You and You and You are the Weakest Links (in the information security chain)

Over the last twenty years or so as an Educational Technologist, I’ve visited literally thousands of schools. When I first started, my point of contact was the ICT (Information and Communication Technology) Network Manager. Nowadays, it’s almost always a member of senior leadership. I don’t flatter myself that I’m more important than I used to be. It’s simply that technology in most schools is now integrated in teaching, learning and operations from top to bottom. It’s strategically important.

Of course, with strategic importance comes a sharpened focus, not only on the benefits of technology, but on the issues and threats it introduces. Barely a week goes by without a story about the effects of screen time on children or the destruction wreaked by the latest malware. Where once upon a time, I could guarantee I’d find an administrator password on a sticky note in the office, initiatives such as Safeguarding and Prevent have ramped up the focus on safety and security in schools.

And yes, senior leaders are nervous. Apart from an unwelcome appearance in the media, if a school’s Safeguarding or Prevent arrangements do not meet requirements, then Ofsted is likely to place them in special measures.

As if that wasn’t enough, against a background of growing threat, hardening sanctions and shrinking budgets, the replacement of the Data Protection Act (DPA) with the EU’s General Data Protection Regulation (GDPR) is going to hit (mostly unwary) schools hard on the 25th May 2018. As of April 2017, only 43% of organisations were actively preparing for GDPR.

Whilst it’s true that the GDPR will bring more clarity and rigour to the discipline of information security, schools may well have more of a mountain to climb than most because they are Data Controllers with sensitive personal data on minors. It’s not clear from the legislation whether the appointment of a Data Protection Officer (DPO) will be mandatory for schools, but it would certainly seem to be sensible advice.

However, the main purpose of this post is not to bemoan the plight of schools but rather to point out an emergent weakness in this layered process of security hardening. It’s mandatory for schools to designate a member of senior management as a Safeguarding Lead. It’s also mandatory to appoint a Prevent Lead. With the advent of the GDPR, it seems there will be a DPO as well. To perform these roles effectively will require:

  • An understanding of the relevant regulatory environment
  • Experience of practical application in a school
  • A grasp of the technology landscape across the school and its supply chain

In the good old days (ahem), when I used to roll up to meet the Network Manager, usually I wouldn’t need to speak to anyone else. They were the Kings and Queens of their IT domains. Perhaps they lacked a strategic perspective on occasion, but at least there was one person who understood every piece of technology in the organisation and the implications of every change that was made.

I’m certainly not advocating a return to the past, but, going forwards, I think the increasing regulatory load is already leading to fragmentation in the security chain. In a world where one IoT device can become a gateway for a serious network incursion, it’s easy for knowledge to exist in silos which lead to Donald Rumsfeld’s infamous unknown unknowns.

My conclusion is that people are usually the weakest link in the security chain and, in this case, the weakness is exacerbated by an approach to safety and security in schools that is evolving in silos. I would simply advocate that domain experts with overlapping interests come together on a regular basis to educate each other and review their mutual challenges. Every school – every organisation – should have a Safety & Security Working Group that aligns and coordinates the work of all stakeholders.

Part 3: Data, analytics and learning intelligence

I’ve been using the learning cycle as a framework for a strategic approach to technology in schools. This is the third post of the series, the previous two having focused on access (mobile) and action (cloud). The next stage is that of reflection. The manifestation of this aspect in my proposed strategy is analytics.

In the basic learning cycle, reflection is the all-important point in the process when we widen our awareness, take a breath and open our senses to some objective evidence of the efficacy of our efforts. Reflections may be fluid and continuous (usually resulting in micro adjustments) or periodic (usually resulting in more macro or strategic reflections). We may self-reflect (internal validation) or we may seek out reflection in the observations of others or in data (external validation). In our journey to becoming more effective learners, an important part of the process is calibrating our self-reflections to more closely match external validation. This is a lifelong process in which external validation continues to be important but we learn to learn more effectively because our internal validations are proved to be getting more accurate.

The calibration of internal and external validation is essential to the teaching and learning process. Without it, it’s quite possible for individuals to entirely miscalculate their progress and consequently focus on the wrong things to generate improvement. I’m reminded of the contestants in singing contests on TV who are convinced they are superstars in the making but who can barely sing. This is an extreme example on the spectrum (perhaps delusional); however, the underlying issue is a lack of calibration between internal and external validation of effective learning.

