Windows Server 2012 Thread, DropBox for the teaching staff safe or not. in Technical
  1. #1

    DropBox for the teaching staff safe or not.

    Hi

    I've been asked by a few staff to install DropBox on their laptops in our school, where staff use it as a means of having access to certain files.
    Please let me know how safe this is to use.


    Is anyone else using DropBox for the staff?

    Thanks

  2. #2

    Norphy
    I suppose it depends what they want to store on there. Any confidential student data would obviously be a no-no but their general work would be OK.

    Are you using Office 365? OneDrive for Business may be a better option than DropBox in this instance?

  3. #3

    FN-GM
    All our staff have remote access so they can get files from home computers etc. Also use offline files for the small number of laptops we have. Because of that we don't need it. The only people that tend to request it are student teachers.

  4. #4

    Joanne
    I use dropbox for use on ipads... but I don't know if I would be comfortable using it as a means for staff to access work... although it is more secure than a pen drive!

  5. #5

    unixman_again
    We allow the use of DropBox for staff and students, but we don't install it on the PCs or MACs. If they want to use it, they have to use the web interface. We introduced this policy after it was installed on the MACs and kept falling off the desktop. The teacher who uses the MACs wasn't happy but we said "That's the way it is going to be". Students also have Office365. So why don't they use that? Said teacher instructs them to use DropBox but we discourage it by the aforementioned policy. Most students use the Office365 or USB stick.

  6. #6

    dhicks
    Quote: Originally posted by genesis
    Please let me know how safe this is to use.
    If people have the sync client on their home PCs and they're copying files to their DropBox area you have potentially confidential files wandering off onto individuals' laptops, which isn't ideal if someone else then gains access to that laptop. As others have suggested above, you can have people just use the web interface, but that doesn't stop them installing the client at home. If you require staff to have home access to files, a remote access solution of some kind is probably better. If you do decide you need a Dropbox-like solution, you can install your own OwnCloud server, which includes a web interface and various sync clients, with the data stored on your own server. If you need to specifically access Dropbox (some exam boards now seem to be distributing files with it), you can set up your own file server in school, install the Dropbox client and have everyone's account sync with that central server, making their Dropbox home folder available as a network share - that should centralise the whole thing and stop so much file transfer traffic being scattered all over the network, plus you don't have to install the client anywhere. OwnCloud actually has similar functionality built in (users can add their own DropBox accounts to be synced with their OwnCloud account), so OwnCloud might be a good option for that, too.

  7. #7

    I have blocked Dropbox on our firewall ever since the day I found 7 GB of teachers' work on a PC; this contained stuff that shouldn't have been there.

    I do however allow the use of Google Drive since it's in with our Google Apps and I can at least control it.

  8. #8

    Although non-education, I don't promote it. Us techies have one we use for drivers and firmwares, and I use an account between my laptop, PC at home and mobile devices for manuals etc. If staff want to use it, it's via the web page, but it's mainly to retrieve documents sent to them.

  9. #9

    elsiegee40
    Summoning the gospel according to @GrumbleDook

  10. #10

    GrumbleDook
    lol, thanks for that @elsiegee40.

    Here is a short guide to cloud storage and the use of it by schools.

    When considering the use of cloud storage there are a number of areas to consider.

    1. Under the Data Protection Act the most relevant of the 8 principles is principle 7.
      Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
      In previous years the ICO has talked about reasonable steps, but they now make it clearer that it is 'appropriate' measures, and consideration of this has to be based on the type of data being stored / processed and the likely impact / damage should it be compromised.

      Translation? Before you decide where you can store things you have to consider what you are storing.

    2. When looking at cloud based storage you need to complete a risk assessment of what is being stored, where it is being stored (location of actual servers, company history, T&Cs, etc), what measures are being taken (technical and organisational) to protect it and what are the alternatives?

      In the past there has been lengthy discussion about the suitability of certain services. Google Apps, Microsoft's Office365, Dropbox and so on. The principles above stay the same. The ICO talks about data being processed outside of the EEA, companies that have signed up to the Safe Harbor agreement between US and EU, advice on cloud computing in general and so on. The important differences between private cloud, community cloud and public cloud (and the resulting hybrid model that is possible with some use of all 3) should be considered here.

      Translation? Putting things in the cloud is fine, but you have to plan what you are doing and take care to make sure about the partner / service you are working with.


    Previous conversations about the use of dropbox can be summarised in the following points
    • Do we know where the data is? Yes, we now know they use Amazon storage based in the US.
    • If the Data is outside of EEA can we still use them? DropBox have now signed Safe Harbor so there is nothing there stopping you anymore.
    • Is it safe? Yes, for a given value of 'safe' ... the data when stored it is not so much how the data is transferred, or how it is stored when it gets there ... more a case of how is access controlled. This takes us back to the 'appropriate technical and organisational measures' part of the DPA.


    Now let's look at what considerations should be taken for *any* cloud based service. This is not a definitive check list, but it is a darned good place to start from chatting with most folk.

