2U: Transforming and Securing Education through Tech

The face of education is changing. With an evermore interconnected world, the times of having to attend educational establishments in their physical locations no longer applies. Educational Technology (EdTech), in the form of educational delivery platforms, is transforming this landscape – there may even come a day, when education journeys are taken entirely online as part of global culture.

This landscape has its challenges of course, but it also brings with it major opportunities to overcome some of the restrictions that traditional educational systems have not been successful eliminating. 

In terms of the challenges, the most pressing is probably that which concerns data. 2U is the parent company of global online learning platform edX which provides over 45 million learners with access to over 4000 digital education offerings from more than 230 colleges, universities and corporations. Each one of those learners, and the educators that constitute that learning relationship, has data that pertains to them. That’s a lot of data. 

Naturally, the security and the trust in the service is central to the educational dynamic and to 2U’s success – which is invariably tied to the outcomes of its users. In other words, the quality of education is now inseparable from the quality of the technology, which implies, amongst other things, the security of the systems that deliver that education. Homeschooling has a new face, and if home is where the heart is, then school is wherever learners want it to be.

Andres Andreu is the Chief Information Security Officer at 2U. His role entails overseeing everything to do with security, ensuring those educational potentialities are maximised by minimising the risk involved when such systems are online. “I'm responsible for the internal side of the house – or what is traditionally called IT security,” he says, “and I'm also responsible for everything having to do with the customer-facing side of the house, which is where we engage with our partners, instructors and students – a larger ecosystem than the internal side. I also oversee SRE (Site Reliability Engineering) or DevOps and DevSecOps as well.”

As CISO, there could hardly be someone better fitted for the job at 2U. Andreu has a long and fruitful professional history, steeped in the expertise that such a position requires.

His career began in the early nineties, in a federal law enforcement agency in the US. At the time, Andreu was actually pursuing a career in law enforcement in the field, and “through an interesting series of events”, ended up on the tech-side, building what's called 'Title Three' technologies or ‘lawful intercept’, wire-tap technologies. “I really never looked back from there and fell in place with tech,” he says. 

Andreu began his tech career as a software engineer and also did some hardware engineering at that time. “When I left the government, I basically ended up at a large international advertising agency and took over the entire global applications operation, which included everything on the application security side as well – and, in those days, APPSEC was in its infancy.

“On my own, I started doing a lot of pen testing (penetration testing or ethical hacking) and built my own business, and this was before the big players were involved in pen testing. I also wrote a book on pen testing in 2006 and that started my public speaking path. After that, I began consulting for a number of governments around the world and ended up with an interesting contract at the United Nations, oriented around the technology side of human trafficking and counter terrorism work.” 

From this, Andreu co-invented three cybersecurity products as employee number three of Bayshore Networks. “We started in 2012 and built the company and the products up to exit in Jan of 2021,” he says, “where an Israeli company bought out all the intellectual property and the engineering team.”

Andreu was then asked to join 2U to spearhead their security programme. Learning and security have clearly always been a motif throughout his impressive career. 

As an EdTech company, 2U is presently at an interesting migration point, where they’re making a very hard push to move from a product company to a platform company – and there's a sizeable difference between the two. “From a tech-perspective, we feel that an effective platform is the future of the company. That shift will really streamline and facilitate our partners' ability to engage with us.”

Layer Seven – Securing the data, not the network

Since 2U’s customer-facing solutions were born in the cloud, Andreu sees cloud and application security as “very tightly coupled”. 

“This is really the protection of our users, their data, their experience - from what's known as a 'layer seven' perspective. A lot of traditional security focuses more on networking devices and networking nuances. Layer seven, or application security is a totally different animal, because you're dealing with elements at a data level – not at a network level. So to me, application security is the cornerstone of my entire programme here. We've put a lot of work into it, but it really encompasses movements on both sides of the equation.”

This means that Andreu and his team have to address security at the core. “In other words, we need to make sure that our software engineers are coding with certain models in their minds, which are protective mechanisms at a code-level,” says Andreu. “And then we have the other side, which is where we add elements like web application firewalls and content inspection at the actual delivery points – right on ingress and egress.

“And so to me, I see application security as an entire ecosystem within itself. Data security is really paramount to us because our objective is always to provide the safest possible environment for our learners – and our users and our instructors trust us with their data – so protecting data at rest is one extremely critical dynamic.” So there is data at rest, and then there is data in transit, and these all fall within Andreu’s remit as CISO.