Of course, this is (in part) precisely the purpose of the teacher. The challenge is that, being human, we’re not only capable of a little self-delusion at times but we can also project our delusions. In other words, the teacher as an instrument of reflection for learners also needs to be calibrated. Teacher calibration might come through the formative assessment process, summative assessment, experience and professional development. The challenge is to effectively and objectively benchmark our internal assessments.

This is the point at which I introduce the concept of data, analytics and learning intelligence (equate with business intelligence). Before you start telling me about the shortcomings of data in the learning and teaching process, hear me out. I know that human relationships underpin learning. What I also know is that human nature is such that we are simply not objective in our evaluations nor are we calculating machines. It is possible for us to miss patterns, to be ‘mis-calibrated’ or simply to be overwhelmed by too much data. We’re fallible.

‘Big Data’ and analytics are 21st Century phenomena emerging from the already enormous, and still rapidly increasing, speed and scale that technology affords us in capturing, aggregating, storing and analysing data. There is more data available about human behaviour than ever before and a great deal of value is locked up in that data. The promise of analytics is that new insights can be gained from analysis of the data trails left by individuals in their interactions with each other and the world, most particularly when they’re using technology.

The rapid evolution of big data methodologies and tools has, to date, been driven by the business world which recognises in them the potential for unlocking value for their customers and shareholders. In this context the term ‘business intelligence’ is often used to describe the intersection of data and insight. When applied to education, analytics may be sub-divided into two categories: learning and academic. The following table describes that categorisation:

Academic analytics are the improvement of organisational processes, workflows, resource allocation and measurement through the use of learner, academic, and organisational data. Academic analytics, akin to business analytics, are concerned with improving organisational effectiveness.

We can define learning analytics as the measurement, collection, analysis and reporting of data about learners and their contexts for the purposes of understanding and optimising learning and the environments in which it occurs. In the same way that ‘business intelligence’ informs business decisions in order to drive success, so learning analytics is the basis of ‘learning intelligence’ that is focused on improving learner success.

Learning analytics are not the goal in themselves. Learning intelligence is the goal. Learning intelligence is the actionable information arising from learning analytics that has the potential to deliver improved learner success. The evidence from analytics in business is that there is deep value to be mined in the data. The objectivity and rigour that is represented by learning analytics provides an empirical basis for everything from learner-level interventions to national policy making.

The Society for Learning Analytics Research (SoLAR) is an inter-disciplinary network of leading international researchers who are exploring the role and impact of analytics on teaching, learning, training and development. Their mission as an organisation is to:

  1. Pursue research opportunities in learning analytics and educational data mining,
  2. Increase the profile of learning analytics in educational contexts, and
  3. Serve as an advocate for learning analytics to policy makers

Significant potential exists for analytics to guide learners, educators, administrators, and funders in making learning-related decisions. Learning analytics represents the application of “big data” and analytics in education. SoLAR is an organisation that is focused on building a planned and integrated approach to developing insightful and easy-to-use learning analytics tools. Three key beliefs underpin their proposal:

  1. Openness of process, algorithms, and technologies is important for innovation and meeting the varying contexts of implementation.
  2. Modularised integration: core analytic tools (or engines) include adaptation, learning, interventions and dashboards. The learning analytics platform is an open architecture, enabling researchers to develop their own tools and methods to be integrated with the platform.
  3. Reduction of inevitable fragmentation by providing an integrated, expandable, open technology that researchers and content producers can use in data mining, analytics, and adaptive content development.

From my experience talking to educators, it’s clear they usually know that there is data available and they know how to act on learning intelligence when they have it, but they’re much less sure about the analytics phase. Whilst working on a national procurement for a learning management system last year I realised we really knew very little about the utilisation of key technology assets in the schools we were trying to build systems for. As it turned out this data was sitting, untouched, in log files in servers within these schools. I approached three of the schools and asked their permission to copy this data for the purposes of analysis. They knew it existed and were happy for me to analyse the anonymised data.

I was able to analyse the utilisation of technology assets (software and hardware) across these schools over a period of months in order to understand exactly how technology was used. This enabled me to show where the investment in technology was being dramatically underused and how it could be re-shaped to maximise utilisation of the investment in order to improve the chances of learning gains. I didn’t have time to, but could have mapped this data against the timetable and assessment data to explore how technology mapped against attainment. This would have allowed me to correlate technology utilisation by different teachers, departments and schools against the performance of their pupils.

