IT@Cornell

There have been several really good questions raised about the box.net service that I spoke about previously. The questions are more focused on the box service specifically than on the above-campus model itself. Let me try to answer them as best I can.

Q1. Is the service secure and is data encrypted?

In the lead up to last week’s announcement, a working group was formed to address Box’s security practices. That group, and several others that were formed at the same time, remains active. Cornell participated in the security working group as did Carnegie Mellon, Indiana, Michigan, Notre Dame, and Stanford. In summary, their evaluation indicated that the security technology and practices of the Box environment are sound and well designed.  Data isolation in an environment that may have millions of customers is well thought out.  To all appearances, the environment would be suitable for the storage of university data through the public/restricted classification and, with appropriate contractual language and attention to procedures, through the confidential classification. Data is encrypted in transit and at rest.

More detailed information on security is available and continues to evolve as Box works with the I2 early adopters to ensure their service is secure in the ways required by colleges and universities.

Q2. What objections were raised to the Box strategy and how does it fit with the move to managed desktops?

Most people who look at the Box online demo recognize that the service itself is good, that it fills a need, and that it’s pretty easy to use. Any objections have really been about why, why now, and why is this happening so quickly? Truth is, this is not normally how IT services are launched at Cornell. It is, in many important respects, a paradigm shift, as imperfect and disruptive as any such shift will be.

It is happening now and so quickly because I responded to a time-limited opportunity to put Cornell in the thick of helping to create a new model of IT service delivery that “happened” to be Box.net. The service had to be good and had to address unmet needs especially given the challenges of campus-wide scale Although we’ve tried to be as inclusive and consultative as possible, the driving factors were speed of deployment, scale, and manageable cost. The service support model is still a work in progress, but here again we have the advantage of working with the other early adopters. I’m not sure how it meshes with managed desktops, but I don’t see any inherent conflict in strategy between the two.

Q3. There are many overlapping features with other tools (Sourceforge, Confluence, Dropbox, and perhaps Sharepoint). What business need does Box solve?

These are all good products that various groups on campus are using. Box has some features that overlap with some/many of these, is missing features that some of these products have, and has some they do not. What’s different with Box is that, due to the above-campus model, all Cornell faculty, staff and students have access to the enterprise-level Box service at a very modest institutional cost, which as I mentioned last time will be covered centrally. It may be that some groups migrate from their current service to use Box, some will find new things they wanted to do but lacked a tool or infrastructure or other resources. And we are also going to be looking at the degree to which Box could be an effective “back end” collaboration service for some of our enterprise systems. That will take more planning than is possible by launch date, but it is being considered.

Q4. Can we get a demo of Box in action?

Have a look at the Box online demo to get a sense of the  service. I have discussed the idea of a campus seminar/workshop too, though I cannot make any commitment to that just yet.

Q5. What if Box is purchased by another company, including an off-shore firm?

We need to be prepared for that, and I think we are. Box is becoming an attractive take-over target (as is Dropbox, I might add). The Master Services Agreement (MSA) between Box and I2 includes various provisions concerning data rights, succession, etc. There is now a team of university lawyers, Cornell included, who are developing a standard customer agreement between institutions and Internet that will further enhance the protection of our data and spell out the limits of any such protections. As far as the cost of switching providers, if that becomes necessary, that issue has also been factored into the MSA as much as possible.

I hope this information is helpful, though I may have raised a few questions as well as answering some. While I will probably continue to talk about the Box service in this blog from time to time, and am happy to do so, I also think we’ll transition to some other, more effective communication and engagement channels. Meanwhile, keep those questions coming