Digital Learning Environment Blogs

Get the RSS feed

It's Always Time to Rethink Your Security
by Mark Payton

One of the things I have enjoyed about my first year in Jordan has been experiencing all the differences between life in Madaba and life back in New Hampshire. Some of these differences are cultural. Some are in practical areas such as the electrical current or driving laws.  Some are in geography and climate, and so forth. Not all have been easy to adjust to. (Don't even get me started about the motorcycle laws in Jordan.)

One of my friends last year had recurring bouts of what she termed "Jordan rage" when the frustrations with these differences would occasionally build to a  boiling point and then erupt over a relatively small matter. I can understand. Overall, though, the differences have been more cause for self-evaluation and examination of what things matter and what really don't. They have provided many opportunities to look at different ways of doing the same thing with an eye toward finding the "best" way of doing them for me in a given context.

In the same way, I am in a position to re-examine some IT practices that I have long done one way, but when I arrived here were done differently. As with most things, there isn't necessarily a single "right" way to do them, but the strengths and weaknesses of the various options need to be weighed and within the given context a choice has to be made. I want to run through a laundry list of these in this post--issues that I am currently reevaluating myself--and encourage others to look anew at the answers as well. If there is one constant in the technical world today it is change, and last year's decisions may not be the right ones for the future. None of these are new issues, but all of them are worth regular reconsideration. And the summer break is a great time for doing just that.

The overarching context for all of these items is the point of tension that always exists between ease of use and security, or information, workstation and network safety to put it more plainly.

Do your users run as administrators on their computers? There are essentially three choices here: yes, no, and sometimes. Giving a user admin rights means that updates (such as flash, Acrobat reader, etc.) can happen very easily and installation of new software and ActiveX controls is (relatively) painless. On the other hand, drive by downloads also happen easily and they can be anything but painless. Users can install so many apps that their systems become creakier and creakier and eventually collapse under the weight. (And this is a platform agnostic statement.) 

I've done all three at some point and for some users. I tend to prefer that students (on school owned computers) NOT have admin rights at all but that a program be in place to assist them with installations. For faculty, I prefer to give them a non-admin account for day-to-day usage, and a separate admin account that they can use for installation of software. I also show them the Windows Run As command to make this even easier. Still, some insist on having their primary account be an administrator account and I've gone both ways on this one.

What about passwords? Do you expire the passwords after a certain period of time? We have been, but we--or more properly our faculty and students--have also been bitten many times by an expired password during a break, meaning that email suddenly becomes unavailable. Non-expiring passwords are far, far easier on the users. But then again, they are far, far easier to abuse since once a bad guy gets it he has it for life. If you do expire them, how often? Six weeks? Six months? Annually?

What about password complexity? Here the tradeoff is between a secure, not-easily-guessed password that likely will end up written down somewhere and one that is easy to remember and thus easily guessed AND is quite likely used in a number of other places meaning that once it is discovered lots of different accounts may be at risk. (This is the main issue I have with single sign-on systems and having browsers remember your passwords as well. Get one password and you get the keys to the kingdom.) I tend to favor complexity with user education about symbol substitution, but I'm not convinced by far that this is the best answer .

What about allowing unmanaged computers onto your network? Talk about opening the castle gates to the barbarians! Even putting the machines into a VLAN that has no internal access has its risks and downsides. Next year, we generally aren't putting private student machines onto the network for a number of reasons. Good solution? Wait until the students start complaining about that, then we'll see.

If you do allow private machines onto your network--even in a separate VLAN--what is the policy regarding antivirus on those systems and how do you enforce it? We will be allowing private faculty machines on, but I want to require active, updated anti-virus on all of them, Macs included. Verifiable enforcement won't be terribly easy, though.

What about workstation backups? In spite of all the precautions, things happen. We are an ultraportable environment (Tablet PCs and notebooks for now, Tablet PCs alone in the future) and when computers are carried, they are dropped. Users running with admin rights WILL get attacked at some point and will quite possibly lose their data. Are all of your users' local files backed up? Do they do it manually or do you do it automatically? And by the way, do you actually test those backups to ensure that they are working and available when something does happen?

Lastly, how do you handle patches and updates? Do you have centralized control over it? For applications as well as the operating system? Do you have your machines set to automatically check for updates? How do you know if that hasn't been changed by that user with administrator rights? On the other hand, do you take any precautions to be sure that the latest patch won't cause its own set of problems for some or all of your users? Some years ago my school got hit this way when our antivirus vendor released a patch, which we automatically downloaded and applied, that started causing crashes all over the place.

These aren't just issues for the technical guys to consider, either. If you are a faculty member or administrator, it is YOUR computer and YOUR information that is at risk. You should be at least as concerned as your technical staff is. The number of bots and Trojans in the wild is only increasing and, frankly, schools are too often low hanging fruit for the bad guys. Think about these issues and find the answers that work best for you. Then think about them again. And again. And don't ever stop. The situation tomorrow will be different from the situation today and the problems and solutions will change. If we become complacent about how we deal with them, all we've done is dealt with last year's problems, not today's.