All week, I’ve been following a thread on the WWWEDU listserv about the “draconian measures” network administrators use to control network resources and stifle the educational spirit of students and faculty. I paid particular attention to this thread, because I’d planned to write this month’s column about locking down the desktop—and other such “draconian measures”—to prevent student tampering.

After reading some of these messages, however, I realized there’s a fundamental conflict between school IT staff and educators when it comes to security. There are a number of reasons this situation exists, but the root cause seems to be a misalignment of goals between teachers and IT departments in many schools.

I’ve frequently heard the complaints of faculty members who are under tremendous pressure to integrate technology into their curricula. Yet, projects involving technology are often met by resistance from the school’s IT staff, because they conflict with network management and security policies. These projects often require higher levels of security for users or require software configurations to be changed. Because the curriculum moves so quickly, the turnaround time for making these changes is often a matter of days. As a result, network administrators are put in a position of compromising security or denying the request and looking like the bad guy.

Because of the involvement of corporate partners and well-intentioned parents, school IT departments and the networks they maintain often are modeled after corporations. Like most corporations, many schools have adopted policies of security and reliability for their networks at all costs. In some cases, students are forced to change passwords on a regular basis. Faculty members are required to jump through hoops and wait weeks to get new software approved and installed. In other cases, district level approval is required just to set up a shared folder between students in a class.

While security and reliability are important considerations in any network, they need to be weighed against the needs of students, teachers, and the generally more dynamic nature of a school environment.

Technology in a corporation addresses a specific business need. New functions and configurations are added, but only after careful planning and a clear projection of return on investment. Goals of technical projects in academia, however, tend to be more abstract and difficult to measure. Experimentation and innovation are critical parts of the learning process, as well as a crucial step in a teacher’s adoption of technology into his or her curriculum.

School IT departments should align themselves more effectively with the educational goals of their institutions. They can do this by addressing three key issues: technical design, policy creation, and personnel.

Technical design

The issue of technical design is perhaps the easiest to address. We must design our network infrastructures to the needs of our institutions. When planning a school network, those who develop curricula should be primary contributors to the design, and various questions related to the purpose of the network in the school must be answered.

Will the students need to create web pages? Will students and faculty need eMail? Will distance learning be a part of the curriculum? How will access levels differ among grade levels and how will these be updated at the end of each year? These are examples of questions related to school operations that have a dramatic impact on how a network is designed. Granted, during planning, these questions might not have answers; but if that’s the case, the network should be designed to accommodate them in the future, while addressing concerns of security and management.

Technical design should also take into consideration the unique and dynamic nature of educational technology. Corporate desktop machines are usually “owned” by a single user, and desktop tampering, therefore, is minimized. Public-access machines in school computer labs, on the other hand, are inviting targets to many curious or malicious students.

It is critical for school networks to prevent students from tampering with the configuration of desktop machines, but faculty often need to configure software in their classrooms or modify the look and organization of their machines. A well-designed network should accommodate both needs based on the user’s login name.

Administrators also need to be able to respond quickly to the needs of large numbers of users. Faculty who teach 125 students aren’t always capable of anticipating the technical requirements of projects weeks in advance. On several occasions, teachers have asked me to enable web publishing for their classes two or three days before the project starts. I have also had to provide student access to an application for a lesson later that same day.

These are requests that would never be dealt with by most corporate IT departments—but the worth of a corporate IT department is defined by its ability to address the goals of the business. The ability to respond successfully to dynamic situations like these is what defines a school IT department’s worth.

Policy creation

Well-designed infrastructure is important, but policy issues must also be addressed if IT is to effectively meet the needs of educational institutions. We must design policies that respect our institutions’ unique goals.

The recent security breaches on government web sites demonstrate that no system is 100-percent secure, regardless of its security policy. What it boils down to is what users must give up, both in dollars and in features, to increase security. This can be addressed by answering two questions. How valuable is your information to you, and how valuable is it to a potential intruder? Most schools will find they answer these questions differently, depending on what information they’re talking about.

At my school, we have very different security policies for administrative accounts and servers than we have for students and faculty. For the latter, we have been willing to loosen the reins a little in order to increase functionality by offering things like FTP access and web publishing.

Personnel

Once the right policies are in place, it is essential for users to understand and respect them. We need to educate our users, through workshops, about why such policies exist. For example, teachers might be told that their passwords must be at least six characters long and made up of letters and numbers, but they have no idea why. They don’t understand the susceptibility of short passwords made up of numbers or letters only to brute force attacks. These issues should be explained, and if possible, demonstrated at security workshops. Our teachers deserve better than the “because I said so” answer to their questions about network policy.

Finally, schools must carefully consider job descriptions and hiring for their technology departments. While not all technical staff will have an educational background, they should be reporting to someone who does. The head of any school IT department needs to have a strong background in education and technology. This person must be able to keenly understand the institution’s mission and help frame policies that respect this mission when addressing concerns of network security and management.

What network security policies do your schools use to accommodate their missions? What policies do you find too cumbersome? Let me know by sending an eMail message to tshaw@sbp.org. You can read a discussion thread on this topic in the WWWEDU archives at http://www.wested.org/hyper- discussions/wwwedu/1999. Browse for the subject line “new thread—controlling Tech. Support.”