ITAC Meeting Notes

June 21, 2012

Allen Boardroom


Announcements (5 mins.)

Box Update (20 mins.)
            - Mark McCahill, John Board

Sakai Update & Blackboard Decommissioning (20 mins.)
            - Lynne O'Brien, Ed Gomes, Shawn Miller

Common Solutions Group Report (15 mins.)
            - John Board, Mark McCahill, Richard Biever, Evan Levine


Tracy announced that we have a new ITAC Chair.

Tracy also introduced Charlie Kneifel. Charlie started two weeks ago as a Senior Technical Director in OIT.

The new chairman, Ashutosh Kotwal, started the meeting by asking for comments on the minutes from the 4/26/12 meeting. The minutes were approved.

Box Update
            - Mark McCahill, John Board

Mark noted that some in the room had been involved in looking at Box. He explained that Box is a cross-platform web and other interface to some cloud storage. There's a web interface that allows you to drag and drop materials to and from the cloud storage. There are also mobile clients for the most popular mobile devices.

One of the main attractions of Box and similar tools is that it's a way to get stuff onto and off of your mobile device. It's specifically valuable for getting videos and pictures on and off your mobile device and into another form where you can best use them.

There is also a folder sync that you can install on Mac and Windows. This allows you to designate one or more folders to be synchronized. Anything that is put in those folders is automatically put into the Box storage cloud.

He showed an example of the interface. He pointed out material that he had uploaded into the space. He also noted that there is a place to invite collaborators to look at materials. There is also a "discussions" tab. Mark pointed out that Box has an ambition to be more than just plain old storage. In addition to storage, Box tries to think of itself as a collaboration platform. Mark buys this, at least on a lightweight level. There are role-based access controls for content so that you can give people variably controlled access.

Notifications are one of the more useful parts of Box. When someone views, uploads, comments or creates a new version, you can get an email notification. You can also see a stream of notifications at the Box website. This can be very useful if you want to be sure that someone is actually interacting with the content you dropped off for them.

It's easy to add external collaborators. You can send a link with a magic URL that gives them appropriate access. Mark found this valuable for interaction with colleagues at Cisco.

The comments, discussions and task lists are where collaboration really shines. You can put comments on a given document. You can start up discussions and assign task lists. There were vigorous discussions during the evaluation.

Ed Gomes thought that the discussion piece worked very well. You could get notifications of tasks and check them off. It was possible to assign multiple people to tasks.

Mark said that he didn't think it would replace something like Sharepoint, but it's a good lightweight collaboration tool. There is an in-place document viewer so that for some document types you can see without downloading. There's a Powerpoint viewer that would allow you to present from Box, if you wanted to.

Mark thinks the most important part is that there's a pretty good API for developing add-on applications. There is a fairly vigorous 3rd party developer community that is doing extensions to Box that make it work with other platforms. This may give it legs in the long run.

A committee member asked if this is a security problem.

Mark answered that it depends on what the apps are and how you give them access to the content.

Mark continued to explain collaboration. You can invite people and see if they've accepted. Be careful who you invite. Activity tracking can be done so that you can see if someone has downloaded material.

As noted before, it's possible to actually do a Powerpoint presentation in the Box environment. Mark showed a screen shot example.

The 3rd party add-ons are kind of like a little app store. Mark showed a screen shot with examples like being able to save directly from Office if you have the right plug-in.

Mark then moved to discussion about security. Of course, security is important. This is part of Box's story.

  • Redundant servers - currently all in the US
  • Encryption in transit, 256 secure socket layer
  • Encryption at rest, they claim good security, but we're unsure whether it's good enough for protected health information. They have not done a Business Associate Agreement (BAA). They may be close to doing this.

Mark contacted Shel Waggener. Shel used to be the CIO at Berkeley, and is now in charge of I2's Net+ initiative, which is negotiating the Box and similar agreements. Shel thinks that within 90 days there will be a BAA in place. Shel and Richard Biever think that the way they are changing the key management sounds pretty good. The change is that Box has a piece of the key to decrypt content, but it doesn't have the whole key. To get the rest of the key they would have to come to the Duke Admin. The Admin at Duke does have full access to get at the content.

John Board noted that the consumer grade version is not encrypted.

Mark said that the consumer grade version is really just a teaser to get you to set your enterprise up. Dropbox is more aimed at the consumer market. There are a bunch of players in this space. Sugarsync does some interesting things. Sharefile, out of Raleigh and recently acquired by Citrix, is more enterprise oriented and looks like it does some better things with security.

One thing that's interesting about Box is that it comes with Shibboleth support. It's also peering with I2, so speed should be better.

In the Spring we took a look at the EMC offering called Atmos, in the cloud. This can be hosted by AT&T or on premise. They are probably 6-9 months away from having Shibboleth support and their support for mobile devices wasn't as good.

The last group to mention is Webfiles. We have been doing a web front-end to AFS for quite some time. We're looking at trying to disengage from AFS. If we can get something in this space, this makes Webfiles something we can start backing away from.

There's a lot of churn in this space and many players. The features are all over the place.

This brings us to Net+. What is the purpose of the I2 community jointly negotiating for cloud services? By joining hands we get a somewhat stronger negotiating position with the vendors. The value proposition to the vendors is that you have a uniform agreement and you won't have to spend the time and energy negotiating with each of the universities. Also, if you peer with I2, the network path is attractive.

There is a Net+ storage bank. When you sign up for Box, you sign up for a tier, based on the size of your institution and number of users.  In case you miss your target, Net+ will give you a 25% loan of storage capacity. At the end of the year, you will need to reduce storage or pay more.

The Box Net+ initiative started with 6 schools. Since then 230 universities have done 45 day evaluations, like what we did.

Mark's sense is that many are holding back based on the BAA issue.

We'd be looking for at least 100TB storage. They claim that you can overbook by a factor of 5. Generally only 20% of people hit their quota.

If we do this with Duke Health we'd be at the same tier as if we did it without Duke Health. It would therefore be really wonderful if we could get a BAA in place and it can be used with PHI. This would spread the cost out over a much larger group.

In the Spring we got 25 seats for 45 days. Many people on the committee kicked the tires. We did a quick survey at the end asking if we should do this or not. The response was "yes" and the comments were generally positive. The negatives were that it was another thing that we'd have to train people to use.

Robert Wolpert asked if there is training involved. There was discussion and a general sense that it is pretty simple to use. There would be a need to let people know that it was out there. The only training might be for integration of the add-ons. One of the nice add-ons was for Exchange. It was nice to be able to add a Box attachment that didn't clog up the mail system.

A question was raised asking who creates the plug-ins. The answer is anyone who wants to.

Mark said that if you want Box to include an add-on on their list, they have an approval process. They have an API and it's trivial to become a developer. Most of the code is making REST calls, so it's relatively straightforward programming.

Tracy added that general education might be more important than training. It will be most important to let people know why they want to consider this, and why it's different from other options. 

Mark continued with explaining what is next.

  • Need to finish the security evaluation
  • Establish guidelines for use

Mark's dream use would be to be able to create access for course groups. We would like to be able to sync to course enrollment. However, support for this is split between their version 1 and version 2 API. The API is a little weak in the group area. This is a complaint that the pilot schools have voiced. Mark thinks that they are going to get there, but they aren't quite there yet.

There was discussion following Mark's presentation.

Robert Wolpert asked if we thought that most users would just use this service to get past the two gig Dropbox limit, or is there a concern about security that would drive this. Mark thinks that it depends on the user, but agreed that for most users it's just more storage and maybe a little better integration with the discussion and task tool.

Lynne O'Brien commented that this will add to the places that Duke "manages" where people are saving things and we have some responsibility for taking care of the space, and future transition. This becomes harder over time as there are more and more places where people keep data.

Ginny Cake and Richard Biever both used Box to test how the tools would give us access from remote locations to materials at Duke with good security. It worked very well. Richard noted that if we do go to a service like this, the training process will need to emphasize how and when sharing is done, from a security and confidentiality standpoint.

There was discussion about a need to cite best use cases to be sure that the tool is being used for appropriate activities. It's not necessarily the right application for sharing large data sets, or backing up computers. It's really intended for sharing files.

Susan Gerbeth-Jones asked how accounts would be administered. Mark answered that the expectation is that all Duke people would have an account, with the possible addition of all Duke Medicine employees. The admin would designate a quota as a standard based on role or job-title with some mechanism for adding to the quota when exceptions are needed.

Sakai Update & Blackboard Decommissioning                                                                    
            - Lynne O'Brien, Ed Gomes, Shawn Miller

Shawn passed around handouts.

He started by announcing that Blackboard will be gone forever on June 30th.

He then summarized what has been going on since March 2011. We've tried everything we could think of to make all users aware of the change. This started in May 2011 with email blasts to all BB users. These decreased over time as we got pings back from accounts that are no longer active. We now have about 3500 users, down from 4500, after trimming inactive accounts.

Training and support have included:

  • 18 different types of workshops
  • 97 sessions
  • At least 400 participants
  • 66 office visit sessions where faculty drop by for consultation or discussion
  • At least 50 instances of a consultant going to an individual faculty member for consultation


We know we have about 980 faculty who are actively using Sakai. There have been about 1600 unique courses created in Sakai since last Fall. Over this time we've migrated over 28,000 Blackboard sites into Sakai. Some of the content transfers over, some doesn't. This is basically all the courses that have been created in Blackboard since 2007. This affects about 14,000 people if you include students, staff and faculty.

Last spring we had about 1300 courses that were used. Courses that have not been migrated are not necessarily a problem.


There is growth. This may be that more people are using technology. It could also be duplication as part of the transition.


Shawn showed charts of usage. Business has never used Blackboard, but is planning to use Sakai. Nursing has some good adoption. Law is coming along. A&S is still hanging out around 50-60%. We're ready for a small rush in late August and early September from people who say they had no idea this was happening.


Tracy stated that Shawn, Lynne and the team have been good about communicating this change.

Ashutosh asked what it meant to say that it is gone.

Tracy said that we will have turned the system off and certified with the vendor that it is turned off. We won't have Blackboard as a system. We have already ported over all of the data into Sakai.


Shawn also explained that we don't move over student information like assignments and grades. We only move the raw content. It also won't necessarily be in the same format when it moves to Sakai.


We have all the archive files. There is a tool called Be Free that UNC developed that can be used to crack into the data and extract other content, like discussion boards, wikis and assignments. This would require someone to do this on their own, or with assistance. We are providing some archive files to groups that have identified this need.


We have had some faculty who are upset because they thought that we would be using Blackboard to archive everything we had, forever. This is understandable since we have had it for so long. We should be better about setting expectations for Sakai. Sakai also has a different way of moving stuff from one course to the next so it may be better at handling this.


Shawn resumed by noting some upcoming things that we are looking at.

  • Focusing on changes to toolkits this Summer
  • Work on the idea of delegated access for support staff
  • Work on a way to batch create chunks of courses when we need them and then link them up to their enrollments.
  • Hopefully getting all patched up to stay in line with the rest of the Sakai community.


Ed and Shawn presented to the Jasig Sakai Conference last week. It turned out really well. We were surprised that we aren't necessarily behind. A lot of people are looking at what we did.


Shawn then opened for questions.

John Board asked if we are still content with the hosting arrangements.

Shawn answered that, given the time allowed, this was what we needed to do. Longsight, the hosting vendor, is the most highly respected of all the vendors. We feel good about having that connection. We have our issues with hosting at a distance. We have these outlined if anyone wants to look, but there are simple things, like the fact that LDAP isn't sitting right there, so there are router hops that slow things down.


Another question was raised about routine data exports in case the service has to go away for some reason. Shawn replied that it's backed up and redundant.

There was discussion about data recovery and backup plans and preservation of materials, in context.


Lynne O'Brien noted that we need to think in the long term about how we would advise people to store materials that are used on various locations.


There was agreement that instructors who have a need to keep all materials for extensive periods of time should be responsible for archiving their own material. We adopted a retention policy for Blackboard years ago. This was never technically enabled. Sakai will be able to do this. We push SISS data to Sakai. This will drop feeds that will hide content from the end user, so it will seem like we have cut that feed off.

People should be ready for retention policies to work.

Additionally, NetIDs expire, so as students graduate they will lose access.



Common Solutions Group Report                                                                     

            - John Board, Mark McCahill, Richard Biever, Evan Levine


John Board reported that the above-mentioned staff represented Duke in Iowa City at the Common Solutions Group meeting. This group is made up of very senior IT staff from about 3 dozen public and private research universities. This group assembles two or three times a year to commiserate over common problems and seek common solutions. There is also a function of leveraging the total mass of higher education to negotiate better deals such as the RFP efforts around email with Google and Microsoft.


