Open Source addresses key risks of public cloud in school

Schools hosting their sensitive data in public clouds, especially ones controlled by US tech giants, may not be a good choice. Not only can the technology be lax in terms of security and privacy, it is also crippling innovation in the European market as students only learn how to use provided tools instead of how they operate.

Therefore schools that are running their IT services in public clouds are denying their own students the opportunity to learn how the systems are built and how they operate, compromising tech careers, as well as exposing them to security risks.

Privacy concerns

Back in 2015, the BBC reported on the early signs of this very issue, and four years later the message has been strengthened across various European nations.

In July 2019, the data protection officer of the German federal state of Hessen concluded that the cloud-based Office 365 solution is not a compliant solution for use in schools when student information is being stored on it. Sweden recommends that public services should not use foreign cloud providers for confidential information.

It is understandable perhaps, given the current lack of funding in schools, for them to move towards these solutions, especially since most are backed by aggressive marketing, but they need to consider alternatives.

GDPR implications

The use of these services may violate the General Data Protection Regulation (GDPR), which carries with it significant sanctions and fines. Cloud systems such as Office and Windows are storing content for their own use, and Google and Facebook regularly harvest a high volume of users’ data from their public cloud services. The US regulators have little or no oversight to prevent this from happening.

Outages to Google’s systems in June 2019 show that reliance on one provider in the US for everything is far from ideal. If you are the network or information manager at a school in the UK and are using public cloud-based systems, how many of the ICO directives can you say for certain you are complying with?

UK schools must seriously consider taking digital systems back into their own control. Leaving data in public clouds and hoping the US firms will look after it, as the governments in other European nations have discovered, is much like the proverbial ostrich putting its head in the sand to avoid a hungry lion.

Alternatives

There are cost-effective alternatives available now which can relieve pressure on the public purse as well as reduce risk in terms of availability, security and compliance.

Most schools have their own server rooms and reliable internet connections, so they could host their own cloud-based systems on Open Source applications. Alternatively, they could employ organisations to host their own instances of solutions like Nextcloud and thereby support the development of these vendor-neutral solutions.

Their students can gain experience in these systems due to their open nature. In the medium to long term this would help address the UK’s digital skills shortage and offer skilled employment in various roles in these UK-based cloud hosting services.

Leave it to the students!

A pioneering example of a school empowering pupils to operate the school IT services is Penn Manor School. Led by Charlie Reisinger, Penn Manor are a global leader when it comes to Open Source in education, and this is delivered by the pupils themselves. In Charlie’s book, he explains how they are able to deliver reliable technology to teachers and pupils on a fraction of the budget most schools spend, whilst developing technology leaders who can inspire others and go on to use their skills throughout their careers. This is only possible with Open Source.

Many European governments and cities have already made moves to host their own cloud-based systems based on Open Source solutions such as Nextcloud. This software offers a far more robust and manageable storage solution that is granular and does not allow your student data to be co-hosted on offshore servers with other businesses and therefore secretly harvested.

How TLM address the issues

Here at TLM we have used Nextcloud to support our 300+ UK schools for the past 2 years. Schools submit their coursework to a secure login space and can then share it with our internal staff for moderation and feedback.

Once the process is complete, our staff can un-share and the data no longer resides on our system. All of this is hosted on a server in a UK data centre, giving jobs to people in the UK and sustaining innovation that is maintained here for our benefit.

Behind all cloud providers are people. Selecting a provider who can be talked to on the phone or met in person enables a customer to make a choice based on the values of the provider. With this approach, the customer has someone to hold accountable when issues occur – this cannot be said for ‘warehouse’ cloud providers.

You can’t abdicate responsibility

In summary, abdicating responsibility for data privacy, security and service availability to a ‘warehouse’ cloud provider is not appropriate, and there are options which are likely to be more cost-effective, offer better value and do not have the associated risks.

About the author

Paul Taylor is the Chief Regulatory Officer at TLM and has been involved in the education sector since 1986. He has taught from primary level through to undergraduate. He has been involved in OS in education since 2000 when he hosted the first Open Source IT in Education conference at a school in Salisbury.

Paul works for TLM who are an Ofqual regulated Awarding Organisation offering STEM based qualifications using Open Source technologies.