Duke ITAC - June 4, 2009 Minutes

ITAC Agenda
June 4, 2009 4:00-5:30
Allen Board Room

  • Introduction of visiting Oracle/PeopleSoft executives - Tracy Futhey & Kathy Pfeiffer
  • Announcements & meeting minutes
  • Single sign-on discussion/experiences/feedback - Klara Jelinkova, Paul Horner, & Rob Carter
  • Security penetration test results and next steps - Paul Horner
  • IT cost savings team "Computer Standards & Lifecycle" (seeking feedback) – Dave Richardson, Ed Gomes, Susan Gerbeth-Jones, & Ginny Cake

Introduction of visiting Oracle/PeopleSoft executives - Tracy Futhey & Kathy Pfeiffer

Terry Oas said the PeopleSoft team spent most of the day meeting with Kathy Pfeiffer.  The team also met with faculty and students to get feedback on the upcoming ACES interface, he said.  Terry introduced the Oracle representatives: Curtiss Barnes, who leads Oracle’s applications strategy for Higher Education, and Mark Armstrong, who is in charge of Oracle Higher Education Product Development.

Terry said the intent was to demonstrate the feedback process faculty and students use regarding IT concerns at Duke University.  This feedback loop has existed at Duke for approximately 15 years and has fostered a culture of open dialogue.

Terry asked the Oracle attendees for any insight into the future of PeopleSoft’s roadmap.  Mark Armstrong said they enjoy engaging with higher education customers and appreciate the opportunity to have the dialogue.  Mark said some of the concerns raised in today’s sessions should be addressed through patches this calendar year.  Mark added Oracle is at a crossroads with new technologies and architectures.  In addition, Oracle is evaluating how it can meet user experience self-service expectations.  Specifically, Mark said Oracle will continue to deliver a robust infrastructure.  Oracle’s goal will be to offer standard web services and frameworks so customers can use off-the-shelf tools to build their desired front end.  Long term, this should allow customers to share content, he said.  Mark added that Oracle is working with Higher Ed groups on legal and intellectual property (IP) concerns.  Mark said the relationship with Duke University will be very valuable to Oracle moving forward.  Oracle is also changing its release model in response to feedback.  Mark noted that Duke recently upgraded to version 9; however, this model may no longer fit as Oracle moves to a “continuous delivery model.”  This process of incremental patches and upgrades enables Oracle to work with customers and provide desired functionality sooner.  He added that he was very encouraged by the conversation he had had with Duke staff and their disciplined approach to functional requirements.

Tracy Futhey asked about some of the pending product changes and timelines.  Kathy Pfeiffer said her office has met regularly with PeopleSoft to communicate the feedback they have received.  This process has produced specific requirements, largely around the navigation concerns, that her office has provided to PeopleSoft.  PeopleSoft demoed some of the changes to faculty earlier in the day.  Tracy asked for member feedback from the demo.  Terry commented that the navigation improvements are significant.

Curtiss said the timing of the release would be later this year.  He added that Oracle’s traditional relationship with Duke has been through Higher Ed Users Group.  Over the last few months, a new, tactical dynamic has emerged.  Curtiss said this will be very beneficial in Oracle’s new release model.  He noted there is a growing interest throughout Higher Ed in standards and commonality.  Curtiss said Oracle’s relationship with Duke and others will be critical to informing their architectural decisions.

Robert Wolpert asked about the categories of IP issues Mark raised.  Mark said it depended on the model.  A key question is around what can be built into the base product as opposed to the modules added onto the base product.  Moreover, can Oracle deliver features and functions customers can “bolt to” the product or share amongst each other, he said.  This raises questions about IP because sharing a widget may share some core processing.  Mark said sharing and supporting those features introduce liability questions.  He added that this process simply raises some questions that need to be addressed.

Terry asked if any of the functions demoed earlier in the day could be ready for fall semester.  Kathy said Oracle would have it ready by August, which would mean Duke University could deliver by October.  Tracy added that, given the community’s interest, OIT would work to deploy it as quickly as feasible.

Terry invited members of the Oracle team to come back to Duke University.

Brian Fleming asked how prepared Duke University was to capitalize on the extensible architecture PeopleSoft is proposing.  Tracy responded that Duke is in a position to take advantage of this today.  Terry added that Duke’s readiness was apparent at the meeting earlier in the day.


Announcements & meeting minutes

Terry Oas opened by asking ITAC members present at the April 23, 2009 meeting if they had comments on the minutes. Noting no objections, Terry accepted the minutes and stated that they would be posted on the ITAC web site.

Kevin Davis announced that this summer OIT and the Law School are sponsoring an Adobe Day.  Adobe company representatives will be on site to provide training and answer questions. You'll be able to choose from two concurrent morning sessions on June 23 running from 9:30 to 11:30 a.m. (Electronic Document Publishing or Video Production and Distribution), and two concurrent afternoon sessions running from 1:30 to 3:30 p.m. (Communication and Collaboration or Web and Application Development). All sessions are at the Duke Law School (or online via Adobe Connect), and the sessions will be recorded.

Carl McMillon said the FitzPatrick East data center had a significant outage about a month ago.  There was a scheduled maintenance event that was finishing.

Molly Tamarkin was announced as the new Associate University Librarian for IT.  Molly was previously the Director of IT for the NSOE and then A&S computing.  She moved on to become the CIO at the University of Puget Sound.  She will be leading IT projects at the Library.


Single sign-on discussion/experiences/feedback - Klara Jelinkova, Paul Horner, & Rob Carter

John Board and Paul Horner presented the proposed Acceptable Use Policy (AUP) to the Executive Committee of Academic Council (ECAC).  There was discussion about some of the proposed password policies and the implications of having a single password granting access to a broad variety of services.  ECAC’s discussion has led ITAC to discuss Duke’s single sign-on strategy and what opportunities are available for multi-factor authentication and other security approaches.

A discussion followed about the merits and challenges single sign-on authentication would introduce.  Klara Jelinkova discussed some alternatives for how single sign-on authentication could theoretically work, including application-driven, multi-factor authentication.  In addition, solutions could range from PKI certificates on USB keys to multi-password authentication enabled through the next version of Shibboleth, she said.  Klara distinguished between single sign-on (same credentials accessing multiple services) and account management (service provisioning and rights access).

Dave Richardson asked what the scope of single sign-on is.  Klara said most OIT enterprise applications currently use NetID authentication; however, OIT is not synchronizing NetID passwords with workstation passwords unless specifically requested.  The IT Council (departmental IT directors) has requested that OIT synchronize NetID accounts and passwords with central Active Directory, but that initiative is on hold while ECAC’s concerns are addressed.  Ed Gomes said numerous tools and processes exist today enabling staff to support equipment while ensuring the integrity of user credentials.  Rafael Rodriguez said that the Health System logs authentication activity to protect patient privacy.  He added that single sign-on is different from having the same password for all systems.

Paul said Duke would likely need to have an educational effort focused on password security and best practices.  Jim Daigle said that password concerns are independent of Active Directory and questioned if it should delay the previously mentioned synchronization effort.  Klara said the goal of the discussion was to get feedback.

Terry said that one solution would be to enable single sign-on and encourage application owners to add additional authentication methods.  Klara said this goal is achievable. Rafael concurred that some special applications could use a second-factor authentication.  A discussion ensued about the benefits and challenges of multi-factor authentication for various applications.

Terry said one concern is how to broadly communicate and educate the community on these issues.  He suggested ITAC should examine its overall communication strategy and launch a password education campaign, possibly to coincide with the introduction of multi-factor authentication systems.  Rafael asked if an annual IT compliance module might be appropriate.

Klara said the Active Directory-NetID synchronization would proceed.  She will continue to work with Rob on possible multi-factor authentication options.  Terry asked if Active Directory would be compulsory.  Klara said interested departments could opt in.


Security penetration test results and next steps - Paul Horner

Tracy introduced Paul and Rafael’s presentation by stating that the Health System did some penetration testing of its network in the Fall.  The campus side executed a similar test in April 2009.

Paul said the goal was to use a similar methodology as the Health System effort.  The group’s charge was to attempt to penetrate the campus side as if they were hackers, but to do no harm.  Paul said Duke has been running Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), in addition to performing internal vulnerability scans and alerting system owners.

Paul described the group’s exploit attempts and how Duke’s systems responded.  Tracy added that Duke’s IPS system quarantines a significant volume of traffic each month.  Paul said OIT communicated the vulnerabilities to system owners and they have been remediated.  Paul said his group is still analyzing the data from the firm that performed the analysis.


IT cost savings team "Computer Standards & Lifecycle" (seeking feedback) – Dave Richardson, Ed Gomes, Susan Gerbeth-Jones, & Ginny Cake

Terry said the Computer Standards & Lifecycle group is seeking ITAC’s feedback to refine its recommendations.  Dave Richardson described the group’s charge as an effort to reduce costs by increasing the institutional equipment replacement lifecycle, as well as renegotiating vendor contracts.  Dave said stretching the equipment lifecycle raises questions about purchasing more powerful equipment up front to be able to run new applications longer.  Dave suggested that divisions are likely doing much of this work already, but that there is minimal communication across divisions.  He supposed that some groups, such as labs, may not take full advantage of Duke-negotiated rates.  Bringing these groups into vendor negotiations may provide Duke additional leverage.

Dave said many groups are beginning to collaborate already, but some groups have very specific needs that may not correlate to template machines offered by vendors.  The committee proposes that Duke coordinate more through the Duke Computer Store to gain economies of scale in prices and warranties, he said.  He said it would be critical to have centralized expert advisors to answer deep technical, pre-sales questions about machines.  He said getting faculty and staff in individual laboratories to go through the Computer Store could be a challenge since they are accustomed to making all of their own custom purchases.

John Board said he currently can get up to four different prices from one vendor for the same equipment: through the Duke Computer Store, through the generic Higher Ed price, through the Duke-specific price on the vendor’s site, and through a call to a vendor representative.  Ed G. said the group discussed the price fluctuation and the Duke Computer Store’s pricing strategy.  Specifically, he said the Computer Store negotiates prices based on the expected number of unit sales.  Ed said they discussed the possibility of re-negotiating with the vendors more frequently.

Susan Gerbeth-Jones said one consideration was bypassing the Duke Computer Store web site completely and going directly to the vendor site(s).  Ed G. suggested that the Computer Store should be able to generate similar real-time quotes from a vendor.  Klara asked if it would be possible to simply have a blanket Duke discount at the vendor’s website to leverage the most up-to-date pricing.

Rafael said the stability of the desktop image is critical.  The Health System does a quarterly review of its system-pricing model.

Terry said the length of the lifecycle should be examined.  His experience is that machine performance definitely degrades over time.  He said support staff might want to offer guidance on how to maintain high-performing machines.  Michael Ansel, the new Duke Student Government representative, suggested moving to more central services, thereby allowing lower-powered machines to run newer services.