Shel Waggener put together an interesting presentation (PDF) on campus IT spending from 2001-2007. Some of the highlights:
- Total campus IT spending is estimated at $136 million. $56 million of that is within IST or the CIO’s office; the remainder is elsewhere (including L&S).
- Total IT spending under the EVCP control unit (basically, the academic units minus IST) is approximately $50 million, just a bit less than IST spending.
- Only 1% of EVCP spending is for IT; that percentage is less than half of any other control unit. (NB: There is probably some IT spending in academic units that is not captured by these numbers, such as having GSIs/GSRs do computer support for faculty labs. I don’t recommend the use of grad students for IT support, but it is common practice in the lab sciences.)
- IT spending per campus FTE has been basically flat since 2001.
- IT spending as a percentage of total campus budget has been trending downwards since 2001.
- IT spending as a percentage of the institutional budget is in line with other universities, but spending per FTE is quite low. (This basically indicates that IT isn’t the only thing that’s under-funded.)
- Two-thirds of our IT spending is on people (salaries and benefits). Salaries and benefit costs have gone up since 2001, while hardware and licensing costs have gone down.
- IT spending as a percentage of total budget has actually dropped significantly in physical and biological sciences. This might be due to large initiatives like QB3 coming online without sufficient funding for IT, or could be an artifact of how they’re looking at the data.
- State funding has dropped from 61% to 56.9% of campus IT funding. “Indirect cost recovery” (which I assume is synonymous with “recharge”) has risen from 4.9% to 7%. “Other sources” has risen from 8.9% to 12.1%. We’re having to get creative to fund IT, even more so than in other areas.
The overall message is unsatisfying but not unexpected; during a period when IT has become more important to our core mission every year, we have actually reduced the resources dedicated to IT.
A customer forwarded this article from the New York Times, on new authentication mechanisms. The author is cheerleading a bit for “information cards” which would act a little like your ATM card; the idea would be that each computer would have a reader where you would insert your card and type in a PIN; after you’d done that, you’d have access to all of your sites.
Authentication can have three factors: something you are (fingerprint, retinal scan), something you have (your ATM card or these information cards), or something you know (your password or PIN). Security experts recommend two-factor authentication for important stuff; you use two-factor authentication when you go to the bank, insert your card and use your PIN. Two-factor authentication means that the password can be a lot simpler, because one of the other factors is acting as a second check.
However, two-factor authentication is not foolproof, either; there have been sophisticated ATM scams where thieves installed a magnetic stripe reader over the normal slot, with a video camera to record the user’s PIN as they type it. One concern with information cards is that you may have to use them in untrusted environments; if you’re traveling and want to check your email, nothing will protect you from the hacked machine at the internet cafe where you put in your card.
On campus, IST is developing what they’re calling “second level authentication” which can be used for security-sensitive web-based applications. This would augment the security of your CalNet ID; for a sensitive application like HRMS, you would log in with your CalNet ID, but then also input a PIN using an on-screen keypad. This does not qualify as two-factor authentication, because both authentication tokens are “things you know,” but it should make those applications somewhat safer.
There is also a significant effort underway on campus and at UCOP to set up an “identity management” (IdM) system. IdM attempts to combine authentication (verifying who the person is) with authorization (verifying what the person should have the rights to access). Right now CalNet is basically an authentication system; each application that uses CalNet ID must maintain its own list of which CalNet IDs are allowed to access the application. IdM would provide a central place to store information about each user’s access rights, and also provide a way (through “federated identity management”) to communicate authorization to external entities, like UCOP or a third-party vendor. UC Davis recently did a pilot to see if Gmail could provide email for students; in the pilot, students were able to use the UC Davis equivalent of a CalNet ID to log in to their UC Davis Gmail account. Federated IdM has come a long way in the last year or two (mostly through the Shibboleth project), and I expect we’ll start to see many more of these kinds of arrangements.
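The split between authentication and centrally managed authorization described above can be sketched as follows. This is an added example, not code from CalNet, UC Davis or Shibboleth: the user names, application names and key are constructed, and an HMAC with a shared key stands in for the public-key signatures that real SAML assertions carry.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key shared by the identity provider (IdP) and the service.
# Assumption: real federations sign with the IdP's private key instead.
IDP_KEY = b"constructed-demo-key"

# Central IdM store: one place records who may use which application.
ENTITLEMENTS = {"alice": ["hrms", "student-mail"], "bob": ["student-mail"]}

def _sign(payload: bytes) -> str:
    return hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()

def issue_assertion(user, audience, now=None, ttl=300):
    """IdP side: called only after the user has authenticated."""
    now = time.time() if now is None else now
    claims = {"sub": user, "aud": audience, "exp": now + ttl,
              "entitlements": ENTITLEMENTS.get(user, [])}
    payload = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode())
    return payload.decode() + "." + _sign(payload)

def authorize(assertion, app, now=None):
    """Service side: no local user list, only the IdP's signed statement."""
    now = time.time() if now is None else now
    payload, _, sig = assertion.partition(".")
    # Verify the signature before parsing anything the caller supplied.
    if not hmac.compare_digest(sig.encode(), _sign(payload.encode()).encode()):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["aud"] != app:
        return False, "assertion issued for another service"
    if now > claims["exp"]:
        return False, "assertion expired"
    if app not in claims["entitlements"]:
        return False, "authenticated but not authorized"
    return True, claims["sub"]

if __name__ == "__main__":
    token = issue_assertion("bob", "hrms")
    print(authorize(token, "hrms"))  # bob logged in, but has no HRMS right
```

The service never sees a password and keeps no access list of its own; revoking a right in the central store takes effect as soon as outstanding assertions expire.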