Monday, 27 April 2015

RUGIT - Security, Cloud and Innovation

Today I've been to a RUGIT (Russell Group IT Directors) meeting in London at Kings College. A great location by London Bridge with the Shard towering over it.

First up was a session from JISC on security issues, starting with the implications for us of the Counter-Terrorism and Security Act 2015. It says that we should have due regard to the need to prevent people from being drawn into terrorism. It also says that, as a university, we should have particular regard for promoting free speech.
Guidance on implementing the act has been published and is available here, and it advises that it should not add large new burdens to institutions who are following current best practice. Most of the guidance is around updating policies and processes, including the acceptable use policy, which is expected to mention the new statutory duty, but no wording is currently suggested.

There are no real technology implications, other than that if an institution already filters harmful content, then you should consider adding this.
JISC is currently developing online staff awareness training.

We then looked at some other security issues around our complex environment, which covers everything from providing home broadband to complex research environments.
We have very diverse security requirements in the same organisation. Because of this, we've been dealing with issues around things like BYOD and incident response for more than 20 years.
But our environment is changing, and the smartphone in our pockets has more power than universities had 20 years ago.
New habits are now routine. Mobile working and the blurring of the life/work boundary mean that safe IT behaviour is no longer something you only need to do at work. It's a life skill.
Security can't be done by IT alone. Our users no longer need our hardware and can change security zone at the click of a mouse.

The role of the IT department is to help our organisations choose and adopt a package of behaviour, policy, and technology.

Think "work safe", not "stop unsafeness"

We also had a session on cloud risks and how to manage them from a lawyer who is an expert in cloud. He has a blog which I've had a quick look at, and it contains some interesting stuff.

The first was SLA oversell, where the sales pitch says the service will be 100% available, secure, unhackable, the best, fastest, cheapest etc. However, the SLA will contain phrases like "make reasonable efforts" etc.
100% availability except for scheduled maintenance, planned maintenance, unscheduled maintenance, emergencies, etc.

Another clause found in lots of cloud terms and conditions is the "as is" service.
Or, the service is as we provide it. It might work, it might not.
There are often other clauses excluding any warranties, with no guarantee over what they provide. No guarantee that data won't be lost. They're not liable to you for any losses, even data. All of the above are contained in the Ts and Cs of a very big web services company who made their name selling books...

How do you manage it? Negotiate terms? But often you can't with big corporates.
Pay more, get better cloud? Pay for failover, redundancy etc.?
Split between public, private and hybrid?

Issues around data compliance tax a lot of people, and we concluded that wherever your data is, someone will be able to get to it.
Every country has a surveillance organisation and some legal jurisdiction to get at data.

How do you manage this? Keep your data in your local data centre? Use a hybrid cloud? Encryption, tokenisation? Or just do a robust assessment of the risks?

The other risk with cloud services is disaster recovery and insolvency. Firms have gone bust, and administrators have demanded large sums of money from customers to get their data back. You need to plan for the worst and have a DR strategy.

Finally we had a session on innovation management from Oxford and Birmingham. Both have implemented solutions similar to IdeaScale for generating, capturing and scoring ideas. It is done in slightly different ways in the two organisations, but with similar results. Innovative ideas are sought in a campaign from staff and students, are voted on, and are then assessed by a panel. The most successful are funded. In some cases the staff or student originator works on the project; in some they are developed by the IT department.

Very good day. Always good to meet the others and share ideas and issues.


sdw1106 said...

Thanks Chris - interesting stuff. I wonder how many RUGIT members filter content and how many don't? Steve

chris sexton said...

Quick show of hands yesterday revealed only 1 filtered content