Re: FW: Skype allowance

[Joel Rosenblatt <joel () COLUMBIA EDU>]

Hi,

We allow Skype, as we allow any other P2P.  It is calculated in your bandwidth usage and if your machine get designated as a hub, you may find yourself in the 
penalty box.

I think that Steve makes some very good points (except for the bandwidth charging stuff :-), but our policy of "you are responsible for everything that your 
machine does and for all traffic on your network connection" covers that.

Are the people who are blocking Skype providing an alternate low cost way of making long distance/international phone 
calls?

Regards,
Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel


--On Thursday, June 07, 2007 1:31 PM -0400 Steve Schuster <sjs74 () CORNELL EDU> wrote:

> Charlie,
>
>
> We've been wrestling with the question for awhile now at Cornell.  We do not have an official, university decision so 
> we're taking no action by way of
> university-wide blocking.  Cornell, however, is distributed enough that we can allow local units and colleges to make local 
> decisions -- I don't care about
> Skype usage in many areas across campus but in others, Alumni Affairs, Financial Affairs and other administrative units 
> come to mind, I care a great deal. 
> By supporting local decisions we help them think about some of the risks, help support their direction and will take 
> the blame if they feel that would be
> helpful.  
>
>
> We've also helped respond to some requests to local units with messages such as the one below.
>
>
> Hope this helps and good luck,
> sjs
>
>
>
>
> _____________________________________________________________________________________
> Dear, XXX
>
>
> Thanks for the mail and for your very good question concerning using SKYPE at Cornell.
>
>
> Cornell currently has no university policy that prevents such applications or services from running on our computers or 
> within our network.  As a matter of
> fact, I wouldn't expect one to be developed as this seems to be a little too narrow in focus to constitute a university 
> policy.  I'd hate to see
> a situation where we would have to create a policy for every service we want or don't want on our campus.  So local 
> units are making these types of
> decisions individually after determining business needs and risk to the business and the data they are responsible for 
> protecting.
>
>
> With all that said, however, let me give you my security perspective on SKYPE.  I'll break out my concerns into a few 
> areas:
> 1.  Because SKYPE is set up to be a peer-to-peer application and SKYPE's user agreement requires you to allow other 
> calls to potentially be routed through
> your computer (calls that you're not making or a part of) this could be a burden on our local networks and Cornell 
> networks as a whole.  Additionally,
> because we do local billing for our network use this might mean some larger monthly bills than the unit expects or 
> should be responsible for.
> 2.  Because calls can potentially be routed through you and due to the increased visibility on the Internet this has a 
> likelihood of exposing your computer
> to hacking attempts or other such things.
> 3.  Risk of data loss.  We have a responsibility to protect our community's personal data from unauthorized access and 
> take steps to remove risks of such
> compromise.  I think this is particularly true in <unit removed>  where you deal with private information.  I would 
> hate to think about the situation we
> might find ourselves in if the data your department processes were exposed in an unauthorized manner.  As a matter of 
> fact, according to NYS law we must
> notify if we have such a computer break in.  We need to set some sound practices on what applications are acceptable 
> and unacceptable in our work
> environment.
>
>
> Due to the concerns that I've outlined above I support not using SKYPE within most places of our network.  I think the 
> ONLY places where SKYPE might be
> viable for use are areas where we can guarantee there are no risks to our sensitive data or risks to the availability 
> of our computer resources that could
> lead to interference with business.  The only area that comes to mind that meets this guideline is probably ResNet.  So 
> while there might not be Cornell
> policy that restricts or forbids the use of SKYPE I do believe it is in our best interest to tightly limit its use.
>
>
> There is a pretty good article that further discusses using SKYPE in a work environment
> at http://www.computerworld.co.nz/news.nsf/news/1C31DD62E610104ACC2570B40016C985
>
>
> This probably isn't the answer that you wanted or maybe expected to hear so for that I'm sorry.  If you would want to 
> discuss this further I'd be happy to.
>
>
> Thanks again for the question,
>
>
> ______________________________________________________________________________________
>
>
>
>
> Steve Schuster
> Director, IT Security Office
> Cornell University
> sjs74 () cornell edu
>
>
>
>
>
>
>
> On Jun 7, 2007, at 12:21 PM, Kutil, Charlie D. wrote:
>
>
>
>  
>
> Can anyone share their universities stance on the utilization of Skype on the university network? 
>
> Are you blocking it, allowing it, or ambivalent towards the application?
>
>  
>
> Thank you,
>
> Charlie Kutil
>
>  
>
> Charlie Kutil, M.P.H., CISSP
>
> Information Policy & Security Officer
>
> Office of Information Technology (OIT)
>
> Texas A&M Health Science Center
>
> Coastal Bend Health Education Center
>
> (O) 361-825-2805
>
> (C) 361-876-3781
>
>  



Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel