[Eril-l] Prohibition of Secure Access Service Edge (SASE) Architecture
Electronic Resources in Libraries discussion list
eril-l at lists.eril-l.org
Wed Mar 18 17:13:20 PDT 2026
[Crossposted to LIBLICENSE. Apologies in advance for the duplication! Just
wanted to cast a wide net.]
Hi, all. I have recently encountered a license clause that I have never
seen in my 13+ years of reading library content licensing agreements. I am
hoping that someone out there has seen it before and has some advice on how
to approach it.
There is no confidentiality language, but we like to maintain good vibes
with all our licensors. So, I'll be gracious and just summarize instead of
pasting in the entire clause.
The language essentially prohibits us from employing "any authentication
method associated with a third-party SASE [Secure Access Service Edge]
provider to access [the licensed content]". Also, if we become aware of our
users employing a SASE service to access the content, we have to
"immediately" tell the licensor who will remove the SASE IP and may provide
a temporary authentication method until some other form of authentication
can be implemented. That other form of authentication also has to be
"mutually acceptable," giving the licensor an awful lot of say so in
institutional network security. It's a very slippery slope.
The licensor says that they need this language because SASE providers will
sometimes share IP ranges across clients and this could result in our
content being open to unauthorized users. Network security isn't my
wheelhouse, so I did a little reading on SASE and it sounds like the fears
of unauthorized use are overblown. It appears to be a perfectly legitimate
authentication solution used by a lot of major players in the field, no
more or less secure than any other approach. So, I am really just
scratching my head here.
Based on conversations with the licensor, it sounds like other institutions
have actually agreed to this language, or a pretty close version of it. I
am kind of stunned that anyone would allow a licensor to dictate their
networking security practices like this.
For reference, my institution does not currently use SASE, but we might in
future and the various stakeholders are way too distributed across our
large, complex org chart to ensure compliance with this prohibition. It's
just not remotely possible.
Does anyone else have experience with negotiating a clause like this? If
so, would you mind chatting with me about it?
Many advance thanks!
Tessa
-.-.-.-.-.-.-.-.-.-.-.-.-.-
Tessa L.H. Minchew
Electronic Resources Librarian
Acquisitions & Discovery
NC State University Libraries
919.515.5182
tlminche at ncsu.edu
(pronouns: she | her)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.eril-l.org/pipermail/eril-l-eril-l.org/attachments/20260318/307f316d/attachment.htm>
More information about the Eril-l
mailing list