State of Change, Chapter 11: Education

If you work on a college campus, or if you’ve toured colleges recently in search of one for yourself or your children, you’ve probably been shown the “computer labs.”  My daughter’s nearing college age, so I’ve seen more computer labs in the last few years than in the preceding twenty or so.  I’ll describe them all to you; it won’t take long:  There’s at least one long picnic table with benches, all chock full of monitors and keyboards, all with gleaming “HP” or “Dell” brands, all very well-polished and neat, and all of them turned off.  Because nobody’s using them.

At one college I recently toured, I couldn’t help noting the four people in the computer lab room were borrowing its power to charge their iPads.

The student is — and always has been — the modern computer user.  If you ever want to know how to provision a cloud storage account, or make better use of Evernote, or find the best source to have a specific blend of tea shipped to you from overseas, just ask a student.  If he doesn’t know, he’s within arm’s reach — or rather, one tweet — of someone who does.  There are entire corporate IT departments I would happily replace with about four students whom I could pick from a room at random while blindfolded.  Students understand devices better than anyone on this planet.

For colleges and universities, and to a growing degree high schools as well, students are becoming their assets.  Not only is their loyalty the greatest source of underutilized promotional leverage available to them, but their collective knowledge base is becoming a resource.  Now that some of the more lucrative educational businesses completely lack physical campuses, the information and knowledge that students share with one another is fast becoming the embodiment, and perhaps even the foundation, of their institutions.

These assets will inevitably reflect positively on their schools’ balance sheets.  The notion that schools as businesses are exempt from the requirement to distinguish themselves through differentiated service value, is now obsolete.  But schools are under pressure to find new ways of demonstrating differentiated value for prospective students — their customers — besides simply opening up their educational services for free and unrestricted sampling.

Andrew S. Rosen is chairman and CEO of one of America’s most successful private educators, Kaplan Higher Education.  Once simply a publisher of test preparation material, Kaplan has evolved into a recognized private university, with satellite campuses linked together through a modern, global information system.  While Kaplan University gains accreditations as a learning institution, its leaders are under no illusions that it is a media publisher.  Its parent company — until August 2013 known as the Washington Post Company — sold off its Washington Post newspaper to Amazon chairman Jeff Bezos, in what the Company’s financial reports would indicate to have been judged necessary in the wake of an economic downturn more directly impacting Kaplan, its more important and lucrative business.

In a 2010 speech before a meeting of public universities and their interests (PDF available here), Rosen introduced a new and revised form of his company’s core product:

We have taken broadcast-type content — the kind that is typically given in a large lecture format in some places — and moved it to digital media.  This frees up classroom time to be focused on student-to-student and student-to-teacher interactions.  Students spend their time outside of classrooms receiving content from our best instructors across the country, customizing and reviewing it as many times as they need, and preparing through guided games and exercises.  When they come to campus — and they can do that now, a bit less often — they are there to actually try on their learning, to practice, and to receive live guidance.

Here we clearly see cloud dynamics remaking an industry — the pooling together of information and knowledge resources into a single system whose consumers provision themselves.  Now, a business that built its reputation on the trust of subscribers over eight decades has uprooted that stake, and moved it to the realm of students.  Higher education is now a more lucrative media business than news.

But the education industry is stopping short of redefining its core values.  Public institutions are struggling to maintain the appearance of high value, in an atmosphere when the definition of value is being rewritten by private interests.  So colleges are remodeling themselves (or, at least, the public-facing sides of themselves) into something more like resort hotels or rehab clinics — an effort which Rosen mocks in his book, Change.edu: Rebooting for the New Talent Economy.  In Chapter 2, he writes:

The competitive environment is pushing these institutions to shift their focus from what has driven American innovation — the education they offer — to the college “experience,” heavily sweetened with ancillary and ultimately unimportant offerings that impress students but don’t ultimately improve them.  In fact, these ancillary offerings may serve to make students more materialistic and entitled, while actually undermining the focus on learning.

