Hi David et al,

Thanks for moving this forward. I think the access that we require is:

* Mail (with an arbitrary Exchange-compatible client, not just the Outlook client)
* MS Teams for meetings (and teaching — almost all machines are for both of those uses). This includes some access to the files (I am slightly unclear about the relationship of the Teams “files” tab to SharePoint and OneDrive).
* Office 365 — but this really means the applications, not the web, except for access to OneDrive. (I personally only use the web interface to the files, and really only so I can upload teaching material which I will need to access from the lecture theatres.)
* Zoom
* HPC and Data Store access (presumably over ssh).
* Machine-to-machine access over ssh and vnc. This is related to the issue of being able to make new users.
* Some ICIS access (e.g., to see payslips)
* Web page editing
* Blackboard and Starfish. Blackboard, at least, absolutely needs to be accessible from non-College networks.
* Library and journals

Currently, I understand that all of these are accessible not only from any machine on the college network, but in fact from anywhere. Access via ssh and vnc, and some journal subscriptions, are the only things on this list that require the VPN, I believe, and everything else is at least behind a college password screen, completely unrelated to the machine being used for access.

In short: we are all quite happy with the status quo for “byo” machines for our research purposes.

It would be very useful if they could give us a list of the “college services” that they are considering restricting access to, and what forms those restrictions might take. We also need to understand how and if any of this relates to the “Unified access” plan about which we received an email over the summer and which is referenced elsewhere in this thread.

Sincerely,

Andrew

______________________________________________________________________
Professor Andrew Jaffe                          a.jaffe@imperial.ac.uk
Director, Imperial Centre for Inference & Cosmology   +44 207 594-7526
Blackett Laboratory, Room 1018B
Imperial College, Prince Consort Road
London SW7 2AZ UK                 http://imperial.ac.uk/people/a.jaffe

On 22 Nov 2022, at 20:17, David Colling <d.colling@imperial.ac.uk> wrote:

Hi All,

I am sending this to the Physics Departmental Computing Committee and to the departmental members of the FRCC so that they can gather information from their departments.

As some of you know, ICT are increasingly confining what people can do on college machines, even those bought on research grants and used by individual researchers. This has been most noticed by the change in the management of Macs. In my years involved in departmental computing, no issue has annoyed more people. Behind this is the increased number of attacks on university computing systems, which is visible both at Imperial and elsewhere. Some universities have been badly hit and have ended up paying £Ms to ransomware attackers. Apparently this is one of the things that keeps our President awake at night. This is clearly a threat that we have to take seriously, but it is also not clear how much damage could be done to college systems by a laptop or desktop used by a single (or team of) researcher(s).

In discussions with ICT the most sensible approach seems to be that we define a class of machine that is a research desktop or laptop that ICT don't manage but which also has limited access to college central systems. Most of us have no reason to access payroll (say) and in fact would view it as a security breach if we could. We have a meeting on the 30th November where we will discuss this proposed set up. What I need going into is the list of services that researchers would need access to from these research machines, how that access would them + any other thoughts/comments. For example the sort of thing that occurred to me are:

Service: Office365 (including SharePoint, email, OneDrive, Teams etc.)
Access: Is access through the secure web portal enough for most of these plus a mail client providing secure access to the email.

[I use Office365 much less than almost anybody to whom this email is going so am the least qualified to answer this one]

Service: ICIS (Payslips, expenses claims etc)
Access: Secure web access should be enough.

Service: Starfish
Access: Secure web access is sufficient.

What other services are needed and how?

Other comments:

- I don't think that it is unreasonable to have a requirement that the disks of all research laptops are encrypted in case they are lost when travelling. The performance hit is minimal and if that is important then running on a laptop might not be ideal.

So please do send me your thoughts (on services mainly) and comments. For once I would not be against you sending to everybody as I would welcome debate on this.

Best,
david

_______________________________________________
Physics-Departmental-Computing mailing list
Physics-Departmental-Computing@imperial.ac.uk
https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-computing