LTS assists the ITS E-Resources team, the Access Services Privileges Office, and HUIT Security Operations in resolving e-resource license breaches.
LTS is authorized to investigate license breaches of e-resources only upon a request from ITS E-Resources (after notification from a vendor) or the HUIT Security Operations group (after data analysis indicates library-related suspicious use). LTS does not proactively mine log data for breach attempts or suspected compromised user IDs.
- External E-Resource Vendors: Flag suspicious access of their resources by Harvard IPs; provide log data to ITS E-Resources to pinpoint the source of the breach.
- HUIT Security Operations: Analyze logs for suspicious use of resources. Identify users for breaches occurring on library computers or the VPN network. Also called in for license breaches with larger security implications. Point of contact with Harvard users with apparently compromised credentials.
- ITS E-Resources Team: Point of all direct contact with e-resources vendors; point of contact with library users.
- LTS Support: Analyze LTS EZProxy logs to identify source of breach, facilitate communication between ITS E-Resources, HUIT Security Operations, and Harvard Alumni Association
- Harvard Library Access Services: Point of contact with library special borrowers, consult on resource access and license breach policy
- Harvard Alumni Association: Manage alumni e-resources program, identify users whose HAA IDs have been flagged for suspicious use, point of contact for alumni e-resource users
- Initial Report: LTS Support receives reports of possible license breaches from two sources:
  - Vendor Data: Vendors are required to provide adequate log information for us to identify the source of the breach. The E-Resources team will request further information if it is not immediately provided. We need at least the following:
    - Exact timestamp (including time zone)
    - Source external IP, with port if available
    - Destination IP, with port if available
    - URL being accessed
- LTS Support notified (one of the following):
  - ITS E-Resources team notifies LTS Support, typically via email, including vendor data. LTS Support identifies the specific Harvard user(s) from vendor log data (for activity on an EZProxy IP) or, in the case of VPN or in-library computer IPs, opens a ticket with HUIT Security Operations requesting that they check their logs to identify a user/location.
  - HUIT Security Operations notifies LTS Support of library-related suspicious use caught by Splunk. LTS Support conveys the information to ITS E-Resources for follow-up.
- At the request of ITS E-Resources or HUIT Security Operations, LTS Support may temporarily block the user from e-resource access and kill all active EZProxy sessions.
- User contacted: E-Resources team contacts the user to alert them to the problematic activity and either educate them about acceptable use of licensed resources or ensure that the user changes their login credentials, as appropriate. E-Resources team then notifies LTS Support once confirmation is received that the PIN has been changed and/or the user has ended the problematic access.
- Vendor contacted: E-Resources team contacts the vendor to let them know the breach is resolved.
- LTS Support unblocks the user's HUID in EZProxy if necessary and, if not yet done, reports the ID and resolution to HUIT Security Operations.