    • Check where and how the data is stored. Consider if it is within EEA or in US and with Safe Harbor signed. If it is with a US company who has signed Safe Harbor but there is no guarantee the data is held in EEA or US then you have to consider the locations where it is stored and the impact any local laws there may have (e.g. is it stored in Australia, Brazil, Thailand, etc and do any local laws mean data could be seized differently to if UK / EU / US laws were applied?) and how this affects you.
    • What are the guarantees around the company? Anyone can set up a service but do you trust the company? Have they passed any security audits? If they are a specific education company do you need to consider DRS checks?
    • Now the data is stored outside of the school what are the restrictions on access / processing? Technical? Organisational? What are your audit trails for this?

    Bringing it back to DropBox again ... the main concern here is how the data is accessed and cached on local drives. Is the account a 'personal' account that is being used? What guarantee is there that you can control the data should that personal account no longer have the right to access the data?

    • Scenario 1 - HoD needs data to be shared with teachers in her department. She has a DropBox account, as do others. She uploads a coursework logging spreadsheet into a shared folder and others access / complete it. A member of staff leaves so that access needs to be removed. Who removes it? As the service used is personal then it has to be the HoD? Is she aware of this?
    • Scenario 2 - HoD needs data to be shared with HoDs for other departments to target intervention children. The spreadsheet will contain reasons for intervention, including details of personal circumstances (which can include Sensitive, Personal Data). A member of staff is suspended due to allegations ... how is that data then secured? The school has no oversight of the methods used to share the data and is reliant on all staff taking ownership of controlling data. The audit trail for this is horrendous!
    • Scenario 3 - The same data is being shared between HoDs. One HoD installs the client on their home computer which is used by all family members. At this point the school has no control over how the data is controlled. Guidance is needed to be provided (using organisational measures rather than technical measures) but again, the audit trail on this is horrendous.
    • Scenario 4 - The same data is being shared between HoDs. One HoD installs the client on a personal mobile device. The device is then stolen. Is this a data breach? How was the device encrypted? Can it be remotely wiped?


    The above scenarios would make most people shy away from using *any* cloud service ... but actually, the ways of dealing with and mitigating the risk are pretty much the same as if you are using school hosted services.

    1. Make sure that your AUP for staff covers the use of cloud services and the personal responsibility that each member of staff has to ensure that they only share data by controllable means. The school needs to assess whether their staff have a good understanding of Data Protection and Information Management, and then they can choose appropriate training as well.
    2. Make sure staff understand what levels of data are being processed. DPA talks about two levels, Personal Data and Sensitive Personal Data. Becta also worked on the use of Business Impact Levels and the UK Govt still gives advice around this too. CESG has the specific information if needed.
    3. When using email make staff understand what sort of data can be shared on that service. Good practice is to store the data in a controlled location and email the link to it, rather than emailing the file around. This is also good practice for managing mailbox size too. Win-win!
    4. Where cloud storage and email are accessed on a device then make sure it is encrypted, secure and wipeable. If desktops the physical security is taken into account, for laptops the device encryption, but for mobile devices (phone / tablets) there is a strong level of importance on device encryption, strong passphrase for access and the ability to remotely wipe. It might be that tablet devices need to have 3G access purely to allow them to be remotely wiped. The company position on how this is dealt with on personal devices (and the audit trail for verification too).


    So, back to the question. Can you use DropBox?
    Yes ... but make sure you consider the above 4 points, factor in the cost (both technical and organisational) for implementing it (and yes, that includes training, checking staff personal devices, etc), the politics involved (not usually dealt with by NMs but by SLT ...) and the timescales involved.

    Make sure that SLT know and understand that this is to do with the application of a Law within the school ... and that you are not being negative or trying to stop people doing things ...

    Look at alternatives. Remote access to school systems so that the data never leaves your walled garden is very good but can get very expensive.
    Instead of using a personal tool have a look at verified cloud based services. Some have no licence costs (O365) but you then get limitations on it being a free service, shared with others ... and you have to factor in school staff time on it, and others have a cost but you then know that the service is backed up by SLAs, etc (declaration of interest ... I do work for such a cloud-based service!).

    I hope this covers off most of the areas you needed to look at, answered some of the questions that might arise within the school too.

  12. #11

    Sylv3r
    We allow it for staff via the website not the client although we are considering setting up an onsite own cloud server.

  14. #12

    GrumbleDook
    Quote: Originally posted by Sylv3r
    We allow it for staff via the website not the client although we are considering setting up an onsite own cloud server.
    Do you have guidance for staff that if they use the website they are not to then use the client at home / on mobile devices? Do you have guidance on the type of data that it can be used with? Any snippets from AUPs around this would probably be helpful to others.

  15. #13

    We have just got round to implementing SharePoint quite recently in the school I work at. This allows our staff and students to access their folders remotely so we don't really need dropbox although some staff do still use it as well as One Drive. As long as they aren't storing confidential student information or anything sensitive then I don't see any huge problem with it.

  16. #14

    Our staff can access their shares from home along with virtual desktop sessions, but sometimes you get someone who will look at something like dropbox and go "oooh, shiny!" and just use it regardless of reason, advice and policy

  17. #15
    cpjitservices
    Why not use https://owncloud.org/ ?

    You control it.
