CSG Winter 2017 – Cloud ERP Workshop

Stanford University – Cloud Transformations – Bruce Vincent

Why Cloud and Why now? Earthquake danger; campus space; quick provisioning; easy scalability; new features and functions more quickly

Vision for Stanford UIT cloud transformation program: Starting to behave like an enterprise. Shift most of service portfolio to cloud. A lot of self-examination – assessment of organization and staff. Refactoring of skills.

Trends and areas of importance: Cloud – requires standards, process changes, amended roles; Automation – not just for efficiency – requires API integration; IAM – federated and social identities, post-password era nearing for SSO; Security – stop using address based access control; Strategic placement of strong tech staff in key positions; timescale of cloud ignores our annual cycles.

Challenges regarding cloud deployments: Business processes tightly coupled within SaaS products, e.g. ServiceNow and Salesforce; Tracking our assets which increasingly exist in disparate XaaS products; Representing the interrelationships between cloud assets; Not using our own domain namespace in URLs.

Trying to make ServiceNow the system of record about assets – need to integrate it with the automation of spinning instances up and down in the cloud.

Cloud ERP – Governance and Cloud ERP – Jim Phelps, Washington

UW going live with Workday in July. Migrating from old mainframe system and distributed business processes and systems. Business process change is difficult. Built an integrated service center (ISC) with 4 tiers of help.

Integrated Governance Model: across business domains; equal voice from campus; linking business and technology; strategic, transformative, efficient…

Governance Design: Approach – set strategic direction; build roadmap; govern change – built out RACI diagram.

“Central” vs “Campus” change requests – set up a rubric for evaluating: governance should review and approve major changes.

Need for a common structured change request: help desk requests and structured change requests should be easily rerouted to each others’ queues.

Governance seats (proposed): 7 people – small and nimble, but representative of campus diversity.

Focus of governance group needs to be delivering greatest value for the whole university and leading transformational change of HR/P domains. Members must bring a transformational and strategic vision to the table. They must drive continuous change and improvements over time.

Next challenge: transition planning and execution – balancing implementation governance with ISC governance throughout transition – need to have a clear definition of stabilization.

Next steps: determine role of new EVP in RACI; Align with vision of executive director of ISC; provost to formally instantiate ISC governance; develop and implement transition plan; turn into operational processes

UMN ERP Governance – Sharon Ramallo

Went live with PeopleSoft 9.2 on 4/20/2015 – no issues at go-live!

Implemented governance process and continue to operate governance

Process: Planning, Budgeting; Refine; Execution; Refine

  • Executive Oversight Committee – Chair: VP Finance. Members: VP OIT, HR, Vice Provost
  • Operational Administrative Steering Committee – Chair: Sr. Dir App Dev;
  • Administrative Computing Steering Committee – people who run the operational teams
  • Change Approval Board

Their CAB process builds a calendar in ServiceNow.

USC Experience in the Cloud – Steve O’Donnell

Current admin systems – Kuali KFS/Coeus, custom SIS (Mainframe), Lawson, Workday, Cognos

Staffing and skill modernization: Burden of support shifts from an IT knowledge base to more of a business knowledge base – in terms of accountability and knowledge. IT skill still required for integrations, complex reporting, etc. USC staffing and skill requirements disrupted.

Challenges: Who drives the roadmap and support? IT Ownership vs. business ownership; Central vs. Decentralized; Attrition in legacy system support staff. At risk skills: legacy programmers, data center, platform support, analysts supporting individual areas.

Mitigation: establishing clear vision for system ownership and support; restructure existing support org; repurpose by offering re-tooling/training; Opportunity for less experienced resources – leverage recent grads, get fresh thinking; fellowship/internships to help augment teams.

Business Process Engineering – USC Use cases

Kuali Deployment: Don’t disrupt campus operations. No business process changes. Easier to implement, but no big bang.

Workday HCM/Payroll: Use delivered business process as starting point. Engaged folks from central business, without enough input from campus at large. Frustrating for academics. Workday as a design partner was challenging. Make change management core from beginning – real lever is conversations with campus partners. Sketch future state impact early and consult with individual areas.

Current Approach – FIN pre-implementation investment

Demonstrations & Data gathering (requirements gathering): Sep – Nov. Led by Deloitte consultants; cover each administrative area; work team identifies USC requirements; Community reviews and provides feedback. Use the services folks, not the sales folks.

Workshops (develop requirements)- Nov – Feb. Led by USC business analysts, supported by Deloitte; Work teams further clarify requirements and identify how USC will use Workday; Community reviews draft and provides feedback

Playbacks (configure): March – May. Co-led by consultants and business analysts; Workday configured to execute high-level USC business requirements; Audience includes central and department-level users

Outcomes: Requirements catalog; application fit-gap; blueprint for new chart of accounts; future business process concepts; impacts on other enterprise systems; data conversion requirements; deployment scope, support model

CIO Panel – John Board; Bill Clebsch; Virginia Evans; Ron Kraemer; Kelli Trosvig

Cloud – ready for prime time ERP or not? Bill – approaching cautiously, we don’t know if these are the ultimate golden handcuffs. How do we get out of the SaaS vendors when we need to? PeopleSoft HR implementation has 6,000 customizations and a user community that is very used to being coddled to keep their processes. ERP is towards the bottom of the list for cloud.

Virginia – ERP was at the bottom of list, but business transformation and merger of medical center and physicians with university HR drove reconsideration. Eventually everything will be in the cloud.

John – ERP firmly at the bottom of the list.

Kelli – at Washington they were not ready for the implementation they took on – trusted that they could keep quirky business processes, but that wasn’t the case. Took a lot of expenditure of political capital. Everyone around the table thought it was all about other people changing. Very difficult to get large institutions onto SaaS solutions because the business processes are so inflexible. Natural tendency is to stick with what you know – many people in our institutions have never worked anywhere else. Probably easier at smaller or more top-down institutions.

Ron – Should ask is higher-ed ready for prime time ERP or not? We keep trying to fix the flower when it fails to bloom. People changing ERPs are doing it because they have to – data center might be dying, cobol programmers might be done. Try to spend time fixing the ecosystem. Stop fixing the damn flower.

Kelli – it’s about how you do systemic change, not at a theoretical level.

Bill – what problem are we trying to solve? Need to be clear when we go into implementations. At Stanford want to get rid of data centers -space at too much of a premium, too hard to get permits, etc.

John – there’s an opportunity to be trusted to advise on system issues, integration, etc.

Kelli & Ron – The financial models of cap-ex vs. op-ex is a critical success factor.

Ron – separating pre-sales versions from reality is critical. That’s where we can play an important role.

John – we have massive intellectual expertise on campus, but we’ve done a terrible job of leveraging our information to help make the campus work better. We’ve got the data, but we haven’t been using it well.

Bernie – we need to start with rationalizing our university businesses before we tackle the ERP.

Ron – incumbent on us to tell a story to the Presidents. When ND looks at moving Ellucian they think what if they can stop running things that require infrastructure and licenses on campus? Positions us better than we are today. Epiphany over the last 6 months: We have to start telling stories – we can’t just pretend we know the right things to do. Let’s start gathering stories and sharing them.

Kitty – Part of the story is about the junk we have right now. The leaders don’t necessarily know how bad the business processes and proliferation of services are.

CSG Winter 2017 – New Models for Supporting the Academic Enterprise

How do we tie IT Strategic Plan to Teaching & Learning Mission?

Can IT move beyond its traditional role to expand its presence in and support for the academic enterprise?

Marin Stanek – UC Boulder

New IT strategic plan – the first one to focus on the academic mission.

Evolving role of IT – from being the fixer to a focuser. Creating new systems and services. Evolving to listening to campus, leading to further evolution to competence. We have the capacity to understand multiple agendas, and focus on overarching mission.

Focus on students – analytics, retention, etc. A rising rhetoric. Chancellor goal – increase grad rate from 68% to 80% in four years.

Went from a strategic plan with 20-some chapters to one that has the meat in four pages – it’s all about students. Small changes turn into larger results. Utilized LMS to put content first for student welcome. Brought innovative classroom techniques to administrative purpose.

Retention: Large Lecture redesign. Packed lecture hall with mediocre technology experiences. Identified 30 gateway courses that are strong predictor of student success. IT redesign team is engaged. Look at analysis and data to enhance the learning experience and student engagement. E-Bio class – 20% of students take this class. Held a design thinking challenge to understand student behaviors. Discovered that the TA plays a pivotal role in student success. How quickly TAs responded to student questions was the critical issue.

Strategy on a Page / Strategy, It’s Personal – Tom Lewis & Phil Reid, University of Washington

Example: When things go sideways – initiatives get started with no clear goals or clear points of contact. End result – still planning for the plan after 1.5 years. (names scrubbed to protect the innocent).

Strategic goal – strategy on a page. A way to articulate value and for partners to understand and align. Three columns: Change drivers; Initiatives; Outcomes.

Ideas –

Supporting the Academic Enterprise in New Ways: Ben Maddox, NYU

The teaching & learning mission is rife with … opportunity

Case Study 1: all politics are local – learning analytics exploration:

context: Hosted university-wide event to gauge interest (standing room only); distributed instructional technology team; no learning analytics data steward; new leadership (president, provost, CIO)

Identified willing partner to build vocabulary around learning analytics that make sense to faculty; Developed working group and business case; built a site.

Challenge: learning analytics is a sprawling, undefined space. Sudden moves in the space freak people out. Local interests may not transfer to broader needs.

Merits: academic sponsorship; justification for dedicated FTE; credibility through local partnership; leverages standing governance structure to define broader needs.

Strategic Support for Education from IT at Duke – John Board

25% of all Duke students take assembly language-based intro to computer architecture. 40% of all students take intermediate programming (and over half are women). Failure to persuade many under-represented students to go further. Teaching very large classes of 220 a semester is not in the ethos of ECE and CompSci. The Modest Disagreement: Programming should be fun to draw people into the field, vs. programming classes should train people to be “real” programmers. Standard curriculum instills almost no practical systems knowledge. Faculty are looking to IT to help remedy this. Most of the knowledge of real computing is in IT! Can be used to improve skill set of students who are going to be in the field in the real world. IT developed courses for students to take extra-curricularly in developing code.

Advice: don’t have separate advisory groups for admin and academic IT – it’s all connected.

Strategic planning process: (25 faculty and even more staff from central and distributed IT units) populating 7 working groups: living and learning; research computing support; communications and infrastructure; IT security; administrative and business systems; support models, procurement and licensing; mobile and web

Many recommendations: help people use tech more effectively; prov; support innovation in research and education

Under innovation, relevant points: support the evolving computing needs of our researchers; improve Duke’s competency in data analytics;

Technology engagement center: Windowless telephone bunker has been transformed into bank of 3d printers. Co-lab with app developers, creating APIs, video production operations; mini courses in many topics; hardware hacking (arduino, sensors, IoT); research computing – led to graduates who wanted to donate specifically to IT

What are the merits and challenges of integrated models, where IT partners with units that support instructional spaces, pedagogy, and assessment, to provide unified instructional support to campus?

Phil Reid: Why unified T&L support, and why IT?

Goal – promote and support innovation in teaching and learning

Barrier: faculty motivation to change (and you can’t blame them – incentives aren’t aligned)

Ideas to overcome barrier:

  • inspirational leaders in novel pedagogy
  • better student learning outcomes
  • improved efficiency
  • disruptive technology

Instructional systems are the “ERP” of teaching and learning

Improving the student experience

Improving the faculty experience

What faculty want is one stop shopping – pedagogy, technology, classrooms, assessment/measurement – they want the Genius Bar

Marin Stanek – How do we bring people together?

There are simple tools that seem like magic to campus. Eg. tap into IT project management discipline for transformative academic projects. Advantages: creates structure; sets expectations for timelines, resources and responsibilities of the partnering department; executive sponsorship help momentum, buy-in and hand-off of initiatives. The IT project portfolio now has a preponderance of initiatives for teaching and learning.

Example – Pathway to Space (a new minor in Aerospace, designed to pull in non-engineering majors). Utilized project portfolio process: project definitions/charter doc; schedule, budget, timeline; exec sponsorship, watch warning signs; change management process; communicate! transparency & updates; crossing the chasm – handing off the creating or build it into the team

Ben Maddox: Running the Governance Gauntlet

Context: university-wide service pilot for instructional tech support; added 10 new instructional technologists based at the schools (“a distributed model, centrally convened”); added instructional tech committee to standing governance structure; new role (joint to IT & Provost) convenes monthly meeting; group sets and recommends shared service model.

Challenge: requires increased coordination and strong sponsorship. For schools that were less resourced, there was Provost support, with management from central IT.

Deans had to write proposals to Provost to ask for the instructional support.

Jenn Stringer (Berkeley) – Academic Innovation Studio (AIS): A Collaborative Service Model

Faculty was getting “no, but” instead of “yes, and”

Space + Partners + Commitment + Trust = AIS (no unit names included). Open to every faculty, instructor, etc.

2k sq ft of space. 4 partners deliver service: research IT; Ed Tech Services; Center for Teaching & Learning; Library; Collaborative Services (google, box, etc).

Commitment is key – part was not branding as IT space. It’s faculty space. Everybody was at table to design space. f2f time – built trust.

Oren Sreebny – Central IT and the University Innovation Sector

https://drive.google.com/open?id=1L1LNLrwq72jyqWvcAgqn_y9NOl3vJhFho_0HrMSpCcQ

Marin –

Challenge: No clear career path for research computing professionals

No formal educational track; reward system missing; limited career path

Solution: Create MA in research computing and a formal collaboration between Research Computing & the Libraries. Develop and advance data science and digital scholarship through discovery & reuse

Certificate in Cybersecurity

Challenge: further develop Cybersecurity track utilizing existing interdisciplinary telecom program. Use existing grad school structure to minimize admin hurdles. Tap into existing courses to create certificate program.

Staff member was teaching a course at another university – there was no clear reward program for him to teach on campus. The story is unfolding; it requires tenacity from professionals, but also requires an incentive structure, and needs to happen at speed to keep momentum.

Ben – Supporting Teaching & Learning by Teaching

Consultations for teaching and learning with technology increased by 60%-plus. Center for Advancement of Teaching had no tech curriculum. New Inst. Tech Groups that had lots of instructional experience. Faculty Collaborators value team members with teaching experience. Appetite for Share.

Created online interactive tutorials for T&L Services. Center for Advancement of Teaching uses Instructional Tech Teams to new Tech-oriented curriculum; Provost agreed to sponsor 2 University-wide events per year. Made schools aware that staff were interested in teaching opportunities.

Evan – Duke – Technology classes at Co-Lab

Co-Lab is a technology innovation incubator to encourage students. Started with challenges, but weren’t as effective as they’d hoped. Flipped it around to ask for ideas first. Turned it into more of a grants program, but a persistent problem is that they didn’t have as many students with development skills as they thought. Roots program – teach Python, HTML, Web Development, etc. https://colab.duke.edu/roots – Taught by IT professionals. Faculty began to notice – told them that students were less technical than they used to be. Worked with faculty to develop an intro to Linux course that they use as an informal prerequisite. Going to do a git class for a Physics course.

Duke Digital Initiative – innovation funding for faculty. Over 20 proposals from faculty, funded 10 of them. Why IT? Who else knows how to program a drone, take 360 degree video, and put it on a web site?

A Day in the life of Rob Fatland, Cloud Czar – Tom Lewis

Cloud and Data Research Computing – originated out of UW E-Science institute. Out and about on campus every day, looking for researchers to help. Build – Test – Share
http://cloudmaven.org

Success stories: ORCA Transit Data – patterns of how people commute. Digital curation at the library – LIDAR data. Genomics – cut cost per genome from $60 – $15 w/help from AWS. Democratizing data and software: cloud plus GitHub plus software carpentry workshops.

Supporting the continuum of research computing – Oren

https://drive.google.com/open?id=1L1LNLrwq72jyqWvcAgqn_y9NOl3vJhFho_0HrMSpCcQ

Data for Researchers – Jenn

Providing learning data to researchers from learning records store. Data warehouse for the interactivity data from your learning systems. Things you mine to get information on student success. Berkeley has a billion records from 2.5 years of data from LMS. Researchers want to mine the data to get insights into how people learn. Most data governance organizations are not thinking about this kind of data at all. There are standards around this data – two competing: xAPI, Caliper.

Take log data and convert into standardized statements – pushing for vendors to hand data over in that format. Canvas doesn’t (yet) so UCB has to convert.

Learning Record Store: AWS based Learning Record Store; Multi-tenant LRS that can support multiple institutions; Scalability and cost; Faster deployments – lower dev/ops overhead; Lambda architecture which encompasses both Batch and real-time interaction. Have an API for researchers who go through proper approval process to get de-identified data.

Are we telling students what we do with their data? They’ve created an agency dashboard for students (not in production yet). Allows students to opt-in or out of use of their data (where appropriate). Lots of discussion of data ownership, but regardless, they want transparency and agency.
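The research-facing side of the pipeline described above (raw LMS events converted to xAPI statements, an API that returns de-identified data to approved researchers, and a student dashboard for opting out) can be illustrated in code. The following is an added example, not UC Berkeley's own LRS code: the release key, the pseudonym `homePage`, the opt-out list and the sample statements are constructed for the illustration. It shows why a keyed HMAC, rather than a plain hash of the e-mail address, is the right pseudonym, and how the opt-out is applied before anything leaves the store.

```python
"""De-identification for a learning record store (added example, not UCB's
own code). Keys, URLs, the opt-out list and the statements are constructed."""
import copy, hashlib, hmac, json

# Secret held by the LRS operator and rotated per research release, so that
# pseudonyms from two releases cannot be joined. (Key storage is assumed to be
# handled outside this snippet.)
RELEASE_KEY = b"constructed-per-release-secret"
PSEUDONYM_HOME = "https://lrs.example.edu/pseudonyms"   # hypothetical account homePage

# xAPI "inverse functional identifiers": exactly one of these identifies an Agent.
IFI_KEYS = ("mbox", "mbox_sha1sum", "openid", "account")

def agent_identifier(agent):
    """Return the Agent's identifying value as a canonical string."""
    for k in IFI_KEYS:
        if k in agent:
            v = agent[k]
            return json.dumps(v, sort_keys=True) if isinstance(v, dict) else v.lower()
    raise ValueError("xAPI Agent has no inverse functional identifier")

def pseudonym(identifier, key=RELEASE_KEY):
    """HMAC-SHA256 pseudonym: stable within a release, not reversible without
    the key, and (unlike a bare SHA-1/SHA-256 of the e-mail, e.g. mbox_sha1sum)
    not brute-forceable from the campus directory."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:32]

def deidentify_agent(agent, key=RELEASE_KEY):
    """Drop the name and real identifiers; keep only a pseudonymous account."""
    return {"objectType": "Agent",
            "account": {"homePage": PSEUDONYM_HOME,
                        "name": pseudonym(agent_identifier(agent), key)}}

def deidentify_statement(stmt, key=RELEASE_KEY):
    """Return a copy of an xAPI statement that is safe for the research API."""
    s = copy.deepcopy(stmt)
    s["actor"] = deidentify_agent(s["actor"], key)
    if s.get("object", {}).get("objectType") == "Agent":      # e.g. a peer-review target
        s["object"] = deidentify_agent(s["object"], key)
    ctx = s.get("context", {})
    if "instructor" in ctx:
        ctx["instructor"] = deidentify_agent(ctx["instructor"], key)
    s.pop("authority", None)                  # the writing account; researchers don't need it
    if "result" in s:
        s["result"].pop("response", None)     # free text: students type their own names into it
    return s

def release_for_research(statements, opted_out, key=RELEASE_KEY):
    """Honour the opt-out list first, then de-identify whatever remains."""
    opted_out = {o.lower() for o in opted_out}
    return [deidentify_statement(s, key) for s in statements
            if agent_identifier(s["actor"]) not in opted_out]

# Constructed sample: three statements from two students, one of whom opted out.
SAMPLE_STATEMENTS = [
    {"id": "6690e6c9-3ef0-4ed3-8b37-7f3964730bee",
     "actor": {"objectType": "Agent", "name": "Alice Example", "mbox": "mailto:alice@example.edu"},
     "verb": {"id": "http://adlnet.gov/expapi/verbs/answered"},
     "object": {"id": "https://lms.example.edu/quiz/17/q3", "objectType": "Activity"},
     "result": {"success": True, "response": "I think it's B. -Alice"},
     "authority": {"objectType": "Agent",
                   "account": {"homePage": "https://lms.example.edu", "name": "lrs-writer"}},
     "timestamp": "2016-11-02T15:04:11Z"},
    {"id": "2a0f3c8e-5b1d-4f7a-9c2e-0d6b8e4f1a23",
     "actor": {"objectType": "Agent", "name": "Alice Example", "mbox": "mailto:alice@example.edu"},
     "verb": {"id": "http://adlnet.gov/expapi/verbs/experienced"},
     "object": {"id": "https://lms.example.edu/module/3/page/2", "objectType": "Activity"},
     "timestamp": "2016-11-02T15:09:40Z"},
    {"id": "c3d4e5f6-7a8b-4c9d-8e0f-1a2b3c4d5e6f",
     "actor": {"objectType": "Agent", "name": "Bob Example", "mbox": "mailto:bob@example.edu"},
     "verb": {"id": "http://adlnet.gov/expapi/verbs/experienced"},
     "object": {"id": "https://lms.example.edu/module/3/page/2", "objectType": "Activity"},
     "timestamp": "2016-11-02T15:10:02Z"},
]
OPTED_OUT = {"mailto:bob@example.edu"}   # populated from the student agency dashboard

if __name__ == "__main__":
    print(json.dumps(release_for_research(SAMPLE_STATEMENTS, OPTED_OUT), indent=1))
```

Rotating `RELEASE_KEY` per project is the design choice that matters most: with one global key every de-identified extract ever issued can be joined on the pseudonym, which quietly rebuilds the longitudinal profile the de-identification was meant to prevent.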

UC Learning Data Privacy Principles: pulled together leaders from across the UC system. Working to draft principles. Something to point procurement and vendors to.

Learning Data Recommended Practices – been circulating them, taking to committees, etc to socialize and increase awareness.

John – Using infrastructure for faculty research

There are faculty who want to use the infrastructure for research. NSF did us a favor with the first round of CC-NIE proposals – thinking about SDN in particular. Insisted PI had to be the University CIO. Unexpected benefit was to have regular meetings on progress. Regular conversation on new opportunities for cyber infrastructure grants. IT staff get opportunities to have time bought out to work on interesting problems. Faculty develop respect for the expertise of IT. OIT thinking about hiring a full-time grant writer on the staff.

CSG Fall 2016 – ITIL and DevOps

Why is this important?

  • Does ITIL make sense in an era of continuous delivery and integration?
  • Will the volume of applications and sites overwhelm the management methodology?
  • Distributed IT is not well versed in ITIL
  • Does DevOps include formal review? Shouldn’t Tier 0 sites and apps get reviewed for changes?

Survey results

  • Almost all respondents have a formal Change process and board
  • Divided on if PaaS/SaaS need formal change reviews
  • Some said that changes are only managed for major changes
  • Most respondents not mature yet with DevOps practices
  • Some groups doing agile development, but not all

Harvard working on trying to reinvent ITIL in the cloud environment – since it’s all software now, release management practices are more appropriate than change management.

Would be good to have changes (even pre-approved ones) logged in ServiceNow so incidents could be correlated with changes.

In new cloud deployments people aren’t patching, but blowing machines away and deploying new ones. How does change process handle that?

Notre Dame trying to eliminate human access to the cloud console for production systems

Nobody in the room is doing continuous deployments to ERP systems

Cornell – with self-healing infrastructure they may not even know there’s an outage.

Tom Vachon, Harvard

Harvard’s cloud at a glance

  • 684 applications targeted for migration by 7/18, 300+ migrated already
    • Shutting down one on-prem data center
  • 1 VPC per account on average
    • Centrally Billed: 131 Accounts
    • 45 Accounts/VPCs on Direct Connect
    • Looking to make Cloud a University-wide strategic program
  • Cloud Shield – physical firewall
    • Kicked off 7/15 in response to a security breach
    • POC – 11/15 – 2/16
    • Started automation code 3/16
    • 15,000 lines of code
    • Production ready 7/16
    • Design goals
      • provide highly available and highly redundant AWS network access
      • Provide visibility of traffic into, out of, and between cloud applications
      • Provide next-gen firewall protections
      • Inline web filtering to simplify server configuration
      • Provide multicloud connectivity
    • Tech details
      • Diverse paths and POPs – Boston has 2 direct connects, and a POP in Equinix in Virginia with private network connection to campus
      • Primarily done for visibility
    • Actively discourage host-based firewalls
      • Use security groups instead
      • Don’t use Network ACLs
  • Will provision services with public IPs
    • They have overlapping private address spaces
  • Design manager of managers in Python
    • Create an ops & maintenance free architecture in Lambda
    • Provide REST API through AWS API Gateway
    • Isolate changes by segregating integrations in AWS Lambda
  • Leverage AWS DynamoDB for
    • Schemaless session cache
    • Dynamic reconfiguration
  • Challenges
    • Static DNS names
      • use ELB or ALB for applications
    • Everyone needs to be on Harvard IP space
      • Delegates six /16s for AWS
    • Legacy application stacks
      • Java has a “mostly hate” relationship with DNS
        • Lots of apps cache DNS forever
    • Reduced S3 visibility
    • Inability to do app-by-app identification
      • Grouping by data classifications
    • Items which are unknowingly locked down to AWS IP space
      • eg doing a yum update to AWS Linux from a non-AWS ip space
  • Virtual firewalls per VPC were going to cost >$4 million over three years, this model costs $1.6 million over five years
  • Most applications got faster when distributed across this model
    • Less switching in the way

Panel Discussion

  • Biggest technical challenges so far?
    • Georgetown – have to run virtual firewalls in HA. Looking at replacing with Trend Micro
    • Harvard – lack of visibility in AWS
    • UNL – Vast offerings from vendors – how to wrap heads around it?
    • How to support on prem and burst out, especially for research instruments?
    • Cornell – Keeping up with the technology. Having people to manage and implement solutions. Encouraging lack of consistency in an effort to use the best new technology to solve problems.
    • Wisconsin – Have to worry about security a whole new paradigm in the cloud.
    • Notre Dame – pace of innovation. Do we prepare for a more rapid pace of change (and those costs) or learn to live with not implementing the latest?

CSG Fall 2016 – Security and Configuration in the Cloud, pt 1

Sarah Christen introduces the workshop.

Bob Winding and Sharif Nijim – Notre Dame

  • Cloud first – even distributed groups going cloud first
  • VPCs: Shared Services VPC with peering to Central Applications or Departmental VPCs; VPN Tunnels over I2 to campus; Be wary of implicit peering through campus routers.
  • 80% central IT, 20% distributed
  • Pauses to assess progress are built into the plan, with sprints to address issues. Inviting Mandiant to campus to help establish 5 year security roadmap.
  • Export controlled data
    • 22 projects on campus dealing with this kind of data
    • Gov Cloud new initiative to support research
    • NIST 800-171 / DFARS 7012 – looks a lot like PCI DSS
      • AWS covers 1/3 of security controls in GovCloud
      • Talked to a half-dozen PIs – experiments generate lots of data, then they move data to a local spot for analysis, or design work that happens locally with specific apps.
      • Developed a compliance matrix and quick start template in CloudFormation
        • Quick start builds shared services and multi-tenant project VPC
      • Want to create an environment in GovCloud that is cloistered for the work until it goes back to the sponsor.
  • VDI – Using graphics intensive applications in the cloud
    • Looked at Frame – delivers screen from remote desktop over video streams. Running pilot in US East
  • Look at the RDP gateway as the audit boundary – doesn’t include the end user device
  • Least privileges in IAM
  • Working with Purdue to look at SaaS providers for security monitoring and log analysis
  • AWS Security
    • Flipped IAM from least privilege to explicit deny of dangerous operations
      • Separation of control on IAM policy creation and application
      • Writing Lambda functions to undo changes that aren’t permitted
  • Organizing security groups
    • Setting standards for common functions, like sysadmin access
    • Engineers have a hard time keeping things simple
    • Databases use security groups for access control, which simplifies auditing
  • Data security
    • Using Tripwire tuned precisely on systems with confidential information
    • Encryption at rest and backups
    • Replication of backups/snapshots to a separate account and region. If a credential is compromised can’t destroy both operational data and backup
  • Future
    • CloudFront WAF
      • Want to fully leverage Amazon’s tools to gain advantage
      • Realize that this increases lock-in with the vendor
    • Host IDS for selected sensitive systems – looking for things that don’t cause choke points
    • Comment from Bruce – “we’re on the verge of a post-firewall world”
      • At AWS have to use IP-address based controls across VPCs and shared services
  • https://oit.nd.edu/cloud-first
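The two AWS security ideas in the Notre Dame notes above that are easiest to get wrong are the flip from least privilege to an explicit Deny of dangerous operations, and the Lambda functions that undo changes which are not permitted. The following is an added example showing both, not Notre Dame's own code: the list of denied actions, the set of "admin" ports and the sample CloudTrail event are constructed for the illustration, and the handler returns the revocation parameters instead of calling boto3 so that it runs offline.

```python
"""AWS account guardrails (added example, not Notre Dame's code). The action
list, port list and the sample CloudTrail event are constructed."""

# --- 1. Explicit-deny guardrail -----------------------------------------------
# IAM evaluates an explicit Deny ahead of any Allow, so attaching this policy
# to every engineering role keeps broad day-to-day access while making audit
# tampering, IAM changes and backup destruction impossible from those roles.
# IAM itself stays with a separate security role: separation of control
# between the people who write policies and the people who apply them.
DANGEROUS_ACTIONS = [
    "cloudtrail:DeleteTrail", "cloudtrail:StopLogging", "cloudtrail:UpdateTrail",
    "config:DeleteConfigurationRecorder", "config:StopConfigurationRecorder",
    "ec2:DeleteFlowLogs", "ec2:DeleteSnapshot", "rds:DeleteDBSnapshot",
    "kms:DisableKey", "kms:ScheduleKeyDeletion",
    "iam:*",
]

def guardrail_policy(actions=DANGEROUS_ACTIONS):
    """Return the IAM policy document (as a dict) for the Deny guardrail."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "DenyDangerousOperations", "Effect": "Deny",
                           "Action": sorted(actions), "Resource": "*"}]}

# --- 2. Auto-remediation --------------------------------------------------------
# A Lambda wired to a CloudWatch Events rule for EC2 API calls. Security groups
# are the access-control layer for databases and sysadmin access, so the one
# change never permitted is an admin port opened to the whole Internet.
ADMIN_PORTS = {22, 3389, 1433, 3306, 5432}       # constructed list for the example
WORLD = {"0.0.0.0/0", "::/0"}

def _cidrs(perm):
    """Split an ipPermissions item (CloudTrail/EC2 query shape) into v4 and v6 CIDRs."""
    v4 = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]
    v6 = [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])]
    return v4, v6

def _opens_admin_port_to_world(perm):
    v4, v6 = _cidrs(perm)
    if not WORLD & set(v4 + v6):
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None or perm.get("ipProtocol") == "-1":
        return True                               # an "all traffic" rule
    return any(lo <= p <= hi for p in ADMIN_PORTS)

def plan_revocations(detail):
    """Given the CloudTrail record of an AuthorizeSecurityGroupIngress call,
    return the parameters of the RevokeSecurityGroupIngress call that undoes
    the offending rules, or None if the change is acceptable or the call failed."""
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress" or detail.get("errorCode"):
        return None
    req = detail["requestParameters"]
    bad = [p for p in req["ipPermissions"]["items"] if _opens_admin_port_to_world(p)]
    if not bad:
        return None
    revoke = []
    for p in bad:
        v4, v6 = _cidrs(p)
        entry = {"IpProtocol": p["ipProtocol"]}
        if p.get("fromPort") is not None:
            entry["FromPort"], entry["ToPort"] = p["fromPort"], p["toPort"]
        if any(c in WORLD for c in v4):
            entry["IpRanges"] = [{"CidrIp": c} for c in v4 if c in WORLD]
        if any(c in WORLD for c in v6):
            entry["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6 if c in WORLD]
        revoke.append(entry)
    return {"GroupId": req["groupId"], "IpPermissions": revoke}

def lambda_handler(event, context):
    """Entry point: the CloudWatch event carries the CloudTrail record in 'detail'."""
    plan = plan_revocations(event["detail"])
    # In production the next step is:
    #   if plan: boto3.client("ec2").revoke_security_group_ingress(**plan)
    # and the Lambda's role is the only principal allowed to revoke.
    return plan

# Constructed event: one call opens 443 to the world (fine), 22 to the world
# (not permitted) and 3389 to campus RFC 1918 space (fine).
SAMPLE_EVENT = {"detail": {
    "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
    "userIdentity": {"type": "AssumedRole",
                     "arn": "arn:aws:sts::111122223333:assumed-role/Engineer/alice"},
    "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
        {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
         "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}}}

if __name__ == "__main__":
    import json
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

The revocation is deliberately surgical: only the world-open admin rule is removed, the 443 and campus-only rules the engineer also added survive, which is what keeps an automatic undo from turning into an outage generator.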

Bob Turner – Wisconsin

  • Somewhere between cloud experimentation and cloud aware.
  • Trying to not yet deal with sensitive and restricted data in the cloud
  • security requirements for accounts and VPCs
    • Working off script based on risk management framework
    • Using it for onboarding people into cloud environments
    • Working on audits and attestations
  • Enforcing cloud controls (will also use for on campus environments)
    • Provisioning/De-provisioning
    • Going to try to use FedRAMP checklist as a guide
    • Approval of risk by Executive able to accept on behalf of University
  • Automated Templates (consultancy model)
    • Create a new account or migrate existing account under master
    • Pre-provisioned equipment templates with logging enabled
    • Configured for Shibboleth
    • Moving towards Duo for MFA
    • Activate AWS Config
    • Use (future) cloud security tool for initial verification and continuous monitoring
  • Things to be concerned about
    • Holding on to root accounts and credentials
    • Challenges of CDM
    • Usual tools are not necessarily available
    • AWS tools have charges
    • Challenge of cloud vendors that don’t support SAML or federation
  • Account management
    • Group email per department, including Office of Cybersecurity Rep
  • Researcher accounts
    • must know their expected data (at present no Restricted or Sensitive data)
      • Google as a government service that has been pretty well vetted by US agencies

Sarah Christen – Cornell

  • Cloud first according to IT Strategic plan written in 2013
  • 54 accounts under master contract, hundreds outside
  • Cloudification services has been an opportunity for central IT to partner with campus
  • Requirements for being on master contract
    • Onboarding discussion
      • How billing works; unit responsibilities – how is this different than the data center?; Security and configuration requirements; Benefits; Discussion about joining tech community; central services available – Container service (will containerize and run code for fee), DevOps service
    • Attestation
      • Explicit agreement to policies
    • Shibboleth
    • Duo for MFA for console access
    • Activation for AWS Config and CloudTrail
    • CloudTrail logs sent to Security Office
  • Onboarding – create account, configure Shib and Duo, lockdown root account, standard AD groups (admin, cloud group, security), activate Config and CloudTrail and configure CloudTrail logs to be sent to Security office as well as the VPC owner; activate CloudCheckr and schedule review of how to use.
  • CloudCheckr – allows those with accounts to see usage data; makes recommendations on how to save money; sends monthly invoices; runs continuous vulnerability scan; gives Security a view into all accounts
  • Standard VPC setup – blogs.cornell.edu/cloudification/2016/04/08
  • What about research accounts?
    • Easy onboarding without a lot of steps or complication
    • No interference with research, no cost or performance overhead
    • Solutions for export controlled data and other compliance requirements
    • Standard network config not always a good fit
    • Consultation and services – Docker, Data Storage, Training, Devops support
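
The onboarding baseline above (Shib and Duo on the console, root locked down, Config and CloudTrail on, CloudTrail delivered to the Security Office) is easy to drift from once a VPC owner has admin rights. The following is an added example, not Cornell's tooling, of a post-onboarding check that evaluates an account snapshot against that baseline. The snapshot dict mirrors the shape of three real AWS API responses (cloudtrail:DescribeTrails, config:DescribeConfigurationRecorderStatus, iam:GetAccountSummary); the bucket name and the sample data are constructed for the example.

```python
"""Drift check for a cloud account against an onboarding baseline (added example)."""
from typing import Dict, List

# Assumed name of the Security Office's central CloudTrail bucket (placeholder).
SECURITY_LOG_BUCKET = "security-office-cloudtrail-logs"


def audit_account(snapshot: Dict) -> List[str]:
    """Return a list of baseline violations; an empty list means the account is compliant.

    `snapshot` would normally be filled from boto3 calls; here it is passed in so the
    check can run offline against constructed data.
    """
    findings: List[str] = []

    # 1. CloudTrail: at least one multi-region trail must deliver to the security bucket,
    #    and every trail should have log file validation on so tampering is detectable.
    #    (IsLogging comes from GetTrailStatus, not DescribeTrails, so it is not checked here.)
    trails = snapshot.get("trailList", [])
    if not trails:
        findings.append("CloudTrail: no trail defined")
    elif not any(t.get("IsMultiRegionTrail") and t.get("S3BucketName") == SECURITY_LOG_BUCKET
                 for t in trails):
        findings.append("CloudTrail: no multi-region trail delivers to the Security Office bucket")
    for t in trails:
        if not t.get("LogFileValidationEnabled"):
            findings.append(f"CloudTrail: log file validation disabled on trail {t.get('Name')}")

    # 2. AWS Config: a recorder must exist and actually be recording.
    recorders = snapshot.get("ConfigurationRecordersStatus", [])
    if not any(r.get("recording") for r in recorders):
        findings.append("AWS Config: no configuration recorder is recording")

    # 3. Root lockdown: MFA enabled on root and no root access keys present.
    summary = snapshot.get("SummaryMap", {})
    if summary.get("AccountMFAEnabled", 0) != 1:
        findings.append("Root: MFA is not enabled on the root account")
    if summary.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("Root: access keys exist for the root account")
    return findings


# Constructed sample snapshots: one compliant account and one that has drifted.
COMPLIANT = {
    "trailList": [{"Name": "campus-trail", "S3BucketName": SECURITY_LOG_BUCKET,
                   "IsMultiRegionTrail": True, "LogFileValidationEnabled": True}],
    "ConfigurationRecordersStatus": [{"name": "default", "recording": True}],
    "SummaryMap": {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0},
}
DRIFTED = {
    "trailList": [{"Name": "local-only", "S3BucketName": "my-own-bucket",
                   "IsMultiRegionTrail": False, "LogFileValidationEnabled": False}],
    "ConfigurationRecordersStatus": [{"name": "default", "recording": False}],
    "SummaryMap": {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1},
}
```

Running `audit_account(DRIFTED)` yields five findings, one per baseline step that was undone; running it against `COMPLIANT` yields none.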

Mark Debonis – VaTech

  • Cloud Aware -> Moving into Cloud Experiment
  • One production VPC in AWS, five pre-production
  • Moving towards both AWS and Azure offerings
  • Manual provisioning process
    • Customer contacts CCS via Service Catalog for Cloud brokerage discussion
    • Difference in Azure (upfront) and AWS billing models – In Azure if you don’t use your commitment in a year you lose it
  • Logins to Azure portal with VT AD account, Redirect to VT ADFS, Login and use Duo, Primary contact manages other users through Azure Admin portal with VT AD accounts

Kevin Murphy – UNL Lincoln

  • Cloud first for SaaS
  • Experimentation for PaaS and IaaS: Rackspace, Azure, AWS
  • One VPC in Azure for disaster recovery (domain controllers, ADFS)
  • VPC in progress for AWS
  • Central IT is pushing cloud strategies, very little departmental participation. Research computing run by CS faculty, not interested in cloud computing.
  • Security requirements: Federated logins (ADFS with Duo) for Azure. Shipping everything from IaaS to Splunk on campus
  • Security requirements – manually creating accounts; No PII data in the cloud
  • Been doing Azure StoreSimple device – hybrid solution.
  • Moving PCI environment to the cloud with a managed service provider who will take the liability and run on AWS. “not extremely expensive”
  • Challenges: Moving current architecture to IaaS can be prohibitively expensive – people build for peak loads, need to use elastic capabilities. Exploring PaaS options such as Azure Web Apps and DB services. Billing is a challenge.

Bereket Amdemichael, Daniel Tamiru, Georgetown

  • Based their AWS cloud architecture on the work done at the CSG Cloud Architecture Working Group
  • Added a proxy layer.
  • IPSec VPN – Cisco
  • Users only have access to specific VMs – have to access across the VPN
  • VPC and group architecture is a “spirited discussion”
  • When do they (security) need to be alerted when something isn’t right?
  • Using Equinix for high speed transfer to AWS

Internet2 Tech Exchange 2015 – RESTful APIs and Resource Definitions for Higher Ed

Keith Hazelton – UWisc

TIER work growing out of CIFER – Not just RESTful APIs. The goal is to make identity infrastructure developer and integrator friendly.

Considering use of RAML API designer and raml.org tools for API design and documentation.

Data structures – the win is to get a canonical representation that can be shared across vertical silos. Looking at messaging approaches. Want to make sure that messaging and API approaches are using the same representations. Looking at JSON space.

DSAWG – the TIER Data Structures and APIs Working Group – just forming, not yet officially launched. Will be openly announced.

Ben Oshrin, Spherical Cow

CIFER APIs – Quite a few proposed, some more mature than others.

More Mature: (Core schema – attributes that show up across multiple APIs); ID Match (creates a representation for asking “do I know this person already, and do I have an identifier?”); SOR to Registry (create a new role for a person); Authorization (standard ways of representing authorization queries).

Less mature: Registry extraction (way to pull or push data from registry – overlap with provisioning); Credential management (do we really need to have multiple password reset apps?)

Not even itemized: Management APIs; Monitoring APIs. Have come up in TIER discussions.

Non-CIFER APIs / Protocols of interest: CAS, LDAP, OAuth, OIDC, ORCID, SAML2, SCIM, VOOT2

Use cases:

  • Intra-component: e.g. person registry queries group registry for authorization; group registry receives person subject records from person registry.
  • Enterprise to component: System of Record provisions student or employee data in Person Registry
  • Enterprise APIs: Home-grown person registry exposes person data to campus apps.

#TODO

API Docs; Implementations

CSG Spring 2015 – The Data Driven University, part 2

Tom Lewis, Washington

Who are the traditional players? Institutional Research; Office of Educational Assessment; Data Warehouse Team (do good work, saw their client as being Finance).

Modern players & practices – Sources of Change: From Above (President, Provost, VPs, AVPs, Chancellors); From the middle (Deans, chairs, heads of admin units (especially those focused on undergrads)); From below (staff doing work, faculty); From the outside (BI and analytics vendors).

Becoming Modern –

Course Demand Dashboards – Notify.uw. Enterprising students screen scraping registration system for notifying about openings in courses, charging other students. So built notify.uw – can notify when openings occur in class via email or SMS. Almost 25k subscribers. What else can be done with the data? Understanding course demand: Notify.UW knows what classes students want; student system knows about course offerings and utilization of capacity. Mashed them up to see where demand exceeded capacity.

The Cool stuff: Central IT BAs and engineers pulled in a like-minded colleague from the DW to do innovation work with data. Provost, deans, and chairs got excited; built out dashboards using Tableau.

The Great Civitas Pilot – Why Student Success Analytics? People don’t understand much about their students, when to do interventions, longitudinal views of program efficacy and impacts. Tried to use Civitas – take data from student system, LMS, and data warehouse. Illume: Analyze key institution metrics, starting with persistence; view historical results and predictions of future. Inspire for Advisors

The Cool stuff: Admin heads looked to IT to help solve problem because of success of course dashboard. Faculty, teaching and program support staff are eager to get started.

Show Me the Data!

Assessment folks didn’t understand the value of giving access to data that hasn’t been analyzed. IT team interviewed people for data needs, then involved assessment people in building dashboards with Tableau to realize those needs.

Data Warehouse folks have gotten the religion – look at the UW Data & Analytics page.

Central IT is the instigator and change agent, but needs BAs with deep data analysis skills.

We all need to be hiring data scientists with deep curiosity – can’t keep having technical folks answer that it takes too long to go through the data. Should partner with existing data science centers on campus. If we’re really going to be data-driven universities, IT will be at the center – we touch all the parts of the institution, we have the tools, and we know more about how data interacts.

Mark Chiang – UC Berkeley

Used to have to go to separate offices to get data, mash up into spreadsheets, do pivot tables, for every request.

Data Warehouse: Cal Answers – Students (applicants, curriculum, demographics, financials); Alumni; Finance; Research; HR; Facilities.

Built out high level dashboard for deans and chairs – answer questions about curricula. Enrollments, Offerings, instructor data, etc. Facilitates discussions between deans and faculty and administrators. Effort was driven by CFO. Makes job much easier. Added substantial additional investment.

Can build out prototypes in a couple of weeks on top of live data to prove concepts before building the real enterprise work.

Discussion

Will the data warehouse look significantly different in a few years? We don’t do a good job of understanding the way data security needs to change as data ages. There’s a place to incorporate new types of data like sentiment analysis on social media. Instructure is working on making Canvas data available via AWS Redshift. Much of the new thinking and activity about data is not coming from the traditional BI/DW teams, but those folks are more willing to partner now than they used to be.