Implementation Insights: What We Learned From Keeping French Students Secure

Sometimes in the comms team here at Netskope I hear fantastic tales that are not yet approved for public consumption. The frustration is very real when I hear of a creative customer implementation that cannot yet be told to the wider world. But today I have contrived a clever way to be able to share one of these stories with a veil of anonymity, ahead of a bigger effort to craft a case study for full public consumption. OK, “clever” may be over-egging it somewhat—I have pinned down a couple of the Systems Engineers involved in this implementation and interviewed them. I have then redacted, with all the flourish of a spy agency, to protect the customer’s name until we are all ready to talk about it properly. So here goes, my interview with “Dia” and “Yuri”*.

(*Names not actually changed, but it makes it sound exciting)

Emily:  Can you start by telling me something about the customer, so we can understand their organisation—without naming names?

Dia: Sure. This customer is a French public sector organisation. Among other things, they are responsible for the Department’s education facilities. A Department is the French equivalent of a county in the UK or US. This particular Department is responsible for about 60,000 “college” students, which means children aged between 11 and 15.

Emily: I’m already interested! Can you explain a little bit about the challenge they were grappling with? The one that ultimately led them to Netskope?

Dia:  Like many education authorities around the world, this Department made the decision to equip all college students with iPads. The motivation was admirable—they knew that digital technologies held huge potential for facilitating learning and connecting to digital education tools—but such a move brought with it a number of complications. In France, minors are protected by some very stringent laws that require schools and education authorities to block access to violent, racist, or adult content. The law is not frivolous, every college director and their education authority is liable and failure to protect students properly can result in fines as well as jail time.

Emily: That sounds serious. Wouldn’t it be easier to scrap the plan with the iPads?

Dia: And walk away from the benefits? This was a big initiative, driven by senior politicians and commanding a huge investment. For the IT team to say no wasn’t really an option. They had to find a way to make it work.

Emily: OK, so what exactly needed doing?

Dia: Well the first thing was to enable compliance with the requirement to block a very long list of websites. This list is central to the law, and is maintained by the University of Toulouse. For Netskope this meant being able to ingest this list. And it’s important to note that this list isn’t short and it isn’t static. It contains about four million sites and is updated daily. We needed to find an automated way to do this that didn’t require any human interaction and would enable daily ingestion to ensure we kept the Department compliant at all times. 

Emily: Well I am impressed already. And we built that for them?

Yuri: We did indeed. We also needed to demonstrate that we could be compatible with JAMF For Schools, the mobile device management system from Apple. And we could demonstrate it, so got an easy tick for that.  

Emily: Brilliant.  Great to speak with you both…

Yuri: That’s not the end of the story Emily… we needed to demonstrate some incredibly competitive SLAs around downtime as well as decryption. Which we did. And we also went through a number of tests and demonstrations to prove that students would not be able to tamper with the protection we put in place. They mustn’t be able to disable it themselves because “we put it in there, but the kids turned it off” is no excuse for non compliance. 

Emily: Oh that’s a really good point. Now this doesn’t sound simple, but it does sound like a straightforward “allow or block” type policy. What about all our cool capabilities which are context-aware?  Does any of that come into play here?

Yuri: Well there’s a complexity because some websites that are not on the University of Toulouse’s firm “block” list can also be undesirable in many ways. Take YouTube as an example… it’s used by teaching professionals around the world to help supplement and support the education environment—but the content isn’t all good. YouTube (and Google too) recognise that they provide a platform which gives access to a range of content, and they have both developed “Safe Search” options. We can enforce the use of these Safe Search functions to integrate existing protections into the Department’s content moderation posture. But even more than that, we can get into granular usage controls, allowing or blocking content based on categories (such as science or education), as well as supporting or disallowing particular activity (for example viewing, liking, subscribing might be allowed, while posting, sharing and deleting are disallowed). 

Emily: That’s cool

Yuri: Very. But our future plans are even cooler because we hope to bring some of our Data Protection capabilities into play to support some carefully designed policies for social media.  Imagine you are teaching 15-year-olds about ethics, or politics, or sociology… in the modern classroom this will involve reference to content on Twitter, Facebook, Snapchat… but each of these is a minefield of its own. The Department wants to enable the students who are old enough to officially be allowed accounts to access these platforms if they wish, but it doesn’t want them participating in inappropriate content creation of their own from a government funded device. This is all part of wider efforts to reduce opportunities for cyber bullying among the student body. So we are looking to allow access to these apps and sites, but block content creation and uploads, or perhaps just certain words (which means designing a list of trigger terms that encompass not just the obvious, swear words, but also keeps up with the evolution of playground language, because kids don’t use the same words we do). 

Emily: This sounds cool, but complex.

Dia: And we have had to be fast. It was important that, given the iPads had been promised and were soon to arrive in the hands of the students, none of this took long to set up. There is a huge buzz about the iPad initiative and it wasn’t acceptable for us to design a solution that would need a six month implementation—we needed to work fast to support the device roll out. Which is exactly what we are doing. Implementation is live right now. 

***

See why I wanted to share this? This is just one example of the sorts of stories I hear from our field teams. Our customers are using our technology to handle some pretty unique use cases, which vary widely between industry sector, region, and individual organisation. I am working hard to share more of these stories with you, but hopefully this sneak preview has given you a good idea of just how broad or tailored things can get around here. 

You can always check out our properly published, unredacted, stories here on our customer stories page too.