
Agreements with External Cloud Services

List of agreements

Process for new cloud services

  • A top item: List of existing agreements, and how to get a new service on board.
  • IT Policy Team could work on process for campus users to determine what services are currently under contract and how to go about getting new agreement in place; communications is an issue (example: misinformation about people outside of instructional realm "not allowed" to use certain technologies)
  • CIO office can create and disseminate process for local units to get agreements in place; challenge to get attention and concern of "lower level" IT support who are often the first to know and make decisions quietly
  • How to get institutional agreement in place for cloud service? Local interest in getting agreements in place -- CIO office could help with this. Misinformation coming from purchasing agent apparently.

Compliance

  • Learn@UW service doesn't allow enterprise integrations with external vendors w/o campus agreement in place
  • Improve communications!! so that distributed IT can advise their faculty/students
  • Better communication about available common systems
  • Issue is that we cannot control or enforce, must persuade

Awareness & Training

  • A top item: Compliance - not able to control users – only have education
  • A top item: Raise awareness of risk
  • A top item: Education – faculty/staff/students. Know risks. Know basic things to look for.
  • most want to do the right thing.
  • flip it around, show that access is not needed
  • Recurring security training (like HRS does)
  • Lack of awareness by some users
  • Improve education and communication to faculty that there is a bigger issue than just their personal needs
  • Office 365 ability to remote wipe device - what's the status of this? Need to communicate policy on this
  • Campus already requires basic security controls on BYOD – they remind us that they must follow
  • Transient students who are only there for 6 weeks. It's hard to train them adequately – especially if they deal with research data.
  • Use university resources, policies, training
  • Create a video to provide basic data protection training
  • Educating Fac & Staff on what resources to use / not use
    • what is safe? Best practices
  • EULA analog for web site
  • Annual security assessment quiz like the annual conflict of interest agreement or HIPAA agreement
  • DoIT newsletters & posters
  • New Employee Orientation
  • New Employee Confidentiality Agreement
  • How do we get the word out?
  • How to get every user to know that this is important?
  • How to reach the people we most need to reach?
  • Maybe have somewhere where solutions are set up very well, very secure, something we can point to as a role model
  • Trying to provide alternatives but sometimes hard to change perspectives
  • Some have changed their mind when the users find out they are personally responsible, personally liable
  • Have to get the word out about risk
  • Put up posters. Seemed to work for peer-to-peer copyright issues
  • Review existing documentation and put in "put a password on your phone" – get some thinking about security
  • Highlight only two or three things in posters/advertising. Users won't read beyond 2 or 3. Next semester introduce more topics

Cloud Services (specific services)

Not offered by campus (specific services)

  • Cloud services being used in our work:
    • Zotero, Evernote
  • Have a lot of dropbox, some adoption w/ Box because of 50 GB allocation

Offered by campus (specific services)

  • Transition from shared local storage to Box (many reported this)
  • One lab is trying to reduce use of personal apps and use Box for data storage; for some labs 50GB is not sufficient
  • Better communication about available common systems
  • Office 365 ability to remote wipe device - what's the status of this? Need to communicate policy on this
  • IMAP doesn't work with Office 365 (70MB per hour)
  • Box - have to trust the rules of the UW-Madison that this cloud option makes sense.
  • The use of Box – availability has really helped and the transition has been pretty smooth
  • Have a lot of dropbox, some adoption w/ Box because of 50 GB allocation

Policy, guidelines and procedures

Campus level

  • A top item: Need recommendations from the campus on how [to handle it]
  • A top item: Having implementation plans for complying with policy
  • Stipend for purchase of personal device; currently an equity issue among existing grad students in one lab/dept
  • CIO office can create and disseminate process for local units to get agreements in place; challenge to get attention and concern of "lower level" IT support who are often the first to know and make decisions quietly
  • How to get institutional agreement in place for cloud service? Local interest in getting agreements in place -- CIO office could help with this. Misinformation coming from purchasing agent apparently.
  • IT Policy Team could work on process for campus users to determine what services are currently under contract and how to go about getting new agreement in place; communications is an issue (example: misinformation about people outside of instructional realm "not allowed" to use certain technologies)
  • Devices need to be secured first and then allowed to access campus data.
  • Make it easy. Make it UW wide
  • Recommend don't store university data in the cloud
  • Advise to use Box when there's a need for collaboration
  • Use university resources, policies, training