The question Rosen leaves open is whether information technology, or certain forms of it, qualify as fundamental or ancillary.  But there is no question that the “brick and mortar” of Kaplan University contains a high degree of fiber — the fiber-optic variety — and any effort to make access to computing seem as frivolous as Rosen characterizes access to NCAA-sanctioned sporting events, would sound quite hypocritical.

Campus of the Mind

Is campus IT ancillary to the greater goals of higher education?  The answers you get from schools may differ depending on their respective business objectives.  But the answers you’ll get from students are more galvanized.

For students, the PC model of computing is already outmoded.  PCs remain dependent upon a tremendous amount of bulky, space-consuming, power-hungry storage.  More power consumed by local storage means less power for the local processor.  A student with a laptop is often found recharging, perhaps inside one of those under-utilized computer labs.

Giving students a way to run heavy-duty applications through a remote server by way of a thinner, lighter-weight, more power-conscious device, is a gift nearly as desirable as forgiving their student loans.  It just so happens that consumer devices are more adaptable for students’ emerging needs than bulky, semi-portable PCs.  But it’s not the devices themselves that make this possible, but rather the explosion of wireless bandwidth.  This bandwidth is what’s necessary to connect students’ smaller mobile devices with the wealth of resources they’ll need to work and study.

Specifically, bandwidth enables large tasks to be run on large processors, but monitored and used through small devices remotely.  This is where virtualization first enters the picture, beginning for many institutions around 2008, and eventually reaching its peak in 2011.

The first colleges to adopt virtualization saw it as a panacea for their campus IT problems.  Immediately, they generated “golden masters” of virtual machines with fresh copies of such things as IBM’s SPSS statistical software, or MATLAB, or Mathematica, already freshly installed.  In some cases, any damage done to a VM through the careless downloading of some virus masquerading as a cat picture, could be eradicated by the disposal and replacement of the affected VM with a replicate of the original.  In other cases, security software was installed on the master VMs to disable, through policy, the use of such things as browsers through which such viruses could be acquired.

Very soon, these virtual machines became unmanageable, and it was this state of unmanageability which gave rise to a new breed of campus IT — a class of specialist that was as knowledgeable with XenDesktop, VMware View, and VirtualBox as with iPad, Kindle, and Xbox.  You can spot the colleges where this new class of specialist flourishes by looking for signs such as this, usually written in Sharpie on construction paper, taped to the doors of the dormitory bathrooms where everyone will eventually see them:  “Never, NEVER save anything to your desktop or DIE!”

The proliferation of construction paper-based security policy on college campuses reveals a more alarming, fact of this new era:  No one — students, faculty, or anyone else — is sufficiently skilled in the technologies schools will need to efficiently manage a cloud computing environment.

In a 2012 survey of some 2,000 IT professionals in all fields (including, but not limited to, education) by IBM for its annual Tech Trends report (PDF available here), nearly half of respondents admitted up front they lack the skills necessary to manage a cloud environment.  Some 36 percent said they had “considerable skill gaps,” while another 11 percent reported they have “no skills available at all.”  Again, this was for all industries.  But the reason for this skills vacuum is education, or the lack of it:  Just one respondent in 10 admitted to having a “significant” teaching plan in place for educating themselves and their IT workforce, while the remainder were looking for anyone — consultants, colleges, online videos, anyone — who teaches cloud computing.

IBM’s findings were confirmed a few months later by research firm IDC (PDF available here).  Combining the results of its own IT industry survey with existing employment figures from the U.S. Bureau of Labor Statistics, IDC projected that by 2015, the annual rate of growth for cloud-related IT positions (filled or unfilled) will exceed the growth rate for IT positions in all categories by six to one.  By that time, the firm said, some formal certification process will need to be in place so that employers can verify whether job candidates with the highest computer science degrees were capable of fulfilling even basic cloud-related tasks.  Until that time, IDC reported, companies of all types are relying on help wherever they can find it.

