Should I Trust The Cloud?

https://www.flickr.com/photos/dherholz/450303689/

I received an email recently from a colleague asking about data sovereignty, and in particular asking about how schools deal with the  need to store all personal data on Australian servers to be compliant with the law. This was my reply…

When deciding whether to do a thing – any thing – you need to assess the relative risk. There is NOTHING that can have its risk mitigated to zero. So while we can have debates about the security of the cloud, the fact is that ANY service is generally only as safe as the password that protects it. It’s far simpler to socially engineer your way into a system than to hack it, and it’s easier to follow someone through an open doorway before the door shuts than to crack the lock. There are security risks involved with every system.

What makes you think that data saved on a server that happens to be geographically located on Australian soil is any safer than data on a server located on the other side of some imaginary geographical dividing line? What policies make Australian servers impervious to security issues? What is it about Australian passwords that makes them safer than non-Australian passwords?

It’s interesting that whenever I hear the security argument from someone, I ask them whether they use 2-factor authentication on their online accounts. The answer is almost invariably never. I find it hard to take someone seriously when they bleat about security and yet do nothing to secure their own stuff using the safest and simplest technology we have available: 2-factor authentication.

I also find it amusing that these same people who bang on about not trusting the cloud also almost always have a bank account. When I ask them where their money is stored, they say “in the bank”. When I ask where it is actually stored, they have no idea. They don’t know where their money – or the digital records that define the concept of money – is actually stored. They never stop to consider that when they go to an ATM and withdraw $50, it’s not the same $50 note that they actually put into the bank. There is no magical shoebox under the bank’s bed that stores their actual money… it’s all just computer records, kept on a server, somewhere, and I guarantee that they have no idea where that somewhere is.

That’s why the debate about whether we should be allowing our data to be stored offshore is such a laughable concept. It shows a real lack of understanding about the way the Internet actually works.

The truth is, it doesn’t matter WHERE your data is stored. What matters is WHO is storing it, and whether you trust them with it. I’d rather trust my data to a major cloud provider offshore who offers privacy policies that I trust, along with strongly encrypted and sharded data storage techniques, virtual and physical security over their datacentres, and a proven track record of doing the cloud right, than to some minor player in the cloud storage space just because they happen to have servers in Australia.

I’m also not a lawyer. However, I’ve done enough research into the Australian data sovereignty laws to feel satisfied that I’m interpreting them the right way. And contrary to all the Fear, Uncertainty and Doubt being spread around regarding these laws, they do NOT say that cloud services cannot be used unless the servers are in Australia. What they say is that the cloud service USER – that’s you – needs to feel satisfied that the cloud service PROVIDER is offering a service that meets your expectations of safety, security, privacy and redundancy. If you do your due diligence, and come to the conclusion that you’re satisfied that your cloud service provider is giving you a level of service you can trust, then you are free to use it and in turn offer it to your users. If you don’t believe they are offering this level of service, then don’t use them. It’s as simple as that.

Your choice will never be able to come with a 100% guarantee. Nothing does. But if you do your research carefully and make your choices well, the chances are as good as they will ever be that you have made the right decision. The cloud offers amazing possibilities, and I’m completely convinced it IS the future of computing. I’m all in on the cloud as the platform.

To me, there is really only one obvious choice in picking a cloud provider. You want someone whose entire infrastructure is built for the cloud, whose entire business model is built on doing it right, managing data with security and integrity and maintaining the trust of their users. I’m not mentioning names because I’m sure you can make your own decisions about who you trust and how well they do this cloud thing.

What I don’t want to do is to place my data with a cloud provider who is still playing catchup, whose cloud infrastructure runs on legacy platforms that were never built for the cloud, and whose business practices in slagging their competition I find completely distasteful.

I don’t care where their servers are located.

Header image by Dave Herholz – CC BY-SA

Not Opinions. Facts.

We all see the world through our own personal lens. Consequently, we all form our own opinions about the world and depending on the sorts of experiences you’ve had in the past, your view of the world and how it works can easily be coloured by those experiences.  Sometimes, we form opinions about things based on experiences that are limited or incomplete or biased one way or the other, and the interesting thing is that we still believe those opinions are correct, even when they can be completely wrong.

There’s a lot to be said for real expertise. One of my favourite examples of pitting a narrow opinion against broad expertise is from the movie Cool Runnings.  In one scene, the team coach Irving Blitzer (played by John Candy) is having an exchange with Sanka Coffie (played by Doug E Doug), where they are arguing about who should be the driver of the bobsled. Sanka is a Jamaican pushcart champion and sees himself as the obvious choice. But Jamaica is a small island and Irv has a slightly bigger perspective about it…

Sanka: I’m the driver.

Irv: You’re not. You’re the brakeman.

Sanka: You don’t understand, I am Sanka Coffie, I am the best pushcart driver in all of Jamaica! I must drive! Do you dig where I’m coming from?

Irv: Yeah, I dig where you’re coming from.

Sanka: Good.

Irv: Now dig where I’m coming from. I’m coming from two gold medals. I’m coming from nine world records in both the two- and four-man events. I’m coming from ten years of intense competition with the best athletes in the world.

Sanka: That’s a hell of a place to be coming from!

It happens in education too. There are a lot of people who have all sorts of opinions about what it takes to keep kids safe online. There are still many schools around the world who block, filter and prohibit access to parts of the web on the basis that it’s not safe for children to have access. Other schools take a very liberal approach to the web. Both these viewpoints are based on their own unique understandings and perceptions. If we could just step back a bit, and be a bit more objective, we’d realise that many of our beliefs about the world are rooted in fairly limited experiences, and yet we allow those beliefs to dictate many of the things we do. We think we are the best pushcart driver in all of Jamaica.

