rayfleming (6th December 2010)
New here and maybe in a minority as a Parent - but this site seemed to be a good place to start outside of the vendor!
My kids' Primary school are using Uniservity cLc and pushing the kids hard to use the platform. Now as a self-proclaimed geek (been in IT probably too long) and working on both private sector and government contracts I thought I would check out this "Amazing portal that the children can use at school and at home!".
I was first a bit startled to find the link on the school's homepage took us to an external site - but thought hey it will be secure as it is outside access right! WRONG!
I was shocked to see as my son logged in that firstly he had been given a highly insecure password, then that the security certificate fails (due to their use of front end load balancers) and then once he is logged in all actions and access are not secured - only during logon do you go via https and port 443 - then default takes you back to port 80 and http! So all further interaction with the site, including any messages sent etc, is via a non-secure connection.
Is this the standard configuration? Is there a setting the school should be changing to force use of https (if I force use of https via browser then all connections go via this route)?
When a member of staff/School Admin logs in, are they forced to use secure passwords and/or have token authentication in addition to username/password and in line with BECTA guidance for teacher access to VLE portals?
Has anyone here had a conversation with Uniservity on data security and the BECTA guidance on il2/il3 data and how the data is stored in the backend database? Is the different schools' data held in a federated way to provide data security?
Any and all comments would be gratefully received - of course I will also be taking this up with the school but this appeared to be a good forum with which to hopefully get some background information.
Many thanks in advance
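Added example (not part of the original post): the behaviour described in the post above, HTTPS for logon and plain HTTP for everything afterwards, can be confirmed from a recorded browser session. The host, paths, cookie name and capture below are constructed for illustration, and the cookie check goes slightly beyond what the post reports.

```python
from urllib.parse import urlsplit, urljoin

# Constructed capture of one login session (hypothetical host and paths).
# Fields: method, url, status, response headers, request carried a session cookie?
CAPTURE = [
    ("GET", "http://portal.example/", 302,
     {"Location": "https://portal.example/login"}, False),
    ("GET", "https://portal.example/login", 200, {}, False),
    ("POST", "https://portal.example/login", 302,
     {"Location": "http://portal.example/home",
      "Set-Cookie": "SESSION=abc123; Path=/; HttpOnly"}, False),
    ("GET", "http://portal.example/home", 200, {}, True),
    ("POST", "http://portal.example/messages/send", 200, {}, True),
]


def audit_session(capture):
    """Return (url, finding) pairs for transport weaknesses in a capture."""
    findings = []
    for method, url, status, headers, has_cookie in capture:
        scheme = urlsplit(url).scheme

        # An HTTPS response that redirects the browser back to plain HTTP.
        location = headers.get("Location")
        if scheme == "https" and location:
            if urlsplit(urljoin(url, location)).scheme == "http":
                findings.append((url, "redirect downgrades https to http"))

        # A cookie without Secure is also sent on later HTTP requests.
        cookie = headers.get("Set-Cookie", "")
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if cookie and "secure" not in attrs:
            findings.append((url, "cookie set without Secure attribute"))

        # Logged-in traffic (pages, messages) travelling unencrypted.
        if scheme == "http" and has_cookie:
            findings.append((url, f"authenticated {method} sent in cleartext"))
    return findings


if __name__ == "__main__":
    for url, finding in audit_session(CAPTURE):
        print(f"{finding}: {url}")
```

A site that keeps the whole session on HTTPS and marks its session cookie Secure produces no findings.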
Hi Richard, welcome to the world of EduGeek and welcome to the world of data in schools.
Remembering that a lot of the data protection / information security guidance out there is just that ... guidance ... and usually around risk management too ... is very important.
You will get different interpretations depending on which LA you talk to, which region you are in, which provider you use and what day of the week it is. Some of the best interpretations can be found over at Ray Fleming's blog (now available on the home page of EduGeek or via the following link Microsoft UK Schools blog - Site Home - MSDN Blogs )
A few things to remember though ...
Passwords are often kept simple for younger users to allow them to remember them easily, both at home and in school. Resetting passwords all the time is an interruption to learning so you will find that some priorities need adapting for this. Most systems out there (not 100% sure with UniServity) will allow you to change your password anyway so that is not an issue. Remember that just because you, your son/daughter and a good number of others have no problem remembering something more complex than dog, cat, etc ... not everyone is in this position ... and whilst many of us prefer a 'lock it down, then relax things' approach, this is not always possible ... so with things like passwords it is sometimes a 'be relaxed for the young users and then educate them' that works best.
Not all activities that go on within a learning platform hold any data of relevance at all. In fact the majority of activities shouldn't. Once you have logged in then when you are doing learning activities or accessing worksheets (yes ... worksheets .. after all, learning platforms are often the place where worksheets go to die ... to paraphrase quite a number of people!) then we are talking negligible impact if the data gets out.
Not everything needs to be dealt with by technology. If you have a cast iron policy for accessing data on learning platforms or MIS with staff, that says you only do it in specified places, that you don't download, etc ... then perhaps two-factor authentication is over the top. It is about risk mitigation at this point ...
Personally ... having sat down and talked with people about the Becta Guidance ... I have come to accept that a platform operating completely over https is likely to be best, but two-factor auth is possibly too much (especially when you have some schools now working on AD integration so you log into your desktop and have direct access to a learning platform, the MIS, sensitive personnel data, etc) and so you have to educate people instead. I also accept that some filtering solutions hate having https passed through them and so I prefer to have either proxy exceptions in place to allow access directly past proxies and tunnelled via any provided firewall ... but also quite like that some filters will do contextual filtering (ie world level filtering) and it is a handy way to log and catch bullying and so on ... but you could opt for other tools to do that instead (eg Securus ... other keylogging tools are also available).
All the selected Learning platform providers had lengthy conversations with Becta about data protection and some did start to change, but some needed to do a fair bit of work, and needed more dev time to cope with the required changes. Some have come out well ... others don't seem to have done much, but some of it is also down to how any local contract was signed as well. If the Learning Platform is part of an LA or regional purchase then there might not be a big push to change the data protection operation until the LA stipulates it needs to ... this is usually associated with a cost to do the work and since no-one is flush with funds right now it will only be done when the provider gets round to it.
It might be worth asking if UniServity are doing anything new at BETT which may rectify some of your concerns ... and then you can start asking the school when these changes will be put in place.
I hope this gives you a bit more of a background as to how we are in the position we are with many providers ...