The types of skills that workers will need to contribute to the IT economy for the near-term future, are not being taught.  Someone has to learn them first.

The Campus IT Dilemma

You’ve probably already read, and read again, that students’ rapid adoption of mobile devices is the force driving educational institutions to adopt cloud computing.  The data says otherwise.

Since 1990, a group founded by Kenneth C. Green called The Campus Computing Project has conducted an annual survey of the specific priorities of IT staffers serving educational institutions.  From 2000 to 2003, more survey respondents asked to pick the single most important IT issue for their campuses responded, “Assisting Faculty Integrating IT Into Instruction” than any other option, although the number of such respondents consistently declined.  By 2004 and on through 2008 (coincidentally, believed to have been the period of greatest Windows XP usage on college PCs) the top priority changed to “Network and Data Security,” with about a quarter of respondents each year.  Integrating IT into instruction slipped down to only 12 percent of respondents.

When the survey resumed in 2010, and “Cloud computing” was added as an option, fewer than 7 percent of respondents claimed it as their top priority.  For the fall of 2012, respondents were asked for the first time to rate a complete list of priorities on a scale of 1 to 7 points.  Given this new methodology, some 74 percent of respondents were willing to choose IT integration with faculty as a top priority.  Security was still fairly prevalent with 54 percent rating it a top priority.  But cloud computing was still down there at 33 percent, with the urge to replace existing IT systems at 25 percent.

There is no measurable momentum for cloud computing for college campuses... not really.  But the key benefits that cloud computing should bring — including integration with IT, improvement of campus information security, and the single fastest growing priority on the CCP survey, support for mobile computing — have been high on IT departments’ priorities lists since the beginning.

They want the things cloud computing can provide.  They just don’t know how to find them there.

In light of this, it’s amazing that academia is largely responsible for the Internet itself.  While the U.S. Defense Dept. deserves credit for making it a true American initiative, colleges formed the original backbone of the Internet’s routing system, until the U.S. Government ceded control of ICANN, the Internet’s principal naming authority, in 2009.  The need for colleges and universities to coalesce in order to innovate together, directly led to the adaptive and versatile Internet routing scheme we use today.  Yet amid all this progress, the PCs in use in colleges today remain rooted to Windows XP, and sometimes older, OSes — systems which remain architecturally flawed and technically insecure, but whose solutions would involve a monumental upgrade for which campuses remain unprepared.

At one level, while academia has always been about 20 years ahead in computing infrastructure, in applications it’s about 20 years behind.

The problem of moving information systems forward is more fundamentally unique for academia than for any other segment of the economy, for a number of reasons:

• All private and many public academic institutions do operate as businesses, and thus are just as keen toward business differentiation as any other business.  But the majority of their computing transactions are consumed by research and educational tasks.  This is why faculty and student systems have remained separate, along with their respective IT departments.  One reason for the partition between student and faculty IT systems has been to maintain the integrity of business functions by shielding them from exposure to students.  As long as the partition remains in place, however, schools cannot effectively transition to cloud-based platforms.

• Students expect to access campus resources through whatever device they choose, which more often these days is not a PC.  The need for mobile accessibility has already driven student applications toward Web services models.  While this should be a good thing, security policies that span mobile devices require the type of attention and experience that only certified IT professionals can provide — which is precisely the class of individual that colleges are least likely to employ, given their limited budgets.

• Cloud-based platforms for research applications are so available and adaptive to students’ objectives right this moment that they’re already being put to use, without the blessing or even the knowledge of upper-level faculty.  In many cases, teachers are giving students the directions to bypass campus IT altogether.  As a result, campus research often takes place outside the campus firewall.  This leads to situations where the research products and intellectual property of the corporations with vested interests in the results of that research, end up being propagated not in the cloud but on the Web.  There’s security issues with that, of course, but they’re typically drowned out by the legal headaches.

