Ensuring Fair Access to the Campus Network

Ensuring Fair Access to the Campus Network

Robert Renaud

Ensuring Fair Access to the Campus Network

The steadily increasing demand for computing resources in universities and the limited ability of information technology departments to respond to that demand places information technology (IT) professionals in a difficult position as they attempt to treat their users consistently and fairly. Given the university's educational mission, priority needs to be assigned to the academic, rather than recreational, use of the campus network. At the same time, as the Internet becomes a common carrier for business transactions, entertainment, and communication, it is not realistic to assume that it will be used solely for scholarly purposes. The problem therefore becomes one of balancing scholarly and personal use, and of managing the campus network as a shared resource in a fair, predictable, and understandable manner.

Mark S. Bruhn, University IT Policy Officer, Indiana University, described his own experiences in "Fair allocation of scarce resources: policies and tools" and extracted lessons that could be used beyond his own institution. Certainly, the scale of Indiana University provides a large backdrop for this discussion. Indiana University consists of eight campuses, 120,000 students, staff and faculty, both commodity and Internet 2 connections, and a range of undergraduate and professional programs. Bruhn heads up an office whose responsibilities include policy development, incident response, disaster recovery planning, contracts, and network security.

Bruhn began his presentation by proposing some general thoughts on policy. First, policies need to reflect the values and philosophies of the organization. Second, IT professionals need to distinguish between service policies and institutional policies. Third, technicians should not be in the position of unilaterally making institutional policy. Fourth, auditors should not make policy. Finally, he suggested that existing institutional services, such as judicial processes, mediation services and even legal services, be applied as appropriate. Although it seems self-evident, this advice is sometimes lost in the heat of an event that places front-line technical staff in the position of making rapid decisions.

As an overall technology use philosophy, Indiana University applies a Facilitative Use Policy that "Taxpayers, students, and other sources of funding supporting technology resources at Indiana University expect that these assets will be used equitably and only in support of the University's missions of research, instruction and learning, and community service. Unrelated and inappropriate use reduces the amount of resource available to satisfy these missions." Bruhn accepted personal incidental use of campus computing resources as being inevitable and generally benign. The use of these resources becomes unacceptable at the point that "a user or process is consuming a resource to a level such that service to other users is degraded, or where the actions of a user could cause degradation if the user is permitted to continue their practice or activity". This commonsense approach recognizes that the Internet is a shared resource and that it needs to be managed to ensure fair access to all users.

The staff in Bruhn's unit work with other offices to ensure fair access to the campus network. Another office samples traffic captured from the campus Internet router to monitor inordinate consumptions of resources. When such events occur, the user is identified and is sent an e-mail requesting that he or she reduces personal usage. After three such notifications, the University IT Policy Office is informed so that a more forceful warning can be issued. Further offenses are reported to the Dean of Students for students, or the department head for staff. Bruhn noted that this procedure results in compliance in the vast majority of cases. However, by relying on existing institutional procedures, the process works within Indiana University's culture to manage compliance.

Like many colleges, Indiana University found its ability to manage computing resources fairly put to the test by Napster. In December 1999, users began to complain of sluggish response time. IT staff applied the Facilitative Use Policy outlined above, identifying high bandwidth users, and asked that they reduce usage. Further questioning revealed that the Napster application was the cause of this surge. Despite vigorous application of the policy, Napster use continued, consuming at one point 61 per cent of the campus community Internet connection. The failure of the normal communication process to alleviate the Napster problem led to the more drastic action of blocking Napster access on the campus network. Fortunately, the Facilitative Use Policy provided a solid foundation based on institutional policy for this action since Napster was a recreational application of little or no educational value. The pattern set by the policy also smoothed the path to community acceptance of the action. In fact, Bruhn noted minimal community reaction on the part of students, faculty, and staff, relative to the entire university community. Ironically, the action provoked broad media reaction outside the Indiana University community, as the Napster issue became front page news.

Since the initial surge of interest in Napster, Indiana University has actually worked with Napster to understand how the application works and how it affects network performance. It even restored access to Napster for a time before deciding again to block it the wake of legal action by the music group, Metallica.