When I was in New Zealand last year for ULearn, I was seated at dinner next to a guy called Brett Lee. Brett had given a spotlight talk at the conference about cybersafety and online bullying. While I’ve heard many people talk about this topic in the past (and have even talked to students myself about it), what made Brett’s viewpoint different was the place he was coming from. Unlike most of the “experts” I’d heard talk about this topic, Brett had been a police officer in the Queensland Police Force for 22 years, 16 of those as a Detective predominantly in the field of Child Exploitation. In his last five years of service, he was a specialist in the field of undercover internet child exploitation investigations, and spent his days masquerading as underage children online. One day he’d play the part of a 12 year old girl, the next a 15 year old boy, the next a 10 year old girl, and so on. For five years he’d go into chatrooms and hang out in all the places that young kids go online, and some of the stories he was telling were pretty chilling. Over the course of those five years, he was personally involved in the arrest of numerous child abusers and pedophiles.

To quote Sanka Coffie, “that’s a hell of a place to be coming from!”

Since leaving the Police Force, Brett started his own company called INESS and goes around to schools all over Australia sharing his perspective with students.  He recently presented to our Year 9 and 10 students at PLC Sydney and the feedback from both students and staff was incredibly positive.

Now I think I know a fair bit about the Internet, and I have my own opinions on many aspects of it, but when it comes to this side of the Net there is nothing in my own personal experience that comes even remotely close to this sort of expertise. I daresay there’s not much in your personal experience that does either. While there are many Internet safety “experts” out there, few have this unique perspective that Brett is able to bring to the conversation.

What I like about his message is that it’s not about scare tactics and prohibition. Sure, there are some pretty chilling stories, but the underlying message is that the Internet is a wonderful place, with lots of incredible opportunities, but there are risks that can be managed with a bit of common sense and a few simple steps. It’s not a message of fear and scaremongering, but about understanding the risks and assuming some responsibility for your own online safety. When he spoke to our kids he used a number of examples that related directly to our students (it’s amazing just what you can find on Facebook when you look), which made it all the more powerful.

I hear people ask all the time for recommendations on someone to talk to their students about cybersafety and cyberbullying (both terms I don’t much like, by the way). I’d suggest you take a look at Brett’s website and see if maybe his message is what your kids need to hear.  I suspect that most students would get a great deal out of what he has to say.

Here’s a video clip of Brett from the Edtalks series that gets recorded each year at ULearn.

Public Visibility

I have an RSS feed set up that automatically scans the Google news feeds for the phrase “PLC Sydney” or “Presbyterian Ladies College”, so anytime either of those phrases appears in a news publication worldwide I get notified of it. (Which, if you want to monitor your school’s online public image, is a useful thing to set up by the way!) While I do get the occasional mention of other Presbyterian Ladies Colleges such as the ones in Melbourne or Perth, and occasionally the abbreviation PLC Sydney turns up some non-related stuff, having the RSS feeds scanning the news for mentions of your school is handy.

Recently, I spotted this article in one of the local papers. It was a project that I didn’t even realise was taking place in the school so I was surprised when I spotted it. (I also like the idea that some of our teachers are now doing interesting projects that use ICT and they don’t need me to make it happen! Yay! The good kind of redundant!)

What I find amusing is that the newspaper has published the name of the school and the full names of the students, along with a photo… three pieces of information that the cybersafety experts will all tell you should not be made available online.  I suspect that if one of our teachers got their students to do an in-class online project that published their full name, school and photo, they would get a stern talking to.  However, there is still a belief that, because it was published “in the paper” (which also happens to be online) then it’s ok.

We do, in fact, have a “Do Not Publish” list of students, which is derived from a form that all parents fill out at the start of their enrolment at school.  On this form they give advance permission – or not – for their child’s photo and name to be used in school publications.  We keep a record that covers both print and online separately, and before any child’s details can be published we check the Do Not Publish list.  In reality, out of a school of 1300 kids K-12, we have maybe less than 10 whose parents have elected for them to remain unpublishable.

Personally, I think that the benefits of getting some press for the students, either online or in a more traditional format, are enormous. Sporting achievements, success in interschool competitions, musical events, academic successes, etc… these things are all worthy of celebrating and telling the world about. The boost that these kids get to their self esteem, their reputation and their public visibility is a positive thing and these sorts of publications can start to form the basis of their longer term footprint, digital or otherwise. While we have to respect the wishes of parents who choose not to allow their children to be published (and sometimes those wishes are based on valid reasons and sometimes it’s just paranoia and fear) the kids who do get published “in the paper” really love seeing themselves there.

In a world where being “in the paper” also means being online, this opens a real can of worms. We tell the kids one thing as we drill cybersafety into them – don’t give away details like your name or school – yet we gladly celebrate them being published online in other more traditional forums using all of these very same details.  It’s an interesting double standard.  The local paper is published to the open web with no passwords, no restrictions, yet we baulk at getting kids to publish the same information about themselves to other formats that are equally as open and public.

Thank goodness that all those fears about online safety are so blown out of proportion or this might actually be a real problem.

PS: By the way, if you haven’t seen it, the students’ final work is online at http://plcvasproject.blogspot.com and is worth seeing.  I’m sure they’d love a comment or two if you get a chance.

Photo embedded from the Inner West Courier