• Students, being naturally inquisitive in their own right, will be the first to test the integrity of college networks, especially when they’re hosted off-campus.  The extent to which colleges’ policies are ill-defined will inevitably be revealed not by hackers, but by lawyers.  In the meantime, any resistance to students’ efforts — however ill-advised — to expose vulnerabilities in the name of protecting student safety, often leads the students themselves to coalesce, and their efforts to evolve from a project into a mission.

The current state of dysfunction in typical college IT today was illuminated in the winter of 2012.  A student at Dawson College in Montreal was expelled for using commercial vulnerability testing software to reveal how students’ private information was being inadvertently exposed (specifically, how they were embedded in the URLs of Web addresses).

At that time, Dawson was using a commercial brand of Web portal service made for colleges by a hosted service provider named Skytech.  After the student’s initial discovery, Dawson’s IT department supervised him in making unannounced tests on Skytech, effectively leading the student in breaching Skytech policy.  Those tests revealed vulnerabilities which Skytech soon fixed.  But then, the student followed up with his own unsupervised, unannounced re-test of Dawson’s portal.  While the student was basically repeating what campus IT had already shown him how to do, this time the student was expelled.

Yet the story doesn’t end there.  Skytech then made a public statement effectively admonishing the college for its action, and offering the student both help finding a new school and a job once he graduates — thus making an end-around of its customer’s own policies.  The entire incident revealed a lack of consensus between the college and the institution hosting the college’s private data, which could be just as egregious a vulnerability as the original exposure.

Dawson and other schools appear to have built a set of expectations for their off-campus service that have drifted further and further from reality.  It’s not so much that colleges are being intentionally misled.  Rather, they’re being sold partial solutions for campus-wide needs, and it’s what these solutions don’t cover that leaves them vulnerable.

Toward Only One Cloud

Any complete, cloud-based solution for anyone’s information technology requirements, including those of educational institutions, must incorporate the following elements in their entirety:

• They must enable existing on-premise resources, such as storage and compute power, to be pooled together with cloud-based resources.  This way, existing virtual desktops and virtual applications can be run from on-premise or the cloud.  The reason why is not because true cloud installations must be as radical as technically possible.  This is so everything can continue to be managed from one source, no matter how everything is distributed, and whether that single source is on-premise or remote.

• The combination of on-premise (on-campus) and cloud-based resources must be one system.  Any division between the two can be exploited, and will be.

• One firewall must incorporate the entire system.  One security apparatus, one login, one identity, one authentication.  Whenever any network uses two or more apparatuses simultaneously to represent identity, then it becomes technically feasible for any one account (including accounts that do not represent people but system resources) to impersonate another.  Let’s just say the probability of such an event is always above zero.

• Applications, platform, and service providers are responsible only for their respective products.  Yet they are responsible for them wherever they may reside.  Yes, a cloud-based app may reside on-premise, for any number of reasons; but when that app fails to deliver, it’s still the app provider’s affair.

• An educational institution remains responsible for the security of its users, even when that security is breached off-premise.  A cloud service provider should never assume the responsibility for dealing with student activities, even when those activities involve its off-premise resources.  More to the point, a CSP cannot punish a college for its decision to expel a student.

The first warning sign that a cloud-oriented solution may be incomplete comes when a vendor uses creative license when defining the concept for customers.  In an online brochure for higher education customers, one vendor whom I’ll only refer to by its initials (I.B.M.) cited the definition of the U.S. National Institute of Standards and Technology.  But it then appended NIST’s definition with the following:

More simply, a cloud can be considered to be a collection of hardware, software and other resources that can be accessed over the Internet, and used to assemble a solution on demand (that is, at the time of the request) to provide a set of services back to the requester.  For example, a university student taking a college math course could access a cloud from his or her dorm room, to obtain a physical or virtual server (with the necessary storage) and a copy of Maple or MATLAB software running on it to use for homework or a class project.  Likewise, an elementary school teacher could access the same cloud to request one virtual machine for each of his or her students running TinkerPlots software, as part of his or her classroom instructional activities.