Local level

  • BYOD saves local lab equipment costs
  • Local dept updates/manages university-owned devices but not personal devices
  • they do allow Remote Desktop in from Service Center
  • No unidentified data to be on any non-UW supported device. They maintain the security.
  • PKI "not adamant about it"
  • If they don't manage, don't get an IP (laptops)
  • Smart devices must have Airwatch
  • Grad students must be on campus to use network
  • Surgeons not so bad, would get new phone and then hand phone to IT person to set it up (secure it).
  • User must sign a confidentiality form.
  • Has policy that data must be encrypted, but no way to prevent users from placing on cloud
  • Recommend don't store university data in the cloud
  • Advise to use Box when there's a need for collaboration
  • Unit A uses VPN to connect, Rely on DoIT policies
  • Unit B uses VPN for personal laptop, personal phones can be wiped
  • Unit C UWHC policies, Airwatch, remote wipe, dept laptops are encrypted, VPN for files, the rest mailed by the user, remote desktop
  • Unit E uses (for now) DoIT/UW Policies
  • Unit F No personal devices allowed on the network via DHCP
  • Unit G WiscVPN for access
  • No policy, we arrange level of support
  • Follows SMPH guidelines
  • Follows campus policy
  • No teeth in guidelines, we can't mandate

Practicality of Solutions

  • Make it easy to connect to dept. shares
  • Make it easy. Make it UW wide
  • Use existing resources and try to make it as easy as possible for them
  • practical or pragmatic for most users, all users
  • realistically able to handle the UW large set of data

Resource management

  • schools and colleges have accreditation board but role is more "are you on mission?"
  • Internal Review Board (IRB) sometimes comes in and makes rules.
  • BYOD increases complexity within environment; greater support load due to wider variety of devices
  • BYOD a bad thing unless managed well
  • Administrative Excellence - Data Center consolidations, where does this take us?
  • IT personnel bring risks to managers and CYA

Resources, lack

  • No resources to even begin to manage it.
  • BYOD increases complexity within environment; greater support load due to wider variety of devices
  • Local dept updates/manages university-owned devices but not personal devices
  • Some interest in virtual desktops that are not managed locally (too expensive, low usage) - perhaps buy into this service from DoIT?
  • Improve software licensing process (ex: Adobe) for labs so that grad students for example could bring in their laptop and use licensed software
  • Lots of students, grad students who bring/use their own because dept-provided is lower quality - these don't get managed locally other than some locking of network access to single jack
  • Serving 60,000 vs. 100 people is never considered. Need more resources to support the bigger staff.
  • only one IT staff
  • IT position is funded by L&S chargeback model.
  • Unit X is trying to support 700 people with 300 grad students that BYOD

Resources, savings

  • Desire to use more cloud services primarily due to lower costs, simpler firewall management (port 80)
  • Prefer to decrease amount of stuff (desktops, storage) to manage locally and shift towards cloud services
  • A campus service for virtual desktops that was centrally managed would help reduce local load and costs

Risks to institution or department

  • data security
  • Lack of uniform naming conventions for files
  • Mingling of personal and professional data/work
  • Absolute security on one end but freedom on the other hand. Very hard to implement.

Reputation

  • loss of reputation
  • Reputation of unit and trust of users coming in as research subjects
  • Don't want to lose the large amount of grant money if our reputation is lost, or research data gets "manipulated" without staff knowing it.
  • getting hammered in audit, better than in breach

Financial

  • $3000 or more (our guess from Jeff and Phil) lost for each record of data
  • Potential loss of intellectual property
  • Don't want to lose the large amount of grant money if our reputation is lost, or research data gets "manipulated" without staff knowing it.
  • massive lawsuits
  • legal actions against UW and persons
  • Lots of email on cell phones
  • Legal requirements

Lack of Control

  • Has policy that data must be encrypted, but no way to prevent users from placing on cloud
  • No teeth in guidelines, we can't mandate
  • Lack of user compliance even when they know they shouldn't save data to unsecured locations.
  • Security of systems themselves (personal systems with no control)
  • Loss of control
  • No authority over device

Lack of user awareness

  • Lack of awareness by some users
  • Lack of user understanding & awareness of how to manage data files & risks of bad management.

Loss of Data

  • Staff storing data in locations not being backed up.
  • Records retention
  • Unit D concerns with record retention
  • Worries total research data will be stored on 1 device
  • Loss of data
  • Users take data with them when someone leaves
  • How do we get back control of data once person has left. Had to work with google docs, not even DoIT could help.
  • Resources about how to deal with data when users leave – nothing in DoIT KB
  • Loss of data due to hardware failure, loss/theft
  • Faculty/researchers
  • Faculty can do whatever they want ("total freedom"), but the downside is they have little or no restrictions
  • Biggest risk are faculty with multiple appointments in different colleges storing data across many areas and networks.
  • Improve education and communication to faculty that there is a bigger issue than just their personal needs
  • Researchers that think their work is more important than ours are harder to convince
  • Department chair works for the faculty.
  • Dept Chairs can kick out the Dean (inverse authority all the way up)
  • Student grades on personal laptops
  • Student employees
  • Grad students BYOD
  • Transient students who are only there for 6 weeks. It's hard to train them adequately – especially if they deal with research data.
  • Some grants have the security rules built into them. That forces people to be more secure. (FISMA rules)
  • Worries total research data will be stored on 1 device
  • Research data
  • Peer pressure from outside researchers to use unsafe tools
  • Transient students who are only there for 6 weeks. It's hard to train them adequately – especially if they deal with research data.
  • Researchers that think their work is more important than ours are harder to convince
  • Don't want to shut down innovation and research. Want to keep UW at the top.
  • Patient data
  • HIPAA violations
  • Traffic segregated by VLANS – known risk.
  • Attacks from outside people plugging in behind the firewall w/ unknown laptops

BYOD-specific

  • BYOD a bad thing unless managed well.
  • Personal devices w/o passwords
  • No authority over device
  • Devices need to be secured first and then allowed to access campus data.

Cloud-Specific

  • Have a lot of dropbox, some adoption w/ Box because of 50 GB allocation
  • Phone data backup up on computer or cloud
  • Has policy that data must be encrypted, but no way to prevent users from placing on cloud

Access control issues

  • Single sign-on concerns can allow too much access at times.
  • Opening up files to too many, because users might not understand how to share with others, will make things too open
  • Devices need to be secured first and then allowed to access campus data.

Risks to individuals

  • if we do not have institutional agreement in place, individuals are personally responsible
  • legal actions against UW and persons
  • There is a lot for the average user to worry about in terms of service
  • Some have changed their mind when the users find out they are personally responsible, personally liable
  • autonomy of individual people

Security

  • getting hammered in audit, better than in breach
  • grant rules again lead to tighter security
  • Some grants have the security rules built into them. That forces people to be more secure. (FISMA rules)
  • Internal Review Board (IRB) sometimes comes in and makes rules.
  • HIPAA experts that serve as resources
  • IT personnel bring risks to managers and CYA
  • Interest in establishing best practices

Authentication

  • Two-factor authentication could be explained and offered to everyone.
  • Can RDP use our two-factor authentication?

Awareness & Training

  • Annual security assessment quiz like the annual conflict of interest agreement or HIPAA agreement
  • New Employee Confidentiality Agreement
  • Campus already requires basic security controls on BYOD – they remind us that they must follow

Backups

  • Perform backups for BYOD.
  • 2 copies (of data) for faculty; Airwatch for all

Categorization of data

  • A top item: Different security zones have different needs
  • Data should be classified.
  • Data outside of medical field may be at a much lower risk level.
  • Classify the data
  • Use the model the data center uses and base on the classification:
    • HIPAA – extremely secure
    • FERPA – secure
    • Public – minimal protections

Endpoint security

  • Scan dept computers for dropbox installation and remove
  • Encryption is difficult to install, configure locally; would like encryption built into email for transmitting information (not stored files) to other institutions
  • If they don't manage, don't get an IP (laptops)
  • PKI is not supported at Campus level which fragments the solutions that departments make.
  • Smart devices must have Airwatch
  • 2 copies (of data) for faculty; Airwatch for all
  • Unit C UWHC policies, Airwatch, remote wipe, dept laptops are encrypted, VPN for files, the rest mailed by the user, remote desktop
  • Office 365 ability to remote wipe device - what's the status of this? Need to communicate policy on this

Email Security

  • Office 365 - no certificate for secure emails.
    • Lacks it in a larger purchased product. This shows that higher-ups might not care about security, so why should we?

Network Security

  • Grad students must be on campus to use network
  • Traffic segregated by VLANS – known risk.
  • Port-assigned network access
  • Treat client traffic as external (outside of FW)
  • Unit A uses VPN to connect, Rely on DoIT policies
  • Unit B uses VPN for personal laptop, personal phones can be wiped
  • Unit F No personal devices allowed on the network via DHCP
  • Unit G WiscVPN for access
  • DoIT staff encouraged to use VPN off campus
