CSG Winter 2017 – Cloud ERP Workshop

Stanford University – Cloud Transformations – Bruce Vincent

Why Cloud and Why now? Earthquake danger; campus space; quick provisioning; easy scalability; new features and functions more quickly

Vision for Stanford UIT cloud transformation program: Starting to behave like an enterprise. Shift most of service portfolio to cloud. A lot of self-examination – assessment of organization and staff. Refactoring of skills.

Trends and areas of importance: Cloud  – requires standards, process changes, amended roles; Automation – not just for efficiency – requires API integration; IAM – federated and social identities, post-password era nearing for SSO; Security – stop using address based access control; Strategic placement of strong tech staff in key positions; timescale of cloud ignores our annual cycles.

Challenges regarding cloud deployments: Business processes tightly coupled within SaaS products, e.g. ServiceNow and Salesforce; Tracking our assets which increasingly exist in disparate XaaS products; Representing the interrelationships between cloud assets; Not using our own domain namespace in URLs.

Trying to make ServiceNow the system of record about assets – need to integrate it with the automation of spinning instances up and down in the cloud.

Cloud ERP – Governance and Cloud ERP – Jim Phelps, Washington

UW going live with Workday in July. Migrating from old mainframe system and distributed business processes and systems. Business process change is difficult. Built an integrated service center (ISC) with 4 tiers of help.

Integrated Governance Model:  across business domains; equal voice from campus; linking business and technology; strategic, transformative, efficient…

Governance Design: Approach – set strategic direction; build roadmap; govern change – built out RACI diagram.

“Central” vs “Campus” change requests – set up a rubric for evaluating: governance should review and approve major changes.

Need for a common structured change request: help desk requests and structured change requests should be easily rerouted to each others’ queues.

Governance seats (proposed): 7 people – small and nimble, but representative of campus diversity.

Focus of governance group needs to be delivering greatest value for the whole university and leading transformational change of HR/P domains. Members must bring a transformational and strategic vision to the table. They must drive continuous change and improvements over time.

Next challenge: transition planning and execution – balancing implementation governance with ISC governance throughout transition – need to have a clear definition of stabilization.

Next steps: determine role of new EVP in RACI; Align with vision of executive director of ISC; provost to formally instantiate ISC governance; develop and implement transition plan; turn into operational processes

UMN ERP Governance – Sharon Ramallo

Went live with 9.2 PeopleSoft on 4/20/2015 – no issues at go-live!

Implemented governance process and continue to operate governance

Process: Planning, Budgeting; Refine; Execution; Refine

  • Executive Oversight Committee – Chair: VP Finance. Members: VP OIT, HR, Vice Provost
  • Operational Administrative Steering Committee: Chair: Sr. Dir App Dev;
  • Administrative Computing Steering Committee – people who run the operational teams
  • Change Approval Board

Their CAB process builds a calendar in ServiceNow.

USC Experience in the Cloud – Steve O’Donnell

Current admin systems  – Kuali KFS/Coeus, custom SIS (Mainframe), Lawson, Workday, Cognos

Staffing and skill modernization: Burden of support shifts from an IT knowledge base to more of a business knowledge base – in terms of accountability and knowledge.  IT skill still required for integrations, complex reporting, etc. USC staffing and skill requirements disrupted.

Challenges: Who drives the roadmap and support? IT Ownership vs. business ownership; Central vs. Decentralized; Attrition in legacy system support staff. At risk skills: legacy programmers, data center, platform support, analysts supporting individual areas.

Mitigation: establishing clear vision for system ownership and support; restructure existing support org; repurpose by offering re-tooling/training; Opportunity for less experienced resources – leverage recent grads, get fresh thinking; fellowship/internships to help augment teams.

Business Process Engineering – USC Use cases

Kuali Deployment: Don’t disrupt campus operations. No business process changes. Easier to implement, but no big bang.

Workday HCM/Payroll: Use delivered business process as starting point. Engaged folks from central business, without enough input from campus at large. Frustrating for academics. Workday as a design partner was challenging. Make change management core from beginning – real lever is conversations with campus partners. Sketch future state impact early and consult with individual areas.

Current Approach – FIN pre-implementation investment

Demonstrations & Data gathering (requirements gathering): Sep – Nov. Led by Deloitte consultants; cover each administrative area; work team identifies USC requirements; Community reviews and provides feedback. Use the services folks, not the sales folks.

Workshops (develop requirements)- Nov – Feb. Led by USC business analysts, supported by Deloitte; Work teams further clarify requirements and identify how USC will use Workday; Community reviews draft and provides feedback

Playbacks (configure): March – May. Co-led by consultants and business analysts; Workday configured to execute high-level USC business requirements; Audience includes central and department-level users

Outcomes: Requirements catalog; application fit-gap; blueprint for new chart of accounts; future business process concepts; impacts on other enterprise systems; data conversion requirements; deployment scope, support model

CIO Panel – John Board; Bill Clebsch; Virginia Evans; Ron Kraemer; Kelli Trosvig

Cloud – ready for prime time ERP or not? Bill – approaching cautiously, we don’t know if these are the ultimate golden handcuffs. How do we get out of the SaaS vendors when we need to? PeopleSoft HR implementation has 6,000 customizations and a user community that is very used to being coddled to keep their processes. ERP is towards the bottom of the list for cloud.

Virginia – ERP was at the bottom of list, but business transformation and merger of medical center and physicians with university HR drove reconsideration. Eventually everything will be in the cloud.

John – ERP firmly at the bottom of the list.

Kelli – at Washington were not ready for the implementation they took on – trusted that they could keep quirky business processes, but that wasn’t the case. Took a lot of expenditure of political capital. Everyone around the table thought it was all about other people changing. Very difficult to get large institutions onto SaaS solutions because the business processes are so inflexible. Natural tendency is to stick with what you know – many people in our institutions have never worked anywhere else. Probably easier at smaller or more top-down institutions.

Ron – Should ask is higher-ed ready for prime time ERP or not? We keep trying to fix the flower when it fails to bloom. People changing ERPs are doing it because they have to – data center might be dying, COBOL programmers might be done. Try to spend time fixing the ecosystem. Stop fixing the damn flower.

Kelli – it’s about how you do systemic change, not at a theoretical level.

Bill – what problem are we trying to solve? Need to be clear when we go into implementations. At Stanford want to get rid of data centers – space at too much of a premium, too hard to get permits, etc.

John – there’s an opportunity to be trusted to advise on system issues, integration, etc.

Kelli & Ron – The financial models of cap-ex vs. op-ex are a critical success factor.

Ron – separating pre-sales versions from reality is critical. That’s where we can play an important role.

John – we have massive intellectual expertise on campus, but we’ve done a terrible job of leveraging our information to help make the campus work better. We’ve got the data, but we haven’t been using it well.

Bernie – we need to start with rationalizing our university businesses before we tackle the ERP.

Ron – incumbent on us to tell a story to the Presidents. When ND looks at moving Ellucian they think what if they can stop running things that require infrastructure and licenses on campus? Positions us better than we are today. Epiphany over the last 6 months: We have to start telling stories – we can’t just pretend we know the right things to do. Let’s start gathering stories and sharing them.

Kitty – Part of the story is about the junk we have right now. The leaders don’t necessarily know how bad the business processes and proliferation of services are.

CSG Winter 2017 – New Models for Supporting the Academic Enterprise

How do we tie IT Strategic Plan to Teaching & Learning Mission?

Can IT move beyond its traditional role to expand its presence in and support for the academic enterprise?

Marin Stanek – UC Boulder

New IT strategic plan – the first one to focus on the academic mission.

Evolving role of IT – from being the fixer to a focuser. Creating new systems and services. Evolving to listening to campus, leading to further evolution to competence. We have the capacity to understand multiple agendas, and focus on overarching mission.

Focus on students – analytics, retention, etc. A rising rhetoric. Chancellor goal – increase grad rate from 68% to 80% in four years.

Went from a strategic plan with 20-some chapters to one that has the meat in four pages – it’s all about students. Small changes turn into larger results. Utilized LMS to put content first for student welcome. Brought innovative classroom techniques to administrative purpose.

Retention: Large Lecture redesign. Packed lecture hall with mediocre technology experiences. Identified 30 gateway courses that are strong predictor of student success. IT redesign team is engaged. Look at analysis and data to enhance the learning experience and student engagement. E-Bio class – 20% of students take this class. Held a design thinking challenge to understand student behaviors. Discovered that the TA plays a pivotal role in student success. How quickly TAs responded to student questions was the critical issue.

Strategy on a Page / Strategy, It’s Personal – Tom Lewis & Phil Reid, University of Washington

Example: When things go sideways – initiatives get started with no clear goals or clear points of contact. End result – still planning for the plan after 1.5 years. (names scrubbed to protect the innocent).

Strategic goal – strategy on a page. A way to articulate value and for partners to understand and align. Three columns: Change drivers; Initiatives; Outcomes.

Ideas –

Supporting the Academic Enterprise in New Ways: Ben Maddox, NYU

The teaching & learning mission is rife with … opportunity

Case Study 1: all politics are local – learning analytics exploration:

context: Hosted university-wide event to gauge interest (standing room only); distributed instructional technology team; no learning analytics data steward; new leadership (president, provost, CIO)

Identified willing partner to build vocabulary around learning analytics that make sense to faculty; Developed working group and business case; built a site.

Challenge: learning analytics is a sprawling, undefined space. Sudden moves in the space freak people out. Local interests may not transfer to broader needs.

Merits: academic sponsorship; justification for dedicated FTE; credibility through local partnership; leverages standing governance structure to define broader needs.

Strategic Support for Education from IT at Duke – John Board

25% of all Duke students take assembly language-based intro to computer architecture. 40% of all students take intermediate programming (and over half are women). Failure to persuade many under-represented students to go further. Teaching very large classes of 220 a semester is not in the ethos of ECE and CompSci. The Modest Disagreement: Programming should be fun to draw people into field, vs. programming classes should train people to be “real” programmers. Standard curriculum instills almost no practical systems knowledge. Faculty are looking to IT to help remedy this. Most of the knowledge of real computing is in IT! Can be used to improve skill set of students who are going to be in the field in the real world. IT developed courses for students to take extra-curricularly in developing code.

Advice: don’t have separate advisory groups for admin and academic IT – it’s all connected.

Strategic planning process: 25 faculty (and even more staff from central and distributed IT units) populating 7 working groups: living and learning; research computing support; communications and infrastructure; IT security; administrative and business systems; support models, procurement and licensing; mobile and web

Many recommendations: help people use tech more effectively; prov; support innovation in research and education

Under innovation, relevant points: support the evolving computing needs of our researchers; improve Duke’s competency in data analytics;

Technology engagement center: Windowless telephone with bunker has been transformed into bank of 3d printers. Co-lab with app developers, creating APIs, video production operations; mini courses in many topics; hardware hacking (arduino, sensors, IoT); research computing – led to graduates who wanted to donate specifically to IT

What are the merits and challenges of integrated models, where IT partners with units that support instructional spaces, pedagogy, and assessment, to provide unified instructional support to campus?

Phil Reid: Why unified T&L support, and why IT?

Goal – promote and support innovation in teaching and learning

Barrier: faculty motivation to change (and you can’t blame them – incentives aren’t aligned)

Ideas to overcome barrier:

  • inspirational leaders in novel pedagogy
  • better student learning outcomes
  • improved efficiency
  • disruptive technology

Instructional systems are the “ERP” of teaching and learning

Improving the student experience

Improving the faculty experience

What faculty want is one stop shopping – pedagogy, technology, classrooms, assessment/measurement – they want the Genius Bar

Marin Stanek – How do we bring people together?

There are simple tools that seem like magic to campus. E.g. tap into IT project management discipline for transformative academic projects. Advantages: creates structure; sets expectations for timelines, resources and responsibilities of the partnering department; executive sponsorship helps momentum, buy-in and hand-off of initiatives. The IT project portfolio now has a preponderance of initiatives for teaching and learning.

Example – Pathway to Space (a new minor in Aerospace, designed to pull in non-engineering majors). Utilized project portfolio process: project definitions/charter doc; schedule, budget, timeline; exec sponsorship, watch warning signs; change management process; communicate! transparency & updates; crossing the chasm – handing off the creating or build it into the team

Ben Maddox: Running the Governance Gauntlet

Context: university-wide service pilot for instructional tech support; added 10 new instructional technologists based at the schools (“a distributed model, centrally convened”); added instructional tech committee to standing governance structure; new role (joint to IT & Provost) convenes monthly meeting; group sets and recommends shared service model.

Challenge: requires increased coordination and strong sponsorship. For schools that were less resourced, there was Provost support, with management from central IT.

Deans had to write proposals to Provost to ask for the instructional support.

Jenn Stringer (Berkeley) – Academic Innovation Studio (AIS): A Collaborative Service Model

Faculty was getting “no, but” instead of “yes, and”

Space + Partners + Commitment + Trust = AIS (no unit names included). Open to every faculty, instructor, etc.

2k sq ft of space. 4 partners deliver service: research IT; Ed Tech Services; Center for Teaching & Learning; Library; Collaborative Services (google, box, etc).

Commitment is key – part was not branding as IT space. It’s faculty space. Everybody was at table to design space. f2f time – built trust.

Oren Sreebny – Central IT and the University Innovation Sector

https://drive.google.com/open?id=1L1LNLrwq72jyqWvcAgqn_y9NOl3vJhFho_0HrMSpCcQ

Marin –

Challenge: No clear career path for research computing professionals

No formal educational track; reward system missing; limited career path

Solution: Create MA in research computing and a formal collaboration between Research Computing & the Libraries. Develop and advance data science and digital scholarship through discovery & reuse

Certificate in Cybersecurity

Challenge: further develop Cybersecurity track utilizing existing interdisciplinary telecom program. Use existing grad school structure to minimize admin hurdles. Tap into existing courses to create certificate program.

Staff member was teaching a course at another university – there was no clear reward program for him to teach on campus. Story is unfolding, requires tenacity from professionals, but requires incentive structure, and needs to happen at speed to keep momentum.

Ben – Supporting Teaching & Learning by Teaching

Consultations for teaching and learning with technology increased by 60%-plus. Center for Advancement of Teaching had no tech curriculum. New Inst. Tech Groups that had lots of instructional experience. Faculty Collaborators value team members with teaching experience. Appetite for Share.

Created online interactive tutorials for T&L Services. Center for Advancement of Teaching uses Instructional Tech Teams to new Tech-oriented curriculum; Provost agreed to sponsor 2 University-wide events per year. Made schools aware that staff were interested in teaching opportunities.

Evan – Duke – Technology classes at Co-Lab

Co-Lab is a technology innovation incubator to encourage students. Started with challenges, but weren’t as effective as they’d hoped. Flipped it around to ask for ideas first. Turned it into more of a grants program, but a persistent problem is that they didn’t have as many students with development skills as they thought. Roots program – teach Python, HTML, Web Development, etc. https://colab.duke.edu/roots – Taught by IT professionals. Faculty began to notice – told them that students were less technical than they used to be. Worked with faculty to develop an intro to Linux course that they use as an informal prerequisite. Going to do a git class for a Physics course.

Duke Digital Initiative – innovation funding for faculty. Over 20 proposals from faculty, funded 10 of them. Why IT? Who else knows how to program a drone, take 360 degree video, and put it on a web site?

A Day in the life of Rob Fatland, Cloud Czar – Tom Lewis

Cloud and Data Research Computing – originated out of UW E-Science institute. Out and about on campus every day, looking for researchers to help. Build – Test – Share
http://cloudmaven.org

Success stories: ORCA Transit Data – patterns of how people commute. Digital curation at the library – LIDAR data. Genomics – cut cost per genome from $60 – $15 w/help from AWS. Democratizing data and software: cloud plus GitHub plus software carpentry workshops.

Supporting the continuum of research computing – Oren

https://drive.google.com/open?id=1L1LNLrwq72jyqWvcAgqn_y9NOl3vJhFho_0HrMSpCcQ

Data for Researchers – Jenn

Providing learning data to researchers from learning records store. Data warehouse for the interactivity data from your learning systems. Things you mine to get information on student success. Berkeley has a billion records from 2.5 years of data from LMS. Researchers want to mine the data to get insights into how people learn. Most data governance organizations are not thinking about this kind of data at all. There are standards around this data – two competing: xAPI, Caliper.

Take log data and convert into standardized statements – pushing for vendors to hand data over in that format. Canvas doesn’t  (yet) so UCB has to convert.

Learning Record Store: AWS based Learning Record Store; Multi-tenant LRS that can support multiple institutions; Scalability and cost; Faster deployments – lower dev/ops overhead; Lambda architecture which encompasses both Batch and real-time interaction. Have an API for researchers who go through proper approval process to get de-identified data.
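
One way the log-to-statement conversion and the de-identified researcher feed described above can fit together, as an added example that is not Berkeley's code. The LMS row shape, the event-to-verb mapping, the pseudonym home page and the key handling are assumptions made for illustration.

```python
"""xAPI conversion with keyed pseudonyms. Added example; rows and names are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit, urlunsplit

# Verb IRIs from the ADL xAPI vocabulary; the mapping from LMS event names is assumed.
VERBS = {
    "page_view": ("http://adlnet.gov/expapi/verbs/experienced", "experienced"),
    "quiz_submit": ("http://adlnet.gov/expapi/verbs/completed", "completed"),
    "discussion_post": ("http://adlnet.gov/expapi/verbs/commented", "commented"),
}
PSEUDONYM_HOME = "https://lrs.example.edu/pseudonyms"  # placeholder IRL

# Constructed rows in a hypothetical LMS access-log shape (not Canvas's real format).
SAMPLE_ROWS = [
    {"ts": 1480000000, "user_id": "s123456", "email": "s123456@example.edu",
     "ip": "192.0.2.10", "event": "page_view",
     "url": "https://lms.example.edu/courses/101/pages/intro?user=s123456"},
    {"ts": 1480000300, "user_id": "s123456", "email": "s123456@example.edu",
     "ip": "192.0.2.10", "event": "quiz_submit",
     "url": "https://lms.example.edu/courses/101/quizzes/7"},
    {"ts": 1480000900, "user_id": "s777777", "email": "s777777@example.edu",
     "ip": "198.51.100.4", "event": "heartbeat",
     "url": "https://lms.example.edu/ping"},
]


def pseudonym(user_id, key):
    """Stable per-student token. Without the key it cannot be recomputed from a
    guessed ID, which a plain hash of a short student number would allow."""
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def strip_query(url):
    """Drop query string and fragment, where user IDs and session tokens tend to ride."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def to_statement(row, key):
    """Build one xAPI statement; email and IP are never copied across."""
    verb_id, verb_name = VERBS[row["event"]]
    return {
        "actor": {"objectType": "Agent",
                  "account": {"homePage": PSEUDONYM_HOME,
                              "name": pseudonym(row["user_id"], key)}},
        "verb": {"id": verb_id, "display": {"en-US": verb_name}},
        "object": {"objectType": "Activity", "id": strip_query(row["url"])},
        "timestamp": datetime.fromtimestamp(row["ts"], tz=timezone.utc).isoformat(),
    }


def convert(rows, key):
    """Return (statements, skipped_rows); unmapped event types are skipped, not guessed."""
    statements, skipped = [], []
    for row in rows:
        if row["event"] in VERBS:
            statements.append(to_statement(row, key))
        else:
            skipped.append(row)
    return statements, skipped


def leaked_fields(statement, row):
    """Names of source fields whose raw value still appears in the statement."""
    blob = json.dumps(statement)
    return [f for f in ("user_id", "email", "ip") if row[f] in blob]


if __name__ == "__main__":
    key = b"constructed-demo-key-held-by-the-data-steward"
    out, skipped = convert(SAMPLE_ROWS, key)
    print(json.dumps(out[0], indent=2))
    print("skipped:", [r["event"] for r in skipped])
```

The same key must be used for every export if researchers need to follow one learner across datasets; rotating it breaks that linkage on purpose.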

Are we telling students what we do with their data? They’ve created an agency dashboard for students (not in production yet). Allows students to opt-in or out of use of their data (where appropriate). Lots of discussion of data ownership, but regardless, they want transparency and agency.

UC Learning Data Privacy Principles: pulled together leaders from across the UC system. Working to draft principles. Something to point procurement and vendors to.

Learning Data Recommended Practices – been circulating them, taking to committees, etc to socialize and increase awareness.

John – Using infrastructure for faculty research

There are faculty who want to use the infrastructure for research. NSF did us a favor with the first round of CC-NIE proposals – thinking about SDN in particular. Insisted PI had to be the University CIO. Unexpected benefit was to have regular meetings on progress. Regular conversation on new opportunities for cyber infrastructure grants. IT staff get opportunities to have time bought out to work on interesting problems. Faculty develop respect for the expertise of IT. OIT thinking about hiring a full-time grant writer on the staff.

CSG Fall 2016 – ITIL and DevOps

Why is this important?

  • Does ITIL make sense in an era of continuous delivery and integration?
  • Will the volume of applications and sites overwhelm the management methodology?
  • Distributed IT is not well versed in ITIL
  • Does DevOps include formal review? Shouldn’t Tier 0 sites and apps get reviewed for changes?

Survey results

  • Almost all respondents have a formal Change process and board
  • Divided on if PaaS/SaaS need formal change reviews
  • Some said that changes are only managed for major changes
  • Most respondents not mature yet with DevOps practices
  • Some groups doing agile development, but not all

Harvard working on trying to reinvent ITIL in the cloud environment – since it’s all software now, release management practices are more appropriate than change management.

Would be good to have changes (even pre-approved ones) logged in ServiceNow so incidents could be correlated with changes.

In new cloud deployments people aren’t patching, but blowing machines away and deploying new ones. How does change process handle that?

Notre Dame trying to eliminate human access to the cloud console for production systems

Nobody in the room is doing continuous deployments to ERP systems

Cornell – with self-healing infrastructure they may not even know there’s an outage.

Tom Vachon, Harvard

Harvard’s cloud at a glance

  • 684 applications targeted for migration by 7/18, 300+ migrated already
    • Shutting down one on-prem data center
  • 1 VPC per account on average
    • Centrally Billed: 131 Accounts
    • 45 Accounts/VPCs on Direct Connect
    • Looking to make Cloud a University-wide strategic program
  • Cloud Shield – physical firewall
    • Kicked off 7/15 in response to a security breach
    • POC – 11/15 – 2/16
    • Started automation code 3/16
    • 15,000 lines of code
    • Production ready 7/16
    • Design goals
      • provide highly available and highly redundant AWS network access
      • Provide visibility of traffic into, out of, and between cloud applications
      • Provide next-gen firewall protections
      • Inline web filtering to simplify server configuration
      • Provide multicloud connectivity
    • Tech details
      • Diverse paths and POPs – Boston has 2 direct connects, and a POP in Equinix in Virginia with private network connection to campus
      • Primarily done for visibility
    • Actively discourage host-based firewalls
      • Use security groups instead
      • Don’t use Network ACLs
  • Will provision services with public IPs
    • They have overlapping private address spaces
  • Design manager of managers in Python
    • Create an ops & maintenance free architecture in Lambda
    • Provide REST API through AWS API Gateway
    • Isolate changes by segregating integrations in AWS Lambda
  • Leverage AWS DynamoDB for
    • Schemaless session cache
    • Dynamic reconfiguration
  • Challenges
    • Static DNS names
      • use ELB or ALB for applications
    • Everyone needs to be on Harvard IP space
      • Delegates six /16s for AWS
    • Legacy application stacks
      • Java has a “mostly hate” relationship with DNS
        • Lots of apps cache DNS forever
    • Reduced S3 visibility
    • Inability to do app-by-app identification
      • Grouping by data classifications
    • Items which are unknowingly locked down to AWS IP space
      • eg doing a yum update to AWS Linux from a non-AWS ip space
  • Virtual firewalls per VPC were going to cost >$4 million over three years, this model costs $1.6 million over five years
  • Most applications got faster when distributed across this model
    • Less switching in the way

Panel Discussion

  • Biggest technical challenges so far?
    • Georgetown  – have to run virtual firewalls in HA. Looking at replacing with TrendMicro
    • Harvard – lack of visibility in AWS
    • UNL – Vast offerings from vendors – how to wrap heads around it?
    • How to support on prem and burst out, especially for research instruments?
    • Cornell – Keeping up with the technology. Having people to manage and implement solutions. Encouraging lack of consistency in an effort to use the best new technology to solve problems.
    • Wisconsin – Have to worry about security – a whole new paradigm in the cloud.
    • Notre Dame – pace of innovation. Do we prepare for a more rapid pace of change (and those costs) or learn to live with not implementing the latest?

 

 

CSG Fall 2016 – Security and Configuration in the Cloud, pt 1

Sarah Christen introduces the workshop.

Bob Winding and Sharif Nijim – Notre Dame

  • Cloud first – even distributed groups going cloud first
  • VPCs: Shared Services VPC with peering to Central Applications or Departmental VPCs; VPN Tunnels over I2 to campus; Be wary of implicit peering through campus routers.
  • 80% central IT, 20% distributed
  • Pauses to assess progress are built into the plan, with sprints to address issues. Inviting Mandiant to campus to help establish 5 year security roadmap.
  • Export controlled data
    • 22 projects on campus dealing with this kind of data
    • Gov Cloud new initiative to support research
    • NIST 800-171 DFAR-7012 – looks a lot like PCI DSS
      • AWS covers 1/3 of security controls in GovCloud
      • Talked to a half-dozen PIs – experiments generate lots of data, then they move data to a local spot for analysis, or design work that happens locally with specific apps.
      • Developed a compliance matrix and quick start template in Cloud Formation
        • Quick start builds shared services and multi-tenant project VPC
      • Want to create an environment in GovCloud that is cloistered for the work until it goes back to the sponsor.
  • VDI – Using graphics intensive applications in the cloud
    • Looked at Frame – delivers screen from remote desktop over video streams. Running pilot in US East
  • Look at the RDP gateway as the audit boundary – doesn’t include the end user device
  • Least privileges in IAM
  • Working with Purdue to look at SaaS providers for security monitoring and log analysis
  • AWS Security
    • Flipped IAM from least privilege to explicit deny of dangerous operations
      • Separation of control on IAM policy creation and application
      • Writing Lambda functions to undo changes that aren’t permitted
  • Organizing security groups
    • Setting standards for common functions, like sysadmin access
    • Engineers have a hard time keeping things simple
    • Databases use security groups for access control, which simplifies auditing
  • Data security
    • Using Tripwire tuned precisely on systems with confidential information
    • Encryption at rest and backups
    • Replication of backups/snapshots to a separate account and region. If a credential is compromised can’t destroy both operational data and backup
  • Future
    • CloudFront WAF
      • Want to fully leverage Amazon’s tools to gain advantage
      • Realize that this increases lock-in with the vendor
    • Host IDS for selected sensitive systems – looking for things that don’t cause choke points
    • Comment from Bruce – “we’re on the verge of a post-firewall world”
      • At AWS have to use IP-address based controls across VPCs and shared services
  • https://oit.nd.edu/cloud-first
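
The deny-list model and the undo Lambda from the AWS Security bullets above, shown together as an added example that is not Notre Dame's code. The list of dangerous operations, the revert table and the sample CloudTrail records are assumptions made for illustration, and the evaluator covers only the explicit-deny-over-allow rule for identity policies.

```python
"""Deny-list guardrail and revert planner. Added example; action lists are assumed."""
from fnmatch import fnmatchcase

# Assumption: the notes do not say which operations were classed as dangerous.
GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ProtectAuditTrail", "Effect": "Deny", "Resource": "*",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]},
        # Separation of control: builders may write policies but not apply them.
        {"Sid": "NoPolicyApplication", "Effect": "Deny", "Resource": "*",
         "Action": ["iam:Attach*Policy", "iam:Put*Policy"]},
    ],
}
BROAD_ALLOW = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    # IAM action names are case-insensitive; * and ? are the wildcards.
    return (any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])))


def evaluate(policies, action, resource="*"):
    """Identity-policy core of IAM evaluation: an explicit Deny beats any Allow,
    and no match is an implicit deny. Conditions, NotAction, SCPs and
    permission boundaries are left out."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _matches(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                decision = "Allow"
    return decision


# Undo calls for changes that landed anyway, e.g. in an account the guardrail had
# not reached. Values: boto3 client name, method, kwargs built from requestParameters.
REVERTS = {
    "cloudtrail:StopLogging": ("cloudtrail", "start_logging",
                               lambda p: {"Name": p["name"]}),
    "iam:AttachRolePolicy": ("iam", "detach_role_policy",
                             lambda p: {"RoleName": p["roleName"],
                                        "PolicyArn": p["policyArn"]}),
}


def plan_revert(record):
    """Map one CloudTrail record to the call that undoes it. Returns None when
    the change is permitted or never took effect."""
    if record.get("errorCode"):
        return None
    action = record["eventSource"].split(".")[0] + ":" + record["eventName"]
    if evaluate([GUARDRAIL], action) != "ExplicitDeny":
        return None
    if action not in REVERTS:
        return {"action": action, "call": None}  # no safe inverse: escalate
    client, method, build = REVERTS[action]
    return {"action": action,
            "call": (client, method, build(record["requestParameters"]))}


def handler(event, context=None, clients=None):
    """Lambda entry point for an EventBridge "AWS API Call via CloudTrail" event.
    `clients` maps service name to a boto3 client; with none given it only plans."""
    plan = plan_revert(event["detail"])
    if plan and plan["call"] and clients:
        client, method, kwargs = plan["call"]
        getattr(clients[client], method)(**kwargs)
    return plan


# Constructed CloudTrail records, trimmed to the fields used here.
SAMPLE_RECORDS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "requestParameters": {"name": "constructed-trail"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "requestParameters": {"roleName": "app-role",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicy",
     "requestParameters": {"policyName": "draft-policy"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "requestParameters": {"name": "constructed-trail"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy",
     "errorCode": "AccessDenied", "requestParameters": {"roleName": "app-role"}},
]
```

A deleted trail has no inverse call, so the planner returns it with `call` set to `None` for a person to handle; the role the Lambda runs under must itself be exempt from the guardrail statements it enforces.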

Bob Turner – Wisconsin

  • Somewhere between cloud experimentation and cloud aware.
  • Trying to not yet deal with sensitive and restricted data in the cloud
  • security requirements for accounts and VPCs
    • Working off script based on risk management framework
    • Using it for onboarding people into cloud environments
    • Working on audits and attestations
  • Enforcing cloud controls (will also use for on campus environments)
    • Provisioning/De-provisioning
    • Going to try to use FedRAMP checklist as a guide
    • Approval of risk by Executive able to accept on behalf of University
  • Automated Templates (consultancy model)
    • Create a new account or migrate existing account under master
    • Pre-provisioned equipment templates with logging enabled
    • Configured for Shibboleth
    • Moving towards Duo for MFA
    • Activate AWS Config
    • Use (future) cloud security tool for initial verification and continuous monitoring
  • Things to be concerned about
    • Holding on to root accounts and credentials
    • Challenges of CDM
    • Usual tools are not necessarily available
    • AWS tools have charges
    • Challenge of cloud vendors that don’t support SAML or federation
  • Account management
    • Group email per department, including Office of Cybersecurity Rep
  • Researcher accounts
    • must know their expected data (at present no Restricted or Sensitive data)
      • Google as a government service that has been pretty well vetted by US agencies

Sarah Christen – Cornell

  • Cloud first according to IT Strategic plan written in 2013
  • 54 accounts under master contract, hundreds outside
  • Cloudification services has been an opportunity for central IT to partner with campus
  • Requirements for being on master contract
    • Onboarding discussion
      • How billing works; unit responsibilities – how is this different than the data center?; Security and configuration requirements; Benefits; Discussion about joining tech community; central services available – Container service (will containerize and run code for fee), DevOps service
    • Attestation
      • Explicit agreement to policies
    • Shibboleth
    • Duo for MFA for console access
    • Activation for AWS Config and CloudTrail
    • CloudTrail logs sent to Security Office
  • Onboarding – create account, configure Shib and Duo, lockdown root account, standard AD groups (admin, cloud group, security), activate Config and CloudTrail and configure CloudTrail logs to be sent to Security office as well as the VPC owner; activate CloudCheckr and schedule review of how to use.
  • CloudCheckr – allows those with accounts to see usage data; makes recommendations on how to save money; sends monthly invoices; runs continuous vulnerability scan; gives Security a view into all accounts
  • Standard VPC setup – blogs.cornell.edu/cloudification/2016/04/08
  • What about research accounts?
    • Easy onboarding without a lot of steps or complication
    • No interference with research, no cost or performance overhead
    • Solutions for export controlled data and other compliance requirements
    • Standard network config not always a good fit
    • Consultation and services – Docker, Data Storage, Training, Devops support
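
The onboarding baseline in the list above (root lockdown, Shibboleth, Config, CloudTrail delivered to the Security Office) can be checked per account from read-only API output. This is an added example, not Cornell's tooling; the bucket name, the finding labels and the reading of "lock down root" as MFA plus no access keys are assumptions, and the sample documents are constructed.

```python
"""Audit one AWS account against the onboarding baseline in the notes above.

Inputs are the JSON documents returned by these read-only AWS CLI calls:
  aws iam get-account-summary
  aws iam list-saml-providers
  aws configservice describe-configuration-recorder-status
  aws cloudtrail describe-trails
  aws cloudtrail get-trail-status --name <trail>   (one per trail, keyed by name)
Duo is enforced at the identity provider, so it is not visible to this check.
"""

# Assumption: the Security Office receives CloudTrail logs in this S3 bucket.
SECURITY_BUCKET = "example-security-office-cloudtrail"


def audit_account(summary, saml, config_status, trails, trail_status,
                  security_bucket=SECURITY_BUCKET):
    """Return a sorted list of baseline findings; an empty list means compliant."""
    findings = []
    smap = summary.get("SummaryMap", {})

    # "Lock down root account", read here as: MFA on root, no root access keys.
    if smap.get("AccountMFAEnabled", 0) != 1:
        findings.append("root-no-mfa")
    if smap.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root-access-keys-present")

    # Shibboleth federation shows up in IAM as a SAML identity provider.
    if not saml.get("SAMLProviderList"):
        findings.append("no-saml-provider")

    # AWS Config needs at least one recorder that is actually recording.
    recorders = config_status.get("ConfigurationRecordersStatus", [])
    if not any(r.get("recording") for r in recorders):
        findings.append("config-not-recording")

    # CloudTrail: a trail that exists but has been stopped does not count.
    active = [t for t in trails.get("trailList", [])
              if trail_status.get(t["Name"], {}).get("IsLogging")]
    if not active:
        findings.append("cloudtrail-not-logging")
    elif not any(t.get("S3BucketName") == security_bucket for t in active):
        findings.append("cloudtrail-not-delivered-to-security")
    return sorted(findings)


# Constructed sample: an account onboarded per the baseline.
GOOD = dict(
    summary={"SummaryMap": {"AccountMFAEnabled": 1,
                            "AccountAccessKeysPresent": 0}},
    saml={"SAMLProviderList": [
        {"Arn": "arn:aws:iam::111111111111:saml-provider/example_idp"}]},
    config_status={"ConfigurationRecordersStatus": [
        {"name": "default", "recording": True}]},
    trails={"trailList": [{"Name": "baseline",
                           "S3BucketName": SECURITY_BUCKET}]},
    trail_status={"baseline": {"IsLogging": True}},
)

# Constructed sample: root keys exist, Config stopped, trail logs kept locally.
DRIFTED = dict(
    GOOD,
    summary={"SummaryMap": {"AccountMFAEnabled": 1,
                            "AccountAccessKeysPresent": 1}},
    config_status={"ConfigurationRecordersStatus": [
        {"name": "default", "recording": False}]},
    trails={"trailList": [{"Name": "baseline",
                           "S3BucketName": "dept-own-logs"}]},
)

if __name__ == "__main__":
    for label, account in (("good", GOOD), ("drifted", DRIFTED)):
        print(label, audit_account(**account) or "compliant")
```

Run on a schedule across all accounts, the findings list gives the Security Office the same drift view for accounts that later stop Config or repoint a trail.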

Mark Debonis – VaTech

  • Cloud Aware -> Moving into Cloud Experiment
  • One production VPC in AWS, five pre-production
  • Moving towards both AWS and Azure offerings
  • Manual provisioning process
    • Customer contacts CCS via Service Catalog for Cloud brokerage discussion
    • Difference in Azure (upfront) and AWS billing models – In Azure if you don’t use your commitment in a year you lose it
  • Logins to Azure portal with VT AD account, Redirect to VT ADFS, Login and use Duo, Primary contact manages other users through Azure Admin portal with VT AD accounts

Kevin Murphy – UNL Lincoln

  • Cloud first for SaaS
  • Experimentation for PaaS and IaaS: Rackspace, Azure, AWS
  • One VPC in Azure for disaster recovery (domain controllers, ADFS)
  • VPC in progress for AWS
  • Central IT is pushing cloud strategies, very little departmental participation. Research computing run by CS faculty, not interested in cloud computing.
  • Security requirements: Federated logins (ADFS with Duo) for Azure. Shipping everything from IaaS to Splunk on campus
  • Security requirements – manually creating accounts; No PII data in the cloud
  • Been doing Azure StorSimple device – hybrid solution.
  • Moving PCI environment to the cloud with a managed service provider who will take the liability and run on AWS. “not extremely expensive”
  • Challenges: Moving current architecture to IaaS can be prohibitively expensive – people build for peak loads, need to use elastic capabilities. Exploring PaaS options such as Azure Web Apps and DB services. Billing is a challenge.

Bereket Amdemichael, Daniel Tamiru, Georgetown

  • Based their AWS cloud architecture on the work done at the CSG Cloud Architecture Working Group
  • Added a proxy layer.
  • IPSec VPN – Cisco
  • Users only have access to specific VMs – have to access across the VPN
  • VPC and group architecture is a “spirited discussion”
  • When do they (security) need to be alerted when something isn’t right?
  • Using Equinix for high speed transfer to AWS

Internet2 Tech Exchange 2015 – RESTful APIs and Resource Definitions for Higher Ed

Keith Hazelton – UWisc

TIER work growing out of CIFER – Not just RESTful APIs. The goal is to make identity infrastructure developer and integrator friendly.

Considering use of RAML API designer and raml.org tools for API design and documentation.

Data structures – the win is to get a canonical representation that can be shared across vertical silos. Looking at messaging approaches. Want to make sure that messaging and API approaches are using the same representations. Looking at JSON space.

DSAWG – the TiER Data Structures and APIs Working Group – just forming, not yet officially launched. Will be openly announced.

Ben Oshrin, Spherical Cow

CIFER APIs – Quite a few proposed, some more mature than others.

More Mature: (Core schema – attributes that show up across multiple APIs); ID Match (creates a representation for asking “do I know this person already, and do I have an identifier?”); SOR to Registry (create a new role for a person); Authorization (standard ways of representing authorization queries).

Less mature: Registry extraction (way to pull or push data from registry – overlap with provisioning); Credential management (do we really need to have multiple password reset apps?)

Not even itemized: Management APIs; Monitoring APIs. Have come up in TIER discussions.

Non CIFER  APIs / Protocols of interest: CAS, LDAP, OAuth, OIDC, ORCID, SAML2, SCIM, VOOT2

Use cases:

  • Intra-component: e.g. person registry queries group registry for authorization; group registry receives person subject records from person registry.
  • Enterprise to component: System of Record provisions student or employee data in Person Registry
  • Enterprise APIs: Home grown person registry exposes person data to campus apps.

#TODO

API Docs; Implementations

CSG Spring 2015 – The Data Driven University, part 2

Tom Lewis, Washington

Who are the traditional players? Institutional Research; Office of Educational Assessment; Data Warehouse Team (do good work, saw their client as being Finance).

Modern players & practices – Sources of Change: From Above (President, Provost, VPs, AVPs, Chancellors); From the middle (Deans, chairs, heads of admin units, especially those focused on undergrads); From below (staff doing work, faculty); From the outside (BI and analytics vendors).

Becoming Modern –

Course Demand Dashboards – Notify.uw. Enterprising students screen scraping registration system for notifying about openings in courses, charging other students. So built notify.uw – can notify when openings occur in class via email or SMS. Almost 25k subscribers. What else can be done with the data? Understanding course demand: Notify.UW knows what classes students want; student system knows about course offerings and utilization of capacity. Mashed them up to see where demand exceeded capacity.

The Cool stuff: Central IT BA’s and engineers pulled in a like minded colleague from the DW to do innovation work with data. Provost, deans, and chairs got excited; built out dashboards using Tableau.

The Great Civitas Pilot – Why Student Success Analytics? People don’t understand much about their students, when to do interventions, longitudinal views of program efficacy and impacts. Tried to use Civitas – take data from student system, LMS, and data warehouse. Illume: Analyze key institution metrics, starting with persistence; view historical results and predictions of future. Inspire for Advisors

The Cool stuff: Admin heads looked to IT to help solve problem because of success of course dashboard. Faculty, teaching and program support staff are eager to get started.

Show Me the Data!

Assessment folks didn’t understand the value of giving access to data that hasn’t been analyzed. IT team interviewed people for data needs, then involved assessment people in building dashboards with Tableau to realize those needs.

Data Warehouse folks have gotten the religion – look at the UW Data & Analytics page.

Central IT is the instigator and change agent, but needs BAs with deep data analysis skills.

We all need to be hiring data scientists with deep curiosity – can’t keep having technical folks answer that it takes too long to go through the data. Should partner with existing data science centers on campus. If we’re really going to be data-driven universities IT will be at the center – we touch all the parts of the institution, we have the tools, and we know more about how data interacts.

Mark Chiang – UC Berkeley

Used to have to go to separate offices to get data, mash up into spreadsheets, do pivot tables, for every request.

Data Warehouse: Cal Answers – Students (applicants, curriculum, demographics, financials); Alumni; Finance; Research; HR; Facilities.

Built out high level dashboard for deans and chairs – answer questions about curricula. Enrollments, Offerings, instructor data, etc.  Facilitates discussions between deans and faculty and administrators. Effort was driven by CFO. Makes job much easier. Added substantial additional investment.

Can build out prototypes in a couple of weeks on top of live data to prove concepts before building the real enterprise work.

Discussion

Will the data warehouse look significantly different in a few years? We don’t do a good job of understanding the way data security needs to change as data ages. There’s a place to incorporate new types of data like sentiment analysis on social media. Instructure is working on making Canvas data available via AWS Redshift. Much of the new thinking and activity about data is not coming from the traditional BI/DW teams, but those folks are more willing to partner now than they used to be.

CSG Spring 2015 – The Data-Driven University – part 1

Kelly Doney – Changing the Conversation at Georgetown

Getting lots of questions around data not collected in traditional ERP – how many times did you visit your advisor? What volunteer opportunities did you do? Who was your favorite professor?

Advancement needs to follow alumni every step of the way.

Provost asking question – process efficiency, quality of instruction, but also outcomes – what happens to graduates in first five years and beyond, relating those data back to experiences on campus.

Vice Provost for education sponsoring an effort – wants to measure cultural impact of Georgetown on students: learning to learn, well-being, empathy, etc. Creating embedded cultural practices to track that.

Using Enterprise BI + CRM for data analysis

Trying to break down silos of data ownership. Workday enabled some of this as shadow system owners realized they weren’t getting feeds from the new system. Went live with Finance and Student data warehouse this year.

Been partnering with Advancement to bring enterprise CRM to campus. Need to think about other sources too. Just finished first part of playbook project with Deloitte and Salesforce to create a playbook for higher ed institutions that want to take a look at CRM at an enterprise level. Talked to 20 different offices, identified 150 use cases for CRM. Have a high level Salesforce object model. Going to take on a pilot.  Needs to be refined by the community.

Phase 1 – Advancement and Requirements. Phase 2: Advancement and CRM Core. Future phases: CRM and larger engagement.

Salesforce licensing model is cost prohibitive for higher education – they’ve agreed to come to the table to discuss this.

User community always asks for lots of control and flexibility in reporting, but doesn’t make time to learn tools.

Debbie Fulton – VA Tech – Role of BI tool at VT

It’s not how you get there… unless you can’t get there. The perfect BI tool is not the goal and will not create a data-driven university. But if you have no viable tool, your goals may be unattainable.

VT’s journey – Any tool will do (almost). Needed to figure out what mattered to VT. They had Brio since the early 2000s, had a lot of limitations. Licensing, required desktop installation, browser problems, etc. Had a lot of standardized reports that required developers to create. Put out an RFP.

Was important that sponsors realized that getting a tool did not create the data-driven university. Brought in EAB to make recommendations on creating the data-driven university which added credibility.

Goals: Replace soon-to-be obsolete technology; leverage data warehouse (didn’t want to rebuild); position VT for future (unstructured data, mobile access, diversity of data sources); Address issues with current environment (inconsistent distribution and management of information; report development cycle is lengthy and process varies; lack of modern presentation and analytical functionality; inadequate licensing of legacy tools and product obsolescence).

RFP Requirements: Pixel Perfect Enterprise Reporting (not just SQR reports); Ad hoc reporting; analytics, visualization, and predictive modeling; scheduling and distribution; dashboards; mobile implementation; common data model (virtual data model, supporting a common data model regardless of reporting tool used).

Two vendors supported the data model concept: Attivio (search based), and denodo (which actually builds a data model). Both add a layer of complexity that would’ve added to the timeline, and both are expensive. MicroStrategy added ability to build model that other tools could look at. That layer isn’t as robust as the dedicated tools, but was good enough.

Purchased MicroStrategy.

Benefits realized and next steps: Site license for MicroStrategy including admin and academic usage; have a tool with full functionality to support BIT; opportunity to jumpstart BI dialogue – questions have changed beyond complaining about lack of good tools; BI sponsorship and steering committee; data governance – beyond data stewards; BI leadership and evangelism.

Questions for consideration in achieving a data-driven university: How do we progress with all aspects of a BI implementation (data governance, evangelism, analytics, etc.) that need to come together? Where does IT fit? Could we learn from the evolution of learning systems for how we might create data analytics services, partnerships, and direction between IT and the university?

Business Intelligence Pain Points – Todd Hill, Notre Dame

Finding and acquiring BI talent – can’t pay what industry does. Some places use staff who were graduate assistants. Some use offshore resources, but that presents some challenges. 1 excellent BI person is worth 3 mediocre ones – invest wisely. Build your own BI skills internally. Develop BI competency center.

Tools – Notre Dame historically used Business Objects, but now moving towards Microsoft stack + Tableau. Found that over half of what they built didn’t get used, so needed to change the model. Build Personal BI, Team BI, Enterprise BI. Find what works in a less costly way before moving up the maturity level. Can’t go right from zero to enterprise. 1 month personal BI solutions – 1-2 customers, non refreshing data. Then add data governance, build for the team, then after that build in security at an enterprise level.

Assessment Framework: How well do your customers know what they want? How clean is the data? How clearly defined are the data elements? How well understood are data access and security? How technically savvy are your customers?

Create a data steward position; involve constituencies, show a RACI matrix; publish data definitions – BI portal. Notre Dame has a data governance seal of approval for data that’s been defined by the process.

Addressing Organizational Silos – co-locate when possible to promote teaming; have cross-departmental user stories; use sponsors to clear organizational silos. Deans are asking for dashboards that cross those silos – e.g. research, finance, HR.

Sometimes you can take advantage of new ERP implementations to change the model of (for example) data access.

Addressing BI Project Demand – Agile methodologies can help. Partner with app development teams; partner with tech savvy customers; build BI competency center.

Information, Interaction, and Influence – Research networking and profile platforms

Research networking and profile platforms: design, technology and adoption of networking tools

Tanu Malik, UChicago CI – treating science as an object. Need to record inputs and outputs, which is difficult, but some things are relatively easy to document: publications, patents, people, institutions, grants. Some of this has been taking place, documenting metadata associated with science. How can we integrate this data and establish relationships in order to get meaningful knowledge out of it? There have been a few success stories: VIVO, Harvard Profiles. This panel will discuss the data integration challenges and the deployment challenges. Computational methods exist but still need to be implemented in easy to use ways.

Simon Porter – University of Melbourne

Implemented VIVO as Find an Expert – oriented towards students and industry. Now gets around 19k unique visitors per week.

Serendipity as research activity – the maximum number of research opportunities are possible when we can maximize the number of people discovering or engaging with our research. Enabled by policy, enabled by search, enabled by standards, enabled by syndication. 

Australian universities have had to collect the information on research activity all along. Some of it is private, but some is public and the University can assert publication of it. Most universities have something, but lots of different systems.

Only a small number of people will use the search in your system. Most will come from Google. 

Syndicating information within the university – VIVO – gateway to information – departments take information from VIVO to publish their own web pages. Different brands for different departments. 

Syndication beyond the University – Want to plug into international research profiling efforts. 

New possibilities: Building capability maps. How to support research initiatives. Start from people being appointed to start the effort. Use Find An Expert to identify potential academics. Can put together multiple searches to outline capability sets. Graphing interactions of search results. 

Leslie Yuan – Clinical and Translational Science Institute – UCSF

The Profiles team all came from industry – highly oriented towards execution. When she started they wanted lots of people to use, so how to get adoption? If you build it, they probably won’t come. Use your data and analyses to drive success with a very lean budget. In four years went to over 90k visits per month. Gets 20% of the traffic of the main UCSF web page.

Tactics:

1. Use Google (both inside and outside the institution).  Used SEO on site. 88% of researcher profiles have been viewed 10+ times. Goal was to get every one of researchers to come up in top 3 results when they type the name in. Partnered with University Relations – any article that the press office writes about a researcher links to their profile.

2. Share the data. APIs provide data to 27 UCSF sites and apps. Has made life easier for IT people across the university, leading to evangelization in the departments. Personalized stats are sent to profile owners – how many times your profile was viewed within the institution, from other universities, from major pharmas. People wanted specifics. Nobody unsubscribed. Vanity trumps all.  Research analytics shared with leadership. Helped epidemiology and biostatistics show that they are the most collaborative unit on campus.

3. Keep looking at the data – monthly traffic reporting, engagement stats (by school, by department, who’s edited profile, who’s got pictures), Network visualizations of co-authorships.

4. Researcher engagement – automated onboarding emails – automatically creating profiles, then letting people know about them as they come on board. Added websites, videos, tweets and more inline. Batch loaded all UCTV videos onto people’s profiles, then got UCTV to send email to researchers letting them know. Changed URLs – profiles.ucsf.edu/leslie.yuan

5. Partnerships – University Relations, Development & Alumni, Library, UC TV, Directory,  School of Medicine, Center for AIDS research, Dept. of Radiology. Was able to give data back to Univ Relations on articles by department or specialty, which they weren’t tracking. Automatic email that goes out if people get an article added. 

Took 8 or 9 months of concentrated conversations with chairs, deans, etc to convince them that this was a good thing. Only 7 people asked to be taken off the system. Uptake was slow, but now people are seeing the benefit of having their work out there.  6 people on her team have touched the system in some way, but it’s nobody’s full-time job.

Griffin Weber, Harvard – Research Networking at the School, University, and Global Scale

Added passive and active networking to the profiles system. Passive network provided information that people hadn’t seen before, driving adoption, active networks allowed the site to grow over time. Passive network creates networks based on related concepts. Different ways of visualizing the concept maps – list, timeline, co-authors, geography (map), ego-centric radial graph (social network reach), list of similar people

Different kinds of data for Harvard Faculty Finder – comets and stars discovered, cases presented to the Supreme Court, classes taught, etc. Pulled in 500k publications from Web of Science. Derived ontologies in 250 disciplines across those publications using statistical methods. 

Direct2experts.org – federated search across 70 biomed institutions. 

Faculty affairs uses Profiles to form promotions committees, students using it to find mentors. 

Bart Trawick, NCBI – NLM – Easy come, easy go; SciENcv & my bibliography 

NIH gives $15.5 in grants per year. Until 2007 didn’t have a way of seeing what they were getting from the investment. Public access to publications mandated by Congress in 2007. Started using MyBibliography to track. Over 61k grant applications coming in every year, just flat PDFs.

About 125k US trained scientists in the workforce now. Many have been funded by training grants. Want to see how the scientists continue their career. Over 2500 unemployed PhDs in biomedical science.

My NCBI Overview – tools and preferences integrated with NCBI databases. Connected to PubMed, genomics, etc. Uses federated login (can link google accounts e.g.) Can link ERA commons account – pull in information about profiles, grants linked. 

My Bibliography – make it a tool to capture information and link grant data to publications. Set up to monitor many of the databases that information flows through. End result of public access policy is that all NIH-funded research publications get deposited in PubMed Central. MyBibliography lets scientists know if they’re compliant with policy. Send structured data back out to PubMed, allowing searching by grant numbers, etc.

SciENcv – released second version this week. Help scientists fill out profile – each agency has their own biosketch format. SciENcv is attempt to standardize that. NIH set up, working on others, NSF next on list. Wanted to make it easy for researchers who are already funded and using MyBibliography. Data exists out there – would like to get to a point of reuse of data for grant reporting. Added inputs – ORCID, eRA Commons (used to manage grants), MyBibliography. Grants.gov requires biosketches in PDF. Can export from SciENcv in pdf to grants.gov, with rich metadata attached.

CSG Spring 2014 – Analytics Discussion

ECAR Analytics Maturity Index – could use it to assess which group to partner with to judge feasibility. 

NYU started analytics several years ago and chose certain kinds of data. 

Dave Vernon – Cornell
Hopes and dreams for the Cornell Office of Data Architecture and Analytics (ODAA)
Current state of data usability at Cornell: like a library system with hundreds of libraries, each with unique catalog systems (if any), each requiring esoteric knowledge, each dependent on specialists who don’t talk to each other.

Traditional “BI” – not analytics but report generation. Aging data governance.

ODAA – to support Cornell’s mission by maximizing the value of data resources. Act as a catalyst/focal point to enable access to teaching, research, and admin data. Acknowledge limited resource, but will attempt to maximize value of existing resources.

Rethink governance: success as the norm, restrictions only as needed? Broad campus involvement in data management – “freeing” of structured / unstructured data. Stop arguing over tools: OBIEE vs Tableau, etc. Form user groups – get the analysts talking. 

Service Strategy: Expand Institutional Intelligence initiative: create focused value from a select corpus of admin data (metadata, data provenance, governance, and sustainable funding). Cost recovered reporting and analytics services. User groups, consultants, catalog and promulgate admin and research data resources. 

Resource strategy: What do you put together in this office? Oracle people, reporting people. Re-allocate savings. Add skilled data and analytics professionals. Modest investment in legacy tool refresh. People are getting stuck in discussions of tools.

Measures of Success: ODAA becomes a known and trusted resource. Cultural evolution – open not insular. Data becomes actionable, self-service. Broad campus involvement in data management, “freeing” of data – have to work on data stewards to convince them that they have to make a compelling argument to keep data private. Continued success of legacy services.

At NYU IR owns the data stewardship and governance, but there is a group in a functional unit (not IT) that acts as the front door for data access. Currently just admin data focus, but growing out of that. Two recent challenges – student access to data (pressing governance structure), and learning analytics (people want access to LMS click streams – what about privacy concerns?).

Stanford – IR group reports to provost (like 15 people) do admin data. Group reports to dean of research for research data. Teaching & learning under another VP. Groups specialize, reducing conflict. Data scientists are part of those groups. 

Washington spinning up data science studio with research people, IT, library people as a physical space for people to collocate. 

Jim Phelps – can we use the opportunity of replacing ERPs to have the larger discussion about data access and analytics?

Notre Dame halted BI effort to go deeply into a data governance process, and as part of that are getting a handle on all of the sets of data they have. Building a data portal that catalogs reports. More a collection of data definitions rather than a catalog of data: data.nd.edu. A concept at this point, but moving in that direction. Registry of data – all data must be addressable by URL. Catalog shows existing reports, showing what roles are necessary to get access. Terms used in the data are defined.

Duke – Not hearing demand for this on campus, but getting good information on IT activity using Splunk on data streams. Could get traction by showing competencies in analysis.

At NYU had a new VP for Enrollment Management who had lots of data analysis expertise, who wowed the Board with sophisticated analyses, driving demand for that in other applications. 

Data Science Venn diagram – http://drewconway.com/zia/2013/3/26/the-data-science-venn-diagram

Dave Vernon – There’s an opportunity to ride the big data wave to add value by bringing people together and getting the conversations going and make people feel included. 

How are these teams staffed? Can’t expect to hire someone who knows all the pieces, so you have to have cross-functional teams to bring skills together. Michigan State has a Master’s program in analytics, so bringing some good people in there. Last four hires at Notre Dame have been right off the campus. Now have 8 FTE in BI space.