James and Norah,
Below is the report from the Focus Groups I conducted this week:
Executive Summary of IT Security Focus Groups with Corporate, Consortia, and University Customers
May 9-11, 2011
Participants:
Sue Jones, The Dow Chemical Company, new CAP Member
Kristen Eilts, Archer Daniels Midland
Luray Minkiewicz, DuPont
Felice Maciejewski, University of Wisconsin Consortia
Cindy Clennon, CARLI Consortia
Jeremy Garritano, Purdue University
Chuck Huber, UC Santa Barbara, Former LAB member
Gwen Owens, Georgetown University
Corporate:
The situation as it exists now:
- IP authentication (hereafter IPA) is particularly troublesome for corporate customers given the frequency of acquisitions and divestitures
- Many so-called corporate librarians have NO relationship/connection to company IT
- Recently Dow, as part of a new business model, spun off a new company that uses Dow IP addresses while being a completely separate entity from Dow and therefore not eligible to access content Dow has paid for
- IPA makes it very difficult for the right people at large multinationals to have access
- IP addresses that companies like Dow provide are often the IP addresses of firewalls rather than users or buildings or departments so tracking the source of abuse is very difficult
Metrics/Abuse:
- Rather than being asked what regions are using what content, Dow senior management want to know what business units are using what content and this is difficult to provide
- Nature reports cumulative data year to date and they specify which journal titles go with which IP, which makes determining business units slightly easier
- The frequency of investigating abuse cases is extremely rare
- Full investigation of abuse is virtually impossible more than 24 hours after the instance
- Fully depend on vendors to monitor access and abuse
- Most effective way to prevent abuse: PEER PRESSURE – all employees are asked to thoroughly determine they need an article before downloading, and when someone abuses this it affects the entire working group
What we want:
- Dream solution: somehow magically connecting Dow users to content they’re entitled to by linking them through our People Database (so it doesn’t matter if they were former Rohm & Haas—now Dow—employees, on a mobile phone, or in Sweden)
- We NEED more clarity from vendors as to what is OURS when acquisitions or divestitures happen. If Dow expands from 15K to 20K thanks to acquisition, that new 5K should get access to what Dow has paid for now that they are employees
Post-cancellation
- We expect some kind of online solution. RSC does this now.
Consortia:
Authentication
- UW system – Milwaukee specifically looking to authenticate through ONE login/password/one authentication source for the consortia
- With CARLI, schools determine that on their own – there is no consortia-wide policy or mandate
Mobile/ebooks
- There is no groundswell yet for access via mobile devices as phones are too small and iPads/tablets are not yet ubiquitous
- Ebooks are the main topic that UW system is concerned with
- UW system is having a conference on ebooks → UW system plans on issuing a white paper on how it wants to deal with ebooks
- UW about to start determining policies on access via mobile devices
Metrics/Abuse:
- Abuse is monitored on the local level at individual institutions
- The consortium is notified but usually takes no action unless abuse is egregious
Post-cancellation access:
- Access ideally is on the existing platform with the same functionality/searchability that users had when the subscription was active
o Many allow continued use of the platform for canceled materials as long as SOMETHING from the vendor is subscribed to
- Some vendors provide online access with limited functionality
- Others fulfill the obligation by access via PORTICO – extremely limited
- CDs are not a solution.
- “Getting content via CD-ROM is like not getting the content at all.”
Universities:
Authentication/Abuse:
- Generally avoid VPN and try to use EZProxy because of security issues
- Biggest issue with users accessing content via proxy off campus is their security rights – if the source of abuse is off campus, legal department must give permission for that abuse to be investigated
- There is no educational moment around abuse – it's addressed after it happens
- Happens RARELY
Post-Cancellation Access
- PORTICO is considered an acceptable alternative to the platform – Springer has allowed UC system to access canceled content via PORTICO – functionality is limited but it's still online and not CDs
- Many vendors allow access to canceled content via their platform as long as customer is buying something
Best Practices:
- Chemical Abstracts’ method of dialing back functionality when abuse occurs (read-only) as a step 1 and then completely turning off access to the individual's login/password allows for triage
- They are more targeted/nuanced in their abuse monitoring – not so many people affected
- This also makes access to SciFinder Mobile easier too
Recommendations:
- Make note of EZProxy IP so that if that is the source of the abuse, access can remain on while university investigates—when proxy server is immediately shut off MANY people lose access – leave it on while the university sorts it out
o The ability to control this depends if control of IPs is at the library level or the university level
Questions from FG participants:
1. Is ACS planning on changing its license terms re: post-cancellation access?
2. Is ACS open to data mining research/projects on a case by case basis?
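The two practices called out under Best Practices and Recommendations above (stepping an abusive login down to read-only before disabling it, and recognising a registered EZProxy address so the shared proxy IP is never cut off while the institution investigates) can be expressed as a small decision routine. The following is an added illustration, not code from the focus-group report, from ACS, or from Chemical Abstracts; the log format, the IP addresses, the thresholds and the sample records are all constructed assumptions.

```python
"""Graduated abuse response over constructed access-log records.

Added example: vendor-side logic that (1) acts on an individual login rather
than on the IP when a credential is present, so nobody else behind the same
address is affected, and (2) treats a registered campus proxy (EZProxy) IP as
shared, handing the case to the institution instead of blocking the address.
The log format, addresses and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed: proxy addresses the institution has registered with the vendor.
KNOWN_PROXY_IPS = {"198.51.100.7"}

# Constructed thresholds, counted per (ip, login) over one batch of records.
READ_ONLY_THRESHOLD = 20   # downloads before a login is dialled back to read-only
DISABLE_THRESHOLD = 50     # downloads before the individual login is disabled


@dataclass(frozen=True)
class LogRecord:
    ip: str
    login: str    # individual credential, or "" when only an IP is known
    action: str   # "download" or "view"


def parse_log(lines):
    """Parse constructed 'ip login action' lines; a login of '-' means IP-only access."""
    records = []
    for line in lines:
        ip, login, action = line.split()
        records.append(LogRecord(ip, "" if login == "-" else login, action))
    return records


def decide_actions(records):
    """Map each (ip, login) that downloaded anything to one of:
    'allow', 'read-only', 'disable-login', 'notify-institution', 'block-ip'."""
    downloads = defaultdict(int)
    for r in records:
        if r.action == "download":
            downloads[(r.ip, r.login)] += 1

    decisions = {}
    for (ip, login), n in downloads.items():
        if n < READ_ONLY_THRESHOLD:
            decisions[(ip, login)] = "allow"
        elif login:
            # Credentialed access: step 1 is read-only, step 2 disables only
            # this login. The IP, and everyone else using it, stays online.
            decisions[(ip, login)] = (
                "read-only" if n < DISABLE_THRESHOLD else "disable-login"
            )
        elif ip in KNOWN_PROXY_IPS:
            # Shared proxy with no individual login: blocking the address would
            # take the whole campus offline, so leave access on and notify.
            decisions[(ip, login)] = "notify-institution"
        else:
            # Unregistered, IP-only source with no way to narrow the response.
            decisions[(ip, login)] = "block-ip"
    return decisions


# Constructed sample log: one batch of records from a single monitoring window.
SAMPLE_LOG = (
    ["203.0.113.9 - download"] * 60         # IP-only burst from an unregistered address
    + ["198.51.100.7 - download"] * 60      # same size burst through the registered EZProxy
    + ["198.51.100.7 jdoe download"] * 25   # credentialed user, moderate volume
    + ["198.51.100.7 asmith download"] * 55 # credentialed user, heavy volume
    + ["198.51.100.7 bwong view"] * 10      # viewing only, never counted
)

if __name__ == "__main__":
    for key, action in sorted(decide_actions(parse_log(SAMPLE_LOG)).items()):
        print(key, "->", action)
```

The point of the proxy branch is the one the university participants made: a proxy address aggregates an entire campus, so the right response to abuse from it is to keep it up and escalate to the institution, while credentialed logins can be throttled and cut individually.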
Hey everyone,
I've just read through the IT Security/IP Authentication Focus Group Notes, and I found it quite interesting. It's clear that IP authentication poses significant challenges for corporate customers, especially with frequent acquisitions and divestitures. The issue of IP addresses belonging to firewalls rather than users or departments makes abuse tracking difficult, and investigating abuse cases is a rare occurrence.
One notable suggestion from the report is the idea of magically connecting users to the content they're entitled to by linking them through a People Database. This would eliminate the hassle of managing access rights during organizational changes. Additionally, there's a call for more clarity from vendors regarding post-acquisition/divestiture access.
In the consortia and university settings, authentication and access management remain key concerns. The preference for EZProxy over VPN due to security issues is understandable. It's interesting to see that abuse is monitored on a local level, with limited action taken unless it becomes egregious.
Regarding post-cancellation access, the use of platforms like PORTICO and limitations on functionality are common. It's clear that CDs are not seen as a viable solution, and vendors are encouraged to provide online access even for canceled materials.
Overall, these focus group notes shed light on the challenges faced by different organizations and their expectations from vendors. It's important for the industry to address these concerns and work towards more efficient and secure authentication and access management solutions.
By the way, if anyone has any insight into whether ACS plans to change its license terms regarding post-cancellation access or their stance on data mining research, it would be great to hear your thoughts.