We provided leadership positions in the two workshops in this session and we will provide leadership in two of the three in the next session. We also learn a lot from our peers in this process.


The meeting was based around two major workshops. One was around Cloud Services. The other was around Virtual Desktop Infrastructure.


Mark talked about Cloud Services.

The Cloud Services workshop was about projecting institutional infrastructure into the cloud and what that does back into the institution. We talked a lot about what the use cases are for doing Cloud. One primary reason is agility. Using it because we can get there fast is a use case. Mark presented that it's not enough to assert that someone is in the Cloud. We need to be able to push more meta information for the user into the Cloud Services. This is a weak point with all the vendors we are dealing with. We don't have a great way to push meta information. There is talk about jointly putting pressure on the vendors to provide more standard interfaces for pushing group membership and role information into these Cloud Services. It's a common problem. Shibboleth isn't enough. We are ahead of the game with our toolkits efforts.


There was a fair amount of talk about switching costs for changing Cloud app platforms. All things come to an end, so we're talking about how fast you can move your stuff. This is similar to what we were just talking about with Blackboard and Sakai.


There was also a very interesting question about cross vendor integration. If you are trying to do business intelligence, how do you do this when you have data that is sprinkled across multiple versions?


Scotty Logan from Stanford gave a good talk about how you get permission granted between applications. There was a good question raised about when you use Shibboleth and when you use OAuth.

Scotty had a great answer... Shibboleth is for authenticating people. OAuth is for granting permission between applications. We need to think about how we support OAuth.


Quote of the conference for Mark was that "vendor management is non-trivial on a non-trivial scale."


The last takeaway for Mark was around where we need common things. We need standards for how we push group information into the cloud.


Common contract terms seem like a win. This is the pitch of Net+. The notion is to come up with some common standards for how we do things and get some common contract terms. If done right, Net+ has the potential for doing some good for us. The problem at this point is that Net+ is not quite mature yet. We talked to Shel for quite a while about this. We're going to get into a "show your work" mode so that we can see what is being developed. We're not sure that we can trust the current six schools to ask the same questions we would ask.


John found it useful to be reminded about the scale of what is out there. Our data center is not really big. This is a million server data center that requires 300 megawatts of power. The scale dwarfs all of higher education. It doesn't exist yet, but it's the scale that the commercial vendors are going to. We need to look at how we can leverage this economy of scale.


Richard talked about how we can now look at what we don't need on the cloud.

What is the comfort level of moving everything to the cloud, and what needs to be backed up outside the cloud?


A committee member noted that we will have multiple sites. There are core services that we need to think about protecting.


John noted that migration processes from one cloud service to another can be painful.


There was also a short workshop around Virtual Desktop Infrastructure.

Evan was a presenter for this workshop. At first Evan wondered why we would be presenting on VDI, because he really didn't see that we've done a lot with this. But we have, relative to others.


VDI is technically really cool, but common consensus is that we may not want to jump into this full-steam. Almost everyone is concerned about whether they need to do this. All are curious about what the use cases are and whether they warrant a full enterprise system.


Health systems are the exception. They do have reasons to want to go in this direction. There is no question that health systems are going in this direction, but we're not sure that universities are.


Part of the problem is that we're talking about VDI as desktops. It's not necessarily the OS that you're after. The shift is toward applications and virtualizing access to the applications. In most cases this may not require virtualizing the OS.


There may not be ROI with VDI. It may not necessarily save money. VDI may be good for compliance or security or a specific use case.


The real question is, is there a security reason to do this? We can give a work-from-home person limited ability. There is another question regarding how well this will work on the footprint of the mobile devices that people want to use. The formal Windows desktop isn't really designed for a tablet.


There's also the old Mac VDI issue. People complained about the lack of Mac VDI. It's an Apple thing. Apple chooses not to let you.


Michael Getty's closing advice to the session was to stop thinking about how to make tablets part of our world and to start figuring out how to deliver the service to these devices. Evan said that this is what we mean when we talk about VDI. It's how do we push these services to any device.


Mark added that there's a proposal to make VCL a Net+ service. IBM is partnering with one of the universities, so maybe there should be a cloud based version of VCL.


Ashutosh adjourned at 5:11