Duke ITAC - March 28, 2019 Minutes
ITAC meeting Thursday, March 28, 2019
4:00 PM Technology Engagement Center
Note: ITAC meetings are digitally recorded for meeting minute generation; audio files for each topic are posted to an authentication-protected repository available on request to any ITAC member. Presenters are welcome to request to have their audio program excluded from the repository.
All times below include presentation and discussion time.
Agenda – March 28, 2019
4:00 – 4:05 – Announcements (5 minutes)
The minutes from September 27 were approved.
There is an issue with the DukeCard mobile credential app affecting those who have upgraded to the new iOS version. You need to disable Express Mode and then enable it. There is a guide on the DukeCard site. An outage was posted which is now closed. Apple is hoping to release an update that will fix this.
OIT is going through an update for the Virtual Private Network, VPN. Our eventual goal is to have the login screen be the Shibboleth screen. In order for this to happen, we'll be updating the AnyConnect clients with integration happening soon after. Anyone who is an OpenConnect user is being contacted directly.
4:05 – 4:35 – Beyond Passwords, Richard Biever, Mary McKee, Shilen Patel (20 minutes presentation, 10 minutes discussion)
What it is: Authentication mechanisms encompass a variety of options – from what you know (passwords), to what you have (your phone), to what you are (biometrics). We will be presenting on the next generation of options that could lead to replacing passwords as an authentication mechanism and how this will benefit Duke.
Why it’s relevant: As the future of authentication shifts away from the password, Duke is considering alternatives that would affect how you interact with technology every day. We will demo how moving beyond the standard password would improve security, as well as gather input on how to make this process easier for the average user.
WebAuthn is a new web standard that offers users new ways to perform web and device-based authentication. Duke is working on approaches that may incorporate WebAuthn for future use.
4:35 – 4:55 – Duke Athletics Tickets/Apple Wallet, Laurie Hyland (10 minutes presentation, 10 minutes discussion)
What it is: Duke Athletics is exploring the use of digital tickets to access Duke sporting events. Laurie will walk us through the process, including the different ticketing options and how to redeem them, and lead a discussion of next steps for the program.
Why it’s relevant: The use of digital ticketing is another example of how mobile technology can be applied in inventive ways to increase convenience and efficiency across campus.
Duke Athletics is testing out a new ticket delivery system. The current system is expensive, from the thermal printers to the paper stock used to print the ticket books. In the new system, the customer purchases a digital ticket which is delivered to an email account and which is also available on the goduke.com website as part of the purchase history. The email includes directions on how to add the ticket to the Apple wallet (this does not interfere with the DukeCard system which is using a different mechanism). The ticket can be printed on paper or it can remain in a digital format. The ticket contains a barcode that is scanned during admission to the event. Once the barcode has been scanned, it is no longer operational and cannot be scanned again.
Those who have added the ticket to the Apple wallet will receive a notification on the device screen a few hours before the event. At the time of the event, only the barcode is scanned (NFC is not being used at this time). If the customer submits the ticket to an exchange program, a different barcode is generated for the new ticket holder (the original barcode is no longer usable).
The purchase process is tracked in the user’s account at goduke.com, which includes a purchase history. This system works on both Apple and Android devices. It is necessary to swipe and scan for each ticket which is not ideal. We are researching alternatives, but it is practically no different than having multiple tickets.
We began testing at the women's basketball games, starting with groups of 20 staff members and expanding to 150. These tests were successful and we are hoping to use the new system for lacrosse games, and then possibly football. We also think the new system would be a great mechanism for Duke employee tickets to the complimentary football game. Currently, employees must come to the office to collect the tickets. Sending the tickets to the employees would be easier for both employees and the ticket office.
Q: Do I have to print out my ticket for scanning?
A: No. You can print it, but that is not necessary. Your device can hold the image of the barcode. At a minimum, you can go to goduke.com, log in to your account, and show your ticket.
Q: If I buy more than one ticket, are all of them on my phone?
A: If you bought them with your account, yes. You scroll to show the different tickets, just like if you are checking in to a flight with multiple people and boarding passes on one phone.
Q: Can you assign these to someone else?
A: You can but it is not as easy. There is a mechanism in the Apple wallet to send the ticket to someone else and there are other low-tech alternatives.
Q: We did see issues with graduate student tickets and the general public tickets looking very similar. Will this system provide a better way to distinguish between them?
A: We are looking at making a distinction between graduate students, students, and regular ticket holders. We will probably continue using specific entrances to preserve the crowd flow. We know that this is an issue.
