IT Security / IP Authentication Focus Group Notes

James and Norah,

Below is the report from the Focus Groups I conducted this week:

Executive Summary of IT Security Focus Groups with Corporate, Consortia, and University Customers

May 9-11, 2011

Participants:

Sue Jones, The Dow Chemical Company, new CAP Member

Kristen Eilts, Archer Daniels Midland

Luray Minkiewicz, DuPont

Felice Maciejewski, University of Wisconsin Consortia

Cindy Clennon, CARLI Consortia

Jeremy Garritano, Purdue University

Chuck Huber, UC Santa Barbara, Former LAB member

Gwen Owens, Georgetown University

Corporate:

The situation as it exists now:

-    IP authentication (hereafter IPA) is particularly troublesome for corporate customers given the frequency of acquisitions and divestitures

-    Many so-called corporate librarians have NO relationship/connection to company IT

-    Recently Dow, as part of a new business model, spun off a new company that uses Dow IP addresses while being a completely separate entity from Dow and therefore not eligible to access content Dow has paid for

-    IPA makes it very for the right people at large multinationals to have access

-    IP addresses that companies like Dow provide are often the IP addresses of firewalls rather than users or buildings or departments so tracking the source of abuse is very difficult

Metrics/Abuse:

-    Rather than being asked what regions are using what content, Dow senior management want to know what business units are using what content and this is difficult to provide

-    Nature reports cumulative data year to date and they specify which journal titles go with which IP, which makes determining business units slightly easier

-    The frequency of investigating abuse cases is extremely rare

-    Full investigation of abuse is virtually impossible more than 24 hours after the instance

-    Fully depend on vendors to monitor access and abuse

-    Most effective way to prevent abuse: PEER PRESSURE – all employees are asked to thoroughly determine they need an article before downloading and when someone abuses this it affects the entire working group

What we want:

-    Dream solution: somehow magically connecting Dow users to content they’re entitled to by linking them through our People Database (so it doesn’t matter if they were former Rohm & Haas—now Dow—employees, on a mobile phone, or in Sweden)

-    We NEED more clarity from vendors as to what is OURS when acquisitions or divestitures happen. If Dow expands from 15K to 20K thanks to acquisition, that new 5K should get access to what Dow has paid for now that they are employees

Post-cancellation

-    We expect some kind of online solution. RSC does this now.

Consortia:

Authentication

-    UW system – Milwaukee specifically looking to authenticate through ONE login/password/one authentication source for the consortia

-    With CARLI, schools determine that on their own – there is no consortia-wide policy or mandate

Mobile/ebooks

-    There is no groundswell yet for access via mobile devices as phones are too small and iPads/tablets are not yet ubiquitous

-    Ebooks are the main topic that UW system is concerned with

-    UW system is having a conference on ebooks → UW system plans on issuing a white paper on how it wants to deal with ebooks

-    UW about to start determining policies on access via mobile devices

Metrics/Abuse:

-    Abuse is monitored on the local level at individual institutions

-    The consortia is notified but usually takes no action unless abuse is egregious

Post-cancellation access:

-    Access ideally is on the existing platform with the same functionality/searchability that users had when the subscription was active

    -    Many allow continued use of the platform for canceled materials as long as SOMETHING from the vendor is subscribed to

-    Some vendors provide online access with limited functionality

-    Others fulfill the obligation by access via PORTICO – extremely limited

-    CDs are not a solution.

-    “Getting content via CD-ROM is like not getting the content at all.”

Universities:

Authentication/Abuse:

-    Generally avoid VPN and try to use EZProxy because of security issues

-    Biggest issue with users accessing content via proxy off campus is their security rights – if the source of abuse is off campus, legal department must give permission for that abuse to be investigated

-    There is no educational moment around abuse – it's addressed after it happens

-    Happens RARELY

Post-Cancellation Access

-    PORTICO is considered an acceptable alternative to the platform – Springer has allowed UC system to access canceled content via PORTICO – functionality is limited but it's still online and not CDs

-    Many vendors allow access to canceled content via their platform as long as customer is buying something

Best Practices:

-    Chemical Abstracts’ method of dialing back functionality when abuse occurs (read-only) as a step 1 and then completely turning off access to the individual's login/password allows for triage

-    They are more targeted/nuanced in their abuse monitoring – not so many people affected

-    This also makes access to SciFinder Mobile easier too

Recommendations:

-    Make note of EZProxy IP so that if that is the source of the abuse, access can remain on while university investigates—when proxy server is immediately shut off MANY people lose access – leave it on while the university sorts it out

    -    The ability to control this depends on whether control of IPs is at the library level or the university level
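The tiered response in the Best Practices section (read-only first, then disabling the individual login) combined with the recommendation to keep a registered EZProxy address open while the institution investigates can be expressed as a small triage routine. This is an added example, not code from any vendor or from the focus group; the log record shape, the proxy range, the threshold and the `scope` field are all constructed assumptions.

```python
"""Proxy-aware, tiered abuse triage in the spirit of the notes above.

Constructed example, not any vendor's real system. It assumes access-log
records as (login, ip, path) tuples, a customer-registered list of shared
proxy addresses (such as an EZProxy host) and a per-login count of earlier
incidents; the threshold and the 'scope' field are assumptions too.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed: the customer's registered EZProxy range (RFC 5737 documentation
# space, so it points at nothing real). Many users sit behind these addresses.
REGISTERED_PROXIES = [ip_network("203.0.113.0/29")]

THRESHOLD = 50  # full-text downloads per login per window that count as abuse

def is_registered_proxy(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in REGISTERED_PROXIES)

def count_downloads(records) -> Counter:
    """Aggregate full-text downloads per (login, ip); plain page views are ignored."""
    counts = Counter()
    for login, ip, path in records:
        if path.endswith(".pdf"):
            counts[(login, ip)] += 1
    return counts

def triage(login: str, ip: str, downloads: int, prior_incidents: int) -> dict:
    """Step 1 (first incident): dial the login back to read-only.
    Step 2 (repeat incident): disable that individual login.
    A registered proxy address is never blocked: the institution is notified
    and everyone else behind the proxy keeps working while it investigates."""
    if downloads <= THRESHOLD:
        return {"login": login, "action": "allow", "scope": "none", "notify": False}
    action = "read_only" if prior_incidents == 0 else "disable_login"
    if is_registered_proxy(ip):
        return {"login": login, "action": action, "scope": "login", "notify": True}
    # Direct address, i.e. one machine: blocking it as well once the login is
    # already disabled affects nobody else (assumed policy, not from the notes).
    scope = "login_and_ip" if action == "disable_login" else "login"
    return {"login": login, "action": action, "scope": scope, "notify": False}

def triage_window(records, prior_incidents: dict) -> list:
    """One decision per (login, ip) seen in the window, in sorted order."""
    return [triage(login, ip, n, prior_incidents.get(login, 0))
            for (login, ip), n in sorted(count_downloads(records).items())]
```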

Questions from FG participants:

1.    Is ACS planning on changing its license terms re: post-cancellation access?

2.    Is ACS open to data mining research/projects on a case by case basis?

Comments

Hey everyone,

I've just read through the IT Security/IP Authentication Focus Group Notes, and I found it quite interesting. It's clear that IP authentication poses significant challenges for corporate customers, especially with frequent acquisitions and divestitures. The issue of IP addresses belonging to firewalls rather than users or departments makes abuse tracking difficult, and investigating abuse cases is a rare occurrence.

One notable suggestion from the report is the idea of magically connecting users to the content they're entitled to by linking them through a People Database. This would eliminate the hassle of managing access rights during organizational changes. Additionally, there's a call for more clarity from vendors regarding post-acquisition/divestiture access.

In the consortia and university settings, authentication and access management remain key concerns. The preference for EZProxy over VPN due to security issues is understandable. It's interesting to see that abuse is monitored on a local level, with limited action taken unless it becomes egregious.

Regarding post-cancellation access, the use of platforms like PORTICO and limitations on functionality are common. It's clear that CDs are not seen as a viable solution, and vendors are encouraged to provide online access even for canceled materials.

Overall, these focus group notes shed light on the challenges faced by different organizations and their expectations from vendors. It's important for the industry to address these concerns and work towards more efficient and secure authentication and access management solutions.

By the way, if anyone has any insight into whether ACS plans to change its license terms regarding post-cancellation access or their stance on data mining research, it would be great to hear your thoughts.