4:00 - 4:05 p.m. - Announcements (5 minutes)

 

4:05 - 4:30 p.m. - Update on Cybersecurity Awareness Month Endeavors, Shelly Clark Epps (15 minute presentation, 10 minute discussion)

 

What it is: October is Cybersecurity Awareness Month. Director of Security Program Management, Shelly Clark Epps, will join us and provide an update on the specific issues Duke and OIT will be emphasizing this coming month.

 

Why it’s relevant: Cybersecurity Awareness Month (instituted in 2004) aims to increase understanding and awareness surrounding cybersecurity and appropriate preventative measures, promoting the use of best practices to maintain safety and security both on-campus and online.

 

Shelly Clark Epps is excited to speak to ITAC about October's Cybersecurity Month. In the past, Cybersecurity Month focused on awareness and training. This year, Cybersecurity Month is focusing on actions that the community can take to be more secure.

 

Richard Biever's team and the Health Security team put together a self-service tool so that the Duke community can take action to ensure safe computing. Communication has been sent out about the availability of this self-service website where you can see a personalized view of desired account management behaviors and their fulfillment or lack thereof.

 

Shelly demos the self-service site beginning with the multi-factor authentication overview.   

 

Shelly talks about the simulated phishing exercises that have been ongoing. Analytics show that these exercises have increased reporting and reduced time to reporting. Users can opt in to this program at the self-service site, and 15 more simulated phishes are planned for this October.

 

Another option at the self-service site is to join the Security Ambassadors' Team. A Microsoft Team has been set up and the team focuses on the real-world impact of threats and how these threats could impact Duke. This group is non-technical and focuses on security events.

 

Also accessible through the self-service site is Security Awareness Training. This training is open to the entire university in the Learning Management System (LMS). This video-based training is easy and digestible.

 

A snapshot of the user base has been taken and at the end of October, another snapshot will be taken to see if this October Security Month has effected actual behavioral changes. Shelly thought Multifactor security for all websites opt-in would already be at 50% per individual, but it is much lower. The hope is that this program will drive many people toward voluntarily increasing security.

 

There are more than 50 prizes to be given away to participants as well as 2 grand prizes and 2 books signed by Coach K.

Shelly concludes by saying the team would like to hear from ITAC about driving security culture.

 

Richard comments that this is Duke’s attempt to step up security awareness and focus on behaviors. Security awareness is gaining attention in the higher ed community and the higher ed community is now collaborating on security awareness. Stanford holds a security and privacy festival which has now become the Ivy+ Security and Privacy festival. Richard highly recommends that everyone check this out. Richard thanks Mary McKee’s team for providing tools.

 

Take the Duke Security Challenge this October: https://security.duke.edu/october

 

Q. David MacAlpine – I love the YubiKey. Can these be subsidized to reach more of the community?

 

A. Shelly asks if DukeUnlock would meet the need.

 

A. Richard – The YubiKey can act as key storage for other use cases. We can take this request back to the vendor. We have been able to negotiate discounts. This also depends on how many we need. We were waiting to see how they approach the technical changes that have been coming with the keys as we would like to standardize on a specific type and not invest in technology that may soon be obsolete.

 

A. Shelly also says that camera covers were some of the best prizes in the past. She would like feedback on prizes now as well.

 

Q. Mark Palmeri – What metrics would you like to see improved by the community behaving better?

 

A. Richard – We want to get the message out there. The hope is to engage groups that will ask us questions and that will provide us with information as well.

 

I am a fan of certain frameworks because then, we have ranges to focus on. The first 3 areas are:

Accounts

Web servers

Devices on the network

 

We will see after this month how behavior has changed with respect to MFA use. Also, we can look at sponsored accounts – how many are used vs. how many are never used. It's about the basics. Do machines have CrowdStrike? Are the machines patched? Are laptops encrypted? Who has more access than they should? These are basic hygiene measures that are so important.

 

We have seen the time to report wild phish has gone from 24 hours to 8 hours after the phishing campaign and there has been a massive reduction in the number of clicks.

 

Q. Robert Wolpert – For Outlook, there is a button to report a phish. If you don't use Outlook, there is no button. Can we forward phishing emails to the Security Office?

 

A. Richard and Shelly – Yes.

 

Q. Robert Wolpert – I am now using VPN constantly. VPN drops after inactivity and is not integrated with Duke Unlock. Is there any hope for fixing this?

 

A. Richard – On the VPN side with Unlock, probably not. We may have shib available for VPN and we may be able to extend inactivity a bit. Robert says VPN is timing out 6 times per day. Richard says that's too many and "we will check your account."

 

Q. Mark Palmeri – Can a research lab request a security audit of workstations, servers, etc.?

 

A. Shelly – Yes, either of the Security Offices can schedule a walk-through of the lab and make recommendations.

 

A. Keith Stouder – Internal Audit is happy to give a gap analysis with recommendations.

 

A. Richard – We can do this together, so it doesn’t have to be done twice. A security assessment and conversation would be beneficial.

