Duke ITAC - October 14, 2010 Minutes
October 14, 2010, 4:00-5:30
Allen Board Room
- Announcements and Meeting Minutes
- High-Bandwidth Uses on Duke’s Network (Bob Johnson)
- Identity Management and Authentication Lifecycle (Amy Brooks)
- Arts & Sciences Web Content Management System (Ed Gomes)
Announcements and Meeting Minutes
Alvy Lebeck called the meeting to order and asked for objections to the meeting minutes distributed with the agenda. Noting none, he opened the floor to announcements.
Kevin Davis announced two network interruptions that occurred this week, for about 15 minutes around 3:15pm on Monday and a few minutes around 10:15 Wednesday morning. According to Kevin, only networks with private addressing were affected, and OIT is working with Microsoft to address some problems with Exchange associated with these interruptions. Bob Johnson offered a suspicion that a software bug is responsible for these network interruptions, and assured the council that his team is making progress on identifying the triggering event, in order to mitigate future impact on the Duke network.
High-Bandwidth Uses on Duke’s Network (Bob Johnson)
Bob Johnson introduced his presentation by saying that CIO Tracy Futhey has asked his team for a roadmap of networking at Duke, as the networking situation on campus has not been formally surveyed since 2006. Bob said that this presentation would be the first in a series detailing this effort.
According to Bob, recent network upgrades have put us significantly ahead of where we were, but his group is collecting information as to where it could still be improved. Bob would like to consider specific needs within buildings or departments in the context of the overall network refresh plan, in order to accommodate large datasets or low latency requirements by researchers using the network. Overall, he said, OIT needs to consider the impact that less-than-optimal network performance may have on the user community.
Bob then provided an overview of the evolution of the Duke campus network. The 4-router, 2-gigabit core of past years has been upgraded to a 13-router, 20-gigabit core, which at maximum load hits about 30% utilization. Routing throughput has increased, congestion has decreased, and some locations (such as Physics, Smith, Perkins, Engineering, and LSRC) have seen as much as a tenfold increase in bandwidth. Additionally, a multiprotocol label switching (MPLS) mechanism has been implemented to allow for better segmentation of the network.
One major area that Bob hopes to improve in the near future is monitoring. Currently, the network is monitored via Nagios and Spectrum, supplemented with Cacti historical performance monitoring and utilization tracking. Bob says that his team is currently evaluating and piloting additional tools with the hopes of improving real-time views, more accurately forecasting usage peaks, and gaining the ability to better monitor network layers 4-7. With proper monitoring tools, Bob hopes to be able to more accurately pinpoint potential bottlenecks in order to address those points pro-actively before any problems occur.
Bob then discussed service metrics and OIT’s commitment to network upgrades. When average peak utilization reaches 50%, he said, the network would be upgraded as needed. Intra-building and departmental LAN switching will be evaluated and installed on a request basis. Wired ports will also be upgraded as needed.
Bob then opened the floor to questions. John Board mentioned calling OIT any time he experiences a hiccup in the network in order to ensure documentation of the event. Ed Gomes offered to forward results gathered from a page his team has published for university use. Users are encouraged to visit this page when experiencing a latency issue; the page in turn collects information about the event and machine experiencing the incident.
Bob reiterated that this was the first of several presentations on the network; he will return to ITAC soon to discuss related developments with the network.
Identity Management and Authentication Lifecycle (Amy Brooks)
John Board introduced Amy’s talk by giving some background on conflicting pressures that university identity management experts typically face. According to John, security officials generally push for identity information to be cleared when a user departs from the university community, whereas other groups (such as alumni associations, who offer programs for former students) make a case for maintaining this information indefinitely. The trend, he continued, is moving toward identifying past affiliates for life, but embracing this paradigm requires quite a bit of technical consideration, as it vastly increases the number of identities being maintained.
Amy Brooks then took over, beginning with an emphasis on the distinction between authentication (verifying a person’s identity) and authorization (provisioning specific services based on a user’s identity/affiliation). According to Amy, Duke currently has 16,000 total students, 30,300 total staff, 6,700 total faculty members, and 13,000 total affiliates. Affiliates, she explained, are members of the Duke community who no longer qualify for any of the other statuses, but have been approved for long-term inclusion in Duke’s records anyway. In total, Amy said, Duke’s identity management group maintains around 50,000 users.
Alvy Lebeck asked whether excessively liberal authorization/permission rules presented a problem that was any different than an authentication failure that does not properly identify a user. John Board noted that a major difference is that Internal Audit is responsible for regular testing of application security, while the duty of responsibly authorizing authenticated services falls to Amy’s team.
Amy then provided a simple overview of how identities are maintained at Duke. When a user joins the Duke community, he or she is issued a NetID, and entitlement services are provisioned based on affiliation. The user is also associated with specific affiliations and roles, allowing role-based services to be provisioned. If a user changes status or role, provisioned services are modified accordingly, some of which is done manually. When a user leaves Duke, role-based services may be removed or retained, and his or her identity may be deactivated. Many edge cases complicate this process, explained Amy, such as temporary affiliations for summer campers, email for off-campus affiliates, special access for contractors and collaborators, and door access for visiting nurses or conference attendees.
Brian Eder asked whether the identity management group considered it important not to have duplicate records for users who may have more than one edge affiliation. Amy responded that her group aims to have only one record for users with a strong affiliation, such as faculty members, students, and staff, but that the rules are a bit more flexible for users with weaker affiliations, such as a contractor who was also a summer camp attendee. The group makes every effort to disambiguate identities of campus affiliates, but the focus is really on users with strong affiliations.
