RUGIT meeting, Monday 27th April 2015

KCL

Attendees: Stuart Lee (Secretary, Oxford); Simon Marsden (Chair, Edinburgh); Eileen Brandreth (Cardiff); Chris Sexton (Sheffield); Paul Drummond (Durham); Jason Bain (Newcastle); Lynne Tucker (Exeter); Malcolm Days (Warwick); Martin Bellamy (Cambridge); Oz Parchment (Soton); Paul Jennings (Imperial); Martin Furner (Russell Group); Nick Leake (KCL); Mike Fraser (Oxford); Alison Clarke (Nottingham); Nandy Millan (Birmingham); Darrell Sturley (Bristol). Arrived after competition notice: David Brakes (QMUL); Sean Duffy (Birmingham).

1.  Introduction

The Chair (Simon Marsden) reminded the group of the requirements under competition law. He advised that if he felt the conversation strayed into inappropriate areas he would curtail it. Late attendance would also be recorded.

2.  Minutes and matters arising

The minutes of the last meeting were accepted.

Update re JISC. Cloud services survey was discussed – it was noted that the survey design was not ideal. Lynne Tucker noted that due to her departure we needed a representative on the JISC learner predictive analytics group.

Action – everyone to canvass for volunteers around learner analytics; this may form a sub-group and the chair could attend the JISC group. SL to progress.

RUGIT Web site:

Action – ALL to check membership, details of their institution on web site and send updates to .

Top 3 topics – this was discussed. Annual survey was agreed for topics, then leave members open to raising items for future meetings.

Future meetings were discussed.

3. Legal Session 1: Andy Cormack

Counter-Terrorism and Security Act 2015:
Clause 26.1 is the key part of the Act. This was passed on last day of Parliament, but noted that Universities also had to have particular regard for free speech. So what does it mean to us:

-  More data added to DRIPA 2014: essentially think this refers to DHCP and NAT logs, but it only applies to public communications providers, so not Universities unless you offer public access; and it only applies if the Home Office contacts you.

-  Separate guidance for England/Wales, Scotland, and NI on prevention is not there yet. States it should not add ‘large/significant new burdens’ to institutions. Guidance is about 3 pages, updating policies/processes on safety, welfare, training, visitors, AUP; wording seems to imply that if you currently do not filter then there is no requirement to do this, but if you do, bring in relevant filters in this area (Scottish policy is slightly more ambiguous here).

-  Sensitive research: just know where it is, do it safely, follow UUK guidelines on this. Check this against open agenda though as some research data may be deemed not suitable for making open.

-  JISC is developing on-line staff Awareness training in this area.

-  It will be supervised by HE funding councils it appears.

-  No expectation then of new technical solutions.

-  All comes into force on 1st July, but no date set (yet) for HE or GE institutions so we do not have that hard deadline.

Quick show of hands suggested only 2 HEIs filter.

Action: SL to notify RUGIT when JISC training is available.

Security as ‘Opportunity’:

If security isn’t helping your business why are you doing it?

Universities are uniquely complex in terms of service and data provision/requirements. But it was also noted that much of what is now being discussed (de-perimeterisation, network partition, incident response, BYOD) has been with us for 20 years.

New opportunities – crypto everywhere, location independence, 2FA, etc.

Challenge – IT is no longer the gatekeeper to IT.

Security for research and education cannot be done by IT anymore. Users do not need our hardware, users change security zones by moving around (e.g. on train).

So IT should look at ‘packages’ based around behaviour + policy + technology (e.g. if you are doing this use this package; by way of example setting up your network). Asset owners have to choose what needs to be secure or not.

Think ‘work safe’ not ‘stop unsafeness’.

Discussion: But the view we hear is that Universities are unsafe/insecure. Do we have a PR problem if we are doing OK (mentioned CPNI felt that we were)? External agencies think we are doing well, only providing a tenth of the problems they would expect.

Could JISC do more, e.g. detection service? Looking at this but technology is not there to keep up with JANET speeds of 100Gbps. Looking at work on the edges instead. Could JANET start to look at dark net infiltration to protect University assets? [Do already look for password dumps.]

People were directed to the new UCISA Security toolkit.

Action: Receive an update from RUGIT security update in the future.

4. UCISA Conference

Chris Sexton raised the issue of the UCISA conference and asked for suggestions for speakers.

Action: All to send suggestions to Chris.

5. Russell Group

Martin Furney mentioned the Russell Group ‘lines’ (as in take on key issues/policies).

Action: Invite member of Russell Group to attend (begin with Martin Furney).

6. Ts&Cs Cloud Services – Frank Jennings

Managing your risks in the cloud.

What are the risks?

SLA oversell – Sales pitches are excessive. For example, you will often see ‘except for’ (e.g. 100% availability except for scheduled/planned maintenance, unscheduled, emergency, force majeure, etc).

As is service, no liability – e.g. all warranties are excluded (‘as is’ - so you need express warranties), no reliance on supplier skill.

Data compliance – UK DPA protection of personal data, data controller (University) vs data processor (cloud service). Need to pass on ‘appropriate technical and organisational measures’ to the processor.

DR and insolvency.

AWS have produced a document outlining AWS protection (April 2015). Indicates that their contract is out of synch with their vision presented here though.

7. Innovation

Nandy Millan, Birmingham, Innovation centre

Has an observatory role, raise awareness across the community, manage innovation, run events (student mobile app comp, mobile apps in research summit, seminars/workshops/etc), ongoing programme of experiments etc. Use SPIGIT. Based around challenges on a specific topic.

Stuart Lee also presented on Oxford’s innovation fund using wazoku.com.

8. AOB

Lynne drew our attention to the HEFCE BRAM project (Benefits Realisation). Exeter are working with Falmouth on this to explore the money saved through the shared services they are adopting. If anyone else is interested in looking at this, details to follow.

QMU looking at customer services excellence. Interested in talking to other HEIs who have worked on this.

Benchmarking exercise being conducted across professional services. Some Universities have signed up to this already but it is noted that it is expensive.

Awayday dates in Cardiff have been set for 10/11th February 2016.

11. Post Meeting: Arkivum (Mark Ellis/Jim Cook)

Known for: archiving [RDM especially], and integrated RDM suite. Long-term solution on different models 1 year – 25 years. By archiving they mean long-term access of the primary data.

3-6 copies of data in Tier 3 data centre, fully automated solution, certified ISO27001, NHS N3 (clinical data stored on specific segmented piece of storage within N3), and with money/data escrow. All files are encrypted. Data integrity tests using 2 checksum tests on all data.

Arkivum/100: 2 data centres, 1 escrow copy, upwards from 1TB/year. Gateway sits on local network. Offers also drag and drop facility, authenticated via AD. Has 100% guarantee of data integrity.

Arkivum/1+1: 1 data centre copy, 1 escrow copy (can restore from this), 5years+; 250TB+; can sit alongside Arkivum/100.

JANET Framework available: allows Arkivum/100 and 1+1. Does not include the gateway appliance, so this needs to be bought outside of the framework. Deal with Arkivum through resellers (e.g. S3, cristiedata, etc); takes 3 weeks to deliver h/ware, 1-2 days to install.

Arkivum/Flex: allows you to flex your storage requirements. Scale up at request.