2u - September 2022


DIGITAL REPORT 2022

Transforming and Securing Education through Tech


STATS: 2U is the parent company of global online learning platform edX which provides over 45M learners with access to over 4000 digital education offerings in partnership with more than 230 colleges, universities, and corporations.

Andres Andreu, Chief Information Security Officer at 2U, a leading EdTech player, explains why security is critical to the present & future of education

The face of education is changing. With an ever more interconnected world, the need to attend educational establishments in their physical locations no longer applies. Educational Technology (EdTech), in the form of educational delivery platforms, is transforming this landscape – there may even come a day when education journeys are taken entirely online as part of global culture. This landscape has its challenges of course, but it also brings with it major opportunities to overcome some of the restrictions that traditional educational systems have not been successful in eliminating. In terms of the challenges, the most pressing is probably that which concerns data. 2U is the parent company of global online learning platform edX which provides over 45 million learners with access to over 4000 digital education offerings from more than 230 colleges, universities and corporations. Each one of those learners, and the educators that constitute that learning relationship, has data that pertains to them. That’s a lot of data. Naturally, security and trust in the service are central to the educational dynamic and to 2U’s success – which is invariably tied to the outcomes of its users. In other words, the quality of education is now inseparable from the quality of the technology, which implies, amongst other things, the security of the systems that deliver that education. Homeschooling has a new face, and if home is where the heart is, then school is wherever learners want it to be.

Andres Andreu is the Chief Information Security Officer at 2U. His role entails overseeing everything to do with security, ensuring those educational potentialities are maximised by minimising the risk involved when such systems are online. “I'm responsible for the internal side of the house – or what is traditionally called IT security,” he says, “and I'm also responsible for everything having to do with the customer-facing side of the house, which is where we engage with our partners, instructors and students – a larger ecosystem than the internal side. I also oversee SRE (Site Reliability Engineering) or DevOps and DevSecOps as well.”

As CISO, there could hardly be someone better fitted for the job at 2U. Andreu has a long and fruitful professional history, steeped in the expertise that such a position requires. His career began in the early nineties, in a federal law enforcement agency in the US. At the time, Andreu was actually pursuing a career in law enforcement in the field, and “through an interesting series of events”, ended up on the tech-side, building what's called 'Title Three' technologies or ‘lawful intercept’, wire-tap technologies. “I really never looked back from there and fell in place with tech,” he says.

Andreu began his tech career as a software engineer and also did some hardware engineering at that time. “When I left the government, I basically ended up at a large international advertising agency and took over the entire global applications operation, which included everything on the application security side as well – and, in those days, APPSEC was in its infancy.

ANDRES ANDREU, CHIEF INFORMATION SECURITY OFFICER, 2U

Andres Andreu, CISSP-ISSAP, is the Chief Information Security Officer (CISO) at 2U, Inc. and a Boardroom Certified Qualified Technology Expert (QTE). Andres is an industry veteran and recognised industry leader. He was chosen as one of the Top 10 CISOs for 2022 by C-Level Focus. He was also chosen as CISO/Leader of the week by the Cyber Startup Observatory in February 2019, and Computerworld voted him one of the Top 100 IT Leaders for 2009. Andres is the sole author of “Professional Pen Testing Web Applications” as well as numerous magazine articles and an internationally granted patent.

ANDRES ANDREU
TITLE: CHIEF INFORMATION SECURITY OFFICER
LOCATION: RALEIGH-DURHAM-CHAPEL HILL AREA, NORTH CAROLINA


“On my own, I started doing a lot of pen testing (penetration testing or ethical hacking) and built my own business, and this was before the big players were involved in pen testing. I also wrote a book on pen testing in 2006 and that started my public speaking path. After that, I began consulting for a number of governments around the world and ended up with an interesting contract at the United Nations, oriented around the technology side of human trafficking and counter terrorism work.”

From this, Andreu co-invented three cybersecurity products as employee number three of Bayshore Networks. “We started in 2012 and built the company and the products up to exit in Jan of 2021,” he says, “where an Israeli company bought out all the intellectual property and the engineering team.”

Andreu was then asked to join 2U to spearhead their security programme. Learning and security have clearly always been a motif throughout his impressive career.

As an EdTech company, 2U is presently at an interesting migration point, where they’re making a very hard push to move from a product company to a platform company – and there's a sizeable difference between the two. “From a tech-perspective, we feel that an effective platform is the future of the company. That shift will really streamline and facilitate our partners' ability to engage with us.”

Layer Seven – Securing the data, not the network

Since 2U’s customer-facing solutions were born in the cloud, Andreu sees cloud and application security as “very tightly coupled”.

“This is really the protection of our users, their data, their experience - from what's known as a 'layer seven' perspective. A lot of traditional security focuses more on networking devices and networking nuances. Layer seven, or application security is a totally different animal, because you're dealing with elements at a data level – not at a network level. So to me, application security is the cornerstone of my entire programme here. We've put a lot of work into it, but it really encompasses movements on both sides of the equation.”

This means that Andreu and his team have to address security at the core. “In other words, we need to make sure that our software engineers are coding with certain models in their minds, which are protective mechanisms at a code-level,” says Andreu. “And then we have the other side, which is where we add elements like web application firewalls and content inspection at the actual delivery points – right on ingress and egress.

