Data Security | Feature

Maintaining Control of Document Access in Google Apps for Education

This Michigan school district wanted to make sure it had oversight of documents that might contain personally sensitive information even if they were stored in the cloud.

The sorry state of public funding in Michigan has Pete Poggione being as "prudent as possible with every penny" at Mattawan Consolidated School, the 4,000-student district where he works as information technology director. That thriftiness included adopting Google Apps for Education about four years ago to eliminate the district's heavy reliance on Microsoft and Novell software for productivity applications and network management. The network has 2,200 computers--PCs, Macs, and more recently Apple iPads--in use by staff and students.

To err on the side of caution, the district issued Google accounts to teachers and staff first to allow them time to work with the cloud service, then a year later rolled Google accounts out to students as well. In the beginning those two groups resided on separate domains, and the district was having problems with collaboration between the two. Says Poggione, "Once you get into Google Applications collaboration within your own domain, it's great. That works lovely." That said, he added, "You can't collaborate effectively between domains. It's just not an easy thing to do."

After a couple of years of use, district IT simplified user interaction with Google Apps by putting everybody into the same domain and managing users through organizational units in Microsoft's Active Directory.

The Google Apps Vulnerability
In the course of growing Google Apps usage, Poggione discovered a vulnerability. There was no way for him as the administrator to know what documents were being shared outside of the school's domain that should have been kept private. A staff person's departure from the district showed him that the only way he could sort out what documents that person's account controlled was to log into her account--take ownership of the account--and go through the documents one by one. "It was a big manual process," he recalls. "That's not a good way to manage documents out in the cloud."

His fear was that a user could designate a document as "public on the web" in order to simplify sharing among the members of a department, and suddenly it would be available to the world at large.

"Take for example all the IEP documents (Individual Education Plan)," Poggione explains. "The school owns hundreds of these documents and each one contains sensitive and private information about each student participating in this program. It's key that we have the visibility and control to make sure these documents comply with privacy regulations."

A second problem was that the same former user had shared with her personal Gmail account a lot of documents that weren't "technically public."

Google Apps allows users to keep documents private, share them with anyone online, or share them with people who have a link.

Although Poggione insists the district hasn't had any instances where anything was shared publicly that shouldn't be, he wanted a way to address the potential data breach issues that could surface.

Google makes multiple application programming interfaces available for developers to create applications to manage Google Apps. Likewise, Poggione came across a Python toolkit that could be used to write administrative scripts. Those were "all fine and dandy," he says, but he didn't have time to undertake learning how to use either of those solutions. He did a random search of Google's Apps Marketplace, which uncovered a tool called CloudLock by a startup company of the same name.

Poggione applied for a free trial account and discovered that the vendor was hungry for reactions from an education user. "They treated me as if I'd been a client forever," he recalls. "They listened to my feedback. As they kept adding functionality to their product, everything was relevant to what I do on a daily basis. They have yet to add anything to the product that I have found superfluous."

In the 2010-2011 school year, the Mattawan district became a CloudLock customer. The cost of the service, Poggione says, didn't make him "even sneeze. It's a lot cheaper than a fine."

From that moment forward, the district was able to see what sharing permissions it had on its documents and make sure the right controls were in place for those.

Daily Notification of Document Sharing
Now, every morning Poggione receives a "tickler" email message that gives him a list of documents that are newly created or that have had their sharing settings changed. Besides telling him how many documents are available in Google Apps, the email also tells him what types of documents they are and lets him know how many of them have "public exposure to the entire world."

He scans that email, looking at the names of the documents and their "owners." "Humans are creatures of habit," he says. "Sometimes it's easier to make [a document] public than to select the users you want to share it with." When that happens, he quickly notifies the user to let the person know that he or she has just created documents that are public.

Poggione is quick to emphasize that he's not averse to sharing documents through Google Apps. This is a matter of user training. "If a document needs to be globally publicly available, by all means, share it with the world. That's what education is all about," he notes. But he wants to make sure his users understand the default settings for documents. "When you click on 'Public on the web,' that means making this document public. Anybody can read it, and anybody can see it. If that's your intent, great. But if that's not your intent, then you need to make a change."

The typical recipients for those email notifications are teachers, Poggione says. Student-generated documents are by default saved as private. They have to explicitly share a document with other users by providing a link or granting permission to others to access the files.
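
The daily digest described in this section boils down to classifying each changed document by its widest sharing setting and listing the ones that need a follow-up with the owner. The sketch below is an added example, not CloudLock's code or anything from the district; the record fields, the `district.example` domain and the sample documents are constructed for illustration.

```python
from collections import Counter

DOMAIN = "district.example"  # placeholder for the school's own domain

def exposure(doc, domain=DOMAIN):
    """Classify a document by its widest sharing setting."""
    if doc["visibility"] == "public_on_web":
        return "public"
    if doc["visibility"] == "anyone_with_link":
        return "link"
    # Exact match on the part after the last "@", so a lookalike such as
    # user@district.example.elsewhere.test still counts as outside.
    outside = [a for a in doc["shared_with"]
               if a.rsplit("@", 1)[-1].lower() != domain]
    if outside:
        return "external"
    return "internal" if doc["shared_with"] else "private"

def daily_digest(docs, domain=DOMAIN):
    """Summarise new or re-shared documents and list those needing follow-up."""
    rated = [(d, exposure(d, domain)) for d in docs]
    follow_up = sorted((d["owner"], d["title"], e) for d, e in rated
                       if e in ("public", "external"))
    return {
        "total": len(docs),
        "by_type": dict(Counter(d["type"] for d in docs)),
        "by_exposure": dict(Counter(e for _, e in rated)),
        "follow_up": follow_up,
    }

# Constructed sample records (hypothetical field names, not a real API schema).
SAMPLE_CHANGES = [
    {"title": "IEP plan", "owner": "teacher1@district.example", "type": "document",
     "visibility": "public_on_web", "shared_with": []},
    {"title": "Dept budget", "owner": "staff2@district.example", "type": "spreadsheet",
     "visibility": "private", "shared_with": ["former.staff@personal.example"]},
    {"title": "Lesson notes", "owner": "teacher3@district.example", "type": "document",
     "visibility": "private", "shared_with": ["teacher1@district.example"]},
    {"title": "Essay draft", "owner": "student4@district.example", "type": "document",
     "visibility": "private", "shared_with": []},
    {"title": "Unit slides", "owner": "teacher3@district.example", "type": "presentation",
     "visibility": "anyone_with_link", "shared_with": []},
]

if __name__ == "__main__":
    print(daily_digest(SAMPLE_CHANGES))
```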

Monitoring for PII
More recently, Poggione has been testing Compliance Scan, a new service from CloudLock. Whereas the CloudLock service for Google Apps was built primarily as a way to let IT manage document access and visibility, Compliance Scan allows the administrator to scan for specific types of information within documents, such as Social Security numbers or credit card numbers, without giving IT visibility into the document contents.

The IT person sets up a policy that runs in the background. When the various filters catch a document that fits the criteria, an alert is sent. Poggione expects to set up an automated email that will go out to users to explain that they've created a document caught in the filter; the same message will go to Poggione or another administrator as well.

The program doesn't provide access to the document, Poggione says, unless he takes ownership of it, in which case the program logs that activity in a record that can't be changed. That log can be used as evidence of compliance with regulations and internal policies. "It does a great job of auditing the auditors," he notes.

The scanning can be done for any kind of document or for any of the user groups set up within Google Docs, such as students. The program also allows IT people to write their own expressions and matching criteria for custom filters.
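
A content policy of this kind can be sketched as pattern matching plus validation, with alerts that carry match counts rather than the matched text. This is an added example, not Compliance Scan's implementation; the document records, the `student_id` custom pattern and the sample texts are constructed.

```python
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

def valid_ssn(area, group, serial):
    """Drop ranges that are never issued, to cut false positives."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def luhn_ok(digits):
    """Luhn checksum: separates card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_document(doc, custom_patterns=None):
    """Return an alert holding match counts only, never the matched text."""
    text = doc["text"]
    counts = {
        "ssn": sum(valid_ssn(*m.groups()) for m in SSN_RE.finditer(text)),
        "credit_card": sum(luhn_ok(re.sub(r"\D", "", m.group()))
                           for m in CARD_RE.finditer(text)),
    }
    for name, pattern in (custom_patterns or {}).items():
        counts[name] = sum(1 for _ in re.finditer(pattern, text))
    counts = {k: v for k, v in counts.items() if v}
    if not counts:
        return None
    return {"doc_id": doc["id"], "owner": doc["owner"], "matches": counts}

def run_policy(docs, custom_patterns=None):
    """Scan every document and keep only those that triggered a filter."""
    alerts = (scan_document(d, custom_patterns) for d in docs)
    return [a for a in alerts if a is not None]

# Constructed sample documents; the card number is the common Luhn-valid test value.
SAMPLE_DOCS = [
    {"id": "doc-001", "owner": "teacher1@district.example",
     "text": "IEP intake: SSN 123-45-6789, fee paid with card 4111 1111 1111 1111."},
    {"id": "doc-002", "owner": "teacher2@district.example",
     "text": "Order 1234 5678 9012 3456, reference 000-12-3456."},
    {"id": "doc-003", "owner": "student1@district.example",
     "text": "Lab partners: MCS-204411 and MCS-204412."},
]
CUSTOM = {"student_id": r"\bMCS-\d{6}\b"}  # hypothetical district ID format

if __name__ == "__main__":
    for alert in run_policy(SAMPLE_DOCS, CUSTOM):
        print(alert)
```

The second sample document produces no alert: its 16-digit run fails the Luhn check and its SSN-shaped string uses an area number that is never issued.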

Poggione said he expects to use a similar feature in the product to filter student-generated content against a checklist of "bad words." In particular, he wants to be able to check for inappropriate content without assuming ownership of the documents, for example to ensure that students aren't engaging in cyber-bullying.

Using the Right Tools
"When I sold Google Apps and email to our school board, I flat out told them, 'Who do you think is going to recover from a huge disaster faster from any type of problems--me or Google? Who do you think is going to have the resources to get back up and running?' Do I trust the cloud? No more than I trust anybody else. But that means I have to do my work to ensure that I have the tools that I need to do the things that I need to do." "CloudLock," he concludes, "is a big time saver for us."