This example is the tip of the iceberg in terms of analytics and big data in education. In terms of my technology strategy, identifying and analysing key data in your school to produce learning intelligence will maximise the learning bang for your technology buck in an objective manner. It is a critical part of your strategy because without the analysis, you may well be making unnecessary or ineffective investments in technology. Don’t be driven by technology; be driven by learning outcomes.

Personal Data Protection in the Cloud

A few weeks ago I was contacted by a student asking me to complete a questionnaire on cloud security issues as part of a dissertation for her degree. At the time I thought I should probably post my answers here but I was overtaken by events (or in plain speak, I plain forgot).

However, I was reminded this morning by an article published yesterday on the very same topic. The article is built around a joint statement issued by European Commission Vice-President Viviane Reding and US Secretary of Commerce John Bryson on the 19th March. The statement frames a high level conference on Privacy and Protection of Personal Data, held simultaneously in Washington and Brussels and, in their words, “represents an important opportunity to deepen our transatlantic dialogue on commercial data privacy issues.” This is an excerpt from the statement:

“The European Union is following new privacy developments in the United States closely. Both parties are committed to working together and with other international partners to create mutual recognition frameworks that protect privacy. Both parties consider that standards in the area of personal data protection should facilitate the free flow of information, goods and services across borders. Both parties recognize that while regulatory regimes may differ between the U.S. and Europe, the common principles at the heart of both systems, now re-affirmed by the developments in the U.S., provide a basis for advancing their dialog to resolve shared privacy challenges. This mutual interest shows there is added value for the enhanced E.U.-U.S. dialogue launched with today’s data protection conference.”

The thrust of the student’s questioning was that the uptake of cloud technology was being slowed by businesses’ concerns about data security and privacy. I’m not so sure that’s at the heart of the issue as you can probably tell from my answers:

Question: Despite its promises very few businesses have actually moved their operations to the Cloud. Why has the real application of Cloud computing not yet reached momentum among businesses?

Answer: I think the premise of the question is wrong, i.e. that very few businesses have moved operations to the cloud. To explain what I mean, we need to agree terms first. Cloud just means stuff hosted off premises. Web is cloud. Virtualisation is cloud. Streaming is cloud. If cloud means stuff hosted off premises, then a critical limiting factor is the pipe between the client and the host. Even with diversely routed connectivity, this is a business risk in terms of resilience and performance. Business risks need to be balanced against costs and benefits. The second issue for cloud services is that it is more difficult to integrate disparate systems – potentially from different vendors – to meet business specific requirements. There are not yet standards that facilitate this type of integration between cloud vendors (although discussions are in progress). The combination of issues I describe means that cloud services are not suitable for all business functions, business types and business sizes. For example, some businesses may be willing to sacrifice performance and resilience to achieve lower price or greater agility. A business whose main channel is the Web may already have the internal processes and culture to embrace more cloud services. When I said the premise of the question was wrong, I meant that I think most companies do take cloud services, albeit in a limited way. It’s true that most businesses haven’t embraced cloud for the full scope of their technology requirement but I’m not sure this is possible for most businesses given the present limitations of the technology. So really what we’re talking about is a hybrid scenario with a progressive shift to cloud services as bandwidth costs reduce, standards for integration emerge and the business case, taking account of the risks, gradually shifts in favour of cloud. This is part of the picture. There are also cultural and practical issues in terms of change management. On premises IT departments have traditionally kept a tight control over their networks and data. Releasing control is difficult for them. It’s only when competition becomes extreme that the old paradigms become unsettled and eventually unseated. I’ve deliberately left the wider data security issue out of this response because there are lots more questions about it later!

Question: A study by LSE has revealed that the top two issues on the way to adopting the Cloud are fears of data security and privacy and data being offshored. In your opinion have these two issues been the main concern for your users/clients?

Answer: I have some sympathy with this view although when issues are complex, respondents often migrate to shrink-wrapped answers. My view is that the issues of data security and privacy are the go-to issues for cloud ditherers. They’re a form of displacement behaviour. In my experience, it’s rare that data security and privacy are truly critical factors in the decision to use (or not) a cloud service. They are of course critically important issues, but as a technology, ‘cloud’ usually has reasonable answers, at least relative to the security and privacy challenges that already exist due to human and system frailty. My experience is that the objection regarding data security and privacy is often the first provided objection but that a little digging usually reveals a more complex set of concerns, some technical, some practical and some cultural.