“And so to me, I see application security as an entire ecosystem within itself. Data security is really paramount to us because our objective is always to provide the safest possible environment for our learners – and our users and our instructors trust us with their data – so protecting data at rest is one extremely critical dynamic.” So there is data at rest, and then there is data in transit, and these all fall within Andreu’s remit as CISO. “Now, there are some obvious challenges with the space given that we can’t control what a student has on their machine”, says Andreu, “and I can’t control how they operate from their personal machine. So, given these challenging environments, there are multiple protective elements we have put in place in order to maintain the safest possible learning environment for our customers.”

“In my mission statement for the cybersecurity team,” says Andreu, “it is 100% evident that our focus is on providing the safest possible platform for our students to learn and for our instructors to engage, so everything's focused on the platform.”

Risk and Compliance

Since Andreu joined 2U, they’ve built an enterprise risk management committee, the responsibility of which is to understand the identified areas of risk that 2U brings to the table. The committee then makes decisions in terms of priorities in addressing those risks, implementing mitigating controls within certain areas and calculating how much budget they're going to put into those decisions.

“That committee is really at the heart of our risk management,” he says. “As a company, from a compliance perspective, we are mandated by a number of partnerships to have several assessments and compliance requirements. So, for instance, we are required to have SOC-2 (type-two) within certain business units, we pursue the UK cyber essentials certification, we also are required to have PCI-compliance, all the way to externally validated compliance and so on. From a compliance perspective then, we're pretty broad in terms of the requirements that we have to meet.”

The Cyber-Age-Old Question of Identity

“Perhaps a gross oversimplification, but in any security system, to be able to understand the landscape, we obviously have to be able to discern those things that are connected to the ecosystem, and Identity Access Management (IAM) is really a framework in terms of the end-to-end management of digital identities.” Andreu pauses before continuing, “and I'm going to be very clear here, because I'm very opinionated on this subject.” We’re all-ears.

“Every organisation defines identity differently. However, having done a lot of work with identities, to me an identity is really not just a user. Yes, a user does have an identity, but from an IAM perspective, a machine also has an identity – and even certain elements of software have identities.” This is an interesting approach.

Andreu expresses that he never loses sight of the idea of software elements as having identities, “because,” he says, “if you think about machine-to-machine communications at an API level, there's no human involvement at all in that process, and so it really needs to be thought of in that way.”

“This,” he says, “is all very important if you start thinking in terms of implementing future zero-trust environments, because identities are obviously at the heart of zero-trust, and so we're pushing into that space rigorously. From a user-identity perspective, I can tell you that we're already on the journey to go passwordless and that's an important part of the access aspect of the IAM framework.”

THE NEXT 12 TO 18 MONTHS AT 2U

2U will be wholly focused on the platform, including everything from an engineering perspective, from the DevOps, DevSecOps perspective and in securing that platform.

Layers of Security and the Locus of Defence

I begin to wonder whether a completely secure network is even possible, especially in the face of greater interconnectivity and the data explosion that’s taking place on such an unprecedented scale. So I asked him, and his answer was rather stringent, but honest.

“I think network security is just nonexistent at this point, and anybody that thinks their networks are secure is, in my opinion, delusional. Think about it. Our perimeters have disappeared, just as the traditional network has in fact, also disappeared. Our networks now are extended into cloud environments and deep into people's homes. So you put in controls to try to limit the attack surface within your network, but honestly, you really have to just come to terms with the fact that the network is no longer the locus where you can protect things. At 2U, we are successful at our network security, but I also understand that the network is not really a good choke-point to try to implement security effectively.”

“If you take the layer seven example for instance: you could have all the network security in place that you want and an application that gets deployed, but it's chock-full of holes. Unless you have something looking at layer seven data natively – at a granular level – your network security controls are totally useless. From an infrastructure perspective, then, 2U is actually in a really good state because we have a lot of infrastructure as code deployment builds and so have many security guardrails built into those CI/CD (continuous integration/continuous delivery) pipelines. It helps us to automate the entire process of securing the deployment of infrastructure.”

GUIDEPOINT SECURITY

2U has a meaningful partnership with GuidePoint Security that has allowed them to achieve much of their vision. Andreu says that he considers GuidePoint Security a trusted partner, which is notable as such a notion does not come easily to him. “GuidePoint have proven themselves to be not only very knowledgeable in the spaces where we've used them, but extremely trustworthy. And to me, that's a great combination. It's a combination that basically becomes an extension of my team. My team is small, but our scope of responsibility is broad. And so I see GuidePoint as a trusted extension of my team, and it's been an invaluable relationship.”

The Future of Education

Andreu predicts that we're going to see a lot of intelligence built into the ecosystems of the EdTech industry. “For instance, in the same way that there's adaptive testing, like where you might get two or three questions, and then the difficulty increases accordingly – there's going to be, I predict, an ‘adaptive learning’. Imagine 40 students in a coding class, all 40 are going to have varying levels of background and experience – so half the class is going to be bored half the time, while the other class is going to be challenged. That’s the traditional model of education.

“But imagine an adaptive environment where a baseline gets set when the class begins. Then the difficulty of the challenges that get presented to students are dynamically adapted based on their performance, on their level of knowledge and ability. I think that's really powerful, and it’s going to be something that slowly remoulds the entire educational environment through technology and AI in the EdTech space.”

2U's mantra is ‘no back row’, because, typically, the back row in a classroom misses out. “They're the ones that are not focused and are not getting the same level of attention from the professor,” says Andreu. “Our objective is to remove that back row and to make this accessible to anybody who's willing to take on the challenge of these classes.”


7900 Harkins Road, Lanham, MD, USA, 20706
T +1 (301) 892-4350
2u.com