It’s not really wrong; it’s just terribly incomplete, like the first draft of a student’s thesis before his professor sees it.  This fuzziness leads to the common belief that “a cloud” is the same as “a Web site” or “a portal” whose purpose is to deliver apps through a Web browser.  “Put simply, the ‘cloud’ refers to the Internet,” states this Indiana University video instructing students as to how to use its IUanyWare service, “so cloud computing means Internet computing — in other words, running and using applications on the Web browser rather than running programs on your personal computer.”

One could argue that a student may not need to know the technical details of cloud computing, to use a service that provides virtual desktops or virtualized applications over a browser.  But in the case of colleges, security is typically a community process, and students are often tasked with their share of responsibility for the integrity of the system.  Take for example this repeated warning that appears throughout IUanyWare’s support pages (and probably appears in some dormitory bathrooms as well):  “Do not store files in IUanyWare; you can instead use the Cloud Storage service.”  It’s an advisory stating that, while virtual apps appear in virtual machines, documents created with those apps should not be stored there.  Instead, IUanyWare leads students through the process of creating their own Dropbox or SkyDrive accounts, and linking them to their VMs.

Already, you may see the technical problem here:  Consumer cloud storage services like Dropbox have their own authentication processes.  While a Dropbox account can be linked to a device, in the case of a virtual desktop or virtual app, that device becomes not really a device.  The security of that storage becomes a variable, and is now only as strong as the mechanism used to secure access to the VDI server.

Suppose a student loses her smartphone.  Someone else picks it up off the ground.  If her password is stored in her phone, the bearer of that phone now has access to that cloud storage.  And even if the phone’s owner has to key in that password manually, typical password authentication systems will gladly e-mail lost passwords to users who supply their usernames and click the link.  Their usernames are probably supplied by the phone, and in the case of Android phones, they’re probably e-mail addresses in the gmail.com domain.  All the fellow has to do now is read the owner’s e-mail, which is often just a click away, unless the phone is secured with a PIN.

It isn’t really “the cloud,” or even “a cloud,” if security can be compromised by breaking the weakest link in the chain.

The Scale of the Roadblocks

One VDI solution designed by IBM for North Carolina State University applies cloud dynamics in a way that addresses what campus IT specialists would perceive as the core problem: the integrity of the virtual machines.  IBM calls NC State’s Virtual Computing Lab (VCL) a “true cloud computing solution,” (PDF available here) describing it as a model for any educational institutions, right down to the kindergarten level.  With the VCL model, a user can provision her own VMs with pre-installed apps from a simple menu, and a teacher can provision any number of such VMs for his students.  The resources available to those VMs are entirely virtual, so cloud dynamics does play more of a role here — in other words, each VM isn’t trying to mimic a specific PC, such as an Intel Core i5-based system with 2 GB of RAM and 640 GB of storage.

But the problem with this architecture peeks out from the corner of this paragraph:  “The VCL managed by NC State today can be accessed by any user with a valid user account and password.”  Shibboleth credentials are supported, which does enable identity federation and single sign-on.  That can conceivably enable an organization to institute policy-based access for both on-premise and cloud-based resources based on users’ credentials.  But if those credentials are, as IBM says, as simple as user account and password, once again, there’s very little to prevent a device thief from impersonating that user and logging on.

Colleges facing this problem have tried to address this.  The first generation of network access control (NAC) software authenticated users with the aid of their devices, letting those devices serve partly as their own credentials.  This is how the BlackBerry authentication model worked as well, and it did indeed work well... in the era when users were expected to retrieve their e-mail through one and only one device.  What’s more, it was up to the user herself to ensure that the person accessing the campus VDI was the same one who logged on the PC, supposedly providing the pairing between the device’s identity and the user’s.

This led to the creation of the “second wave” of NAC software, including VMware’s vShield.  For this to be effective, VMware recommended the subdivision of the campus network scheme into six discrete classes of zone.  Stated VMware, “An effective desktop security architecture must address security vulnerabilities at the user level, the endpoint device level, the application level, data center level, the network level, and the management level.”  Securing all these levels in any major organization requires a corporate-style delegation of roles and responsibilities which, due to the nature and structure of campus IT, is generally impossible.

One other option comes from security provider Enterasys, but for it to be adopted, campus networks would have to adopt Enterasys’ data center switching devices.  It would enable administrators to impose specific access policies upon the use of VMs by given users, through any number of certified devices.  Theoretically, this would sew together all the loose seams of the VDI scheme, enabling the same ID cards that schools are already issuing to students, to serve as their authentication devices for both the VDI front-end console and each VM apportioned to them.  But it requires an overhaul of the school’s entire on-premise switching equipment, which is already unlikely.

A “third wave” of network access control comes from the cloud itself.  The Fashion Institute of Technology in New York is one example of a customer that has adopted Aruba Networks’ ClearPass Access Management System.  Theoretically (this word crops up often enough, doesn’t it?) ClearPass enables a student to access certain cloud-based applications only when her device’s security policies are met, and only when she herself is currently authenticated.  But this requires the school to either be willing to dump its existing investment in VDI and replace it entirely, or have never made a VDI investment to begin with.  And the list of apps supported by ClearPass thus far is mainly consumer-grade — not exactly MATLAB.

There are genuine efforts at holistic solutions to this dilemma, one of which is Cisco’s Cloud for Education initiative (PDF available here).  Essentially it’s a repackaging of Cisco Unified Data Center — a hybrid cloud platform — with provisioning tools for applications that are geared toward teachers in a classroom setting.  One of the ultimate goals is to enable a teacher to instantly provision a few dozen VDIs for each student, and then de-provision all of them at will.  This would address the problem of making resources safely available for students.  But it exposes other problems that have yet to be solve, and that technology vendors simply cannot solve by themselves.

Infrastructure is the first issue.  Many school districts in the U.S. can barely afford the upkeep of their own buildings, and suddenly the issue on the table is supposed to be fiber-optic connection fabric.  Cloud dynamics can simplify the issue of what information resources can be made available to schools and school districts, but it does not yet solve the physical issue of how the connection is made.  For a school district to afford a 21st century digital infrastructure, it must spread the availability of single systems across schools.  But it must then absorb the up-front cost of connectivity, because wireless bandwidth alone cannot sustain a network of hundreds, perhaps thousands, of simultaneous VDI sessions.

But the biggest of these issues facing schools by far is identity.  Attributing a digital identity for each student is a political issue, especially at the grade school level.  From a technical perspective, it makes sense to secure access to resources by giving each user of every class an appropriate single sign-on certificate.  But should a teacher do that for a first grader?  Should a teacher have the authority to do so?  What degree of parent permission should be involved?  And if a parent must “sign” for a student to be authorized, should each parent have a certified identity as well?  Is the scope of each student’s identity limited to the school, the school system, the district, the state, or the nation?  Does it expire at the end of each term?  And to the degree that the application of digital identity for each school user is relaxed, does the entire school or campus network become that much more vulnerable to exploitation?

IBM’s approach to this dilemma has been to propose (PDF available here) what it calls a state education cloud: literally a pooling of an entire state’s educational IT resources across districts, across counties, and across firewalls.  Unlike the Cisco approach, such a state cloud would be assembled through open source platforms, although IBM has a big hand in the production of those platforms.  The idea there is, if state colleges would adopt virtual computing lab models similar enough to NC State’s, the similarity of their interfacing would enable a sufficient degree of resource pooling.  Conceivably, state institutions that pool their computing resources could also effectively unionize (to borrow a phrase from history) their licensing negotiation power, so that vendors would have to deal with states as a whole rather than district-by-district.  Theoretically at least, IBM believes, this pooling of bargaining power could reduce districts’ existing individual IT bills by as much as half.

At a time when students have already begun to perceive both not-for-profit and for-profit education providers as media publishers with business interests, how schools will remake themselves to meet students’ evolving demands is no longer just a question of skills.  It’s one of identity.