Bruhn's presentation pointed to the wisdom of working within the university's existing policies, procedures, and institutional culture to ensure fair access to network resources. For harried IT professionals on the front line who at times feel under siege, his advice is timely and wise. By working to put in place clear policies grounded in institutional processes, they can be ready when the "next Napster" hits.

Building Bridges for Electronic Commerce

As government, private companies, and universities move increasingly towards Internet-based business relationships, the need to authenticate identities in a seamless, reliable, and secure manner becomes essential. The Public Key Infrastructure, or PKI, represents a set of standards, policies and practices that can provide this level of assurance. By creating "digital signatures", PKI creates the same level of assurance provided by a handwritten signature.

Since PKI has been defined in a flexible manner that can be adopted by a wide range of organizations, it may be implemented according to several models. For example, a company may implement it only within its own enterprise, thereby ensuring security, consistency, and control. Similarly, it can be implemented across an industry, as in the Automotive Network Exchange, to facilitate electronic commerce between trading partners with a community of interest. The broadest model allows consumers to interact with companies and other individuals. These models allow organizations to authenticate the identities of those interacting with them over the Internet. However, each implementation creates a boundary, or "stovepipe", that inhibits interactions with organizations beyond their boundaries. These models specifically pose challenges for large entities, such as federal government agencies, which represent both substantial enterprises and organizations that need to interact with each other. The session entitled "Federal and state PKI Bridge evolution: cutting across stovepipes" outlined the issues posed by this challenge and described approaches being developed to address it.

Richard Guida, Chair, Federal PKI Steering Committee, Federal Chief Information Officers Council, described a voluntary effort within the federal government to create a policy authority that cut across agencies. He emphasized that the resulting policy authority, the Federal Bridge Certificate Authority, or FBCA, was voluntary in nature and involved key charter members such as the Departments of Commerce, Defense, and Justice. Given its voluntary nature, and therefore its inability to impose solutions across agencies, it employs a non-hierarchical, peer-peer, approach that maps policies between agencies. This allows agencies to pursue approaches that best meet their needs while at the same time affording operability across agencies. Guida confirmed that this concept had been tested successfully in February 2000 and that full implementation would be pursued after Congress appropriated the necessary funding.

The same challenge exists at the state level. Robert F. German, Jr, Director, Policy and Strategic Planning, University of Virginia, and Shirley C. Payne, Director, Security Coordination and External Relations, University of Virginia, discussed efforts within the Commonwealth of Virginia to achieve PKI interoperability between different implementations. Whereas at the federal level the impetus for PKI arose out of the need to achieve efficiencies among huge government agencies, the driving forces in Virginia were that of ensuring the state's leading position as a center of high technology and that of delivering services to citizens in a leading edge and seamless manner. For example, the assurance provided by PKI provided a foundation for services such as driver registration over the Web.

Like the federal government, Virginia decided not to impose a single hierarchy, but rather to assume the existence of multiple PKI implementations within the state with their own policy authorities. It decided, as well, to focus on the issue of identity, that is, of ensuring that the individual engaging in a transaction was indeed the individual represented by the PKI certificate. Like the preceding speaker, Payne emphasized the need to emphasize open standards in bridging across PKI stovepipes and to attract, rather than compel, cooperation. She went on to emphasize the value of process reengineering, experienced consultants, and early involvement from auditors within organizations.

Since the Virginia project addresses the needs of individual citizens, it raises sensitive political issues. For example, Virginia Online Transactions, or VOLT, certificates provide assurance for electronic transactions that individuals are who they say they are. With this assurance, some ask why PKI could not be used to allow voting over the Internet. However, suspicions that online elections might somehow be cracked by a hacker or even worse by a government agency, despite the low probability of this from a technical point of view, point to deep underlying issues of perception and trust. As a result, Payne emphasized the need for simplicity in the early implementation phase and to avoid unnecessarily sensitive areas such as electronic voting until the value and reliability of PKI is established in the public mind.

This session provided an excellent, organized view of how PKI stovepipes are being bridged and how political, as well as technical, issues play a role in the success of implementations.

