Friday, February 4, 2011

Security in the Classroom

  “Classroom security” used to mean locking your filing cabinet and office door at the end of the day. In the last 30 years, the meaning of this phrase has expanded astronomically. Internal school information has been moving steadily from paper stacks to networked databases, and layer after layer of firewalls, filters, proxies, and permission control systems have become a regular part of every school network. This is necessary to an extent for the same reason that a daycare near a highway needs a fence around the playground. But does the fence really need guard towers, barbed wire, and trenches on both sides?
  There are a number of arguments supporting both sides of this particular debate. From the student side, security can be major pain. Students are used to being able to use their computers for almost anything, and having artificial restrictions put in place in a learning environment can be frustrating (Waters, 2007, p. 36). Teachers usually understand the restrictions that are in place but end up running up against the brick wall at some point themselves. System administrators, meanwhile, are often left with a myriad of labyrinths to maintain and ideally want control to be as tight as possible so abuse can’t become a problem (Waters, 2007, p. 34).
  What kind of abuse might a school computer system suffer? There’s a few obvious answers to this, such as virus and malware attacks, email scamming, physical damage, and access to inappropriate material. How should the system filter content such as this on the fly? These filters are in place to protect users and equipment, presumably. Often, overzealous interpretation of the term “abuse” leads to security actually hindering the productive use of technology in the classroom. Waters sums this up nicely in Data Security (Waters, 2007, p. 34):
“Firewalls can thwart hackers, but they can also prevent staff and students from accessing online tools or information. Desktop lockdown measures can keep virus-laden applications off the network, but they can also keep teachers from trying out new software. And forget the serendipitous "teachable moment," when a teacher might need immediate access to a website, or the ability to load some software or adjust a student's desktop.”   
    The Threat of Security (Robinson, Brown, & Green, 2007) addresses some of these hindrances from a teacher’s perspective, including:
  • Email policies forbidding anything not directly related to the school
  • Tight, constant traffic surveillance
  • Account login policies and restrictions
  • Blocked access to collected resources (web hosting, video services, personal sites, etc.)
    The Threat of Security has quotes throughout from a number of frustrated teachers. One complained that he was essentially put on probation after ordering flowers from his school address during the summer. Another was frustrated over the school’s security policy that required automatic logout after 15 minutes, which was causing some students in his class to lose work when collaborating with groups. On web filters, this was the comment (p. 23):
“... our school has a filter and I tried to get on my Freewebs site... It wouldn’t let me through.... probably the word “free.”  …my district forbids teachers from posting Web pages outside sites that relate to their classroom. All pages must reside on the county server.”
  These types of restrictions make up the locked side of this security spectrum. IT administrators are happiest on this end because they don’t have to worry about breaches in security and everything stays neat and tidy. The problem with this is that, as stated earlier, this can severely inhibit the educational utility of these computer systems. If non-standard software is needed, it must first go through many levels of approval (O'Hanlon, 2009, p. 32), and by the time this process is done, it may be too late to effectively use these programs anyways.
  If you go to the other extreme, where students and teachers have total freedom with their individual computers,  you end up with the situation as described in Safe at Home’s first scenario (O'Hanlon, 2009). Students were all given laptops for a take-home program and security was not considered; “Kids being kids, they loaded anything they could on them” (p. 32) and the computers were so full of malware and system problems that within 2 months, every machine needed reformatting and reimaging – this time with filters in place to prevent this kind of damage from happening again. Control disappears entirely, problems become impossible to track, and teachers have no guarantee that student actions or malware infections aren’t wreaking havoc with other school systems.
  Neither of these extremes is conducive to a productive environment. What, then, are the base requirements for computer security in a school setting that avoids these problems? First of all, the integrity of the operating system must be maintained. This means malware filtering and firewalls at the very least, as these are considered to be the number one threat to networked systems (Young, 2008). User actions should not have the ability to impede the operation of a machine at a hardware or software level, and individual machines must have enough isolation that a security breach cannot move past the originating hardware. This is especially important in schools where things like student grades are not kept on an isolated network.
  Secondly, users and computers must be identifiable so that any major problems can be tracked back to the source (Waters, 2007, p. 36). This can be as simple as network login passwords and as complex as ID cards and biometrics, but it needs to be part of the system if troubleshooting is to be efficient (Bolch, 2009). For the same reason, internet traffic needs to be logged; this doesn’t mean that administrators can constantly spy on student activity, but it does mean that any major issues have backing documentation. 
  Thirdly, content filters must be implemented – but as unobtrusively as possible. Just as an airport security terminal exists to divert threats, so too a content filter should be weeding out threats instead of simply allowing “approved” material through. Does iTunes pose a threat? What about YouTube? If not, is there any reason aside from bureaucracy that doesn’t allow it to be used on school computers? If usefulness outweighs risk, why are some things still blocked?
  These are the same basic rules that any business starts with when constructing an initial IT framework. Site-based networks need management. The trick is finding the right balance of restrictions and freedoms (Waters, 2007, p. 36). Implementation details can vary widely, but the medium can’t overwhelm the message it is trying to convey.

Bolch, M. (2009). An Ounce of Prevention: Technologists Use Network Access Control to Protect System Resources, Students. Technology & Learning , 29 (8), 38.
O'Hanlon, C. (2009). Safe at Home. T.H.E. Journal , 36 (9), 32-33.
Robinson, L., Brown, A., & Green, T. (2007). The Threat of Security: Hindering Technology Integration in the Classroom. Learning & Leading with Technology , 35 (2), 18-23.
Waters, J. (2007). Data Security: Locked Down, Not Out. T.H.E. Journal , 34 (2), 34-39.
Young, J. (2008). Top 10 Threats to Computer Systems Include Professors and Students. Chronicle of Higher Education , 55 (17), A9.


    A bit of background on why I chose this topic. We've all been students on the locked-down end, but I've also worked as an IT admin on the opposite end of the spectrum. I know what it's like to have users that won't respect the boundaries you put in place. I also know that users don't like being told what they can't do, so we made it our policy to not get in the way of what they needed to work *comfortably*. This may not have quite been standard fare, but we made it clear that we would take care of anything that was company related. If employees put personal software on their machines that was giving them trouble, it was their own problem. That doesn't necessarily work with students, but it's something to think of.
    On a different but related note, I have here two TED talks by Kevin Kelly that discuss the nature of technological evolution. While these don't directly discuss security, they do raise an interesting point. Technology and the internet are growing at an incredible rate and, as McLaren cautioned, we need to be aware of the changes that are going on and the rate at which they are developing. This is especially relevant if we want to keep up to date with our students in terms of computer security.

How Technology Evolves

The Next 5000 Days of the Web