Duke ITAC - June 20, 2013 Minutes

ITAC Meeting Minutes

June 20, 2013, 4:00-5:30

Allen Board Room

I.        Announcements

·         The ITAC group welcomes two new stenographers: Vanessa Simmons & DeAnna Hall

·         Approval of Minutes from 9/27 & 10/11 – Status: Approved

·         DNS (Domain Name Service) Update: The legacy DNS & DHCP infrastructure (predecessor to Blue Cat) will be decommissioned on Thursday 6/27/2013

·         Health System Update:  The EPIC system is going live this weekend

·         Jeff Ferranti has been named the Chief Information Officer for the Health System, and we hope to arrange for him to attend an upcoming ITAC meeting.

II.      Agenda Items

Bookstore Student Laptop Recommendations – Angel Wingate / Clarence Morgan

Last year’s Back to School sales figures from May 1st  thru Oct 3rd indicate 312 Apple, 61 Dell, and 28 Lenovo laptops sold.  82 were picked up at Lilly Library, mostly international students.  23 out of 401 students used purchasing plans thru the Bursar’s office. 11 printers were sold.

Fall 2013 Service/Product Offerings & Changes:

1.       The addition of the HP ProBook 400 and the EliteBook Folio 9470m adds a more competitive pricing and offering strategy compared with big box stores.

2.       More accessories are available for purchase online

3.       Computer Type Offerings: Standard, Enhanced, High Performance, Mobility.  HP is only available in Standard and Mobility.

Warranty Program Changes: 

1.       Duke Computer Care Coverage is now optional and is being underwritten by Consumer Priority Service (CPS).  The warranty covers repairs up to the cost of the laptop and does not include the extended warranty.

2.       The PC extended warranty has been changed to 3 years and is consistent with the Apple line.

3.       Accidental warranty service (previously known as Devil’s Pledge) can be performed by any authorized CPS dealer – allowing students more flexibility for computer repairs while away from Duke.

4.       Accidental & extended warranty cost: $249 for machines $1000 and under, $304 for machines costing $1000 to $2000 – a total savings of $135 from 2012.  In the process of working on getting warranty cards for machines over $2000.  No price for that as of yet.

5.       The Accidental & Extended warranties are also available for personal purchases.

 

Questions

1.        What is the timetable for purchasing?/When is the offer presented to students?  A brochure was mailed to students in late May including more detail of Duke Store’s services and warranty changes.  Will sell all the way through the end of the semester.

2.       What O/S is loaded on the Windows computers?  Windows 8

Protected Research Network Update – Richard Biever

The Social Sciences Research Institute has been instrumental in the efforts to improve the Protected Research Network capabilities for the University.

The original state of the network had data stored in an ad-hoc manner with the top recommendation being to store it on a non-networked machine.  This model makes it difficult to perform collaborative research efforts.

Protected data is classified using the Data Classification Standard with Sensitive Data at the top end.

·         Sensitive Data – (Social Security Numbers, Health Information, Credit Card Numbers,) Typically regulatory requirements govern the use (and unintentional exposure) of sensitive data.  Combinations of de-identified data can also be deemed sensitive and can present challenges for protection.

Protected Research Network Version 1 was launched about a year ago.  One issue noted was the challenge of moving large amounts of data into the environment.  We also learned of the need to allow non-Duke collaborators access as well as include features like high performance computing (HPC).

An NSF Grant was developed to build a collaborative network amongst institutions to share and access protected data.  While Duke did not ultimately apply for the grant, the idea sparked conversations with the University, SSRI, RENCI and UNC.  After speaking with internal groups supporting research such as Sanford, Economics, SSRI, needs were identified to improve the technical architecture, meet and provide documented proof of compliance imperatives, and improve partnerships.

Protected Research Network Version 2:  Improve access through Virtual Desktop Infrastructure (VDI) and Remote Desktop Services (RDS) technologies.  This solution has several advantages:

1.       If a laptop is misplaced, the data is still secure and doesn’t get lost.

2.       Provides an easier way to consistently manage the Operating Systems storing the data.

A gateway would be added to proxy remote connections into the protected network environment to improve speed, accessibility, and the inclusion of multi-factor authentication.  The team also noted the need to improve how research data was moved into the environment.

Next Steps:

1.       Finish testing existing technology

2.       Update the provisioning support processes

3.       Complete compliance documentation

4.       Partner with SSRI, RENCI and UNC and take advantage of existing processes and technology. 

Questions

1.        Are there emerging standards around accomplishing a project like this and/or are we the “industry leader”?  There isn’t an official set of standards, but there are a number of schools trying to approach similar projects.  Hosted at the Institute for Quantitative Social Science at Harvard University, DATAVERSE (An open source application to publish, share, reference, extract and analyze research data[1]) is an existing model that supports the idea of gathering data, storing it and establishing access control around various views of it.  OIT is looking to partner with SSRI to create a similar framework that may be used to establish a set of standards moving forward.  The Medical Center also has similar concerns about data sensitivity, so discussions surrounding this will hopefully be shared within Duke as well.

Another component of the DATAVERSE is building access control around the data that creates a framework to establish data permissions regardless of where the data requestor is located. iRODS (integrated Rule-Oriented Data-management System) is developed and supported by the Data Intensive Cyber Environments (DICE) group of the University of North Carolina at Chapel Hill and the University of California San Diego.  It helps researchers, archivists and others manage (organize, share, protect, and preserve) large sets of computer files.[2]

2.       Is 2-factor authentication possible with other institutions/partners?  Yes, if they are in the data federation

3.       How long would it be before Duke would look at whether Enterprise applications can utilize this model?  EPIC is being delivered in this model now.  Scaling this layer of infrastructure is challenging and expensive.  Implementing technologies such as VDI is done from a management or security perspective and no expectations for cost savings should be set.

4.       How much research done at Duke requires this sort of implementation?  Is it stable, increasing or decreasing?   Research is making a steady march forward.  However, the focus should be on creating a framework to protect the data.  We are finding ourselves in a position where it appears the emphasis may be put on securing the overall framework supporting the data, not necessarily just the data itself.  Federal regulations such as FISMA (Federal Information Security Management Act of 2002) might end up encouraging this shift.  We have already run into grants that have required securing the data regardless of whether the data was sensitive or not.  Rather than implement a global solution across Duke which would be a tremendous undertaking, OIT is planning to identify a core to become the model for other areas to implement as needed.  How will we define the core?  It seems to be more a behavioral, policy and administrative challenge rather than a technical one.  In terms of network growth, we need to consider that faculty may have concerns about protecting their intellectual property and would want to take advantage of this as well.

5.       Are the federal regulators expecting this to be covered via indirect or direct costs?  Research grants do not typically allocate funds directly towards protecting data; it is usually considered overhead.  There has been a shift from funding equipment to utilization-based cost.

CSG (Common Solutions Group) Update – Tracy Futhey, John Board, Charley Kneifel

1.       The Common Solutions Group comprises about 30 private and public major research universities all focused on collaborating to address similar concerns and create common solutions for them.  The meeting was hosted by Brown University and is in the format of three longer workshops (half day) and many other shorter sessions.   

a.        Data Warehousing & Data Governance Workshop: How do we easily share institutional data (finances, academic progress, etc.) and its definition broadly to people who need it and make it impossible to access for those who do not?  One peer institution was able to pare down its list of distinct levels of data access to 14 levels.  However many exceptions were made to those levels.  The same institution had big growth in the consumption of the business intelligence piece once it became easier to map roles onto data access rights. 

                                                               i.      Question:  Did this session offer information on providing a research repository?  No.  This workshop was primarily focused on enterprise data.

b.       OAuth (Open standard authorization) & Web Services Workshop: How do we make APIs (Application Programmatic Interfaces) available for general use? 

                                                               i.      Wisconsin discussed the University as a platform, emphasizing changes in hardware and software and the need for IT staff to be prepared for more change.  Packaged solutions cannot meet all the needs for IT customers and consumers, creating demand for more programmatic interfaces.

