Thursday, April 10, 2008

Re: Looking for Browser Based Hosted Email Solution (UNCLASSIFIED)

On Wed, 9 Apr 2008 16:17:45 -0400, CHRISTOPHER BUTLER
<CBUTLER@stjohnsprep.org> wrote:

>I hope someone has a good response to what I'm about to write. I don't mean
>to rain on the parade of praise for off-site email, but I do have some
>concerns with not having more control over the server.
>
>What happens when a student's account gets abused by another student who has
>stolen a password? Assuming that you can even get access to the logs that
>track logins, read messages, etc..., if it happened during the school day
>(or if you are a boarding school) the best info you will get is your public
>WAN address. You'll have a bear of a time tracking those logins back to
>particular machines on campus.
>
>We've had this happen a few times here and within 15 minutes, I can
>associate an email login to a computer on campus by IP and cross-reference
>that with workstation logins and pretty quickly get a very short list of
>students who were probably involved. No need to wait for Google to provide
>the info (assuming they will even do that). In some cases, we've even
>tracked the suspect logins to public IPs and have been able to cross
>reference those with other logins from that IP and challenge the students to
>a decent explanation of what our logs show.
>
>We also have access to detailed message tracking for both internal and SMTP
>messaging so that we can usually get the information we need pretty quickly
>to solve problems.
>
>I would be happy to save money and go with an offsite solution, but I'd also
>want to continue to have detailed tracking and reporting for tracking down
>inappropriate use and troubleshooting. Do any of the off-site vendors offer
>this?

Google Apps offers a number of tools to more closely track what is going on.
On the email side you can route all inbound and outbound mail (including
internal domain mail) via a gateway SMTP server and thus log everything.
Even easier to implement, Google offers some very reasonably priced services
to education customers through Postini (MUCH cheaper than the commercial
prices) which add much better anti-spam as well as email journaling which
allows an administrator access to all email (both the envelope and body)
sent or received. It also satisfies the e-discovery issues that we all are
going to have to deal with sooner or later.

On the authentication side Google Apps allows SAML authentication which
could be used to provide much more detailed and accessible authentication
logs. I have not explored this beyond a few minutes of reading about the
Google SAML API so I can't add any detail. I also only have a very cursory
knowledge of SAML.

That said, turning off your Exchange/Lotus Notes/FirstClass/etc. server and
handing the reins to Google Apps does cede some control to Google. I for
one see this as a good thing because it frees my department to spend more
time working with teachers to use technology better and offices to make
their operations more efficient. While we all have to deal with the kind of
situations you describe above, I think it is important that we weigh the
costs properly. How much is it worth to catch that student who uses another
student's email account? Is it worth saying no to the teacher who needs help
with a new technology s/he is excited about? Is it worth saying no to the
headmaster's assistant who needs help getting an important mailing out? My
opinion is that the many hours needed to manage a messaging platform are not
worth the possibility of catching a student or two breaking an AUP.

I should also add that students aren't stupid. When students find out we can
catch them logging on as another student on the school network they'll find
other ways to do the same thing if they really want to. All they would have
to do is use their home computer and you wouldn't have a chance of catching
them as no ISP will give you an IP short of a court order. They could also
simply use a public kiosk/computer and log in as the other student or make
use of a laptop left unattended, etc. Furthermore, our experience is
that the most common abuses happen with IM, Facebook, and other systems
completely out of our control.

To conclude, I don't think the ability to catch one specific type of abuse
is a good reason for keeping email in-house.

--
Tom Phelan
Director of Technology
Peddie School
http://www.peddie.org

[ For info on ISED-L see http://www.gds.org/ISED-L ]
Submissions to ISED-L are released under a creative commons, attribution, non-commercial, share-alike license.
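
The cross-referencing discussed in this thread (mail login source IP against workstation logons, and against other mailboxes seen from the same public IP) as an added example; it is not part of either message. The campus range, log layouts, host names and accounts are constructed assumptions, and both logs are assumed to share one clock and timezone.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

CAMPUS = ip_network("10.20.0.0/16")  # assumed campus LAN range

# Constructed sample mail-server log: (time, mailbox, source IP)
MAIL_LOGINS = [
    ("2008-04-09 10:42:10", "jsmith", "10.20.31.7"),
    ("2008-04-09 10:50:00", "jsmith", "10.20.44.2"),
    ("2008-04-09 20:15:30", "jsmith", "198.51.100.23"),
    ("2008-04-09 20:31:02", "rlee", "198.51.100.23"),
    ("2008-04-09 21:00:00", "akhan", "203.0.113.9"),
]
# Constructed workstation log: (host, IP, logged-on user, logon, logoff)
SESSIONS = [
    ("LIB-PC-07", "10.20.31.7", "rlee", "2008-04-09 10:30:00", "2008-04-09 11:05:00"),
    ("LIB-PC-07", "10.20.31.7", "jsmith", "2008-04-09 13:00:00", "2008-04-09 13:40:00"),
    ("LAB-PC-02", "10.20.44.2", "jsmith", "2008-04-09 10:45:00", "2008-04-09 11:30:00"),
]

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def investigate(mailbox, mail_logins=MAIL_LOGINS, sessions=SESSIONS):
    """Return leads for every login to `mailbox` not explained by its owner."""
    findings = []
    for when, box, ip in mail_logins:
        if box != mailbox:
            continue
        if ip_address(ip) in CAMPUS:
            # On campus: who was logged on to the machine holding that IP then?
            active = [(host, user) for host, s_ip, user, start, end in sessions
                      if s_ip == ip and ts(start) <= ts(when) <= ts(end)]
            if not active:
                # No workstation session covers the login: flag for manual review.
                findings.append((when, "campus-unknown", ip, None))
            for host, user in active:
                if user != mailbox:  # the owner at their own session is expected
                    findings.append((when, "campus", host, user))
        else:
            # Off campus: only the public IP is known, so list the other
            # mailboxes that were also opened from that same address.
            others = sorted({b for _, b, i in mail_logins if i == ip and b != mailbox})
            findings.append((when, "external", ip, others))
    return findings

if __name__ == "__main__":
    for lead in investigate("jsmith"):
        print(lead)
```

With a hosted service this only works if the provider exposes per-login source addresses; behind a single NAT address the on-campus branch has nothing to match against.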