Why is SURFconext being used less for collaboration than expected (in spite of its growth!)? On 9 May, 60 participants from various disciplines and institutions discussed this question. They identified a number of bottlenecks and suggested solutions that both SURF and the institutions could contribute to.
Collaborative use lags behind expectations
SURFconext provides a secure and reliable infrastructure for authenticating and authorising users towards online services in order to facilitate education and research. Roughly speaking, there are two usage scenarios for SURFconext: the collaboration scenario and the enterprise scenario. The collaboration scenario is characterised by the large number of services that often need to be made available to small numbers of users at each institution, for example a group of researchers. In contrast, the enterprise scenario involves a small number of services that are actually used by all or almost every employee and/or student at the institution. The use of SURFconext in the collaboration scenario in particular is lagging behind expectations. This is unfortunate, as the service can be of great benefit to researchers, teachers, employees and students, and it can make working and collaborating online a great deal more secure and reliable.
Why is this so?
Risks associated with providing personal data
Institutions feel very responsible for their users’ personal data and information. The use of online services is an added risk that can conflict with this sense of responsibility. The natural response is to limit this risk by blocking access to services via the institutional account. However, this is experienced by the user as an impediment to their work. The user will therefore immediately start looking for workarounds which allow them to access the service using their personal accounts. This however does not mean that the institution is no longer responsible in case of an incident.
100% security can never be guaranteed here. The most effective way of actually limiting such risks is to create awareness amongst users to allow themselves to consciously and responsibly engage with using online services.
Deviating from standard agreements
Institutions want to ensure that data shared by them and their users via services connected to SURFconext are secure. To ensure that this is the case, there are robust standard agreements between SURF and providers; however, these cannot be applied to all types of services. Exceptions are sometimes made, and this creates ambiguity, which results in inconvenience and delays.
SURF adds value by serving as the linking pin between all the individual participating institutions within educational and research. Trust is crucial in this regard, not only between the institutions and SURF but also amongst the institutions themselves. SURFconext happily builds upon this trust by making it easy for participating institutions to also offer their own services to other institutions. Internationally, SURF also plays an important role in this regard by facilitating connections with other trusted education and research federations worldwide. However, from a strictly legal perspective, trust is of no value. So what role should SURF play here?
The institutions as well as SURF can contribute to tackling this problem. A list of proposed solutions follows below, but this list is definitely not exhaustive.
What can the institutions do?
- They can support and train their users to use online services consciously and responsibly.
- They can put agreements with their users in place, such as acceptable use policies, to explicate their own responsibility.
- They can ensure that the user knows who to turn to, for example to request a connection to a service or to submit a collaboration agreement to in order to show which agreements have already been entered into with the service.
What can SURF do?
- SURF can continue to focus on the robust agreements entered into with providers in order to facilitate the enterprise scenario. It can also reflect on how to provide optimal support to the collaboration scenario.
- SURF can optimise the flow of information towards the institutions about which exact agreements apply in relation to each service (via the SURFconext Dashboard).
- SURF can help the institutions draw the attention of the users to their own responsibility for their use of online services, for example by introducing a policy screen next to the consent screen currently in use.
- SURF can introduce authorisation functionality, which institutions can use to reduce certain risks. For example, this functionality could allow only a particular group of researchers to access a particular service, instead of all the users at the institution.
- SURF can introduce more extensive error reporting to provide better assistance to users, for example, if a user cannot access a particular service. Who does the user have to report to? Why is there no access?
The underlying discussion
You have just read a brief summary of the discussion that took place on 9 May. Of course, the issue at hand is in fact a bit more complicated. We therefore recommend that you also read the extended report (only available in Dutch), which provides a more detailed description of the reservations institutions have about using SURFconext, as well as the remaining uncertainties surrounding the implementation of the modifications to SURFconext.
To find a solution, we need to enter into a discussion with each other. The viewpoints of the various stakeholders within the institutions must be taken into account. I would therefore like to encourage everyone to submit their response below, or else directly via email to: email@example.com.