 

Q. Mark Palmeri – There is an ongoing review of policy into how research data is being handled. This includes integrity, archiving, backup. Does the security team influence this policy? I'm wondering about best practices. For example, some are not using Duke-blessed tools. I'm wondering about how outside-of-Duke tools are being used and if the security team can offer feedback.

 

A. Richard – This is worthy of an ITAC discussion in and of itself. There needs to be a discussion of this including what needs to be done and the good practices for these tools. The how, why, what are my options are needed. ITAC would benefit from the feedback of this group as well. Logan, please put this up as an ITAC topic.

 

 

4:30 - 5:00 p.m. - Annual Adobe Licensing Renewal Process Update, Terril Lonergan, Jen Vizas (20 minutes presentation, 10 minutes discussion)

 

What it is: The deadline for renewal of Adobe product licensing is rapidly approaching, and Terril Lonergan (Software Licensing) and Jen Vizas (PACE OIT) will be joining ITAC to walk members through the current labor-intensive renewal process. They will then discuss plans for the future of software licensing, and the new tool dedicated to making the lives of those who maintain Adobe licenses easier and more efficient.

 

Why it’s relevant: The process for renewal of Adobe licenses (and additional software licenses in the future) is being updated. The soft launch of a new, much more automated approach to renewing licenses will be piloted this year, with expectations of much broader deployment in 2022.

 

Terril Lonergan begins by talking about the current landscape of licensing with Adobe and the recent 1-year renewal at the current pricing.

 

The current ordering process has been a pain point for end-users, administrative staff, the service desk, and the software licensing team. The current model has not scaled well to where we are today, with 30,000 users. The current model accepts acquisition via fund code and credit cards and requires manual oversight for departmental purchases.

 

Sean Dilda has created a new ordering tool. At present, software.duke.edu is being used but the option to use this new ordering tool should be in place in 2022, with piloting in test groups getting underway through this renewal period. Credit cards will still need to go through software.duke.edu.

 

Advantages of the new tool, Software Manager, include allowing the user to:

1. Order new software

2. View your licenses

3. View orders that you placed for yourself and others

4. Order on behalf of many users easily

 

Other features include:

1. NetID validation precludes buying an account for someone who already has access.

2. Works only with a Duke fund code.

3. When a user leaves Duke, billing stops automatically.

4. Billing is done monthly and can be canceled at any time.

5. Users can easily change ownership themselves.

 

Terril then demonstrates the simple user interface. Right now, only Adobe products and CrowdStrike are options. The tool was originally designed for CrowdStrike. A list of NetIDs can be entered for bulk ordering. There is a Validate NetIds button. The user can check current licenses and the fund code will be hit every month unless discontinued.

 

Software Manager will be utilized for 2021 bulk Adobe licensing next week. Other customers will follow. Initial testing with key units took place in September 2021. Plans are in place to add additional paid software ordering/renewals via the tool.

 

Other important dates include:

10/4 – 10/14: soft launch of Software Manager

10/13: renewal notice to all remaining users

10/13 – 10/25: primary customer renewal

 

Q. Tracy Futhey – Some who work on research projects are familiar with the idea of Research Cores as the means through which services can be approved for charging against federal grants. If you try to charge a federal fund in this case for Adobe, it won’t work. You must use another departmental fund code. We are looking into the process of gaining internal approval for charging this software against grant fund codes but are not there yet.

 

 

5:00 p.m. - 5:30 p.m. - Microsoft Teams Demo and Future Additions, Jen Vizas, Steve Gray, Matt Royal (OIT PACE) (20 minutes presentation, 10 minutes discussion)

 

What it is: Microsoft Teams is a collaborative work space offering team chat, task management, video conferencing, and a portfolio of other versatile tools available to groups of all varieties. Jen Vizas, Steve Gray, and Matt Royal of OIT's PACE team will be joining ITAC to demo the tool that has become the premier internal communication network for OIT, as well as speak on what the evolution of Teams will look like over the next several months, in order to spread awareness of its cross-departmental capabilities.

 

Why it’s relevant: With the nature of work being predominantly remote at this point in time, identifying and investing in tools and platforms that can seamlessly serve a large number of units and teams with both unique and different goals is pivotal to ensuring the quality of work and communication. With more than a year and a half of remote work under our belts, the opportunity to identify necessary evolutions and desired additions has begun to present itself.

 

Jen Vizas introduces Matt Royal and Steve Gray, who are Service Managers in PACE. Jen then provides a background for Microsoft Teams. Teams is a hub for team collaboration and a digital workplace for Microsoft 365. Teams integrates people, content, and tools that teams need to be engaged and effective. Teams combines chats (both individual and team-based), online meetings, file storage, document sharing, and application integration. Jen goes over use cases across the university. There are 26,000 Duke Teams users with a throughput of just under 1 million messages per month.

