CSG Fall 2014 – CRM workshop

Lisa (Georgetown) – The connected campus. Universities need to create 1:1 experiences, personalized to them. So do faculty and alumni. Students expect universities to know them. Do you know I’m on campus? We have data but it’s siloed. How do we reuse data in different contexts? What is the likelihood of student x with professor y for a course giving back to the university as an alum? Unifying data is what they’re trying to do so they can leverage it.

Salesforce can unify and connect data across the student lifecycle. Right now Salesforce does not do all the functions needed for advancement, but they are partnering with Blackbaud to build that out.

Connected campus: use cases – how do we use data to make better decisions, connect with people.

Am I getting what I am paying for? Getting that question a lot. What is the ROI? Where is that data coming from? Advancement saw that they were missing data that others had that they could use for their work.

Challenges and Opportunities: Central IT can be the aggregator and integrator to achieve a unified data model. Leading and lifting CRM up out of localized, point solutions into an enterprise model: enabling school specific branding and innovation; breaking down the silos. Strategic timing – leveraging innovation in schools without getting out of synch; funding the next significant application domain.

Build heat map of where Salesforce is being used on campus, connecting the dots. Funding is a challenge, trying to create momentum.

Pressuring Salesforce to make their pricing a better fit for higher ed.

Data challenges at Georgetown – data slipping through the cracks. E.g. communication preferences, first year roommate, course collaborations, # of visits to advisor, challenges, even attendance, survey data, study habits, favorite faculty, personal wellness, engagement with faculty, current interests, etc. There’s some discussion in the room about whether the use of data collected in transactional settings for other purposes is appropriate or not. Existing data policies are inadequate for expressing the contexts in which data can be combined and reused. There’s a huge “black market” in data already happening among campus units.

Salesforce@Georgetown – Goal is to seamlessly integrate data environments into one experience. Data collected from departmental spreadsheets and forms, departmental solutions, enterprise reporting, and two way flows to enterprise business applications. Moved a lot of ColdFusion solutions into force.com.

One of the differentiators for Salesforce is a very intuitive UI for people working with the data. Takes away the need to pull data into Excel and do pivot tables, etc. Salesforce has granular security models.

Why use a CRM rather than dashboard reporting from the Data Warehouse? The data warehouse aggregated the four primary data sources into one place. There’s a difference between enterprise reporting and Salesforce daily and transactional reporting. Salesforce not good at longitudinal reporting. Dashboards and enterprise reporting answer larger and longer-based questions, but schools are using Salesforce to deal with current questions and problems – how is the response to this event?

Need to create some data rulesets before customizing objects and processes. GU hopes to be able to put a high level set of standards about that.

Bob Carozzoni – Cornell: Re-positioning enterprise IT’s role in CRM

Not doing typical enterprise IT model of owning the vendor relationship and acting as a reseller. Acting on the side as an advisor. The space is too fluid to take ownership. Consultant recommended consolidation of CRM tools, but CRM project closed without campus agreement on consolidation. Cloud activity allowing consumers to go directly to companies, and in activities like CRM there’s nothing forcing people to work together. What can IT add to CRM? With ERP the drive is to spend less, because it’s not differentiating. CRM is part of how you differentiate your brand and build business value, so it might make sense to spend more.  Do business leaders have a strategy? Does IT? It’s not just higher ed – most social and CRM activities in companies are not being led by IT.

Taking a soft organic approach which got campus talking to IT. Gentle engagements – contracts, distributed free MS Dynamics licenses, interviewed units and published results. Doing facilitation getting units to talk to each other – organized a Salesforce user group, but IT doesn’t lead it. Shine spotlight on campus leaders. Encouraged PaaS for CRM instead of just point solutions.

Enterprise IT funded a small architecture assessment to create some guidance documentation.

Shel – the current trend is the growth of small applets that get bolted on to cloud platforms as micro applications. In the future the lock-in may be to the bolt-ons more than the core application.

Andy Newman – Yale: Value proposition of Salesforce & Force.com at Yale

Problem: had a large number of one-off applications with enterprise data. Had two ways to address it – provide a lightweight environment at low cost (e.g. FileMaker), which requires local knowledge and degrades over time; or sit down with BAs and build a custom app, which is time consuming, expensive, and hard to iterate.

Looked at using Salesforce for rapid development of inexpensive customized apps. Performance, reliability, availability are someone else’s problem. Zero capital footprint.

Early explorations – totally custom small footprint app; tailored sales/service (CRM-ish) business need. The rise of the “citizen developer”.

Should optimizing subscription costs unduly influence application design and architecture?

Are we ok with “citizen data architects”? with institutional data?

About a year ago started to get serious. Hired Bluewolf to help mature environment. Recommendations for “Org” structure. IT wrote recommendations for development platforms (use the technology that the anchor product uses or use the technology that the anchor product recommends… so with Workday that would be ???). Decided that force.com would be the development environment for Workday.

Analysis – Examining three models – Pure configuration of service desk or CRM app; greenfield force.com application; hybrid model – professional engineer partners with citizen developer. Need case studies for hybrid model.

What’s the role of central IT? Traditionally business data stewards partner with IT in standing up technical access to data – there might be an analogous process in Salesforce with a common core org with institutional data to feed to satellite orgs. Each satellite supports applications common to a constituent group.

What about Workday? Is force.com ultimately the extension platform for Workday? Workday’s vision is the cloud dominated by Workday for ERP, Salesforce for CRM, ServiceNow, and Google, Microsoft, etc., with APIs for interop.

Georgetown – Beyond CRM: Platform VS application

Salesforce – not your grandmother’s CRM – engagement platform beyond traditional CRM: integrates and collects data at multiple touch points not just one transactional domain; engages the target and expanded functionality to them – mobile collaborative and cool; goes beyond CRM with workflow/triggers/reporting/DB.

Force.com – build bridge apps to stay aligned with ERP roadmaps: Workday – tuition benefits example (intent not to keep forever once workday makes functionality available); Address the “gap” and reduce proliferation of point solutions apps: student housing selection (future); Difference in experience is not just in reducing length and complexity, but UI and reporting were right through reuse of standard UI dashboards and objects. Emergent database/workflow/reporting needs; reduce security risks via visibility.

App Exchange – community and commercial market place; broad range of app capabilities, plug and play; speed to launch, easy integration, scalable. Is this the new direction for innovation and cohesive services? Admissions apps would be a natural to develop in Salesforce.

Imagine a triangle with Identity and data management at one point, CRM at another, and enterprise data warehouse and reporting at the other. There’s a disconnect with the organic growth of Salesforce and how the connections to enterprise data are managed.


CSG Fall 2014 – IT’s Role in Supporting Evolving Teaching and Learning Landscapes

We’re at Cornell University for the Fall CSG meeting. The morning workshop was all about cloud strategy, presenting the results of our summer working group workshop. I was heavily involved in that workshop, so couldn’t blog it, but I’ll post a link to the document that grew out of the summer meeting when it’s made public.

The afternoon workshop is on the evolving teaching and learning landscapes at our institutions and what IT’s role is in supporting that.

Global Learning Council conference – attended by EdX, Coursera, Khan Academy, Google, as well as universities.

Comments on survey results:

  • Local culture plays an important role.
  • Need to align mission of academic tech and teaching centers. Libraries are also participating in these conversations.  On one hand we can’t have the technology tail wagging the dog, on the other hand we can’t have teaching center staff promoting inappropriate technology.
  • Definitely getting sense that campus leadership is paying more attention to academic technology, who are expecting results.

Use cases:

  • Tom Lewis, Washington: Until recently never had an academic tech organization as part of central IT, but it existed as a separate organization. With Canvas got a chance to get out in front – what can we do to successfully implement this LMS on campus. What do faculty, local IT, students, need? What’s the vendor like? Tom has a team that can actually do formal assessment – helps with making data backed decisions and communicating them. Unit is seen as good collaborators by the campus, allowing them to innovate. Need a culture of experimentation among their staff – can try things and throw them away.
  • Ben Maddox, NYU: How many universities have a published teaching and learning with technology strategy? Three-ish in the room. Something is changing in higher education, mostly around new revenue, lower costs, reaching new audiences, and actually helping students learn. NYU is at a point where they remove barriers – deans won’t start strategy without knowing capacity for support from IT, so now they’ve demonstrated capacity. Provost has tasked deans to produce strategies that associate teaching & learning technology with concrete goals. How can the CIO assure that the right parties are in the room to help reach those goals?
  • Linda Jorn, Wisconsin: Provost pushing initiative for empowering faculty to innovate in teaching and learning. Enabled the CIO to push for a Vice-Provost title for the Director of Academic Technology. Three goals: leverage technology for more active learning; Increase online professional masters and capstone classes; increase global learning experiences. Have been increasing staff in online learning and video production and PhD level learning consultants to work with faculty. Faculty need evidence that new environments work before making efforts. Focusing on efforts that scale and can be sustained.
  • Maggie Jesse, Iowa: Evolved into an organizational change. CIO has very strong relationship with provost’s office, and have created partnerships to push active learning ahead. That has helped the campus see IT as a partner in learning. 150 faculty have been through an active learning program, developed in partnership with the center for teaching, but that was only one person. A retirement offered an opportunity to look at organization. IT has a good track record, so the responsibility moved into the IT organization. Faculty have shown some resistance to losing center for teaching, assuming that integration with IT will lose focus on pedagogy. 

With advent of MOOCs teaching centers have had to respond to demand for being a production shop.

At NYU have new staff: eight instructional technologists and eight programmers, within IT. There are new resources at the schools with conformance with standards and architecture as part of their jobs. Every course tracked like project with costs tracked. If demand really rises, none of these models will scale.

At Washington just started online degree completion program in Arts & Sciences. Will be able to correlate student satisfaction with different production costs for each course.

At Berkeley, Extension builds courses and hands them to faculty, which generates little interest from deans and faculty.

Wisconsin has faculty training programs ranging from workshops to full year courses focusing on leadership in blended and online learning. Now IT is invited to discussions in the departments with the deans.

Who provides data for learning analytics from MOOCs or LMS? Can chairs and deans see data for individual courses? At Washington have a hierarchy of permissions from dean, through department chair, curriculum owner, individual faculty. Tom just hired an anthropologist to work with analytics.

Has anybody figured out what data makes a difference? Within academic arena there has not yet been a conversation about analytics. Is it the faculty member’s data or the institution’s? Educause has been working with Gates Foundation on research in this area – identified 36 colleges and universities trying to build up planning and advising using data. Gates gave them seed money to accelerate adoption. Community Colleges are looking a lot at this. There are lots of change management issues in this area. 

At Wisconsin looking at learning analytics at the course level. There are lots of things that have to change to bring learning analytics to bear – IT, policy, culture, etc.

The use of analytics is different at highly selective private institutions (who don’t need to increase enrollment) vs. publics.

We measure numbers like who’s graduating because we can – but we don’t know globally what we want students to know or achieve, so we can’t measure that.



CSG Spring 2014 – Analytics Discussion

ECAR Analytics Maturity Index – could use it to assess which group to partner with to judge feasibility. 

NYU started analytics several years ago and chose certain kinds of data. 

Dave Vernon – Cornell
Hopes and dreams for the Cornell Office of Data Architecture and Analytics (ODAA)
Current state of data usability at Cornell: like a library system with hundreds of libraries, each with unique catalog systems (if any), each requiring esoteric knowledge, each dependent on specialists who don’t talk to each other.

Traditional “BI” – not analytics but report generation. Aging data governance.

ODAA – to support Cornell’s mission by maximizing the value of data resources. Act as a catalyst/focal point to enable access to teaching, research, and admin data. Acknowledge limited resource, but will attempt to maximize value of existing resources.

Rethink governance: success as the norm, restrictions only as needed? Broad campus involvement in data management – “freeing” of structured / unstructured data. Stop arguing over tools: OBIEE vs Tableau, etc. Form user groups – get the analysts talking. 

Service Strategy: Expand Institutional Intelligence initiative: create focused value from a select corpus of admin data (metadata, data provenance, governance, and sustainable funding). Cost recovered reporting and analytics services. User groups, consultants, catalog and promulgate admin and research data resources. 

Resource strategy: What do you put together in this office? Oracle people, reporting people. Reallocate savings. Add skilled data and analytics professionals. Modest investment in legacy tool refresh. People are getting stuck in discussions of tools.

Measures of Success: ODAA becomes a known and trusted resource. Cultural evolution – open not insular. Data becomes actionable, self-service. Broad campus involvement in data management, “freeing” of data – have to work on data stewards to convince them that they have to make a compelling argument to keep data private. Continued success of legacy services.

At NYU IR owns the data stewardship and governance, but there is a group in a functional unit (not IT) that acts as the front door for data access. Currently just admin data focus, but growing out of that. Two recent challenges – student access to data (pressing governance structure), and learning analytics (people want access to LMS click streams – what about privacy concerns?).

Stanford – IR group reports to provost (like 15 people) do admin data. Group reports to dean of research for research data. Teaching & learning under another VP. Groups specialize, reducing conflict. Data scientists are part of those groups. 

Washington spinning up data science studio with research people, IT, library people as a physical space for people to collocate. 

Jim Phelps – can we use the opportunity of replacing ERPs to have the larger discussion about data access and analytics?

Notre Dame halted BI effort to go deeply into a data governance process, and as part of that are getting a handle on all of the sets of data they have. Building a data portal that catalogs reports. More a collection of data definitions rather than a catalog of data. data.nd.edu – a concept at this point, but moving in that direction. Registry of data – all data must be addressable by URL. Catalog shows existing reports, showing what roles are necessary to get access. Terms used in the data are defined.

Duke – Not hearing demand for this on campus, but getting good information on IT activity using Splunk on data streams. Could get traction by showing competencies in analysis.

At NYU had a new VP for Enrollment Management who had lots of data analysis expertise, who wowed the Board with sophisticated analyses, driving demand for that in other applications. 

Data Science Venn diagram – http://drewconway.com/zia/2013/3/26/the-data-science-venn-diagram

Dave Vernon – There’s an opportunity to ride the big data wave to add value by bringing people together and getting the conversations going and make people feel included. 

How are these teams staffed? Can’t expect to hire someone who knows all the pieces, so you have to have cross-functional teams to bring skills together. Michigan State has a Master’s program in analytics, so bringing some good people in there. Last four hires at Notre Dame have been right off the campus. Now have 8 FTE in BI space. 

CSG Spring 2014 – Organizational and staff development, cont.

Bill Clebsch – Stanford – Focus on talent

Recruit, review, reward, renew

The only people on your campus who understand recruiting are athletics.

You don’t get good people by putting out job postings. You get talent from networks. Listen to headhunters.

Development – we can develop people. ITLP is important for creating a language and lexicon for how we do things. Developed STLP for individual contributors at Stanford. Includes central and distributed IT. 

Steve Fleagle – Iowa

IT staff don’t get formal training in soft skills, change management, project management. Participated in ITLP program and saw very good results. Can only send 5-6 people per year. Brought Mor on campus and put lots of people through it and that has been very successful. Has led to IT people being asked to lead in non-IT situations.

Emily Deere – UCSD

Less permanent funding and more temporary funding. Leads to more contractor hiring and less permanent staff. Not accepting any more temporary money for contracts. Now campus is supporting more permanent funding for IT. Pushing contractors to not have buyouts so they can bring the contractors they want in on a permanent basis. At Stanford desktop support has been growing 20% per year, but only hire people as contractors to start. Cut rate is about 50% before hiring permanently. 

Marin Stanek, Colorado, Boulder

Brought in a faculty member who is a proponent of Hoshin Planning (Single point of compass). Started OIT empowerment survey in summer of 2012. Assesses 5 elements – do I have the authority, accountability, responsibility, knowledge, tools, to do my job. Students take it too. Confidential but not anonymous. Goal is 100% response rate and full empowerment. Had to set up a separate Qualtrics instance outside of campus and hotline outside of IT to overcome staff distrust.

Each manager only gets access to the reports from their employees. 

CSG Spring 2014 – Organizational and Staff Development for an Unpredictable Future

Bernie Gulacheck – Minnesota


  • Adjusting our Organizational Structures
  • Acquiring and Developing Talent
  • Understanding our Customers and our Staff 

Survey results 

Most people survey staff and customers annually, mostly through online surveys. 

15 out of 17 CIOs have been involved in an org analysis or redesign within the last year. Lot of people trying to flatten organization and/or redefining managerial roles. Some upswing in Matrix management and participatory management.

Lots of people are doing ITIL implementations. 

7 schools redesigning IT job classifications. 

Nobody said they’re decentralizing IT, but are trying more centralization and refocusing local IT on innovation, research, or curriculum. 

What’s driving change? Coalescence of technology-enhanced teaching and learning under the IT organization. Reducing layers of management. Efficiency, Rationalization, cost reduction. Or because of a new CIO.

3/4 of schools have a technical career path. Some track staff development in manager evaluations. 

Skills that have risen in importance in the last three years: Communication, cloud computing, IT architecture, project management, vendor management

What will rise in the next three years? Business analysis, cloud computing, consulting, data analysis, soft skills.

One person notes that some new hires lack curiosity about how the institution functions. 

Hard to hire positions: dbas, erp devs, info sec, java devs, network engineers, sys admins.

Post incident surveys for support cases are very popular with IT – are they popular with clients?

One campus comments about survey proliferation from different parts of IT. Some schools make every survey go through central communication for consistency. Some use institutional research office.

Stanford tries to make their survey so it can be finished in five minutes and they only include items that can be actionable. 

Forming IT Services: in 3 Acts Michigan State: Breandan Guenther & Tom Davis

Act 1: Culture derives from two large sections of IT – academic and admin. Lots of them/us language – didn’t feel like an organizational collaboration. Too many gaps. Spilled over to campus – not a lot of trust or desire to work together with central IT.

Act 2: Reorganizing – oriented IT towards customer constituencies. Service level at the top, with infrastructure at bottom and service units aligned vertically. Asked staff whether it should be a tune-up or an extreme makeover – staff wanted makeover. 

Moved to service centers & directors, one central HR team, centralized accounting, IT support, etc. 

Act 3: Recovering from resistance & rejection

Internal – resistance (Culture eats strategy for breakfast; Grieving; Insurgency; Orphans; Overload). 

Lessons from aftermath – ambivalence with central budgeting in CIO’s office; Financial management lag;  Accounting string ought to emphasize service portfolio equally with org structure. 

Matrix Organizational Model at Minnesota – Bernie Gulacheck

In spring of 2012 embarked on reorg of central IT shop. Moved towards more ITIL based framework. Explicitly calling out the demand side of IT – listening to the external community, governance, from the supply side provision of services.

Separated resource management from initiative and operational management. 

Complex part is understanding difference between service vs. function. Service = what we do. x-functional teams deliver customer facing services. Function – how we do it. Defined 23 business services that service the horizontals, each with technical offerings (150-180). Security and Enterprise Architecture are off to the side – where resource manager is also the service directory. Line orgs: end user support, academic tech, infrastructure & production, application dev.

Challenge is to change staff perception that they look up for direction, but instead to look to the side. Resource manager is head coach. Service manager is quarterback – calls the plays.

Challenges & Benefits: Initially understanding the model; spans and layers (went from 72 managers to 20, some ended up as service directors); resource managers & evaluations; healthy tension (service directors are responsible for meeting budgets); duplication elimination; scalable. 

Formal communities of practice across the entire IT community – formal charge, beginning, and end. 

IT@Cornell – Job Family – Ted Dodds

It is 2nd largest job family – 755 people (Ithaca), 45/55 ratio of center to units. CIT staffing reduced by 28% since 2009. Job family was reviewed and rationalized in 2011.

Today IT expenditures are 90% on utilities, and 10% on differentiators. They aspire to a more equal balance.

Skill Inventory/Assessment – by popular demand; self-assessment – technical and business, 80+% response, current state. Survey was not anonymous because want to give information to IT directors on campus. Now have a current state assessment, now developing direction on future skills needs. 

Next – Continue ITLP and ELP (Emerging Leaders Program); Drive other training programs by current/future gap; Actively manage attrition for whole IT job family.


CSG Spring 2014 – Cloud campfire stories, continued

Mark McCahill – Duke

Blackboard to Sakai – wanted to override Sakai’s group management with Grouper to keep Sakai from turning into a de-facto IDM system. Needed a development partner and a hosting partner. Two vendors joined forces – Unicon and Longsight. Doubling the testing does not double the fun. Business school wanted an even newer version of Sakai, so decided to run their own on premise. Started to see failure of course roster display for large courses. Errors in log that LDAP server was not responding. Server was up, but LDAP timeout was set too low for remote LDAP. 

Internet ate the course list! Course list communicated as automated batch upload from Duke’s student system. Turns out that the network was screwing up the file transfer – was hard to debug. Apps should be careful to check input data. 
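The "check input data" lesson above, as an added example (not code from the talk or from Duke): the sending system appends a trailer with a record count and SHA-256 digest, and the receiver refuses to apply a roster that is truncated, altered in transit, malformed, or implausibly smaller than the last good load. The `course_id,student_id` layout, the `#TRAILER` format and the 50% shrink threshold are assumptions made for illustration.

```python
import hashlib


class RosterError(ValueError):
    """Raised when a batch roster file must not be applied."""


TRAILER_PREFIX = "#TRAILER "  # hypothetical trailer format, not Duke's


def seal(body: str) -> str:
    """Sender side: append record count and SHA-256 digest of the body."""
    count = sum(1 for line in body.splitlines() if line)
    digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
    return f"{body}{TRAILER_PREFIX}count={count} sha256={digest}\n"


def verify(payload: str, previous_count=None, max_drop=0.5):
    """Receiver side: return [(course_id, student_id), ...] or raise RosterError.

    SHA-256 here detects accidental corruption only; anyone able to rewrite
    the trailer can recompute it, so use a keyed MAC against tampering.
    """
    body, sep, trailer = payload.rpartition(TRAILER_PREFIX)
    if not sep or not trailer.endswith("\n"):
        raise RosterError("missing or incomplete trailer (truncated transfer?)")
    try:
        fields = dict(kv.split("=", 1) for kv in trailer.split())
        expected_count = int(fields["count"])
        expected_digest = fields["sha256"]
    except (KeyError, ValueError) as exc:
        raise RosterError("malformed trailer") from exc

    if hashlib.sha256(body.encode("utf-8")).hexdigest() != expected_digest:
        raise RosterError("digest mismatch: body changed in transit")

    rows = []
    for number, line in enumerate(body.splitlines(), start=1):
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2 or not all(parts):
            raise RosterError(f"line {number}: expected course_id,student_id")
        rows.append((parts[0], parts[1]))

    if len(rows) != expected_count:
        raise RosterError(f"expected {expected_count} records, got {len(rows)}")
    # A well-formed but much smaller file is suspicious: keep the old roster.
    if previous_count and len(rows) < previous_count * (1 - max_drop):
        raise RosterError("roster shrank beyond threshold; hold for review")
    return rows


# Constructed sample input, not real enrollment data.
SAMPLE = "CS101,s001\nCS101,s002\nMATH221,s003\n"

if __name__ == "__main__":
    good = seal(SAMPLE)
    print(verify(good))
    for label, bad in [("truncated", good[:40]),
                       ("corrupted", good.replace("s002", "s0O2", 1))]:
        try:
            verify(bad)
        except RosterError as err:
            print(f"{label}: rejected ({err})")
```

The loader should apply the new roster only after `verify` returns, and keep serving the previous one whenever it raises.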

Office 365 – After HIPAA BAA issues were negotiated, wanted to move Med Center and University. It was hard to explain the complex University setup to Microsoft. MS has improved support planned for “mergers and acquisitions”. You need Microsoft to code Forefront Identity Manager to glue things together. MS throttles migration traffic. Silent (and inconsistent) failure modes mean that you copy the mailbox, then check very carefully that everything made it. Failure modes change over time as new releases slosh through the cloud. 

For users, waves of user-visible upgrades wash through the cloud at seemingly unpredictable intervals. Your service desk has to deal with the fact that different users are on different versions. O365 IMAP was slow for Pine. Duke faculty member reported that to the Pine developer (Eduardo Chappa) who fixed the code. 

Cisco Cloud Connect – Cisco’s Cloud services IDM strategy. Syncs attributes from your AD into the cloud. You can select which OUs to sync, but have to do it from a chooser list. But it takes about 20 minutes to populate that list at Duke. Cisco changed to use email address for the identity, and tries to deduce institution from the address. 

Box: Duke has a Box agreement with a BAA. Medical people want tighter controls on accounts, but it has one set of enterprise controls. The REST API might offer a workaround, but the calls are slow, so a single-threaded folder traversal is way too slow. A Node.js script with non-blocking I/O allows too many concurrent REST calls, until Box throttles it. Will Box allow enough connections? Stay tuned. Maybe look at Box Events API.

Interesting thing now – how can we move arbitrary workloads from on-prem to cloud utilities? Look at Docker.io – lightweight virtualization, no AWS lock-in, open source framework, gaining significant momentum in the DevOps world.

Tom Lewis – Washington

Office 365 – Started three years ago – wanted to move live@edu users to O365 and then open to campus. Timeline was July-November 2011. Asked Microsoft for a test tenant – they didn’t understand why one was needed.

  • September-October 2011 – Uh-oh. Dogfood tenant finally provisioned by Microsoft. Not a true Edu tenant or XL size.
  • November-December 2011 – Eyes opening widely. Deep dive with Microsoft on O365 and US environment. Contracted with Premier Deployment team – more discovery on how bad the migration for Live@edu would be. Microsoft’s support for O365 was poor. Came up with Strawman for migration.
  • January-February 2012 – Holding. Couldn’t get right tenant. UW Medicine wanted to move to O365.
  • March-May 2012 – More holding. Decided to freeze live@edu tenant (with change of domain name) and create new O365 tenant. Problems with DirSync, problems with FIM. Lots of false steps.
  • June-August 2012 – More holding. Contract should be ready to go by July 1st. Another strawman for migration finalized.
  • September-December 2012 – 1 of many stages of grief. Microsoft switched contract. Major outage of live@edu. Finally got right contract signed in November. Talks with Microsoft to confirm proper support for O365.
  • January-April 2013 – Grief diminishes. Scrapped Wave 14 and go to Wave 15. Microsoft provisions Wave 15 tenants.
  • May-August 2013 – Change of direction. Started with migrating live@edu users and opening open access. Moved local Exchange users from phase 2 to phase 1. Migrating local Exchange to online Exchange was problematic. Spun up SkyDrive Pro and Lync Online.
  • September-December 2013 – Progress finally. Contract with Cloudbearing to migrate live@edu.
  • January-April 2014 – Migrating mass amounts of users. Exchange online seems to work well, OneDrive works well, Lync works well for Windows users, not so much for Macs.

Lessons learned – Microsoft O365 technologies and support are not mature, so continued engagement required. O365 Teams still working at cross purposes. Many things are not so enterprise with licensing and otherwise. They will often release things to your tenant that will enable things that bust your HIPAA compliance. Verify and then trust with Microsoft and their partners. NET+ helps. 

Campus Change Management – Email costs will not diminish for a while (if ever). Communicate the timelines, communicate the details – lots of community meetings, public product backlog, talk up the value. Work closely in pilot mode with department IT, early adopters. Pilot early, pilot for a looooong time. Create a public and open communication channel.

Policy Implications – Account lifecycle management is a beast in the cloud. When to deprovision? Whither Alumni? Employee separation process is messy. Public product backlog. Prepare for lots of discussion on e-discovery. Engage early and often with your counsel.

Alan Crosswell – Columbia

Big HIPAA settlement from data breach. Had previously worked on consolidating data classification and security policies, harmonizing across research, medical, education. Using Code Green for digital loss prevention. Have not turned on Google Drive for fears about sharing the wrong kinds of data. Piloting CloudLock for DLP on Google Drive. Also looked at CipherCloud, but didn’t buy.

DLP Challenges & benefits – Per user costs (about $9/user/year), added 1 FTE DLP admin, delayed roll out of Google Drive, had to increase CloudLock scanning to 3x daily to satisfy OGC, need to inform faculty that their stuff is being scanned, evidence that they are avoiding potential disclosures.

Bob Carrozoni – Cornell

Cloud feels like the new normal, but there’s a lot more to figure out.

Seeing a lot of crowd-sourcing – piloting TopCoder. Crowd = Skilled staff as a Service. Metered payment, scalable, elastic.

CSG Spring 2014 – Cloud Campfire Stories

Stories from: Stanford, Notre Dame, Duke, UW, Columbia, Cornell, Harvard

Bruce Vincent – Stanford

Broad use of SaaS, lots of times came in through the back door. Some significant PaaS usage (Force, Acquia, Beanstalk), emerging IaaS deployments. 

Everybody’s a player – all you need is an email address and a credit card. SaaS for all vs. all for SaaS. IT provides some SaaS services for campus use. There are some products which are more niche, for a small population. Should we get involved? How they go about deploying and engaging the vendor is where we can help, if we don’t take too long or act overly bureaucratic.

Not everyone wants to be a player – Vendor management, gnarly policy issues, system engineering complexities (opportunity to refactor what you’ve been doing before), integration complexities. 

AWS deployments – The scale of MOOCs makes IaaS a no-brainer. OpEx is starting to ramp up on the cloud side. Research groups using AWS. Deployed the Stanford emergency web site on AWS. Used Amazon Beanstalk to run a WordPress instance. Main Stanford home page moving to Amazon after commencement. Those kinds of moves lead to discussions with the distributed IT community and stir up interest. 45 technical staff have taken three day “Architecting for AWS” course. 15 more in June. This has brought distributed interests out of the shadows/silos. Challenges: Consolidation of accounts from people who are already using the service – can’t get lists of who’s using it within the enterprise. Data classification, compliance, and FUD – good people trying to protect the institution, but it can go to a level where the standard that’s put out there is so much higher than the bar for existing services that it makes you question the reasons.

Direct Connect – gives you a dedicated pipe into one of their availability zones. Implementation is pretty complicated, but Amazon is good at turning it around. Get cheaper egress rates – no tiered billing. Also allows you to segment your address space across campus and AWS. Every AWS master account translates to a VLAN and BGP pairing, which gets messy. 

Google Compute: Shiny but rough, lots of interest in/from research computing, Google willing to talk leveraging existing peering and SDN with us. 

Other IaaS and the “virtual datacenter”

Before doing more vendor specific work, it’s time for an abstraction layer. Consider all the process and expertise IT provides to deliver on datacenter services… much of that translates. 

More of everything – not fewer on-campus computing instances, more service administration, seeing benefits of consolidation, automation, and virtualization; integration to infrastructure; integration between SaaS to ____

Sharif Nijim – Notre Dame

Moved campus web site to AWS. Brought in an external agitator to stir up selection of a preferred infrastructure provider. How to scale?

4 stages – 4 projects

#1 Conductor – custom engineered CMS, runs 400 sites on campus. Cut that over to Amazon – much better performance. 50% improvement over Rackspace, with a 50% reduction in cost. 

#2 Mobile ND – Kurogo framework running on AWS.

#3 – AuthN/Z – Using Box, Google, Sakai (hosted off-campus). How to authenticate if campus network is down? By end of month going live on AWS.

#4 – Backup – can backups be solved for less than the maintenance on existing equipment? Local devices do dedupe and compression, cloud becomes authoritative store of the backup. Looking at Panzura. Proof of concept in June. Amazon claiming 11 9s of reliability in S3. Starting with 300 TB. Company in Chicago put in 115 TB and saw 15 TB stored in AWS after global dedupe and compression. 

Cloud Fluency, Automation Fluency, DevOps. Organizational Tension – sysadmins need to work more closely with developers. 

Culture Change – How do you get people to the “oh my goodness” moment? One approach is to lead them through it – identify specific people to embed. Transparency – encourage people to be transparent about what they’re working on. Their Amazon architect is very responsive on Twitter. 

The Future – Will embark this summer on reflection and strategy assessment about data center in the next five years. What does the future hold for the two data center facilities?

CSG Spring 2014 – Identity Workshop, continued

Harvard Catalyst and ORCID update

Catalyst – Profiles Research Networking Software – allows for network analysis and data visualization. Analyzes co-authoring patterns. 

Over 200 institutions have downloaded Profiles. Estimate that about 30 universities are using Profiles actively. Boston University adding ORCID support.

Harvard Faculty Finder – doing deduplication with PubMed, Web of Science, DSpace, etc. 

Harvard adding ORCID to PeopleSoft to flow into directory.

Steve Zoppe – TIER Objective

Primary objective to build upon community work that’s already been done. How to onboard services and providers? 

e.g. some providers use email address as primary identifier – annoying.

Putting together a sandbox, to show what works, and evolve over time: reference architecture and canonical implementation.

What’s the problem? To enable the community to consume and integrate with cloud services most efficiently. 

Most service providers are not clueful about identity and do not understand groups within or across enterprises.

The core needs are for AuthN and AuthZ for interrealm use. Lacking a common approach has led to a proliferation of approaches in the community – TIER is choosing a baseline of Shibboleth, Grouper, and CoManage.

Generalized design – Facade design pattern. Give service providers a normalized end point.

Will include lightweight workflow services.

Klara Jelinkova – TIER

InCommon is part of Internet2, a wholly owned subsidiary of Internet2. Most of the identity work has been done in Internet2. InCommon was spun off to be the trust framework for US R&E – not development efforts.

InCommon Steering – functions as a program subcommittee and external relations and governance. 

InCommon next steps: New clearer charter (wholly owned subsidiary of Internet2); New clearer bylaws (Internet2 runs InCommon; InCommon Steering is a Board that advises Internet2); Better/streamlined processes for day-to-day operations; Internet2 staff needs to run InCommon and get community feedback; Priority setting and communication: InCommon Steering program committee helps set priorities and advise on future plans; Work with Internet2/InCommon staff to fulfill FY14 objectives and set FY15 objectives.

TIER – was launched at recent Internet2 Global Summit. 

What is TIER – Trust and Identity in Education and Research.

Longstanding problem in separation of development efforts from mature, consumable services. 

TIER next steps: Set a TIER charter (governance structure, operating processes); Figure out a funding model for the items unfunded on operating lines.

CSG Spring 2014 – Identity Workshop: Ken Klingenstein

Federation today

Federated identity in private industry still tends to bilateral federation, but in government and R&E multilateral federation is becoming the norm.

US Government Efforts: FICAM (Classic identity services for government; slowly growing); NSTIC (Aimed at Next Gen services, privacy, etc. Has distinct governance and pilot efforts. Created by President Obama in 2009). Scoping is a finesse: affecting government identity interactions, but it wants to influence the commercial marketplace, but big commercial providers are not showing up. Identity needs to be global, but post-Snowden that is difficult.

What’s not working: Populating, releasing, and using attributes (attribute retentive institutions); Social identity providers’ rules of engagement are very tricky – e.g. Yahoo reassigning email addresses; International layers of rules (e.g. is IP address personally identifiable info?); New businesses without rules yet; The economics of higher LOA – Benefit to SP, cost to IdP. If you offer MFA on your campus, everybody in the federation benefits.
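The Yahoo case above, together with the earlier note about providers that use email address as primary identifier, shown as a small simulation of a service provider's account lookup. This is an added example, not from the talk; the class names, the entityID and the identifier values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Assertion:
    """Minimal stand-in for what an SP receives after a federated login."""
    issuer: str    # IdP entityID
    subject: str   # persistent, opaque identifier that is never reassigned
    email: str     # mutable contact attribute; the IdP may reassign it


class EmailKeyedAccounts:
    """Weak: the mailbox name alone selects the local account."""
    def __init__(self):
        self._by_email = {}

    def login(self, a: Assertion) -> dict:
        key = a.email.lower()
        return self._by_email.setdefault(key, {"owner": a.subject, "files": []})


class SubjectKeyedAccounts:
    """Hardened: (issuer, subject) is the key; email is stored only as data."""
    def __init__(self):
        self._by_id = {}

    def login(self, a: Assertion) -> dict:
        key = (a.issuer, a.subject)
        acct = self._by_id.setdefault(key, {"owner": a.subject, "files": []})
        acct["email"] = a.email  # refreshed on every login, never used for lookup
        return acct


def simulate(store) -> bool:
    """True if the new holder of a recycled address sees the old holder's data."""
    idp = "https://idp.example.org/shibboleth"  # constructed entityID
    old = Assertion(idp, "a1f3-opaque-old", "pat@example.org")
    new = Assertion(idp, "9c2e-opaque-new", "pat@example.org")  # same address, new person
    store.login(old)["files"].append("grades.xlsx")
    return "grades.xlsx" in store.login(new)["files"]


if __name__ == "__main__":
    print("email-keyed exposes old data:  ", simulate(EmailKeyedAccounts()))
    print("subject-keyed exposes old data:", simulate(SubjectKeyedAccounts()))
```
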

Future of trust

Metadata growing rapidly and increasingly dynamic. Metadata needs to cross federation boundaries and interoperate. Campus may want metadata from multiple aggregations. Interoperate includes syntactic and semantic meanings of tags.

– We’re leaving /etc/hosts and heading towards DNS

The future of technical trust – approaches: Metadata registries (base level open source software (PEER); what is the trust model that allows me to deposit metadata about a third party?); Metadata exchange protocols – MDX, moving through IETF standards processes; Several implementations exist for SAML and JSON metadata. Service instances that want to register and exchange metadata; developing a metadata aggregator for Shibboleth.

Policy – Implementing a trust for a COI requires addressing appropriate trust elements using two structures: Trust marks and trust frameworks. Work under way on an accessibility mark, a minor’s mark. Some marks may have a MUST/SHOULD/MAY format.

Now moving away from trust to the end user experience, provide privacy consent mechanisms.

Lifestyles of the Attribute Rich and Privacy Preserved (LARPP)

A tool for managing privacy attributes. Several CSG campuses participating. Tool came out of the Swiss federation – over a third of the schools in Switzerland have adopted the tool. Work going on to describe accessibility attributes that can help software adapt.

One interesting use case has to do with filtering out attributes released by social software (e.g. Gmail).

PrivacyLens – Open source privacy manager funded by NSTIC – available on GitHub.

Fulfilling the original federated vision

Scholarly Identity

CILogon – converts federated identity into grid credentials for national compute and data stores

ORCID, SciENcv, etc.

Currently the space is disjointed – Federated identity, ORCID, Institutional scholarly record systems, Publishers and scholarly societies, Agencies, and Grant management systems. All use separate IDs.

SciENcv = Science Experts Network Curriculum Vitae; SciENcv working group – lots of federal agencies participating. Voluntary researcher profile system. How do we get institutional attributes into SciENcv? Each agency is doing things separately, want to link using ORCID. Need lines and flows in this scholarly identity space. Need to find leverage points and make it sustainable. Constituencies and economic interests are not well aligned.

CSG Spring 2014 – Identity Landscape Workshop – Survey Results

Goals: Identify higher level trends; data for campus practitioners; Marketing/Education.

26 schools responded. Average 1.3 million entries in person registry, but goes up to 16 million max. Average of over 4 systems of record for people, one school has 15. 

Everybody has Web SSO, everybody runs central directory services, but very little deployment of course information there (at least with eduCourse schema). Only 50% have self-service group deployment. Lots of people looking towards messaging queues and ESB, but not widespread yet. 

Provisioning is all over the map – most do standard services (email, etc.) and Active Directory, but less of others, like provisioning of courses into LMS, ERP training tracking, etc.

Everybody is a member of InCommon, but release of attributes is not consistent. 

Lots of people think they will be using social identities in the future. 

Most schools have MFA for sysadmins, but not yet for all employees to access sensitive information.