Securing Virtual Learning at Tulsa Tech

Introducing virtual learning at Tulsa Tech requires making sure instruction is delivered in whatever form the student is most comfortable with. And that, in turn, means the IT organization needs to have a firm grip on who's accessing the network, where they're connecting from, and what they're using to make that connection.

This year about 72,800 people will go through classes at Tulsa Technology Center, a career and technology center school district based in Tulsa, OK. But unlike most other districts that cater primarily to a K-12 crowd, this one reaches three different sets of students, some secondary, some going after college credits, some who fit neither category. First are the high schoolers, 2,600 on any given day. Next are the 1,200 adult learners enrolled in full-time programs, taking courses in nursing, aviation maintenance and other fields of training that aren't open to anybody under 18. Then an additional 69,000 adults receive business and industry-customized training.

"Our market is huge," CIO Jerry Moore jokes. "From age 15 to death--lifelong learners."

Moore has a vision to help students spend less of their time on any one of the five Tulsa Tech physical campuses and more time accessing classes from their computers, wherever that might be. "The Web platform is the key delivery mechanism for the future," he said. "We've pushed everything through it."

Going Virtual with Instruction
The epiphany for the virtual campus came in a planning session of campus executives that took place in April 2007, about eight years after Moore had joined the institution. As he recalled, the IT organization had spent the previous eight years with its head down building and fixing broken IT systems. "We were coming out of that. This was the first time I could sit in on a planning session without IT goggles on." And what he heard other participants saying was that "one of the biggest risks we faced was the students' ability to receive our product."

The challenge was that students have busy lives "that were making it increasingly difficult [for them] to come sit in a classroom," Moore said. What the school needed, he knew, was the ability for a student to "time-shift--only come to the lab when they absolutely have to." That would be accomplished by converting as much of their course content as possible to a digital form that could be made available online.

"We can create any instructional environment and deploy it to any computer in the world," Moore said. As an example, he said, "We have a car on a node in a network. The [automotive] instructor can sit in an office and send trouble codes: Make it start; make it stop. You may not be able to drive that car on a highway, but it's still a car. It just has a blue cable plugged into it." The same applies to the health classes. "So much of that [course material] is anatomy and physiology. Then when it gets to the phlebotomy exam, the state board requires that a licensed phlebotomist observe you taking blood. That's one of the few times you have to be in the same time and place with that person."

So Moore and his IT team started on an ambitious overhaul of the IT systems used by the institution, which included Blackboard for course management and Colleague from Datatel for student management. A few months after that initial April meeting in which Moore began to formulate future plans for technology use, Microsoft launched Office Communications Server (OCS) 2007 with Nortel riding alongside the launch, offering native OCS integration in several of its IP-based PBX systems. The school adopted both. Plus, SharePoint was finally in a state, according to Moore, where it could be taken seriously as a Web platform, which is exactly what he had in mind for providing this virtual form of Tulsa Tech. That required a two-year revamp of the institute's Web site, which has recently been relaunched with its new structure and design.

Now every student receives a SharePoint-based MySite, a Web presence for that individual with social networking capabilities. That MySite provides outer-facing aspects--anything that person wants to make publicly available. That might include contact information as well as resumes and samples developed in their course of study. Then MySite also offers an inner-facing area, where the student can access e-mail and calendaring and can use OCS for instant messaging and presence awareness, as well as phone service. A user can access his or her office phone through the computer no matter where it's located.

Tulsa Tech students can "tag" a professor via their MySite to request assistance the next time the professor logs on and vice versa. Students and professors can also engage in real-time remote discussions via the network, making Q&A and remediation timelier. Students can also submit assignments via their "home drives" on the network, to which professors have access. Moore said he believes this increasingly interactive environment can create a stronger sense of community among students, teachers, and faculty.

Those MySite resources remain with that student for the rest of his or her life. "Our hope is that as people go out and leave our system and get jobs, they use this as a portal to come back. That's a tremendous value to us. We can stay engaged with that person."

Keeping the Infrastructure Secure
Moore and the IT organization knew that supporting students whenever and wherever they chose to attend class would require sturdy security measures. For example, Tulsa Tech offers a highly respected cyber-security training program. About once a year, Moore estimated, a student of that program will decide to break into the network. They'll end up in Tulsa Tech's honeypot, he said, "and think they've done something. They'll be bragging."

But even with an estimated 1,100 attacks an hour on its network from multiple sources, Moore said he believes Tulsa Tech has solid security policies in place. Here's another way the hybrid nature of the institution reveals itself. Unlike the typical IT environment in a high school, where the primary concern may be keeping students off social networking sites, Moore said he encourages participation. "We have a Facebook profile. We want you to friend us--engage in our conversations." On the other hand, because the school does have a population of minors, it adheres to the Children's Internet Protection Act (CIPA) and imposes Web content filtering.

Unlike a lot of higher ed institutions, Tulsa Tech grants administrator rights on its network only to people in IT. "You can't get by with that in a [typical] college," said Moore. "Every dean and department head thinks their entire staff needs admin rights, and then they think support stinks because their employees keep destroying their computers. We've got that control. The IT department probably has more ownership here than you see normally."

Likewise, Moore's staff doesn't have the challenge of managing residence halls with their unique Web access needs. "Hopefully, we'll never have dorms," he said. "As soon as a higher ed institution adds dorms, the port count goes up, and control goes out the window."

One measure of network security is provided by a secure socket layer (SSL) virtual private network (VPN) appliance from Juniper Networks, the SA4000. This network device enables the IT organization to provide remote and extranet access from a Web browser. An SSL session enables a user with a Web-enabled device to access Tulsa Tech's network resources without having to install and maintain client software. The appliance is set with a number of preconditions that must be met before that network access is granted.

As Moore describes it, when a user logs into MyTulsaTech, the appliance will establish who the user is, where the user is, and what kind of device the user is working on. The "who" is based on the user name. That user name will define what rights the user has on the network. The "where" and "what" establish where the user is connecting from and what kind of device is being used to access the network.

If the user is working from a laptop that's district-owned (or one of the other 3,000 computers available at Tulsa Tech), which gets virus and other updates regularly, that device can connect through the network directly. No SSL VPN necessary. If, on the other hand, the user is at an unsecured kiosk off campus, he or she will receive a set of security parameters preventing access to specific systems on the network. Or, if the user is on campus with a computer that lacks virus protection, the appliance will throw the user into a remediation path: "To access these systems, you need to have virus protection no more than two weeks old," quoted Moore. "And by the way, here's where you can get a virus definition for your system."

The determination is done in a millisecond, said Moore.

"If a user is in the process of connecting through a secure wireless connection and somebody hacks into their computer, the VPN will cut them off from the network instantly." Likewise, once that determination of who, what, and where is done, if the user attempts to change some condition--such as accessing the network via wireless then plugging in a LAN cable--the appliance will kill the access. Also, if there's no activity for eight minutes, the VPN will drop the connection to the user machine.
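The decision flow Moore describes can be modeled in a few lines of Python. This is an added illustration, not part of the original article and not the Juniper appliance's configuration; the `Posture` and `Session` names, the field layout, and the "vpn" outcome for a compliant personal device are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_AV_AGE = timedelta(days=14)   # "virus protection no more than two weeks old"
IDLE_LIMIT_S = 8 * 60             # connection dropped after eight idle minutes

@dataclass(frozen=True)
class Posture:                    # hypothetical model of the who / where / what checks
    user: str                     # who: the user name selects the rights
    on_campus: bool               # where
    district_owned: bool          # what: managed device, updated regularly
    kiosk: bool                   # what: unsecured public machine
    link: str                     # "wireless" or "lan"
    av_defs: Optional[date]       # date of virus definitions, None if no AV

def decide(p: Posture, today: date) -> str:
    if p.district_owned:
        return "direct"           # no SSL VPN necessary
    if p.kiosk and not p.on_campus:
        return "restricted"       # specific systems are blocked
    if p.av_defs is None or today - p.av_defs > MAX_AV_AGE:
        return "remediate"        # point the user at current definitions
    return "vpn"                  # assumption: compliant personal device gets VPN access

class Session:
    def __init__(self, p: Posture, today: date, now_s: int):
        self.baseline, self.last_seen = p, now_s
        self.state, self.reason = decide(p, today), None

    def observe(self, p: Posture, now_s: int) -> str:
        """Re-check on each request; any drift from the baseline ends the session."""
        if self.state != "terminated":
            if now_s - self.last_seen > IDLE_LIMIT_S:
                self.state, self.reason = "terminated", "idle"
            elif p != self.baseline:
                self.state, self.reason = "terminated", "posture-changed"
            else:
                self.last_seen = now_s
        return self.state

# Constructed sample: a student's own laptop on campus wireless, definitions 3 days old.
TODAY = date(2009, 3, 2)
byod = Posture("student1", True, False, False, "wireless", TODAY - timedelta(days=3))
```

Comparing each request against the posture captured at login is what makes a mid-session switch from wireless to a LAN cable end the session, rather than only checking the device once at sign-on.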

Tulsa Tech maintains a license for 100 concurrent users, "which is serving us pretty well," said Moore. So does that mean only a hundred users at a time are accessing resources on the network from off campus? Not at all. "You can get to your MySite and chat and e-mail without having to connect through the VPN," he explained. If a student or faculty member is accessing the network off-campus, he or she won't be able to access the home drive or a shared drive without connecting through the Juniper SSL VPN appliance. "We don't want you using a home computer to touch our file structure without going through the security layer," he said.

The presence of the VPN enables users to get to the resources they need while still protecting the campus network from unwitting or intentional malfeasance.

"We call it personal and intuitive," Moore said. "When you're dealing with a population with 15-year-olds and 80-year-olds sitting side by side in the same class, you've got to be able to allow them to choose what they want."

That means providing different modes of technology for each subsequent generation of students. "If you have two Web 2.0 students on a team and they're working on a project--you'll find them [instant messaging] each other, back and forth, even though they're in high school at two different high schools," said Moore. "If they're working on a PowerPoint for a robotics contest, they may go open a LiveMeeting session. They'll be comfortable in that collaborative space. That's not going to require the use of the SSL VPN."

If the student is a 30- to 40-year-old, said Moore, "they're going to be more comfortable with the Windows 3.1/Windows 95 file structure. For a team project, files will be saved to and accessed on a shared drive," the scenario where that SSL VPN will be useful.

Also, he pointed out, more people are arriving on campus with their own computing assets, which they're going to prefer to use in the classroom--a movement he whole-heartedly supports. "We've got 20 computers in that classroom, but that kid would rather use this laptop," he said. "The SSL VPN appliance allows them to bring something like that in, to gain the full benefit of your technology system while still protecting you."

Plus, Moore added, "I honestly believe if somebody walks in the door with their own laptop, that's just one less computer I have to support."

Bringing Faculty and Staff Along
The next step in the transformation of educational content at Tulsa Tech involves getting faculty engaged. This early stage has been devoted to letting students "start to create value," said Moore. "They've done that. We had 1,200 MySites created the first day. Adoption was so fast--everybody was IMing each other. As soon as they did that, teachers went, 'Whoa. I need to learn what IM is. What's Facebook again?'"

Although a few members of the faculty have fully adopted it, according to Moore, the big push to start teaching with the new system won't really kick into gear broadly until the 2009-2010 school year.

But that isn't keeping Moore and his team from doing what they can to expose the faculty and staff to the concepts of Web 2.0 through initiatives such as a recent one he calls the "box campaign." They sent plain white boxes labeled "1.0: Open Me First" to 30 faculty members. Inside was a Creative Zen video player with a two-inch screen and a note that said, "Put headphones on and hit play." A video of "Jacob," a student of the future, played, explaining what he likes to do, how he communicates with his friends, and how he likes to get his school work done.

At the end, the box recipient was told to open Box 2. That included a sheet with statistics and information about Facebook and LinkedIn, which they were invited to join.

After faculty members entered their names and e-mail addresses, they were told to open Box 3. That included instructions for entering a contest to win one of the Zen players and a list of names of other faculty members and more information about Jacob, including the fact that they'd be hearing more about Jacob in the future. They were instructed to deliver the boxes to one of the names on the list.

The box campaign was a huge success. "It went like wildfire through this place," said Moore. In about two weeks, all but one of the 700 people on the lists had received the box and passed it along again. (The lone holdout had been on vacation.)

That, they were informed by IT people after the campaign had ended, was social networking. "They took information and passed it along to a group of people," Moore pointed out. "The fact that they didn't get on Facebook had nothing to do with it."

As he started to do pitches about the new Web site, everybody "had a paradigm that they could correlate it to. Now they get it."