Question: Steve Ballmer, CEO of Microsoft, believes that security is a personal responsibility of everyone in the chain (employees, managers, end users). How important is the human factor in ensuring security on all levels?

Answer: Steve Ballmer’s comment highlights the absurdity of the data protection and privacy issue in the context of most businesses. That is to say, people are most commonly the weakest link in the security chain, closely followed by the systems and processes they devise. For example, in schools across the land you’ll still find passwords and user names written on post-it notes attached to the monitors of administrators with access to sensitive data about pupils. In the next breath, they will resist a cloud technology solution because they’re not sure where the data is located. There’s a significant lack of perspective about the relative significance of the human factor in most security breaches.

Question: Do you believe security is a two way responsibility for both users and providers?

Answer: In order to create a secure technology chain, people, processes and technology need to work together in a seamless way. This means reciprocal responsibilities between users and providers.

Question: Cloud providers are increasingly trying to convince users that because of their heavy investments in hardware, software and staff, security in the Cloud may be better. Would you say that security on average is better in the Cloud compared to in-house security?

Answer: For small and medium sized businesses in particular I’d say that this is true as long as you believe the cloud provider has robust and resilient systems itself. The reality of most SMEs is that pressure to compete and grow creates budgetary pressure and that privacy and security are easy victims of this pressure. We still see many businesses which do not store and control data effectively and where staff are inadequately trained in the security systems. Aggregating demand through cloud removes part of this problem from the premises and frees up resources to focus on the ‘edge’ issues, i.e. people (and their systems).

Question: What legislation are you currently guided by in the Cloud industry? Do you believe it is sufficient enough for users’ security?

Answer: The UK’s Data Protection Act 1998, the US Patriot Act and the European Union’s Data Privacy Directive all have something to say on this issue. In truth they’re all out of date in the context of cloud and there are various reviews of the legislation happening at present in order to stimulate the cloud industry. One of the issues is at what point permission is required from the data subject. At the moment, the legal view is that the data subject may need to provide permission even if a non-EU company stores data temporarily on an EU device, e.g. through a cookie as part of a social networking service. Moving personal data outside the EU therefore presents potential issues. Currently some cloud companies have circumvented this problem by basing data centres in the EU, e.g. Microsoft. Others have resisted making absolute statements about data location (such as Google) because their data is so widely replicated (data sharding) around their system for the very purposes of resilience, redundancy and security. So the legal landscape is somewhat at odds with the technical landscape.

Question: Some scholars have suggested we create an auditing board/authority to monitor activities of the providers. Do you think it is a good idea?

Answer: Issues of data security and privacy are very important issues. It may not seem so until something goes wrong and you are directly affected. Luckily most of us never experience the effects of a meaningful breach of our personal data. We may be irritated by it, for example if our credit card information is hijacked. However, there is a system of restitution in place and so it’s usually an irritation rather than a catastrophe. However identity theft (as another example) is potentially a very significant issue and one that is growing. So, in order to build confidence in the cloud, there inevitably needs to be some regulation and control. In the same way as integration standards between cloud providers will enhance take-up of cloud technologies, so regulation and legal harmonisation will enhance confidence and take-up.

Question: What are your predictions for Cloud computing security in the future?

Answer: As I said earlier, I think the shift to cloud is underway for most businesses. Whether it is as simple as web-based email or a web store front, or as complex as an entire company built on cloud computing, businesses are on the journey. To paraphrase Anais Nin, cloud adoption progresses when the risk it takes to remain tight in the bud is more painful than the risk it takes to blossom. Cloud leverages scale to deliver more for less. If it really does this well, then the business ecosystem will naturally select it. In my view, security and privacy are real issues that need to be tackled. The cloud providers are the guardians of valuable personal assets: our personal data. They are the data ‘banks’. Data is a valuable asset and therefore as vulnerable to abuse as the banking and financial systems. I would argue therefore that we need consistent and robust regulation and legislation in order to protect our interests. It is clear from the banking crisis that the trust and best intentions rarely work out well for the individual. My prediction would be that ‘big data’ and the ‘cloud’ will be a very important trend over the coming decades and that a robust legal and regulatory framework will emerge, along with standards for multi-vendor cloud integration.

So that’s my take. What would your answers have been?