School Security

Securing Google Apps Education Edition

A major initiative for schools in the United Kingdom is a theme called "Assessment for Learning (AFL)," which calls for the use of evidence and dialog to identify where students are in their learning. According to the Qualifications and Curriculum Authority, which develops curriculum and assessments for England's education system, concepts of AFL include providing feedback to students, getting students engaged in their own learning, adjusting teaching to encompass the results of assessment, and providing mechanisms for students to be able to assess themselves and understand how to improve.

In the classroom AFL translates to the ability to continuously capture, "like a snapshot," how a child is doing on schoolwork, according to Damien Kelly. That feedback loop enables the teacher to make informed adjustments to the teaching throughout the process of a project or lesson, should the student go off track.

At St. Michael's Roman Catholic School near Billingham in Northern England, where Kelly is the head of e-learning, the traditional method of having a student work on Microsoft Office applications and then printing the results off at the conclusion of the lessons for checking by a teacher wasn't sufficient. "The student may have been doing something wrong for four lessons," Kelly explained. "And then they'd have to put that right."

The school, which has slightly more than 800 students from ages 11 to 16, chose to implement Google Apps Education Edition about a year and a half ago, at about the same time it began its AFL journey. Because Google Apps provides for shared documents, students could share work, and teachers could comment on work through the collaboration features of the suite of programs.

Likewise, Google Apps would allow for collaboration among students. "In the traditional mode, where the Office applications run on each PC, the only way to do that might be via chat or using something on the Internet to let students talk with each other," Kelly explained. "We tried that, and it wasn't successful."

Now, students can share a single file and work collaboratively on it. "Students love it. They police each other: 'Let's talk to Henry. You must do [your part of the presentation] tonight.' We've seen that working," Kelly said. Plus, he added, teachers can add their comments as the work progresses as well.

The next step in adoption of collaboration was to allow teachers to share confidential information about students in their classes, "so they'd know things about them that were important in their learning," Kelly explained. "We wanted to make sure that information was up to date. The issue with having it printed on paper is that if it went astray, others could see that information. So we thought we could use Google Apps."

Although the school was confident about the security of the Google data infrastructure itself, it had concerns about the user security scheme, which is tied to a single user name and password. Anybody who has those two pieces of information can access a user's accounts and files. In fact, that has happened at the school among students. One student would guess another's login information and use it to gain access to the other person's files.

"You'd see things that maybe you shouldn't be able to see," said Kelly. Before enabling teachers to share confidential student information, the school decided it wanted to add another layer of security to that.

Kelly was given the job of researching implementations. His criteria: The solution had to be simple to implement; it shouldn't require buying another server to set up to act as a front-end to Google; and it shouldn't require the creation of complex scripts to make it work.

He came across information about myOneLogin. This service was developed by TriCipher, a company that sells authentication services for companies, including electronic payment networks used in online banking.

myOneLogin provides a mechanism that allows a user to prove his or her identity through multiple layers in order to gain access to Web-based applications and services. myOneLogin and Google Apps communicate using SAML, Security Assertion Markup Language, an XML standard for exchanging authentication data between security domains. The company also works with VeriSign Identity Protection (VIP) Access for Mobile, which allows a user to generate a one-time password that acts as a second token for logging in.

As Kelly recalled, "I read what the school has to do to set it up, but I didn't believe it: Type in the domain name for Google and click a button, and it works. That's not's possible. But it did!" Even better, it was free with the use of Google Apps Education Edition, which is also free. (TriCipher prices the service for business users at $30 per user per year.)

According to Vatsal Sonecha, the company's vice president of product management and business development, a new customer, such as a school or school district, can set up a portal that's branded to resemble the district's own Web site. The administrator picks a vanity URL specific to the school site and adds users. If the district has an Active Directory or other LDAP-based directory set up, the service will tap into that to bind itself to Google Apps. Or myOneLogin can act as a directory to which an administrator can batch upload all user login data. Once that's done, the administrator designates what Web-based applications the user has access to and specifies the level of authentication desired.

Kelly chose to use a testing mode, by designating a set of students and staff that had to log in using the extra layer of security. After the trial proved successful, the school rolled it out to everybody with a Google Apps account.

Users will continue using the same Google Apps login information but with additional steps. The teachers at St. Michael's went in groups of eight to a room where they were asked to log into their Google accounts. myOneLogin took them through a registration process that asked them to designate the answers to three questions of their choosing, including the specification of a picture. "There's a massive choice of pictures," Kelly said. The advantage of the picture, he added, was that it would clue the user in that he or she wasn't at a spoofed Web site. "You put your user name in, and it brings up picture. Then you know it's your account." Following that initial registration, teachers were told to log out. When they returned to Google Apps, they would enter the user name and password again, but this time they'd also be given two of the three questions specified during the registration process to confirm identity.

Some users--including Kelly--chose not to use the question approach. They use the VeriSign VIP Access for Mobile system to generate a unique number for that session's login. In Kelly's case, he generates the token on his HTC HD2 mobile phone, running Android. "I like that because then I'm not worried about anybody looking over my shoulder. I just type that number in along with user name and password," he said. "I deliberately let students see it, because I know that it'll terminate in 30 seconds, and it's gone."

Students were taken through myOneLogin registration by class. The school distributed "crib sheets" and used team captains--students who are computer-savvy--to help each class with the process, which was typically done in 10 to 15 minutes, Kelly said.

Although the school is using myOneLogin specifically for granting secure access to Google Apps, the service also acts as a means for whitelisting applications. The portal used for registration can list all Web-based applications that a user has access to. In the case of St. Michael's that includes programs for booking rooms at the school or reporting technology-related service requests.

Currently, myOneLogin has about 2,400 applications in its service, according to Sonecha. Once an administrator has added a new Web service for a specific set of users at one organization, the site is confirmed by staff at myOneLogin, and it's added to the roster available to all customers of the service. That prevents a user from entering a wayward URL that could lead to a phishing site, a Web site that resembles a legitimate site but actually collects data--such as login information--for fraudulent purposes.

On the administrative side, myOneLogin offers a quick means for keeping users out of programs while still maintaining the data itself in the case where a person has left the staff or a student has graduated. As Sonecha explained, the administrator simply removes the user from the directory store. This is especially useful where multiple Web services are in use at the school. Rather than removing the user from each Web service, it can be done from one place.

Although myOneLogin addresses Web-based applications, it doesn't address client/server applications the school hosts on its own servers. For those, the school continues using network logs to monitor usage.

St. Michael's users like the combination of Google Apps and myOneLogin services. For teachers, all the student excuses they're used to hearing are gone, Kelly said. "No more 'My dog ate it,' 'It's in my locker.' Once I log into my PC, it's all there. Students can't fib anymore." The head of the English department reported a 50 percent reduction in the amount of time she spent marking up student work by virtue of the fact that students were able to put pressure on each other to keep group projects on track.

Plus, students are able to stay more organized. "With paper folders, they have paper all over the place--at home, at school, in desks. In Google everything is together," Kelly said. "What we found really interesting was that students in danger of falling off the educational track were [enthusiastic]--they could be put on track again using the technology.

"Google Apps releases the potential of students. It allows them to work more efficiently, more collaboratively. It allows the teacher to monitor the work on a regular basis to keep the child on track to reach their full potential. And with myOneLogin, everyone feels secure. They know nobody is going to get onto their accounts," Kelly concluded. "I only use technology if I think it's going to be beneficial. And this is beneficial."