Safe computing in the cloud

Today I was pointed to an excellent article on the use of OneDrive from the University of Wisconsin Milwaukee:  It outlines the risks of using cloud based storage, followed by excellent information on practices that can mitigate those risks.  This is something I have been trying to start a dialogue on at Queen’s for some time.  It is normally more about how we handle information than the tools we use to transmit it and where it is stored.

One thing I think is important to note:  The article’s focus is OneDrive, but the risks and recommendations it covers apply to many other storage solutions, whether cloud-based or not. Regardless of where data is stored, we all need to pay greater attention to understanding and applying safe handling practices for the different types of data, especially that which is considered confidential or sensitive.

The first part of the article really focuses on these best practices.   We should be cautious when using unsecured connections, make sure our systems are up to date and equipped with the latest virus and malware protection software, consider what needs to be encrypted, use strong passwords, and be wary of unsolicited emails asking for accounts and passwords.  We should all adopt these safe practices, no matter where the data resides. A server plugged into the Queen’s network or on a home network will in almost every case be more vulnerable to being compromised or infiltrated than a major cloud based service used globally.

I encourage people to click on the link in the article which takes you to their data classification standards, where you’ll find a very good distinction between confidential and sensitive data.  SIN, credit card numbers, login credentials or information that is protected under a statute, act or law are confidential in nature and need extra care.  Our sense is that too often people send this type of information over email, even though email really is not a secure means of transmitting anything valuable.  I don’t think being confidential precludes us from using the cloud to store a file, but ensure you take extra care.  Maybe for these files you want to password-protect them, or, if you are at Queen’s, you may want to use other servers like QShare or the AD File Shares, even though we do not believe that in and of itself mitigates the risk.

All in all, the article is a great read and something that we should all pay more attention to.  Our information assets are valuable and we need to ensure we do our due diligence.  How we classify, distribute and handle the information is probably more important than where we store it.  Moving to OneDrive, we have done our due diligence and have subscribed to a secure environment that protects the privacy and confidentiality of our information.


One of the biggest challenges and opportunities in HE these days is facilitating on-line collaboration.  These things tend to happen organically, but in a community like Queen’s there are advantages to consolidating around common solutions, where we can easily find our ‘community’, use common tools, build consistent support and be sure it is done safely and securely.  We sometimes refer to this as virtualizing the residential experience.

This is an exciting week at Queen’s.  We rolled out OneDrive for Queen’s (also called OneDrive for Business) to all of our students, faculty and staff (notifications going out Monday).  This gives everyone at Queen’s access to 1 TB of web based storage per person.  That means you can securely access all of your files from anywhere that you connect to the web no matter what device you use.  It is also easy to automatically sync to your computer, so an up-to-date version of your files is always there even if not connected to the web (remember to encrypt your local synced files if there is sensitive and personal information in them).  You can share files and folders with colleagues at Queen’s or beyond.  From the Web App you can open files using Office products like Word, Excel and PowerPoint in the cloud, and multiple people can edit the same file concurrently.  People using the new active learning classrooms have been asking for this type of functionality.

OneDrive is a secure place to store your files, backed up by negotiated contracts that ensure we maintain ownership of our information and that it is protected.  The data moves securely between Queen’s and the external data centre and is stored in a highly secure infrastructure, monitored 24x7x365.  The level of security is far better than what we are resourced to provide on-premise.

The solution isn’t perfect, but we are working on it.  As an example, there is not yet a OneDrive app for OS X, although there is for your iPhone and iPad.  Patience… it is coming very soon, and you can always use the web based app to access your OneDrive.  At the moment this is also really designed to be storage for the individual, although you can share with others.  The next step will be to roll out SharePoint and Team Sites, which will open up another set of opportunities around group collaboration.

Some people may be critical of the fact that the data is in the cloud.    We have done our due diligence here and had discussions with a lot of experts, including privacy commissioners and legal counsel. I encourage you to read my other blogs and also look at the Office 365 collaboration tools page on the CIO website.   There is a lot of information that I hope alleviates some of those concerns.  Also check with your peers and you will begin to see a lot of people are already storing information in the cloud, unprotected by any legal contract that involves Queen’s.

At Queen’s we also have access to QShare, which is still a good choice for group sharing, but OneDrive takes web-accessible storage to new heights.  As well, many people have what they call departmental file shares or AD file shares.   The ITS Team is working on documentation to explain when you might want to choose one over the other.   Stay tuned.

So, we are excited.  I think the team worked really hard, in a compressed time frame, to introduce a great new collaborative tool in OneDrive at Queen’s.  It is a lot of storage, works really well and there will be more to come as we enhance this with new features and expand the suite of integrated collaborative services.

Let us know how you use it.  We are interested in hearing about the application of the service.

What the heck are those IT ‘guys’ doing anyway….

You may be tempted to complete that title with ….playing video games all day. In reality the bulk of the work done in IT organizations is done behind the scenes, and that work is becoming increasingly complex and demanding, and there is very little ‘extra’ time in the day.  With the consumerization of technology it is becoming harder for the community to appreciate what the IT organization is doing, especially when it doesn’t seem to impact them directly.

Last week, at a CUCCIO meeting in Winnipeg, we heard David Barnard say that the broader community tends to focus on local optima, while the IT organization focuses on global optima.  This can lead to confusion and frustration, even though the two groups want the same thing.  It is because the perspectives differ that things appear to be misaligned.

Last weekend a big part of the ITS team and Finance were engaged in a significant upgrade to our Financial systems.  Not only were staff working around the clock on that weekend to try and minimize impact on the business, they were also in on a weekend a few weeks earlier to do a dry-run of the upgrade.  An incredible amount of work goes into upgrading these systems and there is an incredible amount of testing done to make sure everything works.  The community doesn’t like change and is reluctant to change process, so we end up supporting a number of workarounds and customizations.  To put it into perspective, this upgrade involved over 16,000 hours of work between Queen’s and IBM.  Think about that – that is close to 10 years of work, and it doesn’t fully account for all the effort.  That is just the effort tracked and recorded against the project budget.

Overall this was a really good upgrade, and we actually brought the system up early so that people could start using it first thing Monday morning.  Staff really care about what they are doing and the partnership between ITS, Finance and IBM worked very well.   That is not to say that everything was perfect, but if issues did not arise during the upgrade then the end result would not have been as good.

The team doesn’t really get a break now, because many of the same people that keep the lights on do double duty on the project.  Inevitably things will need to be fixed and tweaked as people start pushing the system over the next while.  In addition, more work will be starting on Campus Solutions (student) and HR shortly.  We need to upgrade these systems in order to add functionality, fix problems and ensure we continue to have a system that is supported by Oracle.

The expectation of technology today is that it just works and we probably don’t resource our teams to align with that expectation.  People are focused on what is in front of them and if it doesn’t work, that is what is fresh in their minds.  Every once in a while we need to step back and appreciate all the effort that goes into making things work, because for every problem that people talk about there are 10 good stories where staff went above and beyond.

Thanks to all for a great upgrade.

Am I accountable for protecting Personally Identifiable Information?

Last week, one of our team pointed to a blog post about a ruling from the Public Service Labour Relations Board (PSLRB).  I really liked this very short synopsis of the ruling. The blogger highlighted the lack of concern from the employer for the privacy of the employee when investigating the improper handling of corporate documents.  I think this is critical and we need to ensure we “create and administer a protocol that governs non-routine access to system information and non-routine system monitoring”.  However, of more interest to me is the heart of the ruling around the severity of an employee having ‘restricted’ corporate documents on a personal email account.  Dismissal is a significant outcome and I wonder how prevalent these activities are, and whether people are really informed about the risks associated with some of their behaviours.

In this particular case the employee had sent files to their personal email account that related to a job competition and contained personally identifiable information (PII).   The PSLRB upheld the decision to discharge this individual for a “serious breach of trust that caused the employer embarrassment”.

The first problem here has to do with the use of email to send documents with personally identifiable information.  It doesn’t matter if it was corporate email or personal email. Was the message encrypted? Was there an attached file, and was that encrypted?  Was the employee using the information on a personal device, and was that password protected and encrypted?  I think a lot of people are aware of and concerned about privacy, but do they have a good understanding of what their role is in protecting PII on a day to day basis?  I also wondered if the corporation had a clearly stated and operationalized policy about sending files with PII over email.

The second problem is the use of a personal account.  How many people use their personal Dropbox account, or even personal email accounts that have cloud storage attached to them, to store corporate files?  In Higher Education I think this happens more often than we might like to admit.  These personal accounts tend to have very loose contractual agreements in place.  It is normally not clear who owns the information and what sort of accountability there is if the information is lost, stolen or breached.  When we undertook moving to a cloud email solution there was extensive effort in developing a Privacy Risk Assessment, reviewing and rewriting contracts to ensure information was safe and that we had an avenue to litigate if there were any issues.

At the end of the day there has to be some onus on the part of the employee to understand the risks associated with their behaviours.  It is also fair to expect the employer to ensure the proper tools and policies are in place and understood. An interesting ruling that I think needs to be more socialized, to help raise awareness and accountability.

Robots and teleconferencing

Have you ever been involved in a video conference or teleconference and felt that something was missing?  You were glad you were having the meeting without travel logistics and costs, but you were left with a feeling that your points, or the remote participants’ points, were not being fully understood.  The technology was getting you closer, but it was not the same as the face-to-face experience.  There is something new and interesting out there from Double Robotics, and the price point makes it accessible.

I was on a regular Google hangout with some colleagues last week, and Brian Paige (CIO – Calvin College) and Pete Hoffswell (Network Manager – Davenport University) wanted to show us something “new and interesting”.   Our bi-weekly conversation is always engaging and fascinating, but this particular one really got me interested and excited and there were lots of questions from my peers on the call as well.  Brian and Pete showed one of Double’s telepresence robots.

Not only is the robot a ‘cool’ piece of technology, I really think it has some very practical applications.  Like a lot of technology it is not the ultimate solution, but it is a step toward that elusive state.  There isn’t much to it, but sometimes simplicity brings the best ideas forward.   It is essentially a talking head, but the head (an iPad) sits on a stick that is attached to a small Segway device.   The remote individual whose head shows on the iPad can steer the device remotely.  It makes use of the front and back camera. One is downward facing to allow it to see the environment and steer correctly.

So, imagine you have a speaker at an event and instead of them being projected on the screen they can now move around on a stage, similar to what a face-to-face speaker would do.  At Calvin they even hung a t-shirt on the robot to add more personality to the device.  I think the point is that the Double device already has more personality than a screen image and we are already interacting with it differently.  Imagine a boardroom meeting where the remote participant actually wheels into the office and pulls up to a spot around the table.  It isn’t a perfect substitute, but I would love to watch and see if the dynamics change.

In terms of accessibility I also think there could be some interesting opportunities.  The device is small and can go to many places that others may not be able to go because of physical restrictions.   I wonder how meeting participants would react to the device, and whether their reactions to it would be different than their reactions to individuals with or without various accessibility issues.  I don’t know the answer to that,  but I would be curious to learn more about how the device is being used in different sorts of situations.

After the call I got thinking about how Queen’s could use the device.   Calvin was using it in Education to bring remote student teachers into small group meetings.  I could see our School of Business using this for a lot of their remote teaching, which relies heavily on building a personalized experience.  How does this fit into our active teaching initiatives?  What could be done in Health Sciences?   Could we do remote rounds?

These devices are mobile, the price point is reasonable, I think people would find lots of interesting things to do with this, and it is fun!  I would love to have one of these around for people to play with.

The demise of XP

Last week you may have read that Microsoft ended extended support for the Windows XP operating system.  You may be wondering why they did that and what it means for you.

XP was originally released in 2001, growing out of Windows NT.   It has had a long life for an operating system and has been superseded by things like Vista, Windows 7 and now Windows 8.x.   XP stopped shipping on desktops around 2008 and on laptops shortly thereafter.

Once a product is “end of life”, security updates are no longer released and, over time, vulnerabilities appear and the security risk of running that Operating System (OS) increases.   XP has been widely adopted around the world and it exists on millions of systems.   These systems include desktops, but also other devices such as lab equipment.  You may not even know a device that you use has a built-in copy of XP.

Here at Queen’s we started identifying Windows XP systems many months ago.  When people go through our portal or our Active Directory we can identify their OS, and ITS has been using this information to contact individuals and offer them assistance to update their systems.  At Queen’s we have a campus agreement that allows individuals to upgrade their operating system at no additional cost, and there is also a home use license.  There is a cost in the effort, and we provide that support.  This has been very successful and we have updated many systems.

We know we have not captured all of the XP systems on campus and this is something we need to address. We do have the ability to do scans of the network, at a point in time, which will identify XP systems.  This is something that we are looking at doing and then extending the offer to upgrade those systems, where possible.  In some cases the hardware will not let us do an upgrade, and that brings up a new set of questions.

As time progresses the security exposures are going to get higher and we are going to need to look at this more prudently.  We might decide to put systems behind firewalls, or we might decide to partition them from the network.  In some cases we are going to have to retire these systems.  The risk to other users on the network will become too high.

At the moment we do have the ability to partition systems from the network, based on their Operating System, but it is a time consuming, manual process.  We are exploring new services that allow us to dynamically scan and partition devices based on a set of predefined and accepted parameters.  Memorial University decided that, after April 8th, they will no longer allow XP systems on their network.

The end-of-life for Windows XP has brought these discussions to the forefront, simply because of the widespread use of that specific OS.  There are also other computers or devices running outdated versions of Linux and Mac OS that have equal or higher risks and we need to address these.  If you are still running XP, get in touch with the help center.
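The identification step described above (finding end-of-life systems from directory data, grouping them for outreach, and noting which ones have not been seen recently and should be confirmed by a point-in-time scan), as an added example that is not Queen’s ITS code. It assumes a CSV export of computer objects with `Name`, `OperatingSystem`, `LastLogonDate` and `DistinguishedName` columns, such as an Active Directory export would give; the sample rows, hostnames, OUs and the list of unsupported OS prefixes are all constructed for illustration. It generalizes slightly beyond XP to any OS prefix the organization has decided is unsupported, since the post also mentions outdated Linux and Mac OS versions.

```python
"""Flag unsupported operating systems in a directory inventory export.

Added example (not Queen's ITS code). Assumes a CSV export with the columns
Name, OperatingSystem, LastLogonDate, DistinguishedName, such as one produced
by exporting Active Directory computer objects. The sample rows and the list
of unsupported OS prefixes are constructed for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample export: hostnames, OS strings and OUs are invented.
SAMPLE_EXPORT = """Name,OperatingSystem,LastLogonDate,DistinguishedName
LAB-PC01,Windows XP Professional,2014-04-02,"CN=LAB-PC01,OU=Chemistry,DC=example,DC=edu"
LAB-PC02,Windows XP Professional,2013-09-15,"CN=LAB-PC02,OU=Chemistry,DC=example,DC=edu"
ADMIN-07,Windows 7 Enterprise,2014-04-07,"CN=ADMIN-07,OU=Finance,DC=example,DC=edu"
MIC-CTRL,Windows XP Embedded,2014-04-01,"CN=MIC-CTRL,OU=Physics,DC=example,DC=edu"
WEB-OLD,Mac OS X 10.5,2014-03-30,"CN=WEB-OLD,OU=Finance,DC=example,DC=edu"
DESK-12,Windows 8.1 Enterprise,2014-04-08,"CN=DESK-12,OU=Physics,DC=example,DC=edu"
"""

# Assumption: OS name prefixes the organisation treats as unsupported.
# Vendor support for Windows XP ended on 2014-04-08; the Mac OS X entry is a
# placeholder for the "outdated versions of Mac OS" the post mentions.
UNSUPPORTED_PREFIXES = ("Windows XP", "Mac OS X 10.5")


def _parse_date(text):
    """Convert 'YYYY-MM-DD' to a date object."""
    y, m, d = (int(p) for p in text.split("-"))
    return date(y, m, d)


def parse_inventory(text):
    """Parse the CSV export into a list of dicts, converting the logon date."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["LastLogonDate"] = _parse_date(row["LastLogonDate"])
        rows.append(row)
    return rows


def org_unit(distinguished_name):
    """Return the first OU component of a distinguished name, or 'unknown'."""
    for part in distinguished_name.split(","):
        if part.startswith("OU="):
            return part[3:]
    return "unknown"


def find_unsupported(records, prefixes=UNSUPPORTED_PREFIXES):
    """Return the records whose OS string starts with an unsupported prefix."""
    return [r for r in records if r["OperatingSystem"].startswith(prefixes)]


def outreach_plan(records, as_of, stale_after_days=30):
    """Group unsupported hosts by OU for departmental outreach.

    `as_of` is a 'YYYY-MM-DD' string. Hosts not seen for `stale_after_days`
    are marked 'stale': they may already be retired, or may be devices that
    only appear occasionally (lab equipment), so a point-in-time network scan
    is the better way to confirm them.
    """
    cutoff = _parse_date(as_of) - timedelta(days=stale_after_days)
    plan = defaultdict(list)
    for r in find_unsupported(records):
        status = "stale" if r["LastLogonDate"] < cutoff else "active"
        plan[org_unit(r["DistinguishedName"])].append(
            (r["Name"], r["OperatingSystem"], status))
    return dict(plan)


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_EXPORT)
    for ou, hosts in sorted(outreach_plan(inventory, "2014-04-08").items()):
        print(ou)
        for name, os_name, status in hosts:
            print(f"  {name:<10} {os_name:<26} {status}")
```

The `stale` flag matters in practice: a host that has not authenticated to the directory in a month is either gone or is exactly the kind of embedded or lab device the post warns about, and only a network scan will tell which.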

Responding to faculty questions on moving to the cloud

This past Friday, I attended a meeting of the Faculty of Arts and Science’s Faculty Board to discuss a direction around Queen’s collaborative tools.  This was an opportunity for me to hear what the community was thinking, and the feedback and questions were very helpful.  The issues around  collaborative tools and moving them to the cloud are complex and there has been a lot of discussion amongst my peers in CUCCIO over the last two years, and during consultation with experts in the field.    In this post I would like to elaborate on some of my responses to questions raised, to ensure I have understood the issues and that we are appropriately addressing the questions.   I hope this is of value to the larger community.

Prior to the meeting we distributed the notes listed on the Queen’s Wiki for the Faculty Advisory Committee.  These are just brief summary notes.  There have been discussions about this at the CIO Faculty Advisory Committee, and we have posted additional information resources on the Wiki listed above.

Proposition: Queen’s wants to equip faculty and staff with a suite of contemporary e-collaboration services to support the teaching, research and administrative activities of our University as it operates on a global stage.

Question Responses:

I have paraphrased a number of these questions to try and group them and better answer the questions in as concise a way as possible.

Q.  Why is this free and what is preventing Microsoft from changing the model?

A.  I think Microsoft sees an opportunity to capture long-term clients with their student offering.  Advancement now offers “email for life”, so once a student graduates they will be able to continue using their existing Queen’s account.   The rules change at that point, but there is some appeal to this as you get to keep your identity, correspondence, documents, and contacts.   Initially, the Faculty and Staff offering did not have the same model, but given competition it is now offered free as well.  In the interests of transparency, we have extensive dealings with Microsoft, including a campus agreement for  software including Office, Operating System upgrades, and Client Access Licenses.

The contract will stipulate that Queen’s continues to own all of the information on O365, so if the model were to change down the road we could migrate to another platform.  This is similar to how faculty and staff migrated from an older email environment to Exchange a couple of years ago.


Q.  Are there tools that allow me to encrypt my email messages?

A. The notion here is that some of an individual’s email is more sensitive and requires a higher level of protection.  I think it is important to note that existing practices do not necessarily take this into consideration.   We believe people currently use email to send some information that probably should be encrypted, and it is important that we begin to resolve this.

Under O365, all email sent between your end device and Microsoft is encrypted by default.   We are exploring options to allow individuals to encrypt specific messages.  There are tools within Outlook that allow you to do this now.   You essentially set up a trust relationship with someone else by sharing a private key.   We are exploring these options in addition to others.  Convenience, lost keys, and interacting with people at sites that do not support this are issues that will need to be addressed. This is something that we need to do, irrespective of our solution.

Currently, many pieces of software such as Word, Excel, and Adobe PDF also allow you to protect them by adding passwords.  There is an overview available on the Microsoft site.  As a reminder, this is about more than just email, and it includes storage.  We are watching what our peers are doing and considering a hybrid solution that makes use of public cloud storage, as well as private cloud storage (at Queen’s) for more sensitive information.  We will continue discussing this and looking at potential joint opportunities.  As we develop more answers to this we will provide links to online resources.


Q.  How will this decision be made?

A. We are working on establishing a sound governance structure in line with the IT@Queen’s review.  We have put an Administrative Systems Steering Committee in place to oversee administrative systems.  The Student Learning Experience Task Force (SLETF) has recommended a new governance group that will oversee educational technology.  The piece still missing is the IT Oversight Committee.  In its absence we are using a series of advisory groups and meetings to get feedback.  In the absence of this IT Oversight Committee, the final decision for moving faculty and staff collaboration services to the cloud should rest with the University’s Operations Review Committee (ORC) and the Vice-Principals’ Operations Committee (VPOC).

Q.  Will I have to learn something new?

A.  The transition of email for the end user will be seamless since everyone is already in an Exchange environment.  You can continue to use Outlook if you wish.  If you use another desktop email tool, there may have to be a few changes, but the affected community is very small. That being said, O365 is more than just email and there will be new services available for those who choose to adopt them.


Q.  I have seen situations where there have been issues with cloud services being down for extended periods of time.   There was a specific reference to blacklisting.

A. In the contract with Microsoft there are specifics around the Service Level expectations, and the uptime guarantees are significant (99.9% of time, I believe).  These cloud solutions are far more robust than what we can build and maintain in-house.  The economies of scale of large data centers like the one in Quincy, Washington are game changers in terms of reliability and uptime.

Blacklisting is a situation where a service, like Queen’s email, is identified as doing harm, possibly by sending out spam, so it is blocked by other service owners.  This happens frequently and is very challenging.  If a user responds to a ‘phishing’ attempt, their account can become compromised and is used to start sending out spam.  This happens more often than you may think.  We see fewer problems now, but we still expend resources to throttle accounts and do manual intervention with end users to try and stop it before Queen’s is put on a blacklist.  This is costly when we are working with constrained resources.  With the Student O365 we have not seen any issues with blacklisting, and we believe the spam filtering is more robust than our in-house solutions and students are seeing less phishing.
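The compromised-account pattern described above (an account that normally sends a handful of messages suddenly blasting mail to large recipient lists) is what an outbound-mail monitor has to catch before the domain lands on a blacklist. The following is an added example of that detection logic, not Queen’s ITS or Microsoft code. It assumes a simplified outbound log line format (timestamp, sender, recipient count, subject) that is constructed for illustration; real Exchange or O365 message-tracking logs carry different fields, so the parser would need adapting. The sender names, thresholds and log lines are all invented.

```python
"""Spot an account bursting outbound mail from a simplified outbound log.

Added example (not Queen's ITS or Microsoft code). Assumes log lines of the
constructed form:
    <ISO timestamp> sender=<address> recipients=<count> subject="<text>"
Real message-tracking logs have different fields; adapt LINE_RE accordingly.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>\S+) sender=(?P<sender>\S+) recipients=(?P<rcpts>\d+) '
    r'subject="(?P<subj>[^"]*)"$'
)

# Constructed sample: one normal user, and one account that starts sending
# to large recipient lists mid-morning (the assumed post-phishing behaviour).
SAMPLE_LOG = """\
2014-03-03T09:00:12 sender=alice@example.edu recipients=2 subject="Re: meeting"
2014-03-03T09:05:40 sender=bob@example.edu recipients=1 subject="Lunch?"
2014-03-03T09:30:01 sender=alice@example.edu recipients=3 subject="Agenda"
2014-03-03T11:02:00 sender=bob@example.edu recipients=50 subject="You have won"
2014-03-03T11:02:07 sender=bob@example.edu recipients=50 subject="You have won"
2014-03-03T11:02:15 sender=bob@example.edu recipients=50 subject="You have won"
this line is malformed and must be skipped
2014-03-03T11:02:22 sender=bob@example.edu recipients=50 subject="You have won"
2014-03-03T11:02:30 sender=bob@example.edu recipients=50 subject="You have won"
2014-03-03T14:10:00 sender=alice@example.edu recipients=1 subject="Thanks"
"""


def parse_log(text):
    """Return (timestamp, sender, recipient_count) for each well-formed line.

    Malformed lines are skipped rather than aborting the whole analysis.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m.group("sender"), int(m.group("rcpts"))))
    return events


def find_bursting_senders(events, window_minutes=10, max_recipients=100):
    """Return {sender: peak recipients in any window} for senders whose
    recipient total inside a sliding time window exceeds max_recipients.

    One pass over the time-sorted events with a per-sender deque of recent
    messages: each event is pushed once and popped once, so the scan stays
    linear even over a large day's log.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # sender -> deque of (ts, rcpts) in window
    in_window = defaultdict(int)  # sender -> recipient total in window
    flagged = {}
    for ts, sender, rcpts in sorted(events):
        q = recent[sender]
        q.append((ts, rcpts))
        in_window[sender] += rcpts
        # Drop messages that have aged out of the window.
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            in_window[sender] -= old
        if in_window[sender] > max_recipients:
            flagged[sender] = max(flagged.get(sender, 0), in_window[sender])
    return flagged


if __name__ == "__main__":
    for sender, peak in find_bursting_senders(parse_log(SAMPLE_LOG)).items():
        print(f"throttle candidate: {sender} ({peak} recipients in 10 min)")
```

The window and threshold are tuning knobs: a departmental mailing list owner legitimately sends to hundreds of recipients, so in practice the threshold is set per role or the check is paired with a sudden change from the account's own baseline, which is why the function reports the peak rather than just a boolean.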

Q.  In the notes, what items on page two are mitigated and what items are a real concern?

This is a very complex question.  A short answer is that outstanding issues will be addressed in the Privacy Risk Assessment and the contract.  Accountability for information on our systems can never be outsourced.  It is my role to ensure that we make an informed decision based on a clear and full understanding of all of the risks.  Given that 90% of Fortune 500 companies use Lync (one of the O365 tools), adoption of O365 in the risk-averse corporate sector is quite high, which I think we can take as reassurance.

• Data ownership is lost…

We continue to own the information and this is stipulated in the contract.

• “They” will mine our data…

Microsoft  is contractually obligated to not do this. This changes on the student side when they move to alumni Email.

• It is not free – there will be advertising that I’ll see…

The Contract stipulates that there will not be any advertising.   This changes on the student side when they move to alumni Email.

• We lose our ability to fulfil University obligations related FIPPA compliance…

We have tools available that allow us to fulfil our obligations related to FIPPA.

When looking at the next set of concerns we need to ensure that we consider the overall risks, including such things as capacity, reliability, accessibility, and security beyond just privacy.  We also need to look at what the existing risks are and evaluate whether moving to O365 changes this risk profile.  My comments above about encryption highlight challenges that exist irrespective of the solution adopted.  The Privacy Risk Assessment is meant to capture and assess the whole picture.

• We lose Ontario and Canadian law protections…

The contract is written in Ontario and Canadian laws apply.

• There are less stringent privacy laws in the US…

We use the contract as a way to mitigate concerns in this area.

• Canadians are deemed foreigners and not protected by US law…

There are many issues around jurisdictional boundaries that come into question when dealing with a global community.  The contract is written in Ontario and Canadian laws apply.  Given what we have seen in the media about surveillance we believe this point is moot.  In global collaboration systems documents are at rest in a variety of jurisdictions.

• The Patriot Act is a problem…

Experts, including David Fraser (legal) and Ann Cavoukian, have commented on this and compared it to similar legislation here in Canada.  This similarity and sharing of information between Canada and the US was commented on by a member of the Faculty Board in the meeting.  It is our conclusion that it is not likely to change the risk profile from what we currently have.

• Government surveillance programs in Canada, USA, and elsewhere make this a less secure option…

Government surveillance is a broad concern.  It is the view of people like David Fraser and Ann Cavoukian that keeping our e-communications systems in-house does not improve the risk profile.  See the quotes at the end of the notes in the wiki. It is our view that O365 is more secure than our existing Exchange environment.

• Vendor complicity with NSA – surveillance, etc. – could be a problem…

It is safe to say that the last thing Microsoft wants to see is a story about them being complicit with the NSA.  The cost for them would be very high.  There is a blog post that gives some insight into their thoughts and perspective:

• Internet hardware operated by vendors cooperating with NSA, etc. could also be a problem…

See above.

• Encryption compromised by NSA, etc. could be a problem…

This would open up problems across the board, not just O365.

• ITS and/or Microsoft employees will have inappropriate access to email…

Staff all sign Non-Disclosure Documents.  There are some responses to this question towards the end of this FAQ.

If I have missed any of the questions, or you have additional questions, please let me know:

Is culture impeding security?

Have you ever questioned how effective we are at doing our job, when you see all these reports coming out about servers being hacked and personal information being lost?   We are certainly aware of these reports and take them seriously.  It seems like there is a new one every day.  Recently it was announced that Target lost the personal information of tens of millions of people.  This is stunning.  Higher Education is not immune, and has its fair share of attacks.

In some cases, attacks are becoming more sophisticated, while in other cases, brute force processing power is used to find weakness.  Last week I was talking to some of my peers in the U.S. and we had an interesting discussion on why these attacks seem to be happening more frequently and what we are doing about them.

We bounced around a few ideas we had heard elsewhere, and three things surfaced:

The culture of hoarding:  We simply keep too much information.  We need better record retention strategies and we need the policies in place to make sure people follow them.  In our information age, the days of trusting that individuals have the skills, judgment, and capacity to manage this are long gone.

The culture of frugality:  We need to invest more.  In higher ed we sometimes lag in having the proper governance structures in place to be able to make the tough decisions on where resources are needed and what the priorities are.  It is hard to commit new investments when funding is being cut and tuition is regulated, but we need to look at the whole picture.   Information Technology is an integral part of the university and we need to stop treating it as a cost centre.  Our investments need to be strategic and effective.  In some cases this means looking at the cloud, which means we need to overcome the perception that information in the cloud is less secure.  This is not necessarily true and in many cases cloud security is significantly better and more cost effective than what we do today.

The culture of service:  This was the one I found the most interesting and one I had not thought a lot about.  We are moving more and more to a culture of service and trying to deliver whatever our community needs.  As we do that, we may not be emphasizing security as much as is probably needed and we are likely compromising. The stress on this service culture is partly to build up trust and to avoid too much shadow IT in the organization.  Some of that shadow IT is healthy, but we do need to ensure we invest where the value add is and make certain that security is well understood and implemented.  On top of this, the university ‘network’ has also been thought of as a fairly free and open environment, and that adds to the risk and means we need to be more diligent.

Back to the question of whether we are doing our jobs.  Simply put, yes. I know we take the threats seriously, have many mitigation strategies in place and invest a lot of resources. I also feel that the cultures of hoarding, frugality, and service are making it a more challenging endeavour.   We need to engage the community, build a better understanding of the risks, make sure proper policies and tools are in place and back this up with effective investments.  We need to consider all options, because this is only going to get more challenging.

Security – Everyone’s Responsibility

When was the last time you forgot your laptop or phone at a coffee shop, bookstore, library, or restaurant, only to find it still sitting where you left it when you rushed back in, panicked, a few minutes later?

When was the last time your car, office, or home was broken into and something was stolen, but you weren’t sure what?  These are places you think are secure, perhaps even alarmed, but were still vulnerable.

We usually think of something like this in terms of what we would have lost (“my whole life is on that phone!”) rather than what someone else might have gained.  But was there a USB key sticking out of your laptop?  Is your phone password-protected?  Is someone else’s personal information on any of your devices?  Can these devices be used to access other systems?

When we relax our attention, these thefts are more frequent and other security threats become more prevalent.  We need to build awareness and ensure we have the resources to build prevention into our technologies and services.

Most people in our communities are unaware of the massive number of attacks that occur behind the scenes on our systems.  Occasionally, an individual may get caught in a phishing attempt, or maybe they get a virus or malware on their personal computer. These threats are only a fraction of the threats out there and even though the personal costs may seem significant for those impacted, the cost of prevention and remediation to the organization as a whole is a significant part of our operations today.

We need to be aware of these threats and we all need to ensure we do what we can to help identify and prevent them.

In terms of email we see an incredible amount of spam and malware coming to our border.   At Queen’s, we might see about 14,000,000 incoming messages in a given month and close to half of those messages are intercepted at the edge and rejected as spam.  The University purchases and maintains special hardware to make sure the vast majority of these messages don’t make it to your inbox.

Through public education, the community is becoming more aware of phishing attempts and usually ignores them, but accounts are frequently compromised and Queen’s has to expend considerable resources to mitigate the risk that these accounts pose.  Occasionally these accounts send out massive amounts of spam.  ITServices has to keep scripts in place to identify and throttle these accounts before Queen’s is blacklisted and our email systems come to a crawl.   Information can also be stolen from these accounts and the costs to repair that are hard to quantify.  At the moment we only scan Queen’s outgoing email for spam, but there are tools that scan outgoing email for things like SINs and credit card numbers and prompt the user to double-check before the message goes out.
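As an added illustration of the kind of outbound scan described above (example code written for this post, not a tool Queen’s or ITServices uses), the snippet below looks for SIN- and card-shaped numbers in a message body and keeps only those that pass the Luhn checksum, which both Canadian SINs and payment card numbers use; the sample message and all numbers in it are constructed test data.

```python
import re


def luhn_ok(digits: str) -> bool:
    """True if a digit string passes the Luhn checksum.

    Canadian SINs and payment card numbers both carry a Luhn check digit,
    so candidates that fail it are almost always something else (ticket
    numbers, phone numbers) and can be dropped to reduce false positives.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Candidate shapes: 9 digits in three groups (SIN); 13 to 16 digits with
# optional space/dash separators (card). The \b anchors stop a 16-digit card
# from also being read as a SIN embedded inside it.
SIN_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def find_confidential(body: str) -> list:
    """Return (kind, matched_text) pairs for each SIN or card number found."""
    hits = []
    for m in SIN_RE.finditer(body):
        if luhn_ok("".join(m.groups())):
            hits.append(("SIN", m.group(0)))
    for m in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            hits.append(("card", m.group(0)))
    return hits


def outbound_check(body: str) -> dict:
    """Decide whether a message should be held for the sender to confirm."""
    hits = find_confidential(body)
    return {"hold": bool(hits), "findings": hits}


# Constructed sample message: 046 454 286 and 4111 1111 1111 1111 are
# well-known documentation/test values; 123 456 789 fails Luhn on purpose.
SAMPLE = ("Hi, as requested my SIN is 046 454 286 and the card number "
          "4111 1111 1111 1111 can be charged. Ticket ref 123 456 789.")

if __name__ == "__main__":
    print(outbound_check(SAMPLE))
```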

This isn’t unique to Queen’s and in the last few days we have seen the following posts at Western and Carleton, reminding the community about threats.

At Queen’s, we also run an intrusion detection/prevention system on our network.  Between January 14, 2013 and January 14, 2014 we blocked just under 20,000,000 ZeroAccess bot connection attempts.   ZeroAccess is a type of Trojan horse malware that affects Windows systems.  In addition, we blocked over 700,000 ICMP Nachi-like ping attacks, which come from a family of worms that attack systems.

There are thousands of other attacks and the threat is significant.

On top of the intrusion detection system, we need to ensure our services and servers are not vulnerable to these attacks and exposures.  In 2013, Queen’s did 231 security assessments, some with external resources and some with internal resources.  These take a lot of time, but they are preventive in nature and well worth the mitigation that they deliver.  We plan for these assessments to be done on new services as well as services that have undergone upgrades.  We also monitor what is happening elsewhere and assess where we feel there may be heightened risks.

In addition, we have numerous compromises that we have to deal with on an emergency basis.  The assessment, mitigation, and recovery take significant effort.  Not all of these compromises are preventable, but education, knowledge, and awareness do come into play.

I hope this information has increased some awareness around the number of threats that Queen’s faces and reinforced the notion that security is a concern for all of us.  We need to have strong policies in place, make sure there is user-awareness, that individuals have access to the tools they need, and that we invest appropriately to prevent intrusions and their associated clean-up costs.

Acting AS THE Business

During the last couple of weeks I had the opportunity to spend time with my peers in Canadian higher ed institutions through CUCCIO (Canadian University Council of CIOs) meetings and through a Microsoft Higher Education Executive Briefing in Redmond, Washington.   This is always a great opportunity to share ideas, develop thoughts, establish common ground, and build partnerships.  In one of the background pieces for CUCCIO strategic planning discussions, the following comment sparked my interest:

“…exploring, understanding, addressing the transformation of Higher Education and the CIO role and how we can collaborate on what that looks like and how to effectively manage the change in our diverse and structured environments”.

This is something that we really need to ponder and figure out.  The role of the CIO is evolving in most sectors, as are the roles of the people employed in HE technology.  I don’t think it is anything more than the maturation of our organizations as a whole, and the maturation of the role that IT plays within that organization.   I have talked about this evolution before in various forums.  It is related to the notion that IT is embedded in almost everything we do, and because of that we need to embed IT decisions into the day-to-day business of the organization rather than having it as something over on the side that is only called upon on occasion, or worse yet, whenever there is a problem.   At the same time, I have also said that IT is an enabler and a partner.   I am beginning to rethink this a bit.  It is not that I think it is wrong, but maybe there is a better way to characterize this.  After all, it is not just about IT changing, it is also about the organization changing, so maybe we need to look at it from the other side as well.

A few months back my Associate Directors went to a development program through the Intervista Institute in Ottawa where they looked at IT Portfolio Management in a strategic sense.   One of the things that they discussed when they got back was the area around IT and business alignment.  It is absolutely critical to get to this alignment, but it is probably one of the hardest things to achieve.  Whether it is lack of engagement by the business, lack of understanding of the business by the IT unit, lack of resources, or lack of leadership/vision, it is hard to drive this sort of transformation.   At the end of the day it is no longer about producing good code, it is about improving business performance and having a shared vision around what that means.

In the development program, the Associate Directors looked at IT Credibility and Capability and laid it out in two very nice quadrant style diagrams.   In the bottom right of the Capability diagram was the traditional notion of Supporting the Business.  This is about cost and efficiency, which results in a delivery of Low Capability.  This is such a trap that we fall into.  IT becomes a cost centre and at the end of the day nobody is happy because we are not enhancing business performance, even if we say we are working efficiently.

The middle of the graph is where IT is Acting like a Business.   In this area we are starting to drive from efficiency to effectiveness and from cost to investment.  In this area we haven’t yet developed a balance and consequently we aren’t fully delivering on business performance and we haven’t maximized the IT capability.   I see this as a transitional piece – a place we have to go, but also somewhere in which the path forward is not always clear, and there is always the threat of falling into the efficiency/cost trap.

True alignment between IT and the Business is where we focus on effectiveness (as opposed to efficiency) and treat IT as an investment, rather than simply a cost.   The title of this quadrant is Acting AS THE Business.  IT may be an enabler and partner in this area, but it is also an integral part of the business.  Decisions about technology are no longer made in isolation and we measure business outcomes, not just cost efficiency.

I really like the three states that they describe:  Supporting the Business, Acting like a Business and Acting AS THE Business.  It certainly resonates with me, but I also think this is something that is stated in common language that can be understood by the technology group and the business.  I believe it lays out a clear path forward for us.  In a previous post I have talked about running our senior administration through the Info-Tech CIO Business Vision Survey, which is about understanding the business and measuring business satisfaction.  This is about driving alignment and trying to move us towards acting as the business.  At the moment I am going out to visit each of the people who have completed the survey and, upon reflection, I really think those visits are all about driving alignment and talking about getting IT to act as the business.