Don't Cloud the Issue


Moving services into the cloud, which have traditionally been handled internally, is increasingly popular for schools. It is a very attractive proposition: schools can reduce the amount of space dedicated to computer hardware and save administration costs.

For services such as email, this is often a no-brainer. Using a cloud based email system means you don't need a technician to spend their time applying security updates to the email server. You don't need to operate a hardware replacement cycle for the server or allow for premature hardware failures.

It isn't all plain sailing though - one frequently overlooked problem is the increased demand that cloud services place on a school's internet connection. Usually for a service such as email the requirements are fairly small, although in some cases users may find it noticeably slower than a local system. For more bandwidth-heavy services such as file storage, this is an important consideration though. Upgrading a school's internet connection in order to cope with a move to the cloud would often eradicate any savings that the school was hoping to achieve.

Internet filtering and online safety is another area where cloud services are becoming increasingly common for schools. However, the advantages of cloud based filtering are much less clear cut than for other services.

Many filtering systems are bundled with management contracts, which means the school isn't responsible for applying updates and security patches. So cloud based filtering doesn't offer the same time savings that are gained for unmanaged services.

As well as the option for schools to host filtering servers on their own premises, there are a couple of different options for cloud based systems.

The traditional option is for schools to buy their internet connection from a service provider that also provides filtering. This works in a very similar way to the school operating their own system, in that the school's network traffic has to go through the filter in order to reach the internet.

A newer approach is for the filtering servers to not be tied to the internet provider at all. They are instead located elsewhere on the internet. This usually requires an app to be installed on each device in order to direct the traffic through the filter. It may therefore be possible for the user to disable that app and gain unfiltered and unmonitored access to the internet.

This latter type of system may be useful in providing some protection for school owned devices while they are outside of the school's network. However, the UK Safer Internet Centre's guidelines make it clear that these systems are not robust enough to use on the school's own internet connection - "filtering should be applied at ‘network level’ ie, not reliant on any software on user devices"

With all cloud systems, data protection is also an important consideration. A school who migrates to systems in the cloud is choosing to store their data on a server that they do not directly control and transmit that data over the public internet.

In a recent example, systems sold by a major cloud based filtering vendor were found to be transmitting extremely sensitive data across the internet in an unencrypted form.

Steve Hill, technical director of online safety company Opendium, which discovered the vulnerability explains. "The system was sending data, that would usually be encrypted, to servers in the cloud over unencrypted channels. The unencrypted transmissions were noticed while we were diagnosing unrelated problems with a customer's network and we immediately analysed the traffic and informed the vendor."

The vulnerability that was discovered by Opendium could allow attackers to snoop on bank details, passwords and other personal data. The cloud filtering vendor sent their thanks for their bug report and four months later announced that they had resolved the security flaw.

With stronger data protection legislation coming into force this summer, all organisations are having to become much more vigilant when it comes to protecting personal data. Web filtering systems must have access to extremely sensitive personal data, but some schools are now questioning the safety of using cloud based systems. For many, it is preferable to keep the data, which must be collected for safeguarding purposes, on the school premises.