CSG Spring 2014 – Cloud campfire stories, continued

Mark McCahill – Duke

Blackboard to Sakai – wanted to override Sakai’s group management with Grouper to keep Sakai from turning into a de-facto IDM system. Needed a development partner and a hosting partner. Two vendors joined forces – Unicon and Longsight. Doubling the testing does not double the fun. Business school wanted an even newer version of Sakai, so decided to run their own on premise. Started to see failure of course roster display for large courses. Errors in log that LDAP server was not responding. Server was up, but LDAP timeout was set too low for remote LDAP. 

Internet ate the course list! Course list communicated as automated batch upload from Duke’s student system. Turns out that the network was screwing up the file transfer – was hard to debug. Apps should be careful to check input data. 

Office 365 – After HIPAA BAA issues were negotiated, wanted to move Med Center and University. It was hard to explain the complex University setup to Microsoft. MS has improved support planned for “mergers and acquisitions”. You need Microsoft to code Forefront Identity Manager to glue things together. MS throttles migration traffic. Silent (and inconsistent) failure modes mean that you copy the mailbox, then check very carefully that everything made it. Failure modes change over time as new releases slosh through the cloud. 

For users, waves of user-visible upgrades wash through the cloud at seemingly unpredictable intervals. Your service desk has to deal with the fact that different users are on different versions. O365 IMAP was slow for Pine. Duke faculty member reported that to the Pine developer (Eduardo Chappa) who fixed the code. 

Cisco Cloud Connect – Cisco’s Cloud services IDM strategy. Syncs attributes from your AD into the cloud. You can select which OUs to sync, but have to do it from a chooser list. But it takes about 20 minutes to populate that list at Duke. Cisco changed to use email address for the identity, and tries to deduce institution from the address. 

Box: Duke has a Box agreement with a BAA. Medical people want tighter controls on accounts, but it has one set of enterprise controls. The REST API might offer a workaround, but the calls are slow, so a single threaded folder traversal is way too slow. Used Node.js script with non-blocking I/O allows too many concurrent REST calls, until Box throttles it. Will Box allow enough connections? Stay tuned. Maybe look at Box Events API.

Interesting thing now – how can we move arbitrary workloads from on-prem to cloud utiliities? Look at Docker.io – lightweight virtualization, no AWS lock-in, open source framework, gaining significant momentum in the DevOps world. 

Tom Lewis – Washington

Office 365 – Started three years ago – wanted to move live@edu users to O365 and then open to campus. Timeline was July-November 2011. Asked Microsoft for a test tenant – they didn’t understand why one was needed. September-October 2011 – Uh-oh. Dogfood tenant finally provisioned by Microsoft. Not a true Edu tenant or XL size. November-December 2011 – Eyes opening widely. Deep dive with Microsoft on O365 and US environment. Contracted with Premier Deployment team – more discovery on how bad the migration for Live@edu would be. Microsoft’s support for O365 was poor. Came up with Strawman for migration. January-February 2012 – Holding. Couldn’t get right tenant. UW Medicine wanted to move to O365. March – May 2012 – More holding. Decided to freeze live@edu tenant (with change of domain name) and create new O365 tenant. Problems with DirSync, problems with FIM. Lots of false steps. June-August 2012 – More holding. Contract should be ready to go by July 1st. Another strawman for migration finalized. Septemebr-December 2012 – 1 of many stages of grief. Microsoft switched contract. Major outage of live@edu. Finally got right contract signed in November. Talks with Microsoft to confirm proper support for O365. January-April 2013 – Grief dminishes. Scrapped Wave 14 and go to Wave 15. Microsfot provisions WAVE 15 tenants. May-August 2013- Change of direction. Started with migrating live@edu users and opening open access. Moved local Exchange users from phase 2 to phase 1. Migrating local Exchange to online Exchange was problematic. Spun up SkyDrive Pro and Lync Online. September – December 2013 – Progress finally. Contract with Cloudbearing to migrate live@edu. January 2014 – April 2014 – Migrating mass amounts of users. Exchange online seems to work well, OneDrive works well, Lync works well for Windows users, not so much for Macs. 

Lessons learned – Microsoft O365 technologies and support are not mature, so continued engagement required. O365 Teams still working at cross purposes. Many things are not so enterprise with licensing and otherwise. They will often release things to your tenant that will enable things that bust your HIPAA compliance. Verify and then trust with Microsoft and their partners. NET+ helps. 

Campus Change Management – Email costs will not diminish for a while (if ever). Communicate the timelines, communicate the details – lots of community meetings, public product backlog, talk up the value. Work closely in pilot mode with department IT, early adopters. Pilot early pilot for looooong time. Creat a public and open communication channel

Policy Implications – Account lifecycle management is a beast in the cloud. WHen to deprovision? Whither Alumni? Employee separation process is messy. Public product backlog. Prepare for lots of discussion on e-discovery. Engage early and often with your counsel. 

Alan Crosswell – Columbia

Big HIPAA settlement from data breach. Had previously worked on consolidating data classification and security policies, harmonizing across research, medical, education. Using Code Green for digital loss prevention. Have not turned on Google Drive for fears about sharing the wrong kinds of data. Piloting CloudLock for DLP on Google Drive. Also looked at CipherCloud, but didn’t biy.

DLP Challenges & benefits – Per user costs (about $9/user/year), added 1 FTE DLP admin, delayed roll out of Google Drive, had to increase CloudLock scanning to 3x daily to staisfy OGC, need to inform faculty tha ttheir stuff is being scanned, evidence that they are avoiding potential disclosures. 

Bob Carrozoni – Cornell

Cloud feels like the new normal, but there’s a lot more to figure out.

Seeing a lot of crowd-sourcing – piloting TopCoder. Crowd = Skilled staff as a Service. Metered payment, scalable, elastic.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: