

Gmail Ditched By UC Davis - ukdm
http://www.informationweek.com/news/windows/security/showArticle.jhtml?articleID=224700847

======
symesc
Sometimes decisions like this are just about wanting to maintain control
(read: job security).

The CIO and his people want to run mail and calendaring systems. Nothing wrong
with that, other than the fact that it likely costs them more to do it
themselves than they would pay Google to do so.

In 2010, managing your own email and calendaring systems seems to me to be the
IT equivalent of generating your own electricity.

These systems are utilities like power and water.

But that's just my opinion, based on using Gmail, Talk, Google Calendar, etc,
for my personal life and Microsoft Exchange and BlackBerry in my work life.

~~~
viraptor
Yes - they are about maintaining control, but not about job security. Every
university will have a number of documents defining the level of privacy and
security provided by each involved entity. If exporting the information to
google means that some rule is broken -- for example if bulk transfers of
personal information are forbidden and people start using gmail as a basic
tool of document exchange, something has to change. And sometimes it's easier
to change the technology provider than people... Even if no local regulations
stop them, there might be some law about personal data processing that
completely prevents gmail usage for some specific organisation.

You'll also find that serious tech. universities do have their own power
generators for emergencies.

~~~
derwiki
I've seen more major breaches of privacy (not to mention system failures) with
university run services than GMail. I think it's more that when it breaks,
they want to be able to do something to fix it versus waiting on Google to fix
it.

------
waxman
My grandma is more tech-savvy than my university.

We were scheduled to adopt Google apps this February, but at the last minute a
group of professors stymied the proposal for a number of bogus "privacy"
concerns, which included, and I wish I was kidding about this one, a fear that
our data could be hosted on a Google server in a country with questionable
human rights laws. What?!

Meanwhile, we use the ancient open-source Horde e-mail system, which is slow,
frequently down, and far less secure than Google's. It's expensive to
maintain, and its webmail interface looks like it was designed by a
kindergartener in the mid-90's. Plus, our pricey yet outdated university
servers are just sitting in some random IT room on campus, and are probably
far more susceptible to data theft than anything in the cloud (both virtually,
and in the form of someone just picking up the servers and walking out with
them).

The future is in the cloud. Institutions wise enough to adopt it will enjoy
huge benefits; those who are too afraid will be left behind.

And don't even get me started on the generally sorry state of technology use
in education...

~~~
viraptor
> _I wish I was kidding about this one, a fear that our data could be hosted
> on a Google server in a country with questionable human rights laws_

Was that in UK by any chance? If so, take a look at Data Protection Act -
especially this:

 _Personal data shall not be transferred to a country or territory outside the
European Economic Area unless that country or territory ensures an adequate
level of protection for the rights and freedoms of data subjects in relation
to the processing of personal data._

If you want to be ok with the law, basically you cannot store your emails
(which at some point will definitely contain personal data) in an unknown
location. Gmail storage qualifies as an unknown location for all we know.

~~~
waxman
It's in the US, but that's a fascinating law.

Google actually specifies that they _cannot_ disclose the exact location of
one's Google Apps data because it is automatically distributed across three
different server farms out of several dozen (or more) potential locations.
They also are purposefully vague about disclosing the locations of their data
farms, in general. Incidentally, one likely reason for this is security.

I agree that there are _some_ genuine privacy and security concerns about the
cloud, but I think most criticisms fall into the unforgivable category of "I
don't trust it because I can't see it."

And in this sense, academics refusing to accept the cloud are like academics
refusing to accept gravity.

~~~
viraptor
I think it's not a problem of not seeing the data. After all, outsourcing
storage and processing is very common now. The real problem is that when you
_need_ to see the data, you cannot and you don't know where to find it.

For example, you cannot easily swap the email server for a new one and recover
everything from backups. Actually, you cannot even reliably make full on-site
google apps backups afaik, which is a hard requirement in many places. If you
have problems with disappearing data, not only do you have to wait for Google
to fix it, but you have a specific priority in their queue. In extreme cases
you might want to get a bunch of consultants to deal with the problem on-site
right now. No such option if you outsource your storage.

------
invisible
This is BS. They're saying Buzz was part of the cause for the decision yet
Buzz wasn't even on Google Apps GMail instances. The other issue cited is on
the premise that they are disclosing emails to GMail vs using GMail for a
service provider of their own email. Ridiculous sensationalism in my opinion.

~~~
viraptor
The Buzz comment makes sense really. If they thought that Google doesn't
handle all of its data in a proper way, then there's a reasonable suspicion
they don't do it with your mails.

Let's use a hyperbole: If your bank guaranteed you security, while you see
robbers taking the cash from their vaults -- would you believe them? Would the
situation change if you were told that this vault will not be used to store
your money?

If they mentioned it, they might think of it as a symptom of bigger problems
with the data handling procedures.

------
andreyf
_a leading public university has ended its evaluation of Gmail as the official
e-mail program for its 30,000 faculty and staff members [...] Keltner noted UC
Davis students are continuing to use the service_

According to wikipedia, UCD has 2,092 faculty and 31,426 students [1]. Unless
they happen to have a "staff" of 28,000, it seems someone got their numbers
mixed up.

1\. <http://en.wikipedia.org/wiki/University_of_California,_Davis>

~~~
djcapelis
The relatively incomplete state salary database shows UC Davis as having
21,154 employees.

UC campuses are huge enterprises and contain a lot more than some classrooms
and dorms. Davis for instance, runs one of the few Californian hospitals that
is both an Adult and Pediatric Level 1 trauma center. Davis has many other
things you wouldn't expect, for instance, the campus also has an airport and a
fire department.

University of California, by employee count, is larger than Intel. Larger than
Google, Yahoo and Apple combined. 6 times the size of NASA and is several
times over the size of General Mills. Just to give you an idea. UC is a very
complex organism and many of its campuses are non-trivial.

UC also plays a role in running our nuclear program and has various units that
need to comply with HIPPA and/or national security regulations for dealing
with classified information.

So... I'm not surprised at that number and it's definitely nowhere near as far
off as you speculated even if it was a little high.

More related to the main story, UC policy currently prohibits use of Gmail
applications for non-student affiliates of the university due to security,
policy and compliance issues. UC Davis was one of the leading campuses trying
to change this, (and I think they might have been approved for a pilot or
something?) but it appears they've backed off. (Edit: Ah yes, you'll note the
article explicitly cites a section of their notice stating that the UC ECP
does not allow for this type of data sharing since the university can't get
Google to agree to the necessary data privacy constraints.)

------
timdorr

      Many faculty "expressed concerns that our campus’s commitment to protecting the
      privacy of their communications is not demonstrated by Google and that the 
      appropriate safeguards are neither in place at this time nor planned for in the 
      near future,” the letter said.
    

So, it's a decision made based on FUD. Sounds like that's going to work out
awesomely for them.

Looks like they just want to move things back in-house for perceived control.
That reminds me of a story about a major directory server at Georgia Tech
going down regularly. The hard drive inside kept crashing on a regular basis.
They restored backups, reinstalled software from scratch, and even replaced
the hardware several times. It kept crashing until one day when a tech was out
in the server room to restore it one more time. He found a technician working
in the ceiling above on some sort of HVAC system. Below him was the server
pulled out of the rack partially. The technician had been stepping on the
combination of his ladder and the server itself to reach the unit he was
working on.

So, yeah, on-campus servers are way more secure than scary Google servers in
the mysterious "cloud"...

~~~
viraptor
Poorly implemented local security does not prove anything about security of
Google servers. You cannot draw such conclusions based on this event. For all
you know, monkeys are flinging poo everywhere in the Google datacenter holding
your Gmail account.

In this case the university had at least the chance to fire the technician /
hold him responsible. Good luck holding Google responsible for anything.

~~~
proee
<http://www.youtube.com/watch?v=V7__SWWSaGM>

------
zoltan99
Lets look at an example guys. What if a student while in college had a
disability. Now while I was in school, my University used its own private
servers. Though upon me leaving, they switched to gmail. Now in my school, the
office of disability services used email to schedule test taking and other
arrangements. Now that they use gmail, google knows which students have
disabilities. Data like that is quite scary if ever made public and if it ever
was breached those students like myself, likely would never ever be able to
have a career they have worked for.

------
matthijs
My university just migrated to Gmail (about 2 weeks ago). 30k students and
about 8200 faculty and staff members.

It beats the 2 different systems we had to use before (one exchange account
and one squirrel mail faculty account), and is probably more secure as well.

------
hydo
Looking at the actual url, I wonder how this is 'Windows Security' news.

Oh, I get it.