Amy explained that the goal of her presentation was to discuss the process for managing staff identities and make a case for automation of the process. As she explained, Identity Management receives an SAP record indicating new staff records, and some services (such as NetID, Kerberos credentials, Active Directory entry, and AFS space for non-medical staff) are provisioned automatically, while others (PeopleSoft or SAP access, Learning Management System access, membership to groups, Microsoft Exchange or DukeMail account, entry in DHTS Active Directory) are provisioned if deemed necessary. When the staff member leaves Duke, his or her status change appears in a list (generated quarterly) for Identity Management workers to review and manually remove services as necessary. As of 2006, NetIDs are deactivated (rather than deleted) as part of this process.
Robert Wolpert asked what happens to a student’s identity if he or she graduates and immediately becomes an employee of the university. Rob Carter and Amy explained that the algorithm used to generate the list of status changes is sensitive to these kinds of scenarios and returns a list of changes needed for this transition.
Rafael Rodriguez asked about the timeliness of the response to an employee leaving Duke, and asked whether the standard procedure is to wait up to three months to remove services for users no longer affiliated with the university. Amy responded that this is the current procedure, but Identity Management is proposing an automation of the process in order to assure a faster response.
Amy then presented a proposal for an automated staff identity management process, explaining that the Fuqua School of Business has volunteered to pilot this change. With the new system, a SAP file will provide the last day an employee will be working, and sends an email notification to the staff member to indicate services to be removed. Twenty-four hours after the user’s last day at work, his or her NetID will be deactivated and Kerberos credentials are removed, which results in the user no longer having access to Duke services. Thirty days later, staff data such as email is deleted automatically from the system.
Amy explained that with these changes, Duke can anticipate questions from former staff members hoping to access pay stubs, tax records, retirement services, et cetera. She urged the council to consider the complexity that exists today with regard to identity and resource provisioning, and to support Identity Management in automating more of the provisioning and de-provisioning of services as well as developing a solution that works for Duke, not necessarily an all-or-nothing decision.
Amy also spoke of her experiences in identity management at the University of Michigan, her alma mater, former employer, and an institution that maintains approximately 500,000 identities. Because the institution has maintained her identity, she continues to have access to modify her basic directory information or review prior pay stubs or tax records. OIT AVP Billy Herndon commented that this is most of a policy concern than a technological one. Amy agreed.
Next steps presented in Amy’s Identity Management roadmap involve redesigning the NetID framework to merge it with Identity Management and transition from identity notification to identity claiming, from credential assignment to credential reenrollment, and from a periodic review of old NetIDs to a provisioning and de-provisioning system triggered by changes in SAP. Additionally, Amy’s group plans to redesign their affiliate management process in order to more clearly define affiliate sponsorship and sponsor responsibilities, and enhance affiliate identities with deeper classification than currently in place.
Arts & Sciences Web Content Management System (Ed Gomes)
Ed discussed Arts & Sciences’ recent implementation of Apostrophe, an open-source content management system (CMS) built to allow for maximum flexibility with a minimal learning curve.
According to Ed, a number of factors gave way to the Trinity web project’s selection of Apostrophe for use at Duke. An increased demand for online presence amid budget and resource constraints created a strong need for a tool that would allow different groups on campus to manage websites that reflected consistency across the Duke brand. Between the tools ergonomic, easy-to-use interface and impressive integration with enterprise data sources, Apostrophe stood out from the competition, and Duke became the first of a growing list of higher education institutions to deploy the tool for production use.
Since May of 2009, Ed continued, over 20 websites have been migrated into trinity.duke.edu, and 35 new department program sites have been implemented in the CMS. Ten design templates are available for customization by Duke users, making it realistic to have a website up and running within days. Ed demonstrated some of these websites, including the Trinity College of Arts Sciences site, and those for Duke Theater Studies, Program in Education, Romance Studies, German, Economics, Religion, Cultural Anthropology, and the Center for African & African American Research.
Ed also showed how Apostrophe allows website administrators to plug into other data sources, such as the FDS/FDR data feeds, Duke Event Calendar and Buzz, Duke OnDemand, Duke News, and various Duke list feeds. It also provides modules for importing content from YouTube, Vimeo, Vidler, and others, as well as blog and periodical feeds.
John Board asked what sets Apostrophe apart from other open-source CMS platforms such as Drupal. Ed responded that the team had looked at Drupal, but ultimately they were sold on Apostrophe thanks to its ease of use and ability to tie internal and external web services into a site. Ed saw no reason why Drupal couldn’t be used at Duke, but for their specific needs, Apostrophe was a better fit.
Ed then turned the floor over to Brett Walters and Emily Bahna, who demonstrated some of the back-end functionality of Apostrophe. Emily showed how users can move modular elements around a page and edit them on the fly, as well as pulling videos into your content. Emily also demonstrated the built-in WYSIWYG text editor, tagging architecture, and Tubes, a plugin for Apostrophe that allows an administrator to pull news and events into his or her website.
Brett then demonstrated how a group could manipulate the visual elements of a site or administer the content while bringing in a professional designer to work with the framework for a more customized effect. He also showed a site that was integrated with Duke’s Faculty Database System (FDS) that would allow users to edit their personal information on the site to be sent back to FDS for updating.
Going forward, Ed says his team is responding to user feedback, site analytics, and institutional goals in order to provide the most useful tool possible in Apostrophe. The team is working on improving management of people data, migrating legacy applications into the CMS (such as FormBuilder), and streamlining news and events handling via the Tubes plugin.
Alvy Lebeck thanked Ed, Emily, and Brett for their presentation, saying that Apostrophe is a great example of an application with a good API for pushing and pulling web service data.