Duke ITAC - July 30, 2015 Minutes

Duke ITAC - July 30, 2015 Minutes

ITAC
 
Meeting Minutes
 
I.      Announcements
 
Microsoft Windows 10:  The newest version of Windows has been released.  It includes a feature called Wi-Fi Sense which allows your friends and acquaintances to connect to your Wi-Fi without knowing its password or configuration information. 
 
Telephony Outage:  There was a 6-hour telephony outage on July 22nd that affected inbound calls for both the University and Duke Medicine.  The outage was due to problems in an external telephony provider’s network that routes calls to Duke.  To lessen our reliance on our external providers during outages, we will be automating a process to re-route calls for the most critical numbers, especially critical Duke Medicine numbers.  Outbound calls were not affected due in part to internal redundancy and call routing options within Duke.
 
Network Refresh:  Richard Biever gave an update on the network core refresh effort.  The refresh should be completed around the first week in August.
 
II.     Agenda Items
4:10-4:35 – Social SAML (Security Assertion Markup Language), Richard Biever, Rob Carter - (20 minute presentation, 5 minute discussion)
 
What it is:  SAML is an open-standard data format for exchanging authentication and authorization data between an identity provider and a service provider.  Social SAML translates authentication responses from popular social ID services to be consumed by Shibboleth. 
 
Why it’s relevant:  OIT has created thousands of guest accounts for parents, students, research partners, etc. to access Duke resources.  Almost all of these people have identities at one of the social/personal providers (LinkedIn, Facebook, Google, etc.).  In some circumstances, allowing the use of a social identity may be preferable to issuing a Duke identity (Parents checking student grades).  Richard and Rob will discuss how it’s being used to support initiatives in Alumni Development, Student Affairs and Duke Medicine, and what the future holds for Duke.
 
OpenID:  Currently, many unaffiliated users such as donors, alumni, collaborators and parents have been assigned NetIds for the purpose of logging into selected and authorized Duke applications.  There is a high risk and cost to maintain these NetIDs.  To reduce risk, non-Duke guests using applications like Sakai and WordPress have been invited to register using OpenID Connect (OIDC) using their Yahoo, Gmail and AOL login credentials via Duke Toolkits.  Over the past 4 years, approximately 4,179 non-Duke guest users have registered using OIDC.  
 
OneLink:  This year, Duke has been rolling out new features to the Social SAML service and rebranding it as Duke OneLink.   Previously, the Social-SAML gateway only supported OpenID providers (Google, Yahoo, and AOL).  Support has been added for OAuth2 providers (LinkedIn and Facebook) and OIDC providers (Google’s interface changed from OpenID to OIDC this year).  Users are now given the option of setting up a OneLink ID if they don’t have an OID/OIDC/OAuth2 provider.  Additional Duke applications such as Ellucian Recruiter, SISS, the Alumni Network and WebGift are or will soon be allowing social authentication via Duke OneLink.
 
Users will be invited to register via an email containing a hyperlink to OneLink.  We already have over 5,617 accounts that have been registered via OneLink bringing our total social users to over 9,796.  When the Alumni Network goes live, approximately 130k OneLink invitations will be sent to users.  Toolkits is scheduled to begin using the OneLink interface after the next upgrade.
 
Questions and Comments:
 
(Q) Emails that are sent from Toolkits to ask users to register in OpenID may get identified as Spam since there is a hyperlink in the email. How can we keep this from happening in OneLink so that the message gets to the user’s inbox?  (A) We could send an initial email without the hyperlink to alert the user to add the address to their approved address list.  (C) Copy the faculty member who is inviting the user and put the name of the faculty member in the email to make it appear more authentic.  
 
(Q) Can we let users set up accounts directly without accessing via the hyperlink?  (A) Sending the email to the address given by the user is part of the authentication process. 
 
(Q) Can we break the hyperlink?  (A) It might be confused as an active link that doesn’t work.  
 
(Q)  Is using social ID more secure or less secure than NetID accounts?  (A) Phishing attempts present a vulnerability to NetIDs and to social IDs.  However, most of the approved OAuth/OIDC providers have multi-factor authentication and the ability to monitor devices, times, and location of logins making it easier for account owners to detect malicious activity.
 
(C) Social ID offers better scalability and will allow us to federate with other universities that use Shibboleth.
 
4:35- 5:00 – International Fraud Login Notification/Self Service Tool Demo, Richard Biever, Jesse Bowling - (15 minute presentation, 10 minute discussion)
 
What it is:  Notifies Duke Faculty, staff and students when suspicious attempts to login to Duke-protected sites and networks are made.
 
Why it’s relevant: Duke’s ever-increasing Global footprint has led to more international travel by our students, faculty and staff; also affording more opportunities for hackers to acquire access to Duke networks and devices.   Richard and Jesse will discuss the evolution of identifying compromised accounts, the process used to investigate and lock the accounts, and considerations for international travelers. 
 
Multi-Factor Authentication (MFA) Update:  Over 18,000 (46%) Duke University and Duke Medicine Faculty and staff accounts have been enrolled in Multi-Factor Authentication as of the last week in July 2015.  Duke Medicine has been pushing enrollment numbers higher recently in preparation for their policy change in September requiring MFA to access some remote Duke resources.  Duke Medicine currently has 62% of its users enrolled.  
 
Device Registrations:  16,287 MFA users (includes students) have registered only one device to use for authentication and of those 1,328 have only their Duke phones registered.  Users who are not able to use their one registered device will not be able to authenticate.  There is a need to push for registering more than one device as a backup in case of service outages like phone service.  A communication in the next month or two will be sent to users with only one registered device encouraging them to register multiple devices.
 