                                                              ii.      Stanford University has examined off-the-shelf commercial solutions that present everything in an API, but elected to create their own set of interfaces which mobile and web applications can utilize to make data, information and services available.  Stanford is moving to use OAuth 2.0 for the authentication to grant service rights to access data and APIs.  The idea is to allow users to opt in, thus generating acceptance from data owners.  Part of the overall strategy is to provide a catalog service to see what’s available from the programmatic interface, with descriptions and the ability to drill into the API.  However, no one has created a universally accepted API catalog with live query capability.  One school has ~2000 web services for their enterprise systems, which they later found to be very useful in creating mobile applications.

                                                            iii.      Brown University posed the quandary:  If asking users’ permission to release data, there should be thought into how and when you ask.  There may need to be an out-of-band way to allow the users to consider and choose the access they are willing to accept.

                                                            iv.      Another idea was to use social media avenues (Facebook & LinkedIn) as authentication mechanisms in a consistent fashion, allowing access, but without the need to build sets of services to support them.

c.        MOOCs (Massive Open Online Courses) Workshop – Almost all the institutions have some involvement with MOOCs, but there are variances in motivations for establishing them.  Many private institutions cited a desire to share knowledge, the value of marketing, and becoming an innovator in educational methods.  On the other hand, many state institutions used them as a recruitment tool for their paid online course offerings.  Another variance was related to the actual and perceived cost of producing MOOCs.  Some institutions have subscribed to the idea that MOOCs must be of network broadcast quality – i.e. $100K per course.  Most of the Duke faculty have had great success in filming themselves.

d.       Future of Computer Labs Workshop: Duke has slowly been replacing public labs with multi-functional technology spaces (such as The Link).  Most peer institutions are moving down the same path.  UVA has very few traditional labs, and has drastically reduced the number of departmental labs as well.  There were some questions as to why the interest in VCL isn’t greater.  It is still viewed as a complex implementation; students who are required to use it do, but voluntary usage is minimal.  Part of Duke’s issue is the statefulness of sessions throughout the semester.  It had been limited to 12 hours.  OIT has begun providing perpetual VM sessions for students.  This service offering is ever evolving.

IVY+ Conference Update – Chris Meyer, Charley Kneifel

1.       Chris Meyer attended the Spring Administrative Systems group at Dartmouth.  Recurring themes:

a.        Cloud-based services.  Schools are in the process of implementing Workday for their HR and financial systems.  Cornell is implementing the HR module.  ServiceNow: Six Ivy+ schools are using ServiceNow as their incident and request management system.  Of the 6, most are using a 3rd party vendor for application support.

b.       Mobile Application Space – Many schools are transitioning from first generation mobile applications.  Some schools are transitioning to Modo Labs’[3] Kurogo platform, while others, including Duke, are developing basic HTML 5 functionality with native capabilities.

c.        Multi-factor authentication – The only other school venturing into this arena with Enterprise applications is Dartmouth using a fingerprint, whereas Duke is using Duo[4].

d.       OIM (Oracle Identity Management)[5]: Implementation is reportedly still a struggle for many schools, even with an implementation partner.

e.       Card Systems: No school seemed to have a one-card solution.  In fact, one had 20 different card systems.

f.         Coursera[6]: Many schools are looking into this

2.       Charley Kneifel:  There was discussion about MOOCs, authentication, email services, and questions regarding Duke’s Office 365 implementation.

a.        Duke has been comparatively stable in IT leadership and school leadership compared with other schools and has benefitted as such.

b.       Many schools are experiencing or have experienced the same issues as Duke with a higher percentage focused on virtualization, where it can be done. 

c.        There is a lot of interest in sharing infrastructure globally, along with collaborative Disaster Recovery strategies.

[1] http://thedata.org/book/about-project

[2] https://www.irods.org/index.php/What_is_iRODS%3F

[3] https://www.modolabs.com/about

[5] http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index.html

[6] https://www.coursera.org/