Q: Do students have to get their tickets from goduke.com?
A: The student method has not changed. Admission is still by DukeCard, but we are looking at other options.
Q: Is this just for season tickets or for any ticket?
A: This would be for all events where we are using this system. "Walk up" customers get a printed ticket. But tickets purchased in advance will be sent to the email address associated with the account.
Q: Other entities at Duke that card for admission use tickets. Are they using a different system?
A: It is a different system. They would need to switch vendors.
4:55 – 5:20 – Security Topics: Box, Web Security, and Remote Access, Richard Biever (15 minutes presentation, 10 minutes discussion)
What it is: As reported in the news, links generated in Box and shared publicly are discoverable via software released by security researchers. We will cover what this means for Duke, as well as review options to address the issue. Second, we will present on progress made in the web security space and ask for input on two new initiatives concerning web certificates and domain registration. We will end with a discussion on open remote access protocols (RDP, SSH and VNC) and discuss the risk to Duke, as well as solicit feedback on options to address the risk.
Why it’s relevant: These three topics are particularly timely, and the security office invites ITAC’s feedback on how to best address these challenges. We will review use cases and possible approaches to each issue, as we discuss ways to balance security requirements with the needs of Duke users.
We are reviewing potential setting changes to Box on how links are shared. Additionally, a centrally supported service for purchasing third-party domains will soon be available.
5:20 – 5:30 – IT Service Outage Alerts, Vernon Thornton (5 minutes presentation, 5 minutes discussion)
What it is: OIT uses a vendor-hosted service, StatusPage, to post and communicate IT service outages and scheduled maintenance windows. Vern will review the service and discuss plans for growth and expansion.
Why it’s relevant: Students, faculty, and staff rely on technology for all aspects of academic life, so communication about service outages and issues is key.
The StatusPage service is a completely vendor-hosted tool that we use to post alerts. This allows us to update subscribers regardless of the state of Duke's IT infrastructure. Alerts can be posted using multiple methods including a mobile device. StatusPage allows users to subscribe to all alerts or to specific categories or particular services, meaning the user can control notifications. There are multiple notification methods with email being the most popular, but there are also SMS notifications and Twitter updates from the OIT account.
In a typical month, there are about 10 incidents and 20 planned maintenance notifications, the latter usually coming through our OIT change management system. Over the two-and-a-half years we have been using StatusPage, there has been an increase in subscribers but that has leveled off. There are currently 845 email addresses which are subscribed but this figure is misleading. Some email addresses may belong to mailing lists with multiple subscribers so there could be a much larger audience. Conversely, an individual may use multiple email addresses to subscribe, especially using a non-Duke email address so notifications can continue if there is an issue with the Duke email system. We have upwards of 60 individuals who have signed up for SMS notifications. There are 408 subscribers who are following all services and getting all alerts.
Within the status page, the individual listings of applications are referred to as "components", which allows us to target communication to the subscribers. We have 83 different applications and services with the Security and Phishing alerts being most popular.
Our goal in the near future is to work with OIT communications to increase awareness and subscribers during the summer and fall. We hope to reach out to new hires as well as the incoming freshman class. We are performing a review of our IT application services list and we hope to identify those that should be added to the status page. For services or applications that are not listed individually, we include maintenance and outages in the category of "other".
We have had requests from departments to post alerts for local services. This presents a particular challenge because only OIT services are listed making it difficult to reach the users who need to be notified. In these situations, we determined it was best not to post the alert. That said, there may be some alternatives available and we would be happy to work with departments with this need.
Q: Do you have some way of making sure that local IT staff are getting all alerts?
A: We haven’t done that type of review.
This is also typically handled by the manager of the IT staff, including making new employees aware of this service. IT staff may also be part of a mailing list that is subscribed, and which is updated outside of the status tool to include new members of the department. We would encourage you to make your local IT aware of status.oit.duke.edu.
Some of the same data is accessible on the OIT website. A lot of my colleagues go there to get information without subscribing.
That is correct. There is a widget in the top right corner of the main page that takes you to status.oit.duke.edu.
The IT status changes from green to yellow to red depending on the state of services. It also reports on the number of maintenances that are scheduled. Click the links to see more detailed information.
I did find the interface difficult to use when I wanted to modify my settings. It was easy once I figured it out. It was necessary to enter my email address as if I was a new subscriber. Then I could make changes.
I receive a lot of my updates in Twitter by following the OIT account. It would be good if there was more information in these tweets. You sometimes have to click the link embedded in the tweet to find out what is happening.
We can take this information back and consider Twitter as we write these updates.