Sunday 18 January 2015

How do you Solve a Problem Like Windows?


Even with the rapid adoption of SaaS and app store platforms as the delivery mechanism of choice for educational software, the requirement to run Windows programs will remain, as these applications often have important roles within a school. For instance, Windows software may be deeply embedded into teaching practice or support the school's SIS/MIS system.

However, it's important to make one distinction. While Windows software still has some value in the serverless school, supporting the Windows desktop operating system is no more important than supporting ChromeOS, Android, MacOS or iOS.

Courtesy of CloudTweek

In the preceding decade, when the Windows GUI underwent only a few cosmetic changes, the experience of using a Windows desktop in the classroom had some value, as those skills could be transferred directly to the workplace. However, with the adoption of the Metro style and the Start Bar appearing, disappearing and then reappearing with Windows 10, is there any point in a student gaining formal experience in using a Windows GUI above any other interface?

In 2015, when the majority of workplace computers still run Windows 7, how much value is there in exposing a class year group, who may not be leaving education for another six years, to a GUI that's already six years old?

However, the main reason why the Windows GUI is irrelevant within a teaching context is that in future the look and feel of the desktop will be based on mobile and SaaS. Students already possess those navigation skills because that's how their smartphones operate. They don't need to be shown how any desktop GUI works, because the vendor road-maps all show that in time it will be one and the same with the devices in their hand. This is as true for Microsoft as it is for everybody else.

A SaaS solution requires a method to support Windows applications but not necessarily a Windows desktop.

With the complexity of Active Directory removed, Windows devices could perhaps operate in a similar manner to all other mobile devices, using local machine accounts and simply acting as stateless platforms for launching applications.

The security context and 'state' for each user session would be provided by cross-platform software such as the Chrome browser, not by the underlying operating system (OS).

The student maintains a 'profile' on the device by logging into Chrome and logging back out at the end of the session. When a student signs in to Chrome, bookmarks, tabs, history and other browser preferences are saved, providing a consistent experience across multiple platforms.

The future belongs to a design that is cross-platform and able to adapt far more quickly to emerging trends.

It's a tough call to predict what the working environment will be like for students entering the jobs market six years from now. The only sure thing is that it'll be different from what we have now!


Saturday 10 January 2015

Active Directory: Goodbye Old Friend.


Any discussion relating to a school going "serverless" has to address the issue of directory services sooner or later. In many respects this is the 'elephant in the server room', a tricky and sometimes emotional issue that creates a stumbling block for this approach.

In the UK at least, the idea that a school could operate without Active Directory (AD) is practically unthinkable, a proposal close to IT heresy. But it can be done, and there are many schools worldwide that work this way.

The problem with Active Directory is not the directory service itself but the tendency to expand the solution to embrace the whole suite of Microsoft services as soon as AD becomes available. It's hard to introduce AD and keep things simple. Even at a very basic level AD requires at least two servers, which also need to be backed up, patched and virus protected. You can try to keep it simple, but you are soon back with the same complex system you had before. This is the dilemma of on-premise servers.



What does Active Directory provide that you actually need?

Most importantly, it creates a security context for staff and students. It identifies users through a username/password system and grants access to network resources such as email, documents and print based on membership of various security groups or organisational units. It also provides a mechanism for security and configuration policies to be applied to both users and devices, as well as installing and managing software and security certificates. There is no doubt that all of this is essential to any network, but it's not the only way it can be done.

However important it may appear, AD is never the primary user database for any school. That accolade belongs to the school's MIS/SIS system, whatever that might be. Active Directory is just the overlay that controls access to network resources, and it can be replaced.

Take the example of a school running Google Apps for Education (GAFE). Like Active Directory, GAFE maintains a user directory protected by a username/password system that also has a simple hierarchy of groups and organisational units. Being cloud-based, there is no local hardware to support, and the security context provided by GAFE is available everywhere, not just on the school network. Google provides a system to link the school's MIS/SIS system to GAFE so that user accounts and groups can be automatically maintained. A user account added to the school's MIS can automatically create a GAFE network account, setting up mail, drive space and other services. The relationship between students and staff is automatically maintained through additional class groups.
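The MIS-to-directory sync described above is, at heart, a reconciliation loop: the MIS roster is the source of truth and the cloud directory is the overlay that is made to match it. The script below is an added example (not Google's sync tool, nor any code from this blog) that models that loop against an in-memory directory standing in for a real directory API. The roster entries, email addresses and class codes are constructed sample data. Two points worth noticing from a security standpoint: accounts are keyed on the stable MIS identifier rather than the email address, so a renamed pupil does not get a second account, and leavers are suspended rather than deleted, so access is revoked immediately while their data is preserved.

```python
"""Roster-to-directory reconciliation (added example, constructed data).

The MIS/SIS roster is authoritative. The directory is an overlay that is
created, suspended and regrouped to match it on every run. A real deployment
would replace the Directory class with calls to the cloud directory's API.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RosterEntry:
    user_id: str        # stable MIS identifier; never reused for another person
    email: str
    role: str           # "student" or "staff"
    classes: tuple      # class codes this person is timetabled into


@dataclass
class DirectoryAccount:
    email: str
    role: str
    suspended: bool = False


@dataclass
class Directory:
    accounts: dict = field(default_factory=dict)  # MIS user_id -> DirectoryAccount
    groups: dict = field(default_factory=dict)    # class code -> set of emails


def reconcile(roster, directory):
    """Apply the roster to the directory in place; return a summary of changes."""
    roster_by_id = {entry.user_id: entry for entry in roster}
    changes = {"created": [], "suspended": [], "reactivated": [], "groups": {}}

    # 1. Anyone on the roster with no account gets one; a returning pupil whose
    #    account was suspended is reactivated rather than duplicated.
    for uid, entry in roster_by_id.items():
        acct = directory.accounts.get(uid)
        if acct is None:
            directory.accounts[uid] = DirectoryAccount(entry.email, entry.role)
            changes["created"].append(entry.email)
        elif acct.suspended:
            acct.suspended = False
            changes["reactivated"].append(acct.email)

    # 2. Anyone with an account who has left the roster is suspended, not deleted:
    #    access stops now, data is kept for the retention period.
    for uid, acct in directory.accounts.items():
        if uid not in roster_by_id and not acct.suspended:
            acct.suspended = True
            changes["suspended"].append(acct.email)

    # 3. Class groups are rebuilt wholesale from the roster, so a leaver drops out
    #    of every class group on the same run that suspends them.
    new_groups = {}
    for entry in roster:
        for code in entry.classes:
            new_groups.setdefault(code, set()).add(entry.email)
    directory.groups = new_groups
    changes["groups"] = {code: sorted(members) for code, members in new_groups.items()}
    return changes


# Constructed sample roster: two pupils and one teacher sharing class 7A-MATH.
SAMPLE_ROSTER = (
    RosterEntry("S1001", "a.jones@school.example", "student", ("7A-MATH", "7A-ENG")),
    RosterEntry("S1002", "b.khan@school.example", "student", ("7A-MATH",)),
    RosterEntry("T0042", "c.smith@school.example", "staff", ("7A-MATH", "7A-ENG")),
)


def build_sample_directory():
    """Constructed starting state: one current pupil and one pupil who has left."""
    directory = Directory()
    directory.accounts["S1001"] = DirectoryAccount("a.jones@school.example", "student")
    directory.accounts["S0999"] = DirectoryAccount("z.left@school.example", "student")
    directory.groups = {"7A-MATH": {"a.jones@school.example", "z.left@school.example"}}
    return directory


def run_sample():
    """Reconcile the sample roster against the sample directory."""
    directory = build_sample_directory()
    return reconcile(SAMPLE_ROSTER, directory), directory


if __name__ == "__main__":
    summary, _ = run_sample()
    for action in ("created", "reactivated", "suspended"):
        print(f"{action}: {summary[action]}")
    for code, members in summary["groups"].items():
        print(f"group {code}: {members}")
```

Running it creates accounts for b.khan and c.smith, suspends z.left, and rebuilds 7A-MATH so that it contains exactly the three people the roster says it should. Scheduling this against the live MIS export each night is what makes the MIS, rather than the directory, the place where joiners and leavers are actually managed.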

As well as GAFE there are other alternatives to AD, such as the Linux Schools Project, which would be a viable option if the school wished to maintain an on-site directory service similar to AD.

The role that Active Directory takes with respect to configuration and software deployment is an interesting one. Active Directory was designed to support Microsoft OS clients, but as schools look to support a far wider range of device types, how appropriate is this?

For many schools the primary client management tool is now the MDM (Mobile Device Manager), a software tool, normally provided as SaaS, that controls Apple iPads, Android tablets and MacOS laptops. Have we reached a point where it might just be easier to use this as the primary management tool and incorporate Windows clients as well?

And then there's software deployment. How many new educational titles will be published this year as Windows installs to be deployed through Active Directory? The answer to that question might be close to zero.

New software is distributed through the Apple/Google app stores or delivered as SaaS services, none of which are controlled through Active Directory. That's not to say that AD can't be bent and moulded to do some of these things, but can it be done simply, without adding even more complexity?

Removing Active Directory from a large school where it's deeply embedded would be a challenge and may prove impractical, but creating a school without AD is a real option.

Saturday 3 January 2015

Is Your School's IT System Still Steam Powered?


Delivering IT using a local server infrastructure is not ideal, but that's the way we do it, so it must be right!

With hindsight, there was never any serious discussion about whether a local server infrastructure was the 'best' way to provide an IT service to schools. It was just the only way it could be done at the time, so that's what happened.

It's the same reasoning that produced steam-powered motor cars in the late 19th century. Like computer technology in schools, personal powered transport was a good idea and it was implemented with the technology available at the time.

Fortunately for both the travelling public and for education, technology tends to improve and become far more efficient if you wait long enough. Cars got the internal combustion engine and schools got Software as a Service (SaaS).


A typical on-premise IT installation
There are only two reasons for maintaining a system on-site, unless you really like messing with the valves and whistles.

  • Speed and ease of access to data.
  • Physical control of the data.

On reflection, how real are those advantages?

There can be little doubt that accessing a file from a networked drive is quicker than accessing it from cloud storage, although there are some assumptions in this statement.

In many cases the data referenced in SaaS is simply being accessed as part of the integrated application storage (WeVideo) or passed directly between cloud providers (WeVideo -> Google Drive) using channels larger than the school's LAN.

Also, the SaaS file access method is completely different from traditional LAN protocols and is optimised for low bandwidth (Google Drive). Local caching can deliver local speeds for larger media files from providers such as YouTube and Vimeo, as well as for software updates from both Google and Apple. Most cloud storage services (Google Drive, OneDrive) support caching to local storage.

The time taken to access a file should also be seen as part of the whole user experience, which includes logging on, loading a user profile, opening the file, saving the file, logging off and writing the profile back. With this as the benchmark, it's unlikely that local file access would beat the experience of using a Chromebook/iPad/Android tablet with a SaaS service to such a degree as to make the latter impractical.

Ultimately the speed of access is going to be controlled by the bandwidth of the ISP connection. At the moment the speed that's affordable for a small school in the UK is 50-100Mb/s. However, it's conceivable that the money saved from decommissioning a server farm, or cancelling its upgrade, could offset the cost of a faster internet link.

As far as ease of access is concerned, this is only true for students who are on-site and using Microsoft Windows clients. For those wishing to access files remotely, a local store is a massive disadvantage.

As the move to mobility and flexibility in learning gains momentum, the local data store presented as a Windows share looks increasingly out of place, demanding multiple layers of software (VPN, RDS, WebDAV) to support a wider range of devices.

The point is, whatever objections can be levelled at SaaS-based storage, these will be solved in time as bandwidth costs reduce. Technology is only moving in one direction, and that's away from locally hosted services.

Complexity and 'steam power' are nature's way of telling you there is a better solution!

So if SaaS is the solution, what's the problem?


Thursday 1 January 2015

Designing a Network for SaaS - Part 3

The design objectives for a local network that supports SaaS are quite simple.

  • Resolve DNS as fast as possible.
  • Get the data packet to the edge firewall as efficiently as possible.

The requirements for DNS are covered in Part Two of this blog.

Network Design.

The speed of the data traffic to the firewall is maximised by employing fast enterprise switches and reducing the number of hops that a packet makes, which means keeping the network design as flat as possible.

The traditional core/distribution/access switch model was designed to provide an efficient method of moving data between peer segments without going through the core. A SaaS network cannot benefit from a tiered model because there is no peer-to-peer traffic: every packet takes the same path, from the client to the default gateway. There are some exceptions; the Wireless Access Points (WAPs), peer-to-peer management traffic and internal media streaming are examples. Ideally a smaller school would employ dual redundant switches in a stacked configuration to serve as both the core and distribution layer.

In a SaaS network the role of the edge switch is taken by the Wireless Access Point, each controlling a number of mobile devices in the same way that an access switch connects desktop devices. If possible, all WAPs should 'star' back to the core, which also provides PoE. Resiliency can be provided in two ways. In a stacked configuration the core will survive the loss of one switch, but 50% of the wireless coverage will be lost. A staggered deployment of the APs across the two switches would allow the wireless network to function, but with reduced coverage and throughput.

The passive infrastructure required to support SaaS is far simpler than the traditional approach, which 'flood patches' whole areas with RJ45 outlets in order to allow for future expansion, contingency and resiliency. This leads to the number of access switches being overestimated, which in turn requires core switches to be specified with 10Gb/s interfaces to allow for the concentration of traffic, all of which is unnecessary.

In the future, network expansion will be through wireless clients. Most of the RJ45 outlets and access switches installed in the last decade in schools, academies and colleges will never be used.

For a school that is attempting to upgrade an ageing passive infrastructure to support modern teaching methods, the SaaS approach has a number of advantages.

The school simply overlays the existing cable network with a new passive infrastructure designed to support wireless. The cost is reduced by the fact that there is no 'server room', so the core switch can be located close to the optimum location for cabling rather than the other way round. Existing cabling can be reused, but only where appropriate.

In most cases schools are upgrading because they require wireless, not because they have run out of RJ45 outlets or are installing more ICT suites. In this situation there is no value in investing capital in maintaining live RJ45 network points unless there is a clear requirement at that location. Active areas are likely to be administration, reception and possibly a reprographics room.

As schools move to 1:1 deployments the future of the fixed ICT suite is debatable, although there will always be specialised teaching requirements that benefit from fixed desktops.