Sunday 24 May 2015

"New Skool" Wireless Security

We all know about wireless security. It’s written on stone.

First, you need some form of management software to create a security profile which includes a wireless key or a certificate to identify the user or computer on the network.  If you have a BYOD policy you may well have a second process that enrolls personal devices through an on-boarding mechanism that make use of a second security profile. Lastly the customary guest network is thrown in, possibly using some form of token system to drop guests into a third profile.

There are variations of this with various licence requirements and dependencies on local services such as certificate authorities, radius servers and captive web portals.

There’s no point in questioning this because you need a wireless security layer to safeguard… well what exactly.

In a traditional network you have all sorts of physical resources that you need to protect, the console ports of storage devices, servers and UPS systems.  Ideally administrative and personal data shares should not be visible from the guest network and you may want to protect the servers that host the core applications such as SIS/MIS from student access and the BYOD network.

Traditional installations can't be both secure and simple, so we’re all are stuck with this complexity for a few years yet.  Enjoy the experience.





But what if you don't have any servers, local data or applications, do you need the same level of network security?

Once you are outside the school gates SaaS systems are unprotected by any mechanism that controls access to the network - so why is the requirement imposed when you’re inside the school ?

There are two reasons why you might want some level of access control. The first is to force the user to present a set of credentials so network activity can be linked to a user account and the second is to safeguard the one important resource that SaaS depends on, the bandwidth of the internet connection.

To take the last point first.

Protecting bandwidth only becomes a requirement when you don't have lot of it. In some parts of the world (particularly the Far East) institutions and governments have made investments in fiber infrastructure which means gigabit connections for larger schools is not uncommon. While this is very much the exception and will remain so for a while there is only one trend and that's for higher bandwidth at cheaper rates. There'll come a point when the effort to maintain the barriers to this ubiquitous resource just won't be worth the time or the cost.

After all, do we meter water usage and electricity on a per student basis or recharge visitors to use the rest-room or recharge their mobile phones. A flippant example perhaps but you get the point. In time broadband, will be just like any other unity resources and the layers of protection will be replaced with monitoring and basic management.

In the meantime if we assume that access to the network for the guest/BYOD devices will be through the wireless AP’s a basic safeguarding process could be put in place by using the  ‘bandwidth throttling’ mechanism supported almost all enterprise wireless vendors systems.

The user identification issue has some validity but the protection cannot be placed at the wireless access level because every student has a smart phone with personal data plan. In a SaaS school this will work in exactly the same way as devices provided and managed by the school and since the school has no control of this connection the game is over.

In a SaaS school the security boundary has to move back to surround the SaaS suite itself which includes content filtering. Authentication in the future will use a cloud based user database such as Google or Windows Azure Active Directory (WAAD) rather than in-house servers with an 'easy to use' single sign-on wrapper provided as part of the service. SaaS providers such a Securly and GoGuardian have recognized this and have rushed to fill the gap in the security market with offerings that have proved very attractive for education.

Having said all that it would be really nice if wireless vendors could wake up to the inevitable demise of in-house radius and certificate servers and provide a simple, easy to use service that can utilize a cloud based user directory such as Google.

Ahhhh... network level protection, there you go.   I'm guess I'm "Old Skool" at heart.

Update:  Meraki now offers authentication with Google.



Saturday 2 May 2015

Building blocks for the Serverless School.


A serverless school is likely to built around a core service provider such as Microsoft Office365 or Google G Suite for Education, or even a combination of the two.

However the range of services demanded by even the smallest school requires multiple SaaS offerings to be brought together in order to provide a complete solution. This includes both the software to support the curriculum and the basic facilities you need to operate a modern school.

These could include the school information system (SIS/MIS), a finance system, a learning management platform, content filtering and classroom management, digital signage control, catering systems, print management, mobile device management and telephony.

These SaaS services are the 'building blocks' of a serverless school.


Up until a few years ago it would have been difficult to deliver these essential elements using SaaS alone but the rapid migration of established utilities into the cloud, matched with a number of innovative new start-ups means that schools not only have the option of SaaS but a wealth of choice and competition in some areas.

This is clearly seen with respect to school SIS systems, a business area previous dominated by a few large players which is now being challenged by multiple SaaS providers. A similar movement can be seen in the LME/VLE space which is now almost exclusively SaaS based.

SaaS changes the dynamic between the consumer and provider.

No longer is the consumer tied into long term contracts with expensive software maintenance options. The SaaS provider is measured solely on the quality of the service and if they don't meet expectations the consumer has the option to migrate.

For this reason SaaS offers almost continuous improvement since providers must remain responsive to customer demands to remain competitive. Updates are more frequent and new features are immediately available.

Software suppliers can't fall back on the old "you need to upgrade your hardware"  or “it’s in the next release” excuses.

The customer base moves forward on the same software version and providers are no longer hampered by an expanding matrix of versions/OS platforms which inevitably slows down the release cycle to a single major update a year.

There are some negatives. The data integration between SaaS providers is still problematic and the customer has the responsibility of understanding how the schools data is protected and how it can be recovered, but generally the situation is far superior to the old model of local server based applications which is best summed up as "install and forget".

There is one aspect of SaaS which is often overlooked when it comes to education, namely that it provides a level playing field for all schools regardless of size and location.

A SaaS service accessed by the largest university in a metropolitan area will contain the same core set of services available to a small primary school in a rural village.

The fixed capacity of on-site servers no longer creates a barrier to advanced services.

That's a big change and worth the price of the ticket alone.