- General Best Practices
Tech Tuesday is a vlog series for directors of technology at schools and districts. Finalsite's sales engineer Rob Rawcliffe and our recent cybersecurity grad Cristina Pawlica will discuss a variety of topics in education technology every other week. In this episode of Tech Tuesday, Cristina and Rob discuss an important question: Is data on open source websites safe? Listen in for everything you need to know about your school's data protection on open source platforms!
Cristina Pawlica: Hi, and welcome to Tech Tuesday, a video series for directors of technology working in education. My name is Cristina. I've been with Finalsite for two years now, and I'm currently finishing up my Cybersecurity master's at Denver University. I'm here with Rob Rawcliffe, our resident expert in all things tech.
Rob Rawcliffe: Hey, Cristina/ how's it going? My name's Rob Rawcliffe. I've been with Finalsite for eight years and... Yeah, I completely forgot what I usually say. Finalsite for eight years, and I used to work in the school environment as a tech director, so I'm able to bring some of my knowledge to these forums, which is great. And you'll notice I'm sporting a new haircut this week.
Cristina Pawlica: As you know, Finalsite is all things websites for schools today. We're going to be discussing, why does data security on open source appear so often in the news? So let's start with, what is open source?
Rob Rawcliffe: So open source is really almost a counter to the original idea of software. Obviously when Microsoft and Apple came out with their programs, they were charging for a lot of it. And a idea out there was, "You know what? Why don't we have kind of like a crowdsourcing approach to software." And so this open source was really born. And so it is a collaboration of a group of people. And sometimes it starts off at a university level. Sometimes it just starts off generically. Some of them have different origins.
But essentially open source is, the code is open, anybody can write it, anybody can point out bugs, and then somebody has the ability to go in there and fix it. And usually people are not paid. It's usually like a voluntary thing that they do, although there are some cases where there is a company behind it nowadays, and they do actually own it and they develop it. So there's different levels of open source, basically.
Cristina Pawlica: So that sounds like a great concept. Why is it in the news so often concerning security?
Rob Rawcliffe: Well, the thing with open source is, its strength is also its greatest weakness. So you have this open source platform. It's free, so you get a lot of people using it. You get a lot of feedback. Sometimes that can encourage people to find bugs, and you have people that will exploit those. You'll also get people that find them and close them, which is great.
Rob Rawcliffe: On top of that, you also get a lot of people saying, "You know what? This software is great, but I really want it to do this particular thing." And so you'll get people writing code towards it that... Maybe it's a thesis that they're doing for college, or maybe it's for their individual work that they want a specific widget or a tool to do. And so they'll write that in kind of their spare time, and then it becomes popular, and people pick it up and they start using it, and then certain companies will change their code, and they'll update their code. And the most recent one was, a library was updated... or it wasn't updated and included in the code, so all the people that were using that library were not actually able to get the content they were originally using in the previous versions of the code.
Rob Rawcliffe: So the biggest problem with open source is that when you're developing it, it really becomes a full-time job to keep that code up to date. And so as things move forward, things get patched, if you've got a widget or if you're using somebody else's widget and it's free, do you know that you're paying for it, and do you know that it's getting developed? And if you're not paying for it, chances are that person is not getting paid, and they're probably not going to be developing it for the next 20, 30 years or however long you want to use it.
So it becomes a bit of a liability if you're not paying for something. Again, if you are paying for something, that's great, because chances are it is getting developed and it is getting worked on. So you're getting this free content, but then to actually create more content and functionality, you do have to start paying for it in the end. So there's benefits and there's also drawbacks to that.
Cristina Pawlica: Just like mainstream, there's going to be a lot of benefits, low cost, the flexibility, to schools. How does it benefit them, and how has it hurt them in recent news?
Rob Rawcliffe: So some of the most popular widgets and extensions that have come out... Like I said, if you're not paying for it, then chances are that they're not getting developed. So if there is a hack out there or somebody finds a vulnerability, then all of a sudden your website is exposed, and you've got to go in there and you've got to update that as soon as you can. And with... Has my video just gone funny?
Cristina Pawlica: I don't know what it is.
Rob Rawcliffe: That's bizarre. Hold on. Play with that. Huh, wonder why that just changed?
Cristina Pawlica: Turning into Iron Man.
Rob Rawcliffe: There we go. Okay, that should be better. Bizarre. Okay, so the question was vulnerabilities. Go on, say that back to me again.
Cristina Pawlica: So open source sounds like it can offer a lot of benefits to schools, especially with limited budgets. How does it... Or maybe I should say, what are the risks? That was essentially the question.
Rob Rawcliffe: Okay. Okay, so the risks of having open source-
Cristina Pawlica: I'll probably say, what are the costs?
Rob Rawcliffe: Yeah. So the costs really for an open source website come in your management and maintenance costs. So what we see with a lot of schools is, you get this open source website, and it's great. And if you manage it, you have somebody on staff that knows what they're doing, that's great.
It can quickly become very cumbersome, depending on how much functionality you're using. If you're using just the base code, then great. You're probably not going to have issues. The more extensions and variations and functionality you start to have, the more maintenance that is going to cost you in updating it, in server updates and bandwidth and things like that.
Rob Rawcliffe: So I think if you have somebody on staff that knows what they're doing, that is into it, that can manage that, it's great. If you don't want to get tied down to that and you want something that somebody else is managing and keeping up to date and it's all in their code, then using a company like Finalsite for a CMS is a really good idea, because some of those hidden costs, they're already paid for upfront in your subscription.
So it's really, do I want to get a free website and have the labor costs associated with that, or do I want to pay up front for the cost and know that I'm not going to worry about that in the next couple years? So that's really the big difference between open source and a paid provider.
Cristina Pawlica: And with open source, you did mention some vulnerabilities that are specific to open source versus something like Finalsite or other platforms. Can an open source ever truly be secure? What are the steps that schools can take to almost get there?
Rob Rawcliffe: I mean, that's a million dollar question. I think they're secure in themselves. I think, like everything else, it's only as strong as the weakest link. So if you have got a bunch of good companies that you're using, that you're paying for, that are all over that, that's great. But just make sure you do your research and know that they are covering the vulnerabilities and that they do have the finger on the pulse and they have a security team and things like that.
There are simple things, like are you using two-factor authentication and those kinds of things, that will just help you be more secure. Yeah, I think yeah, just looking out for that weakest link and where the potential problems could be. I think if you've got your eyes open to that, then that's the main thing.
Cristina Pawlica: Awesome. So what I'm hearing from you is, always do your research, always practice good security hygiene, cybersecurity hygiene, no matter what platform you're using, and that will help you overall. So I encourage you to do that. We have blogs on our website that compare open source to other choices for schools, so I encourage you to look at that.
Cristina Pawlica: Next week, we'll be discussing hosting. Why does hosting matter? And if you'd like to learn more about Finalsite itself or get an inside peek to our specific platform, request a demo by emailing firstname.lastname@example.org.
For more on why open source solutions may not be the safest solution for schools, read these blogs:
- Is Open Source A Good Solution For School Websites?
- The 9 Biggest Problems Schools Face When They Choose Open Source
- Best Practices