Identifying Compromised Accounts:  Over the past 6 months, we had over 664 compromised NetIDs.  In most cases the account holders have been quickly contacted and their passwords changed, but occasionally if users can’t be contacted and the compromised account is highly problematic (such as being used to send phishing/spam), IDs may be locked by the Security Office.  Analysis of locked accounts by affiliation shows that 57% were students, 15% were Faculty and 14% were staff. 
 
The Security Office has developed a dashboard in Splunk to help identify compromised accounts.  Using an algorithm called haversine, they are able to calculate the distance between logins using longitude and latitude and calculate the speed one would have to travel between logins.  Logins with speeds greater than the threshold are flagged. The Security Office also looks at other indicators to flag logins including logins from a new geolocation or from a new network.  Activity flagged as suspicious is investigated manually.  Most suspicious activity are determined to be false positives.  Before accounts are locked, the Service Desk tries to contact the account owner.  If there is no contact after an hour, the account is locked.  Faculty and staff of locked accounts are encouraged to set up multi-factor authentication.  NetID account owners will be able to monitor their own login history using a new travel alert system that should be ready in August.  
 
Questions and Comments:
(Q)  What do we do about logins from VPNs?  More people are using private networks when traveling abroad.  When a login looks suspicious, we try to contact the owner of the account.  If it is legitimate, then it will be whitelisted.
 
(Q)  How much time is spent looking at flagged logins/accounts?  (A) The Security Office investigates approximately 50 flagged events a day.  We lock only 2 – 3 accounts per day.  Many can be investigated quickly.  We are looking at ways to partially automate the process.  
 
5:00- 5:20 – Warpwire (Secure Video Publishing), Todd Stabley (15 minute presentation, 5 minute discussion)
 
What it is:  Warpwire is an online video publishing tool intended to support the business, teaching, learning and scholarship of Duke University and Duke Medicine faculty, staff and students.  
Why it’s relevant:  Todd will discuss the history of Warpwire, provide a quick demonstration, discuss first semester transitional utilization metrics, features of the July release and major improvements planned by year end.
 
History:  In 2010, we began searching for a new video publishing tool to replace Kaltura that was easy to use, could selectively retain content and could provide secure streaming using NetID or Grouper groups.  It had to provide asset-level security so that individual clips or group of videos could be protected individually.  It also had to be hosted locally so that we could reduce our ever-increasing hosting charges that we had been incurring to store data on Kaltura servers.  Additional requirements included an LTI integration (video to Sakai course association), image support, built-in Webcam recording and single sign-on capability. 
 
Warpwire met these requirements, while being one of the lower priced options.  We’ve been using Warpwire (warpwire.duke.edu) since January 2015 and have had a good rate of adoption.  It is on target to exceed our 4 year Kaltura (retired July 1) usage based on data projections using 6.5 months of Warpwire data.  Asset-level security is being used successfully in Sakai, WordPress, SharePoint, Duke Wiki, and Spot. 
 
We are currently working to integrate Warpwire data and Tableau so that we can monitor usage on a monthly basis.   More detailed reporting can be accessed through the Warpwire user interface to analyze video specific usage.  Although current reporting in Warpwire is at a high level, we will be expanding the reporting capabilities in future releases.
 
Recent Changes:  Warpwire has recently added support for caption files, made improvements to the Share interface using NetID and Grouper groups, enabled public sharing and provided the ability to change the owner of an asset.  
 
Roadmap:  In the fall, we will be focusing on improving high latency, low bandwidth playback for enhanced global support.  Another big focus will be the ability to organize files into lessons or weeks as learning modules (tagging) and to batch metadata so that the same tag can be applied to a group of files. Sorting search results and being able to manually re-order items in a Media Library will also be looked at in the fall.  Next year we will be looking at enhancements such as multi-speed playback, custom poster frames and expanding searchable groups to include non-course groups.  
 
Questions and Comments:
 
(Q) Is there a means for feedback for video quality issues?  (A) This hasn’t been discussed but will be considered.
 
(Q)  Is there a way to determine how long someone has watched a video or how many individuals have watched a video? Can this information be accessed by Faculty?   (A) There are basic statistics and reporting capabilities available in the Warpwire UI; however, it doesn’t break it out by individual users like Panopto does.  There is a plan to enhance the reporting capabilities in Warpwire.
 
(Q)  Are there any bandwidth issues?  Is bandwidth an improvement over Kaltura?  (A) Bandwidth will be optimized based on device and platform.  Bandwidth has not been an issue.  
 
(Q) Can you add an entire school rather than just a class?  This is a future project, but we are able to set up Grouper groups.
 
(Q)  Does Box.com have a way to add classes or groups like Warpwire?  (A)  Within Toolkits, the owner of a Grouper group for a course can connect that course to other applications like Box.com.
 
(Q) Are other schools interested in Warpwire?  (A) Yes.  
 
(Q) Are there multiple copies of the same video since video optimization is tailored to the device and platform?  (A) Yes, there are 3 copies that change dynamically based on device and platform.  We are looking at adding a 4th that will have a lower bandwidth for global usage.  
 
(Q) Since there are several copies, will storage be an issue?  (A) The videos are compressed for storage so we are not expecting it to be an issue.  
 
(Q) Can videos be exported for archive?  (A) These are highly compressed videos.  Panopto provides higher resolution videos for archiving purposes.