Duke ITAC - May 3, 2018 Minutes
ITAC Meeting Minutes – May 3, 2018
4:00 - 4:30 – Special Guest: Dr. Tallman Trask III
What it is: Each year ITAC has the opportunity to hear from selected senior leaders. The executive vice president will answer questions and share his perspective as it relates to technology and other topics.
Why it’s relevant: As Duke’s chief business and financial officer, Dr. Trask is responsible for the management of all financial and administrative services of the University – including information technology. ITAC members are invited to pose questions.
Dr. Trask opened his remarks by saying he’s happy to visit this group at least once a year, as he has done for the last 23 years, and that he does not have a specific agenda for today other than sharing his views on the following topics, prompted by questions and comments from the audience:
- Parking systems have improved over the years and especially now with cameras in every deck, supported by technology.
- The vision of Duke’s new president for distance learning and lifetime connections with the university raises the need to fund technology and to better engage alumni over a longer period of time. The view is that technology will be a driving force in this equation and will continue to be funded, as it’s already a part of the provost’s budget.
- Most Ivy+ schools are using cloud systems, whereas Duke relies strongly on the technology and support of on-prem systems and appreciates the local control of having critical systems up and running in a timely manner if and when there is a disaster. Also, Duke has consolidated procurement systems, using the same technology for the University and 3 hospitals and replacing systems one at a time over a period of 5 years to manage costs efficiently.
- There have been some complaints regarding outdoor Wi-Fi signals being weak in certain areas of the campus and it would be appropriate to install technology in a way that does not mar the architecture.
- The massive enrollment growth in science and technology courses has posed challenges for faculty with large classes.
- There are several technology alliances underway including a Microsoft branch in Durham that will be announced soon.
- Downtown Durham is continuing to expand and will soon have no space left.
4:30 - 4:35 – Announcements
No meeting on May 17th 2018.
4:35 - 5:00 – Consent Attribute Release Updates, Mary McKee
What it is: Consent-informed Attribute Release (CAR) is an open-source system being developed at Duke to manage decisions (both institutional and individual) about how personal data may be shared with sites and services.
Why it’s relevant: Today, administrative agreements define who can receive personal information about members of a university community, and under what circumstances – including user action. CAR offers a way to make these agreements more transparent to end users, helping them better manage their privacy and express preferences about how their information is used.
An attribute is an element of personal data about an individual, such as a name, email address, or date of birth. The release of an attribute is when a resource holder shares attributes with another party or system, e.g. SISS providing student data to e-learning tools, IdM (Identity Management) at OIT authenticating users on behalf of a service (such as DukeHub), or HR providing home address information to invite staff to service award events.
Attribute release is an old practice, but the game is changing in terms of how to share personal information and the kinds and scale of attributes that are released.
The user population of students, faculty, and staff has changed to include affiliates, student applicants, alumni, clinical trial participants, volunteers, donors, research partners, etc. The infrastructure has also changed: attributes once sourced from LDAP are now sourced from LDAP (3 instances), Active Directory (2 instances), APIs (several), Grouper (>1 million groups), scheduled file feeds (54), and alternate AuthN mechanisms, each with its own policy mechanism controlled by ACIs. Policy concerns regarding institutional interest, FERPA, HIPAA, etc. have also expanded to include University policy, Duke Health policy, COPA, EU GDPR, NIST 800-63, and population-based policy conflicts.
The scale is changing too: supporting innovation means supporting a lot of infrastructure and a lot of information. Some quick stats from Identity Management, which is hardly the only attribute source on campus:
- Applications registered with Shibboleth Identity Provider (IdP): 3,213
- Applications registered with IdP via InCommon: 5,542
- Attribute release policies in IdP: 2,027 (comprising 7,116 attribute and service agreements)
- Active Grouper memberships: 23,606,984
- People in LDAP: 788,762
- Queries against LDAP in the hour prior to this slide’s creation: 819,573 (~228/second, far from peak)
- Shibboleth authentications in the hour prior to this slide’s creation: 12,449
Since these policies don’t age well, CAR can help by establishing a common language and providing a centralized system for tracking, reporting, and regulating institutional personal data; the providers or receivers of that data; and the attributes approved for transmission from provider to receiver, including the basis for the decision and/or need and the populations in or out of scope. It can also record whether to involve the user by means of transparency or consent, apply ordered rules when policies overlap or conflict, and automate rule application to enforce consistency.
CAR is a policy decision point and not a policy enforcement point. Codifying policy means the Shibboleth IdP will delegate “attribute filtering” to CAR, policy logic will be replicated in the Scheduled Feeds system, and discrepancies between system authorization models will be reflected into and analyzed in CAR. It will also eliminate replication of effort and “best guess” audit activities, and give end users the option to choose.
The following CAR end-user interfaces are underway:
- Intercept (or Inline) Interface - What a user might see when they are present to be asked for consent. However, not all attribute release happens when the user is present to ask.
- Privacy Manager - A self-service tool for users to review policies (institutional and personal) about how their personal information may be used. The options are Permit, Deny, or Ask me.
- Admin interfaces - Dashboard: usage, statistics, activity, and trends
- Resource Holders - Who is providing information? Whom are they providing it to? What information do they have to provide? What languages does this system support?
- Relying Parties - Who is receiving information? What are they allowed to see? Under which circumstances?
- System Settings - Configuration, branding, assets, feature activation and deactivation
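As an added illustration (not CAR's code and not part of the presentation), the split between a decision point and an enforcement point, together with the Permit / Deny / Ask me choices, can be sketched as below. The rule shape, first-match ordering, default deny, the deny-when-absent fallback, and all names and sample values are assumptions.

```python
from dataclasses import dataclass

PERMIT, DENY, ASK = "permit", "deny", "ask"
USER_CHOICE = "user_choice"  # hypothetical effect: institution defers to the individual

@dataclass(frozen=True)
class Rule:                   # hypothetical rule shape, not CAR's schema
    relying_party: str        # "*" matches any relying party
    attribute: str            # "*" matches any attribute
    effect: str               # PERMIT, DENY or USER_CHOICE

def decide(rules, user_prefs, relying_party, attributes, user_present):
    """Decision point: return {attribute: decision}; releases nothing itself."""
    decisions = {}
    for attr in attributes:
        effect = DENY                      # assumption: no matching rule means deny
        for rule in rules:                 # assumption: ordered, first match wins
            if (rule.relying_party in ("*", relying_party)
                    and rule.attribute in ("*", attr)):
                effect = rule.effect
                break
        if effect == USER_CHOICE:
            effect = user_prefs.get((relying_party, attr), ASK)
            if effect == ASK and not user_present:
                effect = DENY              # assumption: nobody to prompt, so withhold
        decisions[attr] = effect
    return decisions

def enforce(decisions, values):
    """Enforcement point (e.g. an IdP attribute filter): pass only permitted values."""
    return {a: v for a, v in values.items() if decisions.get(a) == PERMIT}

# Constructed sample data
RP = "lms.example.edu"
RULES = [
    Rule(RP, "dateOfBirth", DENY),
    Rule(RP, "mail", PERMIT),
    Rule("*", "dateOfBirth", USER_CHOICE),   # shadowed for RP by the first rule
    Rule("*", "displayName", USER_CHOICE),
    Rule("*", "homeAddress", USER_CHOICE),
]
PREFS = {(RP, "displayName"): PERMIT}        # no stored choice for homeAddress
VALUES = {"mail": "jdoe@example.edu", "displayName": "J. Doe",
          "dateOfBirth": "1990-01-01", "homeAddress": "1 Example St"}

if __name__ == "__main__":
    for present in (True, False):            # interactive login vs. scheduled feed
        d = decide(RULES, PREFS, RP, VALUES, present)
        print(present, d, enforce(d, VALUES))
```

An "ask" decision is never released by `enforce`; in the interactive case it is the signal for the intercept interface to prompt the user.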
The next steps for Duke are to weave CAR into IdM infrastructure (underway), starting with attribute filtering in the IdP. Even without transparency or consent, we can create this abstraction layer now.
In conclusion, IdM is looking to leadership for feedback on approved bases for attribute release, to review existing policies and record these bases into back-end systems, along with other recipient information, such as privacy policies, icons, etc. A CAR pilot with transparency and one context is being developed, and usability testing shows comfort and familiarity with authentication-based consent prompts.
CAR has been developed under a number of funding sources, including a National Strategy for Trusted Identities in Cyberspace grant from the U.S. National Institute of Standards and Technology. Infrastructure and interfaces are being implemented here at Duke (lead developer: Rob Carter, with a lot of usability work from the Creative + UX team at OIT) in conjunction with Ken Klingenstein, director of middleware at Internet2, and architect Marlena Erdos (of SAML fame).
To learn more, visit the following sites:
Q1: Have you talked with Jeff Chase about his SAFE (Secure Authorization Federated Environments)?
A: Yes, Rob has and found common themes.
Q2: What triggers the consent?
A: Using the self-service tool for the first time.
Q3: Can your suggestion box be indexed from the OIT main page so we can find it?
A: Yes, it’s in the pilot phase as of now.
Comment: Article 30 of the GDPR explains CAR in detail.
5:00 - 5:20 – DukeHub/Sakai Grade Integration, John Campbell
What it is: This presentation will highlight the new process that allows faculty to transfer their final calculated grades in Sakai to the DukeHub grade roster. John will highlight the issues encountered, report on current successes, and discuss future challenges with the interface.
Why it’s relevant: Integrating these two systems creates new efficiencies for faculty through the ability to transfer grades from Sakai to DukeHub. We will discuss the effects of this process improvement, as well as how Duke can continue to enhance it moving forward.
John explained that the back end for Sakai is PeopleSoft and that the Hub was redesigned to accommodate the Sakai interface. However, in Sakai you can have multiple sites, which poses a challenge for hooking the sites together and moving the data between them. Faculty with gradebook sites on Sakai were given handy instructions on how to transfer their grades to the DukeHub grade roster. There were several cases where grades from Sakai did not transfer correctly to DukeHub because of error handling in the Sakai interface due to several default schemes. Also, on the Sakai site you can add students to your class who are not on the roster. One of the issues was due to a load balancer making double calls to the server. The grade A defaulted to 95, and faculty did not realize that they were supposed to change the grading scheme before submitting. So far this process only works for final grades, and the next step is to implement it for mid-terms next semester.
In conclusion, the faculty had several positive comments and the errors encountered were quick to fix.
Q1: Are there examples of cross-lists?
A: Yes, you only need to select the Sakai ID for one cross-listed section and the others will fill in.
Q2: The grading scheme does not accept decimal points so how do you round up 93.75 to 94?
A: This will be addressed before the next rollout.
Comment: Maybe there can be a reminder asking “Is this the grading scheme you want to use?” before submitting the grades.
5:20 - 5:30 – TechExpo 2018, Carol Reaves, Kyle Skrinak
What it is: TechExpo is a one-day conference of Duke IT people, by Duke IT people and for Duke IT people. Carol and Kyle will provide a recap of this year’s 11th annual event.
Why it’s relevant: Duke IT staff gather each year to share expertise, learn about the amazing contributions of IT at Duke, enhance skills, and connect with friends and colleagues across the university and health system.
Duke’s 11th TechExpo, held Friday, April 13, 2018 and aptly themed "Confront Your Fears," was a huge success. The following are some of the noteworthy recollections:
- 686 registrants, 555 attendees
- 389 “Prize wheel” contestants, prizes found at vendor tables (370 in 2017, 313 in 2016)
- 32 Duke Sessions, 7 Vendor Sessions
- 9 Posters and tables
- 1 photo booth
- 33 Vendors
- 3 parking lots with one continuous shuttle
- One stationary, one mobile prize “wheel.”
- 24 vendors in 2017; 33 vendor tables in 2018
- 3 vendor presentations in 2017, 7 in 2018
- Income: 2017: $14,550, 2018: $27,000
- OIT offset all CVent costs, cutting $4,000 from budget
The committee was tasked with no cost increases in 2018 but since WDI (Washington Duke Inn) and parking costs had increased, the easiest way to offset costs was to increase vendor pricing and participation.
New for 2018
- Committee changes
- New committee: CVent
- Logistics and Vendor committees split into two groups
- Informal agreement that co-chairs commit to a two-year, alternating term, to help with continuity
- Kyle Skrinak stepping down, Jack D’Ardenne to represent DU side
- WDI allowed use of the terrace tent for the day
- Keynote speaker was excellent and received great feedback
- Event preparation and balancing volunteer effort with regular responsibilities is a challenge
- Parking and Shuttle coordination was excellent
- Event communications were great
In conclusion, the annual TechExpo will continue to be a well-received show for the Duke community.