Squaring the Circle in IT Architecture and Security at a University

Harald Rotter, Chief Information Officer, the University of St.Gallen

Whenever I get to talk outside of the university community about our IT technology, the setting we've chosen, and the challenges it presents, I often see big question marks from my counterpart. An often asked first counter-question is: "Why on earth do you allow the chosen setting at all?" or, why don't you simply restrict this or that access? My answer often degenerates into a somewhat lengthy monologue about university specialities. I would like to illustrate this with our University of St. Gallen (HSG). For me, as CIO, there are many different stakeholders:

Stakeholders: Study and teaching.

This area includes all the IT systems of our undergraduate teaching (Bachelor, Master, Doctorate). Stability for the large mass, in our case > 9500 students, must be guaranteed here. In terms of time, this is divided into spring and fall semesters. This is the time of lectures, exams, group work and much more.

Stakeholders: Academia

In this area, the respective employees work in the field of research. Especially the professors with their doctoral students, assistant scientists, researchers, etc. They all want and need, for various reasons, the greatest possible freedom in the area of IT infrastructures. Starting with different infrastructures for the same or similar use cases, installation rights on client devices up to the opening of web content that would rather be blocked under "normal" circumstances.

Stakeholders: Continuing (Executive) Education

In our environment, the area of continuing education (executive education) is very pronounced. In addition to the building itself, we also operate our own hotel for this sector. Our customers pay a lot of money for their programs (eMBA, iMBA, MAS/DAS/CAS programs, etc.), and therefore, the expectations are much higher.

Stakeholders: Central administration

The central administration can be compared to a "classic" company. Real estate, personnel, finances, information technology, library and the like fall into this area.

" In our environment, the area of continuing education is very pronounced."

In addition to all these different areas or departmental requirements, employees also have different functions at our company. We call this multiple employment. A professor, for example, is, on the one hand, an employee of the university. In addition, he or she may also have an employment contract with his or her institute and may also conduct research (contract and/or basic research). And in the best case, the IT should be operational for all these different tasks. Under all these conditions, we, as the IT department, must try to ensure the security and stability of the infrastructure. In addition to these technical challenges, it is also necessary to address and, where possible, enforce data protection and compliance-relevant issues. In larger companies, the framework of the so-called "enterprise architecture" is also used for this purpose. This is an attempt to draw a red line in the IT system landscape wherever possible. The focus here is on combining use cases, reducing applications and the like. In my opinion, this is very difficult or even impossible to implement in the university environment. It is taught but cannot be lived for various reasons.

To summarize. At our university, we run informatics for more than 9500 students and more than 3300 employees (without continuing education) in this outlined environment. Thus we, and probably all university computer science departments, try a bit to "square the circle". The tasks are highly interesting and innovative but also quite challenging. Many mechanics that are given in "classical companies" can be implemented and enforced at universities, at most in partial areas.

Information Technology