“Now, there are some obvious challenges with the space given that we can’t control what a student has on their machine”, says Andreu, “and I can’t control how they operate from their personal machine. So, given these challenging environments, there are multiple protective elements we have put in place in order to maintain the safest possible learning environment for our customers.”

Risk and Compliance

Since Andreu joined 2U, they’ve built an enterprise risk management committee, the responsibility of which is to understand the identified areas of risk that 2U brings to the table. The committee then makes decisions in terms of priorities in addressing those risks, implementing mitigating controls within certain areas and calculating how much budget they're going to put into those decisions. 

“That committee is really at the heart of our risk management,” he says. “As a company, from a compliance perspective, we are mandated by a number of partnerships to have several assessments and compliance requirements. So, for instance, we are required to have SOC-2 (type-two) within certain business units, we pursue the UK cyber essentials certification, we also are required to have PCI-compliance, all the way to externally validated compliance and so on. From a compliance perspective then, we're pretty broad in terms of the requirements that we have to meet.”

The Cyber-Age-Old Question of Identity

“Perhaps a gross oversimplification, but in any security system, to be able to understand the landscape, we obviously have to be able to discern those things that are connected to the ecosystem, and Identity Access Management (IAM) is really a framework in terms of the end-to-end management of digital identities.” Andreu pauses before continuing, “and I'm going to be very clear here, because I'm very opinionated on this subject.” We’re all-ears. 

“Every organisation defines identity differently. However, having done a lot of work with identities, to me an identity is really not just a user. Yes, a user does have an identity, but from an IAM perspective, a machine also has an identity – and even certain elements of software have identities.” This is an interesting approach. 

“This,” he says, “is all very important if you start thinking in terms of implementing future zero-trust environments, because identities are obviously at the heart of zero-trust, and so we're pushing into that space rigorously. From a user-identity perspective, I can tell you that we're already on the journey to go passwordless and that's an important part of the access aspect of the IAM framework.”

Andreu expresses that he never loses sight of the idea of software elements as having identities, “because,” he says, “if you think about machine-to-machine communications at an API level, there's no human involvement at all in that process, and so it really needs to be thought of in that way.”

Layers of Security and the Locus of Defence

I begin to wonder whether a completely secure network is even possible, especially in the face of greater interconnectivity and the data explosion that’s taking place on such an unprecedented scale. So I asked him, and his answer was rather stringent, but honest. 

“I think network security is just nonexistent at this point, and anybody that thinks their networks are secure is, in my opinion, delusional. Think about it. Our perimeters have disappeared, just as the traditional network has in fact, also disappeared. Our networks now are extended into cloud environments and deep into people's homes. So you put in controls to try to limit the attack surface within your network, but honestly, you really have to just come to terms with the fact that the network is no longer the locus where you can protect things. At 2U, we are successful at our network security, but I also understand that the network is not really a good choke-point to try to implement security effectively.

“If you take the layer seven example for instance: you could have all the network security in place that you want and an application that gets deployed, but it's chock-full of holes. Unless you have something looking at layer seven data natively – at a granular level – your network security controls are totally useless. From an infrastructure perspective, then, 2U is actually in a really good state because we have a lot of infrastructure as code deployment builds and so have many security guardrails built into those CI/CD (continuous integration/continuous delivery) pipelines. It helps us to automate the entire process of securing the deployment of infrastructure.”

The Future of Education

Andreu predicts that we're going to see a lot of intelligence built into the ecosystems of the EdTech industry. “For instance, in the same way that there's adaptive testing, like where you might get two or three questions, and then the difficulty increases accordingly – there's going to be, I predict, an ‘adaptive learning’. Imagine 40 students in a coding class, all 40 are going to have varying levels of background and experience – so half the class is going to be bored half the time, while the other class is going to be challenged. That’s the traditional model of education.

“But imagine an adaptive environment where a baseline gets set when the class begins. Then the difficulty of the challenges that get presented to students are dynamically adapted based on their performance, on their level of knowledge and ability. I think that's really powerful, and it’s going to be something that slowly remoulds the entire educational environment through technology and AI in the EdTech space.”

2U's mantra is ‘no back row’, because, typically, the back row in a classroom misses out. “They're the ones that are not focused and are not getting the same level of attention from the professor,” says Andreu. “Our objective is to remove that back row and to make this accessible to anybody who's willing to take on the challenge of these classes.”