East Midlands Broadband Consortium (EMBC) Thread, emPSN Service Level Agreements in Regional Broadband Consortiums (RBC); Has any school requested and received a copy of the service level agreements that their emPSN-framework contracts are being delivered ...
  1. #1

    Join Date
    Dec 2007
    Location
    Derbyshire. Ish.
    Posts
    257
    Thank Post
    29
    Thanked 22 Times in 15 Posts
    Rep Power
    24

    emPSN Service Level Agreements

    Has any school requested and received a copy of the service level agreements that their emPSN-framework contracts are being delivered under yet?

    We asked on behalf of the primary schools we support - only to be eventually told that KCOM / Capita hadn't finished writing them yet!

    When we pointed out to the rep in question that surely this should have been something that was done before they started selling services to schools if the services were going to be measured against them, there was an amusing amount of "umming" and "ahhing".

    Heard from another secondary in our region that they had a similar response when the question was posed by them.

  2. #2

    korifugi's Avatar
    Join Date
    May 2008
    Location
    Derby
    Posts
    1,020
    Thank Post
    221
    Thanked 311 Times in 176 Posts
    Rep Power
    158
    Anyone? I've attempted to get something, anything from Capita but at the minute it seems like a game of "Laaa laaa laaa - we can't hear youuuu"

  3. #3

    Join Date
    Jun 2010
    Location
    Nottingham
    Posts
    134
    Thank Post
    19
    Thanked 3 Times in 3 Posts
    Rep Power
    9
    Quote Originally Posted by korifugi View Post
    Anyone? I've attempted to get something, anything from Capita but at the minute it seems like a game of "Laaa laaa laaa - we can't hear youuuu"
    Nothing yet. Shocking in my opinion.

  4. #4

    Join Date
    Dec 2007
    Location
    Derbyshire. Ish.
    Posts
    257
    Thank Post
    29
    Thanked 22 Times in 15 Posts
    Rep Power
    24
    Has anybody received anything? Or even had any positive responses when asking for it?

    When I asked Capita for more information in relation to their HTTPS filtering project recently, I threw in a request for a copy of the SLA (the conversation went something along the lines of "Did you actually consult with the school as your client before making this arbitrary decision over a change in the service? Because this was NOT mentioned when you were pitching for the business last year! BTW can I have a copy of the SLA to see how you're supposed to implement change?") and they expertly ignored all requests related to the provision of a copy of the SLA.

    Given this defiant silence in relation to the SLA, if I were being cynical I could very well start to believe that SLAs do not exist in relation to any services procured off the emPSN framework at all!

    Has anyone actually had a copy of their SLA from either KCOM, Virgin, Capita or RM in relation to their emPSN connection yet?
    Last edited by TheCrust; 13th March 2013 at 10:08 AM.

  5. #5

    Join Date
    Jun 2010
    Location
    Nottingham
    Posts
    134
    Thank Post
    19
    Thanked 3 Times in 3 Posts
    Rep Power
    9
    Quote Originally Posted by TheCrust View Post
    Has anybody received anything? Or even had any positive responses when asking for it?

    When I asked Capita for more information in relation to their HTTPS filtering project recently, I threw in a request for a copy of the SLA (the conversation went something along the lines of "Did you actually consult with the school as your client before making this arbitrary decision over a change in the service? Because this was NOT mentioned when you were pitching for the business last year! BTW can I have a copy of the SLA to see how you're supposed to implement change?") and they expertly ignored all requests related to the provision of a copy of the SLA.

    Given this defiant silence in relation to the SLA, if I were being cynical I could very well start to believe that SLAs do not exist in relation to any services procured off the emPSN framework at all!

    Has anyone actually had a copy of their SLA from either KCOM, Virgin, Capita or RM in relation to their emPSN connection yet?
    No, to put it simply. And we are having similar issues with HTTPS connections which are causing havoc with all manner of devices.

  6. #6

    Edu-IT's Avatar
    Join Date
    Nov 2007
    Posts
    7,112
    Thank Post
    403
    Thanked 619 Times in 566 Posts
    Rep Power
    180
    What have they done in terms of HTTPS?

  7. #7

    Join Date
    Jun 2010
    Location
    Nottingham
    Posts
    134
    Thank Post
    19
    Thanked 3 Times in 3 Posts
    Rep Power
    9
    Quote Originally Posted by Edu-IT View Post
    What have they done in terms of HTTPS?
    They have "SSL Enabled us" and given us a certificate to publish to all of our computers on the Root CA. Any certificates that are received from websites have the issuers replaced with OpenHive and a lot of services reject this because they don't trust it. Can't install the certificate to tablets, so anything secure on there is rejected, including our MDM profile. So we can't push apps anymore, or update, or use certain apps. And every secure website throws up an error in Safari.

  8. #8

    synaesthesia's Avatar
    Join Date
    Jan 2009
    Location
    Northamptonshire
    Posts
    5,866
    Thank Post
    574
    Thanked 998 Times in 770 Posts
    Blog Entries
    15
    Rep Power
    461
    Errr, my knowledge of SSL certificates for websites and HTTP is ropey at best but I have been dealing with it enough on IRC to know that it's quite pointless as it is - Openhive "replacing" them as *another* man in the middle, effectively doubling the risk?
    Could someone explain that to me? I am making an outright assumption that I'm being daft rather than Capita doing something dangerous.

  9. #9

    Join Date
    Jun 2010
    Location
    Nottingham
    Posts
    134
    Thank Post
    19
    Thanked 3 Times in 3 Posts
    Rep Power
    9
    Quote Originally Posted by synaesthesia View Post
    Errr, my knowledge of SSL certificates for websites and HTTP is ropey at best but I have been dealing with it enough on IRC to know that it's quite pointless as it is - Openhive "replacing" them as *another* man in the middle, effectively doubling the risk?
    Could someone explain that to me? I am making an outright assumption that I'm being daft rather than Capita doing something dangerous.
    Pretty much covers it yeh, and a lot of services will instantly reject the modified certificate. Rightly so.

    No you're far from being daft.

  10. #10

    Join Date
    Dec 2007
    Location
    Derbyshire. Ish.
    Posts
    257
    Thank Post
    29
    Thanked 22 Times in 15 Posts
    Rep Power
    24
    @TMODAlpha So in effect they did stuff, completely without consultation with you as their customer, that has had a negative impact on portions of your network?

    Hmm. That's not good and I know what I would be telling them in that situation. The polite version goes something like: "I say, chaps, you have breached your part of the contract by not only not supplying me an SLA to measure the performance of the service against, but then imparting changes in an arbitrary manner without consultation or consideration on how they affect me mean there has been a negative effect on the operation of some of my systems. Either you remedy this situation and start playing by the rules, or I consider the agreement between us terminated."


    When I asked them what they were up to with this HTTPS / Certificate project on behalf of our supported primary schools - one thought we had had was by acting as a "man in the middle" they could intercept stuff to which they had no legal right such as between the exam boards, or the DfE, and the school - they eventually came back with this:

    We can assure you that we do not de-crypt or re-encrypt any part of a user request. In order to perform the filtering function, Webshield looks at the user REQUEST URL to determine the host portion of the HTTP-part of an HTTPS request. This allows Webshield to carry out an allow/deny decision on the requested host name of the server, prior to any data being fetched from the web server (the RESPONSE). The software that Capita uses allows us to use either the full URL when asking for an allow/deny decision, or just the hostname of the web site (note this is still the REQUEST not the RESPONSE).

    Following the action taken by Webshield to either allow or deny the REQUEST, if the request is valid no further interaction takes place, the data is fetched from the web server and delivered through the Webshield proxy server directly to the web browser. As stated we do not at any stage de-crypt or re-encrypt data and neither is there caching of any data, nor any data held on the Capita operated proxy servers. When the actual requested data is fetched it simply flows through the proxy server, the transmission over the Internet is secured, as is the transmission across the emPSN. We do not log, nor cache any aspects of content from the RESPONSE.

    Obviously if the request is not valid/denied the user will receive a deny page from Webshield.

    This process is the same for HTTP requests and for HTTPS requests and our Webshield service does not differ in this sense from the previous embc service.

    We are required by both duty of care responsibility, and by UK law enforcement organisations to trace requests back to their source should an investigation be triggered. The Webshield system report logs enable us to trace users and timestamp the URL requests but again this does not allow us to inspect at any time detail or content. This is also a requirement of the emPSN and therefore of the service.

    I presume based on your concerns that we were inspecting content you asked if the school can opt out of this HTTPS inspection entirely and remain on the current filtering system.

    The answer is you can but opting out will have an operational impact on your school users. You will lose the flexibility of per-user filtering for HTTPS web sites, which typically impacts the staff in school who are more likely to access these sites. Such that, should an HTTPS web site be denied by your site-wide policy (e.g. banking), you lose the advantage of user-based filtering (UBF) i.e. role based/ profiled access to the internet. Even if you log in, no action can be taken to relax the filtering for this web site.
    I'm still not entirely sure what to make of that response as it didn't really address the questions I had put to them - but one impression I got from it was they were giving me something in the hope I would shut up and go away.
    Last edited by TheCrust; 13th March 2013 at 08:31 PM. Reason: Can't spell for toffee!

  11. #11

    synaesthesia's Avatar
    Join Date
    Jan 2009
    Location
    Northamptonshire
    Posts
    5,866
    Thank Post
    574
    Thanked 998 Times in 770 Posts
    Blog Entries
    15
    Rep Power
    461
    "Lose the flexibility of per-user filtering for HTTPS websites"

    Capita have always had a habit of over-complicating things. We've got a defunct RM Smartcache 2 box that's been in action for many years that did exactly that without having to faff around like that?

  12. #12

    Edu-IT's Avatar
    Join Date
    Nov 2007
    Posts
    7,112
    Thank Post
    403
    Thanked 619 Times in 566 Posts
    Rep Power
    180
    HTTPS is encrypted though, so surely they have to do some de-crypting? Or am I totally wrong on what HTTPS is?

  13. #13

    Edu-IT's Avatar
    Join Date
    Nov 2007
    Posts
    7,112
    Thank Post
    403
    Thanked 619 Times in 566 Posts
    Rep Power
    180
    Seems I'm not mad. Put this to them?

    The headers are entirely encrypted. The only information going over the network 'in the clear' is related to the SSL setup and D/H key exchange. This exchange is carefully designed not to yield any useful information to eavesdroppers, and once it has taken place, all data is encrypted.
    security - Are HTTPS headers encrypted? - Stack Overflow
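
Added example, not part of any post in this thread: what an explicit forward proxy can read from a browser's request before any TLS decryption. For HTTPS that is only the host and port on the CONNECT line, so a hostname allow/deny works without decryption while a rule on the full URL cannot be evaluated unless TLS is terminated at the proxy. The sample requests, host names and function names are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed sample requests, as an explicit proxy receives them from a browser.
PLAIN_HTTP = (b"GET http://example.org/videos/cats?id=7 HTTP/1.1\r\n"
              b"Host: example.org\r\n\r\n")
HTTPS_TUNNEL = (b"CONNECT bank.example:443 HTTP/1.1\r\n"
                b"Host: bank.example:443\r\n\r\n")


def visible_to_proxy(raw: bytes) -> dict:
    """Return the request fields the proxy can read without decrypting TLS."""
    parts = raw.split(b"\r\n", 1)[0].decode("ascii").split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    if method == "CONNECT":
        # Authority form: host:port only. The path, query string, headers
        # and body are sent later, inside the TLS tunnel.
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        return {"scheme": "https", "host": host.lower(),
                "port": int(port), "path": None}
    url = urlsplit(target)  # absolute form used for plain HTTP via a proxy
    if url.scheme != "http" or not url.hostname:
        raise ValueError("expected absolute http:// URL")
    path = (url.path or "/") + ("?" + url.query if url.query else "")
    return {"scheme": "http", "host": url.hostname,
            "port": url.port or 80, "path": path}


def decide(raw: bytes, denied_hosts=(), denied_url_prefixes=()):
    """Allow/deny using only what is visible; returns (decision, reason)."""
    seen = visible_to_proxy(raw)
    if seen["host"] in denied_hosts:
        return "deny", "hostname rule"
    if seen["path"] is None:
        # HTTPS without interception: URL-level rules cannot be evaluated.
        return "allow", "hostname only, URL not visible"
    if any((seen["host"] + seen["path"]).startswith(p)
           for p in denied_url_prefixes):
        return "deny", "URL rule"
    return "allow", "no rule matched"


if __name__ == "__main__":
    print(decide(HTTPS_TUNNEL, denied_hosts={"bank.example"}))
    print(decide(HTTPS_TUNNEL, denied_url_prefixes=("bank.example/login",)))
    print(decide(PLAIN_HTTP, denied_url_prefixes=("example.org/videos",)))
```
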

  14. #14

    korifugi's Avatar
    Join Date
    May 2008
    Location
    Derby
    Posts
    1,020
    Thank Post
    221
    Thanked 311 Times in 176 Posts
    Rep Power
    158
    Hold on a sec...

    This bit...

    The answer is you can but opting out will have an operational impact on your school users. You will lose the flexibility of per-user filtering for HTTPS web sites, which typically impacts the staff in school who are more likely to access these sites. Such that, should an HTTPS web site be denied by your site-wide policy (e.g. banking), you lose the advantage of user-based filtering (UBF) i.e. role based/ profiled access to the internet. Even if you log in, no action can be taken to relax the filtering for this web site.
    Sounds like they're saying this...

    If you opt out - then you'll lose all ability to be able to access sites under slightly less restrictive filtering, for example being able to log into the "inthehive" system as a teacher to be able to show a youtube video to your class. Your finance departments will also be unable to look at anything to purchase due to all sales sites being filtered with you having no way to reduce the filtering level.
    P.S. It's our ball and if you want to play - it's by OUR rules
    Is anybody else reading that or is it just me?
    Last edited by korifugi; 14th March 2013 at 03:02 PM. Reason: makin' sense and takin' names.

  15. #15
    Jobos's Avatar
    Join Date
    Apr 2007
    Posts
    1,133
    Thank Post
    177
    Thanked 49 Times in 42 Posts
    Rep Power
    24
    It seems each week there's a different problem with emPSN and if I had known about all the grief we would have I would have used a different ISP when EMBC finished!
