Educause Security Discussion mailing list archives
Re: FW: Skype allowance
From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Thu, 7 Jun 2007 13:51:17 -0400
Hi,

We allow Skype, as we allow any other P2P. It is calculated in your bandwidth usage and if your machine gets designated as a hub, you may find yourself in the penalty box.
I think that Steve makes some very good points (except for the bandwidth charging stuff :-), but our policy of "you are responsible for everything that your machine does and for all traffic on your network connection" covers that.
Are the people who are blocking Skype providing an alternate low cost way of making long distance/international phone calls?

Regards,
Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

--On Thursday, June 07, 2007 1:31 PM -0400 Steve Schuster <sjs74 () CORNELL EDU> wrote:
Charlie,

We've been wrestling with the question for a while now at Cornell. We do not have an official, university decision so we're taking no action by way of university-wide blocking. Cornell, however, is distributed enough that we can allow local units and colleges to make local decisions -- I don't care about Skype usage in many areas across campus but in others, Alumni Affairs, Financial Affairs and other administrative units come to mind, I care a great deal. By supporting local decisions we help them think about some of the risks, help support their direction and will take the blame if they feel that would be helpful. We've also helped respond to some requests to local units with messages such as the one below.

Hope this helps and good luck,
sjs

_____________________________________________________________________________________

Dear, XXX

Thanks for the mail and for your very good question concerning using SKYPE at Cornell. Cornell currently has no university policy that prevents such applications or services from running on our computers or within our network. As a matter of fact, I wouldn't expect one to be developed as this seems to be a little too narrow in focus to constitute a university policy. I'd hate to see a situation where we would have to create a policy for every service we want or don't want on our campus. So local units are making these types of decisions individually after determining business needs and risk to the business and the data they are responsible for protecting.

With all that said, however, let me give you my security perspective on SKYPE. I'll break out my concerns into a few areas:

1. Because SKYPE is set up to be a peer-to-peer application and SKYPE's user agreement requires you to allow other calls to potentially be routed through your computer (calls that you're not making or a part of) this could be a burden on our local networks and Cornell networks as a whole. Additionally, because we do local billing for our network use this might mean some larger monthly bills than the unit expects or should be responsible for.

2. Because calls can potentially be routed through you and due to the increased visibility on the Internet this has a likelihood of exposing your computer to hacking attempts or other such things.

3. Risk of data loss. We have a responsibility to protect our community's personal data from unauthorized access and take steps to remove risks of such compromise. I think this is particularly true in <unit removed> where you deal with private information. I would hate to think about the situation we might find ourselves in if the data your department processes were exposed in an unauthorized manner. As a matter of fact, according to NYS law we must notify if we have such a computer break-in.

We need to set some sound practices on what applications are acceptable and unacceptable in our work environment. Due to the concerns that I've outlined above I support not using SKYPE within most places of our network. I think the ONLY places where SKYPE might be viable for use are areas where we can guarantee there are no risks to our sensitive data or risks to the availability of our computer resources that could lead to interference with business. The only area that comes to mind that meets this guideline is probably ResNet.

So while there might not be Cornell policy that restricts or forbids the use of SKYPE I do believe it is in our best interest to tightly limit its use. There is a pretty good article that further discusses using SKYPE in a work environment at http://www.computerworld.co.nz/news.nsf/news/1C31DD62E610104ACC2570B40016C985

This probably isn't the answer that you wanted or maybe expected to hear so for that I'm sorry. If you would want to discuss this further I'd be happy to.

Thanks again for the question,

______________________________________________________________________________________

Steve Schuster
Director, IT Security Office
Cornell University
sjs74 () cornell edu

On Jun 7, 2007, at 12:21 PM, Kutil, Charlie D. wrote:

Can anyone share their university's stance on the utilization of Skype on the university network? Are you blocking it, allowing it, or ambivalent towards the application?

Thank you,
Charlie Kutil

Charlie Kutil, M.P.H., CISSP
Information Policy & Security Officer
Office of Information Technology (OIT)
Texas A&M Health Science Center
Coastal Bend Health Education Center
(O) 361-825-2805 (C) 361-876-3781