 

Jen introduces the question: “Do we open this up for collaborations external to Duke?” At present, guests can be invited to Teams video meetings and guests can be presenters. Security standards need to be mapped out.

 

Steve Gray and Matt Royal then talk about the many Teams features and benefits including:

1. persistent chats

2. rich text editing

3. tagging

4. custom alerts

5. search options

6. file sharing

7. ability to edit own chats

8. threaded chats vs. new conversations

9. channel addition and private vs public channels

10. calls and video calls with the option for closed captioning

11. document co-editing

 

Steve concludes by saying it is a good idea to have more than one owner in a Team. Matt then plays a video demoing Teams. Matt adds that a non-Duke collaborator would be required to switch personas between their Duke and other Team accounts. A non-Duke collaborator would also only be able to chat into a Team to which they were invited.

 

Jen says next steps include:

1. Reviewing technical controls and implications of opening Teams to external collaborators

2. Holding meetings with various Duke groups and Microsoft

3. Validating and documenting user experience

 

Q. Charley Kneifel – I am a member of Teams outside of Duke and the experience is not as nice as being an insider. It gets messy. For example, once you have access to a document, you can do whatever you want with it. This leads to the question of Policy vs. Operational controls.

 

Q. Steffen Bass – In terms of features, Teams is a really good tool. On the other hand, Teams' visuals are atrocious. Slack has a better visual and ergonomic layout. Why can't Microsoft do better? We do collaborate with many at other institutions so not being able to do this with Teams is a shortcoming. Slack lets you have different workspaces for different types of collaborations as well.

 

A. Shamyla Lando – I think Microsoft would be open and we should give Microsoft this feedback. Also, we can look into the cost of Slack.

 

A. David MacAlpine – We have collaborators all over the world with Slack so even though Teams is cheaper for us, we gladly pay for Slack.

 

A. Brandon Le – Echoing what's been said before: a lot of graduate/professional student groups, classes, and workspaces, in general, are on Slack. With Slack, we can also have people from outside of Duke in the same channel.

 

A. John Board – Teams pulls together a whole bunch of things. Teams is not best at one thing. Its strength is that it can do pretty much everything O.K.

 

A. David MacAlpine – It would be great if there were interoperability between Teams and Slack.

 

A. Mark Palmeri – Research data in circles outside of Duke-owned boundaries is an example of where we can run afoul of new policies.

 

A. David MacAlpine – But sharing is how we move research forward.

 

A. Mark Palmeri – Should there be Duke transfer agreements for these cases? I have Duke transfer agreements that I have to get Duke Legal to sign off on.

 

A. Steffen Bass – If every institution had to abide by policy, scientific collaborative efforts would not be able to exist. Trying to get lawyers to come up with transfer agreements is a disaster.

 

A. Shamyla Lando – The compliance officer should speak to this and on issues that have come up as these issues are complex and complicated. It is worth it to know why these policies are in place and to know how we can protect the institution.

 

A. David MacAlpine – I say outright in grant applications that all my data will be publicly available.

 

A. John Board – This is another topic for ITAC to visit in a future meeting as this topic is moving further away from Teams.

 

 

Any Time Remaining:

 

Common Solutions Group Update, John Board, Charley Kneifel, Mark McCahill

 

What it is: The Common Solutions Group (CSG) works by inviting a small set of research universities to participate regularly in meetings and project work. These universities are the CSG members; they are characterized by strategic technical vision, strong leadership, and the ability and willingness to adopt common solutions on their campuses.

 

Why it’s relevant: CSG meetings comprise leading technical and senior administrative staff from its members, and they are organized to encourage detailed, interactive discussions of strategic technical and policy issues affecting research-university IT across time. We would like to share our experiences from the most recent meeting held.

 

John Board says the Common Solutions Group met virtually a week ago in the short-form Covid format. There were 4 workshops:

 

1. Data Platforms for the Future – This workshop focused on a vision for data that would be available for university business and research alike via data lakes. This runs up against university culture where some feel like they own the data. Also, sharing data between various tools can be difficult. Finally, Globus in front of OneDrive is making OneDrive attractive to researchers.

 

2. How to Pay for Keeping Data Forever – No one has solved this problem yet. Duke never completely bought into the Cloud Kool-Aid. Charley Kneifel adds that one of the primary drivers for this topic is the Google schools who were notified that storage would not remain unlimited. Now, they are needing to look at new cost elements including how to recover costs. There was also discussion around how many cloud options are needed. The general feeling was that 1 was good. 2 was too many. 3 was the same as 2. No one is pulling back from the cloud.

 

3. Mobile Workforce – There was general agreement that high-stakes meetings should not be hybrid. John liked what UC Berkeley is doing with multi-factor authentication: if someone isn't vaccinated yet, they get an extra message they must click through every time.

 

4. Exit Strategy with Vendors – Mark McCahill says this session talked about what it means to cut the cord and what the risk factors are that indicate that the university may need to cut the cord in the future. Sometimes this occurs when vendors are acquired or go public. The goal is to have as long a runway as possible.