the fact that the data stream from client to host will be encrypted.

Protocols like TLS provide some visibility of the stream but not enough to support a comprehensive filtering service. Filtering support is a by-product of using TLS and is not its prime purpose so we can’t expect improvements in this area to deliver the solution.

Currently on-premise proxy servers can intercept the secure channel by acting as an intermediary and decrypting and encrypting the packets as they pass through but this activity is processor intensive and to achieve this on any scale without affecting latency is not going to be easy especially as the proportion of encrypted traffic rapidly increases.

So when the renewal of the proxy support contract comes around do you invest in a tin box that can handle your school's current data load or the projection for the next three years? Are you going to be forced to purchase an expensive device that can handle the peak loads prior to the exam season only to remain idle for four months of the year?

Remember you still have the problem of client proxy management, certificate deployment and user authentication on top of this.

Or maybe we should just throw away all the historical baggage and design a system for the world of mobility and SaaS.

And if we did this, what would it look like and what advantages do you gain?

Web Filtering for the SaaS School - Part 2.

Further Reading.
Adam's blog gives an excellent technical summary of this issue.
http://adamwelch.com/2014/11/google-ssl-search/



Sunday, 24 May 2015

"New Skool" Wireless Security

We all know about wireless security. It’s written on stone.

First, you need some form of management software to create a security profile which includes a wireless key or a certificate to identify the user or computer on the network. If you have a BYOD policy you may well have a second process that enrols personal devices through an on-boarding mechanism that makes use of a second security profile. Lastly the customary guest network is thrown in, possibly using some form of token system to drop guests into a third profile.

There are variations of this with various licence requirements and dependencies on local services such as certificate authorities, RADIUS servers and captive web portals.

There's no point in questioning this because you need a wireless security layer to safeguard... well, what exactly?

In a traditional network you have all sorts of physical resources that you need to protect, the console ports of storage devices, servers and UPS systems.  Ideally administrative and personal data shares should not be visible from the guest network and you may want to protect the servers that host the core applications such as SIS/MIS from student access and the BYOD network.

Traditional installations can't be both secure and simple, so we're all stuck with this complexity for a few years yet. Enjoy the experience.


But what if you don't have any servers, local data or applications, do you need the same level of network security?

Once you are outside the school gates SaaS systems are unprotected by any mechanism that controls access to the network, so why is the requirement imposed when you're inside the school?

There are two reasons why you might want some level of access control. The first is to force the user to present a set of credentials so network activity can be linked to a user account, and the second is to safeguard the one important resource that SaaS depends on, the bandwidth of the internet connection.

To take the last point first.

Protecting bandwidth only becomes a requirement when you don't have a lot of it. In some parts of the world (particularly the Far East) institutions and governments have made investments in fibre infrastructure, which means gigabit connections for larger schools are not uncommon. While this is very much the exception and will remain so for a while, there is only one trend and that's for higher bandwidth at cheaper rates. There'll come a point when the effort to maintain the barriers to this ubiquitous resource just won't be worth the time or the cost.

After all, do we meter water usage and electricity on a per-student basis, or charge visitors to use the rest-room or recharge their mobile phones? A flippant example perhaps, but you get the point. In time broadband will be just like any other utility resource and the layers of protection will be replaced with monitoring and basic management.

In the meantime, if we assume that access to the network for guest/BYOD devices will be through the wireless APs, a basic safeguarding process could be put in place by using the 'bandwidth throttling' mechanism supported by almost all enterprise wireless vendors' systems.

The user identification issue has some validity but the protection cannot be placed at the wireless access level because every student has a smartphone with a personal data plan. In a SaaS school this will work in exactly the same way as devices provided and managed by the school, and since the school has no control of this connection the game is over.

In a SaaS school the security boundary has to move back to surround the SaaS suite itself, which includes content filtering. Authentication in the future will use a cloud-based user database such as Google or Windows Azure Active Directory (WAAD) rather than in-house servers, with an 'easy to use' single sign-on wrapper provided as part of the service. SaaS providers such as Securly and GoGuardian have recognised this and have rushed to fill the gap in the security market with offerings that have proved very attractive for education.

Having said all that, it would be really nice if wireless vendors could wake up to the inevitable demise of in-house RADIUS and certificate servers and provide a simple, easy to use service that can utilise a cloud-based user directory such as Google.

Ahhhh... network level protection, there you go. I guess I'm "Old Skool" at heart.

Update:  Meraki now offers authentication with Google.



Saturday, 2 May 2015

Building blocks for the Serverless School.


A serverless school is likely to be built around a core service provider such as Microsoft Office 365 or Google G Suite for Education, or even a combination of the two.

However the range of services demanded by even the smallest school requires multiple SaaS offerings to be brought together in order to provide a complete solution. This includes both the software to support the curriculum and the basic facilities you need to operate a modern school.

These could include the school information system (SIS/MIS), a finance system, a learning management platform, content filtering and classroom management, digital signage control, catering systems, print management, mobile device management and telephony.

These SaaS services are the 'building blocks' of a serverless school.


Up until a few years ago it would have been difficult to deliver these essential elements using SaaS alone but the rapid migration of established utilities into the cloud, matched with a number of innovative new start-ups means that schools not only have the option of SaaS but a wealth of choice and competition in some areas.

This is clearly seen with respect to school SIS systems, a business area previously dominated by a few large players which is now being challenged by multiple SaaS providers. A similar movement can be seen in the LMS/VLE space, which is now almost exclusively SaaS based.

SaaS changes the dynamic between the consumer and provider.

No longer is the consumer tied into long term contracts with expensive software maintenance options. The SaaS provider is measured solely on the quality of the service and if they don't meet expectations the consumer has the option to migrate.

For this reason SaaS offers almost continuous improvement since providers must remain responsive to customer demands to remain competitive. Updates are more frequent and new features are immediately available.

Software suppliers can't fall back on the old "you need to upgrade your hardware"  or “it’s in the next release” excuses.

The customer base moves forward on the same software version and providers are no longer hampered by an expanding matrix of versions/OS platforms which inevitably slows down the release cycle to a single major update a year.

There are some negatives. The data integration between SaaS providers is still problematic and the customer has the responsibility of understanding how the school's data is protected and how it can be recovered, but generally the situation is far superior to the old model of local server-based applications, which is best summed up as "install and forget".

There is one aspect of SaaS which is often overlooked when it comes to education, namely that it provides a level playing field for all schools regardless of size and location.

A SaaS service accessed by the largest university in a metropolitan area will contain the same core set of services available to a small primary school in a rural village.

The fixed capacity of on-site servers no longer creates a barrier to advanced services.

That's a big change and worth the price of the ticket alone.


Saturday, 25 April 2015

If VDI is the answer for education, maybe it's the wrong question.

The idea behind Virtual Desktop Infrastructure (VDI)  is quite compelling.  Instead of running the Windows operating system on a local machine you run it as a remote instance in a server room and the client connects using a network protocol such as RDP or PCoIP from a 'thin client' which can be supplied at a lower cost than a fully featured PC.

On the face of it this is quite an attractive proposition for education because it addresses some of the core problems that plague ICT teams in larger schools.

Windows Management and Application deployment: All the desktops can be deployed from single 'golden' image and applications layered into the image would be immediately available to the users providing a unified and consistent experience for every user.

Desktop Refresh Cycle. Since the local clients are no longer running the operating system these can be provided as 'thin clients', allowing ICT suites to be replaced at a fraction of the cost of fitting out the same area with Windows PCs and giving low-end devices a new lease of life.

Cross Platform capabilities and Remote Access. VDI offers the possibility of running a Windows desktop across a range of devices including tablets and low specification netbooks allowing the desktop to be accessed anywhere - ideal for the new bold BYOD strategy.

So there you have it  - Microsoft Windows finally brought under control as a unified desktop delivered across a range of cheap end user devices to any location, using a solution that has a proven track record in business.

What could go wrong? As it turns out, quite a lot.



The reason why VDI projects often fail in schools can form a pretty long list but here are the main culprits.

Schools normally underestimate the processing requirements for the backend server farm.
Those desktops in the ICT suite may be old, but if you total up all the processing and memory in those dusty grey boxes it still adds up to quite a bit. This has to be matched in the backend server farm because, contrary to the common perception, VDI does not give you something for nothing. If the backend is not specified correctly you end up with something that's slower than the original system, not faster. The hardware and licensing for a server farm to support VDI is an expensive investment. Fixing a VDI solution that has been under-specified is doubly expensive.

Schools use a lot of multimedia.
VDI is brilliant at a number of things but extremely bad at a number of others, and one of those is multimedia. There's a simple reason for this. All the desktops are running on a server, a piece of hardware that has been finely tuned over time to provide a fast response for most things but not console graphics. As the students fire up a browser and drop onto YouTube every single one of those desktop images is sharing the same graphics card. Ever since VDI was introduced numerous attempts have been made to work round this limitation (offloading to the client, protocol improvements, specialised graphics hardware), each one adding cost and complexity and reducing the levels of compatibility for the client. Could there be a more inefficient way of delivering a simple browser session? I doubt it.

The cheap thin clients were never cheap or thin.
To make VDI work 'thin clients' have ended up being quite sophisticated machines in their own right with prices that are close to low end PC's.  As new form-factors emerge that can provide a fully featured Windows 8 desktop for $170 it's clear that the savings were never really there, especially when the management licence was also taken into account.

VDI is inefficient.
It's important that the VDI server farm is available at all times. Unlike a PC, when a VDI system is down a thin client is just a desktop paperweight. This means building resiliency into the system and there's no way of doing this without providing spare capacity that you end up paying for but not using.

Schools use a lot of peripherals.
Over the years VDI has become better at supporting a wider range of peripherals but it's never going to rise to the challenge that education throws at it. As a result VDI rarely replaces every device in school and generally struggles in areas such as media, music and technology. Unlike the business world, VDI in education will always be a specialised use-case, normally covering the ICT and LRC suites. By the time you have excluded all the areas where VDI doesn't apply, is it really worth it?

VDI is really just a 'band-aid' for Windows apps.
Let's be honest, VDI is being introduced in your school for one of two reasons:
  • A last desperate attempt to move Windows apps into the age of mobile computing.
  • Trying to extend the life of an ageing Windows-based ICT suite.
The first one doesn't work. Have you ever tried using a five year old Windows application on a tablet through VDI? The user experience is horrendous. Wouldn't it just be easier to find some modern SaaS services to meet the requirement?

I'm not sure that any cost analysis would show that adopting VDI long term would be cheaper than adopting SaaS (or a tablet app based solution) and re-equipping the ICT suite with devices like Chromebases. The cost of the VDI will go a long way towards providing multiple class-sets of modern mobile devices running SaaS applications.

VDI is not a 'hobby' skill.
Managing VDI is not rocket science but it's still a specialist skill that's very unforgiving for somebody learning on the job. Messing up an image for one PC can be overlooked but hosing the gold image for your VDI farm is far less amusing to the teaching team. How many schools can justify investing in the training required to manage VDI effectively, and what happens when that skill walks out the door to a much better paid job in business?

Schools use a lot of software.
In business the average desktop might support a dozen titles on top of Windows and Office, and most of these are well understood when it comes to integrating into VDI. In contrast schools use hundreds of software titles, many of them completely unsuited to VDI. After the investment in training, the biggest hidden cost for VDI is the time spent packaging software.


The strange thing is that local processing was never a bad idea in the first place.

The best experience of a Windows package is gained through a local installation running on a suitably configured machine placed in the hands of the end user.

A class group running local applications will be resilient, scalable, adaptable and remain responsive under load. After all that's how an iPad works and they've been fairly successful in schools.

If you still need to keep those PC's running, SaaS is the solution - not VDI.

VDI doesn't solve an application problem, it solves a management problem, but in doing so only creates a raft of other issues. So maybe it's time to look at the question again and see if there is a better way of doing it, perhaps not using on-premise servers at all.

Tuesday, 7 April 2015

SaaS Cost Shock for Schools.


Here's a shock announcement for all schools considering replacing on-premise servers with Software as a Service (SaaS).

A subscription based SaaS service can always be proven to be more expensive than the traditional on-site solution it replaces.

It's not really a shock, more like simple math. If you sign up for a service that costs $1 a year for an infinite amount of time it's going to cost you an infinite amount of money.  OK - that's a trick but you get the idea.

The point is that evaluating the financial implications of adopting a SaaS service requires a different perspective to purchasing an on-site server to run a VLE.

The most obvious point is that, with SaaS the school only pays for the service and nothing else.

With the on-premise approach the consumer must first invest in hardware to host the service along with a covering warranty, a service level agreement (SLA) for the software and an ill defined, fuzzy grey area around backup, configuration, support  and quality of service.

With SaaS the investment covers the service itself, a proposition that's far easier to understand and plan for.

When you subscribe to a SaaS service a service level agreement is implicit in the offering; the two cannot be separated. As an example, Google Apps for Education is backed by 24x7 phone support, 99.9% uptime and ISO 27001 certification. Microsoft Office 365 has something similar. For most paid subscription services a failure to meet the SLA may result in an automatic service credit or an extended licence period.

When an on-premise solution is proposed how often are the additional costs factored in? These include utility bills for power (heating up the server) and air conditioning (cooling down the server that you've just paid to heat up).

There are also charges around providing security and backup, as well as the inevitable upgrade cycle.

These are the obvious culprits but the hidden costs are even more insidious. These include software upgrades and the investment in local expertise to manage the whole complex environment.

How many schools (and small businesses) have been thrown into a spin when Dev or Sue decides to leave, taking their knowledge of the IT system with them? Maybe you can fall back on the documentation, but pressures on time and the constant upgrade cycles mean that documentation is rarely maintained or kept up to date.

Is it important that the blue box in the corner has a flashing red light, who knows?

A SaaS solution is simpler due to the fact that the customer only has to manage the service and not the supporting platform. It has no flashing red lights. Well it does, but you don't see them and, more importantly, it's not your problem. When upgrades are scheduled they are handled automatically, which means the upgrade cycle for SaaS is significantly faster than for on-premise software.

Given any requirement with a fixed budget, a SaaS solution will be cheaper in the short term because so many of the services are free and the initial barrier to entry is so low. In the long term SaaS needs to be viewed as part of revenue (like water and electricity) which can be turned on and off, not as a capital investment project.

At a time when schools are looking to build a sustainable, long term IT strategy, surely the answer can't be to commission more on-premise servers.

That shouldn't be a shock.

Sunday, 29 March 2015

DaaS in schools - solution or 'band-aid' ?


A SaaS school that has a requirement to support legacy Windows applications for established lesson plans or external assessment could solve this problem, at least at a technical level, by using Desktop as a Service (DaaS).

DaaS is a cloud service in which the Windows desktop is hosted by a cloud service provider. The DaaS marketplace is still very new but already contains offerings from Amazon, VMware and a DaaS type service from Microsoft.

The delivery model for DaaS is still being developed but it creates some interesting scenarios.

For instance, if a school needs fifty Windows desktops for a lab environment it simply 'leases' them from a DaaS provider without any capital investment. Once the desktops are no longer required the lease is dropped.

The school could have multiple images - each specific to a curriculum area. The ICT lab could use cheap commodity devices such as Chromebases and the student simply selects the correct image for the lesson plan. Once the session is launched in full screen the lab will appear to be running full Windows desktops. User state and file management would still be through Google Apps allowing the OS updates to be discarded on shutdown. Maintenance of the Windows environment is the responsibility of the provider not the school.

Costs for a DaaS service are starting to emerge. At the moment standard business rates apply and this places it out of reach of most schools. However, with strong competition between VMware/Google and Amazon this situation is not likely to last for long, and there may be space in the market for a DaaS provider to address the EDU market directly, perhaps by balancing lower prices with reduced service levels and smaller images.

As an alternative to DaaS a new type of "video streamed" application is also starting to emerge with the new version of Adobe Photoshop. Currently this is only available in the US for education accounts with a paid Creative Cloud membership, but it does allow Photoshop to run on a Chromebook or an Android tablet.

A streamed version of Photoshop runs straight from the cloud to the student's mobile device. It's always up-to-date and integrates with a cloud storage provider such as Google Drive, so there's no need to download files over the internet connection. Data are moved directly between the two SaaS providers, removing any limitation of the school's internet bandwidth for large editing jobs. The reported bandwidth required for streaming the app is 250Kbs, which puts multiple sessions well within the capabilities of a 100Mbs connection.

Adobe has shown that in the long term it's likely that many of the major graphics and media packages will be re-written for SaaS and move over to a subscription model. Currently there is still a dependency on Adobe Flash to provide a functional interface, which prevents a true cross-platform solution. The widespread adoption of HTML5 is starting to reduce this dependency and companies such as Polarr are showing what can be done.
Polarr Version 2
In reality the issue of maintaining and supporting traditional windows applications is being addressed in two ways. SaaS is starting to provide the rich experience that users have enjoyed with local applications and mobile apps are replacing the large monolithic software suites that have dominated the desktop for years.

Perhaps the role of DaaS is to act as a 'band aid' for a limited period of time until the authorities that set curriculum and assessment standards finally understand that the workplace of 2020 will be nothing like that of 2010.

So maybe the question is - by the time DaaS becomes affordable for education will it be relevant?



Sunday, 1 March 2015

SaaS and the Technical Refresh

For a school undergoing a technical refresh a SaaS approach has a number of advantages over the traditional model. This becomes clear when you examine some of the common problems encountered delivering a traditional solution and how SaaS solves these issues.

Definition.

Traditional: The traditional approach relies on a standard cycle of meetings, telephone conversations and emails between internal groups and vendors to capture and define the requirements and translate them into a formal quote. There is very little structure or continuity to the process and detail is lost in the translation between the teaching staff, on-site ICT team and the vendor.

In the early stages there is rarely any transparency in the costs and the customer often ends up specifying a solution which they subsequently find to be outside their budget, and the cycle has to be repeated. There is almost no chance to ‘try before you buy’ and items are ordered in blind faith or on a recommendation from a third party that doesn't fully understand the local requirement.


Lastly the service has to be signed off against a final cost which may include a combination of hardware, software and professional services (support/installation/maintenance), all of which makes budget projection going forward very difficult. Because of hardware constraints some vendors have break points in the pricing which can make moving between 500 and 501 users an expensive operation. Software sold in licence blocks has a similar effect.

If on-premise hardware is required you can guarantee that at some point this will be out of support, incurring an additional cost which is rarely factored in at the start of the project.

To recover the investment made by the vendor in this inefficient process, traditional services often come with a fixed term contract - the shortest term commonly being one year - locking the customer in without options for change.

SaaS: Delivery of a SaaS solution works in an entirely different manner. In a fully developed SaaS model the customer experience will be almost entirely self-service. Costs will be presented as subscription items, with many vendors offering a "freemium" tier to trial the service. In addition SaaS services do not require a long term commitment and work with a shorter billing period of one month.

Services are normally itemized as a per unit cost with additional features built into a premium offering. The ideal metric for a school would be per-pupil costs, to allow them to easily estimate costs against a revenue model. The base cost is often kept as low as possible (preferably zero or hidden) to reduce the barrier to entry.

With SaaS the customer should be able to identify the majority of the solution, with a good idea of ongoing costs, before any engagement at a formal level. Everything is organised to encourage trial and experimentation, which leads to a completely different management model.



Delivery and Management.

Traditional: The standard management approach to software in schools is to support a fixed set of titles classified as a "software catalogue". The catalogue defines all the titles that are either pre-installed into the base image or deployed across the network through supporting systems such as Active Directory.

Because of the high value of many of the packages and the fact that the licences are non-returnable, the teaching team are not encouraged to experiment and may not even have the rights to install software locally. Deployment is normally managed through the ICT team, whose principal responsibility is to maintain a secure, robust environment for teaching - a requirement that runs counter to the type of exploratory approach which is likely to drive innovation.


SaaS: The ‘software on demand’ model does not require a rigid software catalogue in the same way that a traditional model does. Once the majority of end user devices are Chromebooks, Android tablets or iPads, local applications can be provided through a ‘store’ mechanism rather than packaged through Active Directory or baked into a base image. Depending on the individual workflow adopted by the school, teachers and students will be able to install and uninstall software on demand from a very much larger menu of titles, under the overall control of a Mobile Device Manager (MDM).

In addition to locally installed apps, SaaS now contributes directly to the range and nature of curriculum software, and in many cases there is no barrier to the adoption of these titles: they are often free or provide trial periods and have little dependency on the local hardware. The combination of these two factors means that the whole concept of a software catalogue is largely outdated, as there is nothing preventing the staff or admin team from simply selecting the tool which is best suited to the task, either from the vendor ‘store’ or from a SaaS provider. In many cases the new facility is merged with their profile as part of the cloud service, to be accessed as required. Swapping out one device for another delivers exactly the same service profile, completely negating the need for a ‘device image’.


SaaS as an Enabler.

It's clear that there is a move away from locally installed monolithic software suites. In the future tasks will be achieved using a combination of smaller applets, sometimes web based, others installed locally. This software set will be very fluid, with applets and SaaS being merged and reformed to meet personal tastes and fashions.

SaaS may even have an impact on how subjects are taught.

Consider the following scenario. Is it worth investing in non-refundable licences for software suites that are currently undergoing radical change as they move to a SaaS delivery model?

Which has more value: teaching a student how to do graphics layering in a specific product such as Photoshop, or a general approach to the concept of layering that can be applied to a range of applications? In this period of rapid change is it likely that a student will even recognize in the workplace a software product they were introduced to three years ago in school?

In conclusion, the model of software being distributed by a local ICT team through a base image or a tool such as Active Directory Group Policy has been superseded by the concept of a vendor ‘store’ and SaaS managed by an MDM. Users have realized that by using SaaS they don't actually need an ICT team to distribute and install software, and unless their requirements are fulfilled by a more flexible system the standard delivery model will simply be bypassed.

Wednesday, 4 February 2015

The Role of the SaaS Appliance


A serverless school would benefit from an on-premise appliance that is designed solely to support SaaS.

This wouldn't detract from the serverless approach so long as a few basic principles are maintained.

From a physical standpoint some things need to be avoided at all costs, such as the requirement for specialist power, racked storage and dedicated cooling.

A fundamental principle of the design is that any data held locally is either disposable or is replicated or saved to cloud storage. So technically the SaaS appliance does not require redundancy for the local drives, but since this is such a basic function of server hardware it would be negligent not to make use of it.

An ideal form factor would be the ‘micro-server’ hardware variant which would allow for a range of configurations and a protected storage array.

So what would be the core functions of a SaaS appliance?

Certainly one candidate would be to host DHCP - a service that allocates IP addresses to client devices on the local network. Loss of DHCP for any length of time would prevent new clients joining the network but would not cause the network to fail. Since a SaaS network can operate without a complex VLAN structure, the DHCP configuration would be far easier to document and recover.

A second function would be to run a DNS service in a configuration that is unique to a SaaS school. This allows the SaaS appliance to partner with an external DNS service to provide resilience if the local appliance is taken offline. Another key function would be a service such as OpenLDAP or Active Directory to provide a user accounts database and security context for the users.
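One way to realise the DHCP and DNS functions just described, as an added example that is not from the original post: it assumes a dnsmasq-based appliance at the constructed address 10.10.0.2 on a flat 10.10.0.0/24 network, hands clients the appliance as their first resolver and a public resolver as the fallback so name resolution survives the appliance being taken offline, and keeps the lease file as the only local (and disposable) state.

```ini
# /etc/dnsmasq.conf on the SaaS appliance (constructed example, not from the post)
# Assumed addressing: appliance 10.10.0.2, router 10.10.0.1, network 10.10.0.0/24.

# Only serve the internal interface; never answer on the WAN side.
interface=eth0
bind-interfaces

# DHCP: a single flat pool, no VLAN structure to document or recover.
dhcp-range=10.10.0.50,10.10.0.250,255.255.255.0,12h
dhcp-option=option:router,10.10.0.1

# Hand clients the appliance first and a public resolver second, so name
# resolution keeps working if the appliance is offline.
dhcp-option=option:dns-server,10.10.0.2,8.8.8.8

# Upstream resolvers the appliance forwards to; ignore /etc/resolv.conf so the
# whole DNS configuration is described by this one file.
no-resolv
server=8.8.8.8
server=8.8.4.4

# Basic hygiene: never forward unqualified names or reverse lookups for
# private ranges to the upstream resolvers.
domain-needed
bogus-priv

# Local state: the lease file is disposable and is rebuilt from client
# renewals; this config file is the only thing worth copying to cloud storage.
dhcp-leasefile=/var/lib/misc/dnsmasq.leases
```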


This is where it gets interesting.

It wouldn't be wise to store the user account database on the SaaS appliance without at least replicating the data to a second location; it's too risky having all that data in one place. A distributed Active Directory (AD) with multiple servers solves this problem, but it’s difficult to use AD and keep the solution simple.

The truth is that putting the user authentication service on-site just creates problems.

It has to be replicated. It has to be backed up and it has to be exposed securely to support remote access and Single Sign-on (SSO). It might sound counter-intuitive, but the local user accounts database should also be a SaaS service just like everything else.

The obvious response would be “what if the Internet goes down” - nobody can log in. Most client platforms give you the ability to use locally cached credentials, and if the school is designed for SaaS there must be resiliency on the external connection.

Anyway, think about it - in a SaaS school with no internet at all, what would you be logging in to do?

Currently the obvious candidate for a SaaS based accounts service would be Google Apps for Education which also has a built-in capability for SSO.

A similar configuration could also be created with MS Windows Server using the Azure platform to host the off-site controller, but not as easily and not without incurring ongoing charges.

There are also a number of emerging companies that are offering cloud based LDAP services but for education cost is always going to be the determining factor.

Sunday, 1 February 2015

When is Server not a Server?


Every serverless school will have at least one server.

This sounds like a contradiction - but it's not really. This is because every school using SaaS has an internet connection, and this requires a device that links the school's internal network to all those important external services.

This is the internet router and it's a server.

Sitting in a data cabinet or on top of a cupboard it may not look like a server but it will be running an operating system and it will be providing a service to the school in much the same way as a file or print server does. In this case it will be routing packets between two networks in a controlled and secure manner and maybe doing some protocol conversion along the way.

The big difference between this device and the dusty 'out-of-warranty' pedestal server under the desk is the fact that it only does one thing. The router comes with a predetermined feature set which can be adjusted and tweaked but not extended in any general manner. It's a one-trick pony.

Has your desk got one of these?

Extending the analogy further the site may have other 'servers' - some acting as firewalls and others as content filters. So a serverless school can have many servers without creating a contradiction, so long as they fulfill a single function and they are called appliances.

Another key characteristic that all appliances share is that any configuration is either replicated, easily backed up or considered disposable. This allows them to make use of low cost local drives rather than more expensive protected storage.

Even in a SaaS school it makes sense to deliver certain services locally. In the case of DHCP this is a technical requirement. In other cases, such as print spooling, it might be a design consideration based on simple efficiency.

An on-premise appliance that is designed solely to support SaaS is an interesting concept and does not detract from the serverless approach so long as some basic principles are maintained.
  • The device has a well defined role and is not considered extendable.
  • Any data held locally is disposable or is replicated/saved to cloud storage.
So the answer to the question is quite obvious.

       When is a server not a server?
       When it's an appliance.

Apologies for that.

Sunday, 18 January 2015

How do you Solve a Problem Like Windows?


Even with the rapid adoption of SaaS and AppStore platforms as the delivery mechanism of choice for educational software, the requirement to run Windows programs will remain, as these applications often have important roles within a school. For instance Windows software may be deeply embedded into the teaching practice or support the school's SiS/MIS system.

However it’s important to make one distinction. While Windows software still has some value in the serverless school, supporting the Windows desktop operating system is no more important than ChromeOS, Android, MacOS or iOS.

Courtesy of CloudTweek

In the preceding decade, when the Windows GUI underwent only a few cosmetic changes, the experience of using a Windows desktop in the classroom had some value as those skills could be transferred directly to the workplace. However with the adoption of the Metro style and the Start Bar appearing, disappearing and then reappearing with Windows 10, is there any point in a student gaining formal experience in using a Windows GUI above any other interface?

In 2015, when the majority of workplace computers still run Windows 7, how much value is there in exposing a class year group, who may not be leaving education for another six years, to a GUI that's already six years old?

However the main reason why the Windows GUI is irrelevant within a teaching context is that the future look and feel of the desktop will be based on mobile and SaaS. Students already possess those navigation skills because that's how their smartphones operate. They don't need to be shown how any desktop GUI works because the vendor road-maps all show that in time it'll be one and the same with the devices in their hand. This is as true for Microsoft as it is for everybody else.

A SaaS solution requires a method to support Windows applications but not necessarily a Windows desktop.

With the complexity of Active Directory removed perhaps Windows devices could operate in a similar manner to all other mobile devices, using local machine accounts and simply acting as stateless platforms for launching applications.

The security context and ‘state’ for each user session would be provided by cross platform software such as the Chrome Browser not the underlying Operating System (OS).

The student maintains a ‘profile’ on the device by logging into Chrome and logging back out at the end of the session. When a student signs in to Chrome, bookmarks, tabs, history and other browser preferences are saved, providing a consistent experience across multiple platforms.

The future belongs to a design that is cross platform and has the ability to adapt far quicker to emerging trends.

It's a tough call to predict what the working environment will be like for students entering the jobs market six years from now. The only sure thing is - it'll be different from what we have now!


Saturday, 10 January 2015

Active Directory: Goodbye Old Friend.


Any discussion relating to a school going “serverless” has to address the issue of Directory Services sooner or later. In many respects this is the ‘elephant in the server room’, a tricky and sometimes emotional issue that creates a stumbling block for this approach.

In the UK at least, the idea that a school could operate without Active Directory (AD) is practically unthinkable, a proposal close to IT heresy. But it can be done and there are many schools worldwide that work this way.

The problem with Active Directory is not with the directory service itself but with the tendency to expand the solution to embrace the whole suite of Microsoft services as soon as AD becomes available. It's hard to introduce AD and keep things simple. Even at a very basic level AD requires at least two servers, which also need to be backed up, patched and virus protected. You can try to keep it simple but you are soon back with the same complex system you had before. This is the Dilemma of On-Premise Servers.



What does Active Directory provide that you actually need?

Most importantly it creates a security context for staff and students. It identifies users through a username/password system and grants access to network resources such as email, documents and print based on membership of various security groups or organisational units. It also provides a mechanism for security and configuration policies to be applied to both users and devices, as well as installing and managing software and security certificates. There is no doubt that this is all essential to any network, but it’s not the only way it can be done.

However important it may appear, AD is never the primary user database for any school. That accolade belongs to the school's MIS/SIS system, whatever that might be. Active Directory is just the overlay that controls access to network resources, and it can be replaced.

Take the example of a school running Google Apps for Education (GAFE). Like Active Directory, GAFE maintains a user directory protected by a username/password system that also has a simple hierarchy of groups and organisational units. Being cloud-based there is no local hardware to support, and the security context provided by GAFE is available everywhere, not just on the school network. Google provides a system to link the school's MIS/SIS system to GAFE so that user accounts and groups can be automatically maintained. A user account added to the school's MIS can automatically create a GAFE network account, setting up mail, drive space and other services. The relationship between students and staff is automatically maintained through additional class groups.

As well as GAFE there are other alternatives to AD, such as the Linux School Project, which would be a viable option if the school wished to maintain an onsite directory service similar to AD.

The role that Active Directory takes with respect to configuration and software deployment is an interesting one. Active Directory was designed to support Microsoft OS clients, but as schools look to support a far wider range of device types, how appropriate is this?

For many schools the primary client management tool is now the MDM (Mobile Device Manager), a software tool, normally provided as SaaS, that controls Apple iPads, Android tablets and MacOS laptops. Have we reached a point where it just might be easier to use this as the primary management tool and incorporate Windows clients as well?

And then there’s software deployment. How many new educational titles will be published this year as Windows installs to be deployed through Active Directory? The answer to that question might be close to zero.

New software is distributed through the Apple/Google app stores or delivered as SaaS services, none of which are controlled through Active Directory. That's not to say that AD can't be bent and moulded to do some of these things - but can it be done simply, without adding even more complexity?

Removing Active Directory from a large school where it’s deeply embedded would be a challenge and may prove impractical but creating a school without AD is a real option.