A Case Study in Integrating Media Services

Providing reliable and "seamless" access to media, such as microforms, video and film, has long posed challenges for libraries. The types of equipment needed to access these media are typically costly, difficult to use, and in need of specialized staff expertise. The staff needed to support faculty and staff users can be hard to recruit and retain. The responsibility for providing equipment and media is often split between different departments, adding to the complexity of service delivery. Finally, rapid changes in multimedia technology frustrate efforts to plan space, services and staffing levels.

One poster session, "Creating Dartmouth's Jones media center: from concept to vision to implementation", provided an honest and complete case study of the technical and organizational dynamics surrounding an effort to integrate equipment and media in a new library building. Michael J. Beahan, Director, Instructional Services, and Ridie Wilson Ghezzi, Reference Bibliographer, of Dartmouth's Berry Library, compiled the poster session and guided conference attendees through their materials.

Like many colleges, Dartmouth had in the past divided the responsibility for the media services function between two units. The Instructional Services division of Computing Services supported departments, programs, and offices, assisted faculty with classroom-based technology, and worked with external conferences, institutes, and other public events. The Jones Microtext Center, part of the reference department of the Baker Library, provided access to the College's holdings in microfilm, microfiche, and other micro formats. Jones also had a small collection of videos placed at that location for reserve by faculty. Instructional Services remained the primary source of video and other media-related services at Dartmouth.

In 1993 Dartmouth's president created a task force to consider the future of the library. As the college prepared to plan for a major addition to the Baker library, the president wanted the college community to think creatively about how the new building could facilitate better access to scholarly information. Given the increasing convergence of information technology and library services, he specifically asked the task force to think about how the library and computer services could deepen their collaboration in pursuit of this goal. The new space promised by the addition also raised the question of whether computer services might move into the expanded structure.

From the outset, Instructional Services recognized the potential value of becoming part of the library. This move promised to make visible to the college community a large collection of videos, for example, that were not part of the library's on-line catalog. Discussions therefore focused on creating a media center that would not discriminate between types of media and which would serve to integrate media into the larger collection building efforts of the library.

As planning for the addition progressed, a media center became a program element in the overall space planning project. However, the larger question of integrating other segments of computer services into the new structure remained. In the spring of 1997, Dartmouth's provost resolved this issue by asserting that administrative computing, instructional services, the repair shop and the computer store should not be located in the library. At the same time, he indicated that the audio and video collections, and the staff to support them, should move to the Jones Media Center. Interestingly, other media, such as slides and film, would remain in Instructional Services. These statements provided a framework for library planners.

With a basic direction set, planners worked with architects to define the location and layout of the center. As so often happens, a discussion occurred with regard to which floor to locate the center. At first, the center was to be located on the first floor in order to enhance its visibility. However, as planning progressed, the center moved to the second floor. Since the media center was a completely new service point, discussions also took place with regard to exactly what services would be offered. A task force addressed these questions in the winter of 1998. Planners also used focus groups composed of heavy users of media services to gauge needs and expectations. After the fall of 1998, group meetings began to involve the media center's future staff in detailed discussions of services, site visits were conducted, and job descriptions were written. The pace of these meetings increased as the planned opening of September 2000 approached.

Beahan and Ghezzi were wonderfully honest about the bumps on the road to the opening of the Jones Media Center. For example, the library administration was surprised to learn in the summer of 2000 that a critical staff position had not been funded. Beahan and Ghezzi describe the cliffhanger that ensued. Some services formerly provided by Instructional Services were not carried over to the new media center, confounding the expectation that the transition would be "seamless" relative to past service levels. The actual opening of the center was delayed due to project construction delays. Staff discovered that they needed to physically secure equipment after the opening of the center because locks had not yet been installed in doors! Nevertheless, the long years of planning paid off as the new service point began life.

The poster session had been prepared after the Jones Media Center had been open only for three weeks. This might in other circumstances have resulted in a presentation that was premature and unformed. In this case, it resulted in a poster session that was fresh and honest. The Jones Media Services staff intend to provide more information about their facility available over their Web site (http://www.dartmouth.edu/~library/mediactr/). They might also consider placing on that site the handout distributed at the conference. It contains an excellent narrative and set of lessons for planners working to integrate media services on their own campuses.

Robert Renaud is Associate Dean of Information Services, Charles E. Shain Library, Connecticut College, rren@conncoll.edu