ITS Strategy & Architecture

Ruminations and Reports


May 8, 2012
by Scotty Logan

Breaking Development, April 2012

I went to my third (of three) Breaking Development Conference in April – this time it was in a biodome in Orlando, FL.

Following on from the themes of the previous conferences, a large part of the conference was focused on responsive web design (RWD). RWD was proposed as a widely applicable solution at the first BDConf, and reinforced at the second by the people behind the Boston Globe’s RWD redesign. This time, RWD was refined (using ems rather than pixels for layout), design workflows were discussed, and there was a tutorial on how to build a responsive website, starting with both a traditional site, and a mobile first design. Other topics were covered, including device APIs for web apps, and the future browser and device landscape – even TVs!

While I took notes, Brad Frost did an excellent job of summarizing each session, so I’m going to link to his blog; Jenifer Hanen also has notes on all the sessions.

April 22, 2011
by Bruce Vincent

Internet2 MemberMeeting, April 2011

Day 1, April 18th

Grouper Working Group

  • Demonstration of improvements in latest version
  • Details of RESTful interface
  • Grouper has a history of group members for audit purposes!
  • uApprove demo given by Russ Beale of USC; metadata driven

InCommon Tech

  • Extensive discussion regarding attribute release policies
  • Default release policies for ePPN

CIO meeting on Cloud Services, specifically the HP cloud

  • IaaS, PaaS, SaaS using their cloud
  • HP also offers payment processing and product management
  • Larry Singer’s main thesis is that I2 institutions already have a contract and service provider framework to leverage
  • HP is pitching their manufacturer’s buying power/price point on capital investment of the cloud
  • Proposing PoC that tests whether existing contract framing of I2 will be adequate
  • PoC is a 2-6 month project that will require 
  • HP would like to move immediately with the easiest to provision services
  • PoC is all VMware based
  • We need to generate list of “things we are trying to discover from the PoC”
  • Follow on discussions with Bill C., Shel Waggener (Berkeley) and Brad Wheeler (Indiana).  I explained my position that I didn’t see HP present anything that addressed what we have found to be the most difficult aspects of VMware as a multi-tenant platform, namely, console access, automated provisioning, I/O, metrics per apportioned instance, etc.  Shel was still keen on Stanford offering up some VMs to try out the pilot.

Day 2, April 19th

InCommon Policy Forum

  • Assurance update – InCommon Silver and mapping against NIST spec
  • InCommon membership update, believe InC will be at 400 by 2013
  • Federations internationally growing even faster; UK and Swiss are leaders with thousands of subscribers
  • Pilot of Research.gov and onto FastLane using InCommon; requests to feedback@research.gov; requirement is LOA1
  • Certificate service overview, up to 102 subscribers since launch in Fall 2010
  • Personal certs are seen as potential game changer by enabling VPN, signing, etc.
  • uApprove demo given again by Russ of USC
  • Steven Carmody of Brown gave a round up of their release policies; uApprove used for InC SPs, not using uApprove for contracted SP services

The Emerging Infrastructure of Identity and Federation

  • Great session which brought together Identity and Access Management strategies for: UCBerkeley, Lafayette, Penn State Univ., Skidmore College
  • UCBerkeley emphasized reaching out to the developer community. Shel Waggener pointed to the current alignment of cost savings and attribute release.
  • Skidmore spoke to all the small schools where these IAM issues aren’t generally even on the radar
  • Lafayette said that the fear in IT communities over “the cloud” is obscuring the value of native IAM at our institutions. 
  • Penn State Univ. gave an excellent overview of the business value (or lack thereof) to would-be SPs. Kevin Morooney also spoke to the need for Higher Ed to get over its pride and update privacy policies that may be out of date/touch. Attribute release needs to be streamlined for FIdM to advance more effectively.

InCommon Certificate Service – Experiences from Deployers

  • Service scope: SSL, Client (at Standard signing, encryption and dual use initially), Key Escrow for client certs, Extended Validation
  • Paul at UTexas system is extremely pleased.  Since Sept. 2010 they have saved over $320,000 in certs. relative to the Verisign service they had before. They are also making extensive use of the API and of client certs.  UTexas has 16 different campuses and delegates some issuance.
  • Jim Jokl of UVA is similarly happy with the subscription and has been using since early on.

PKI BoF

  • Most of the focus of this session was on InCommon LoA (Levels of Assurance) and various uses of digital certs in the context of the InCommon Comodo subscription service.
  • Jim Jokl (U of Virginia) walked through the InCommon Client Certificate Deployment Roadmap on the wiki
  • I took the action item of reporting back on Stanford’s investigations of SCEP for our Mobile Device Management project w.r.t. iOS.

February 7, 2011
by Bruce Vincent

Common Solutions Group – Winter 2011, Duke University

January 12-14, 2011

Agenda

Day 1

Morning

IT Governance (Jim Phelps, UWisc, Bernie G., UMinnesota)

  • No way to gain efficiencies w/o governance and alignment
  • Selection of who works on what efforts more strategically
  • Working harder to “not compete with ourselves” in terms of duplicative support or in opposite directions
  • Focusing on plan rather than firefighting
  • Project selection criteria (strategic and operational)
  • Debate commenced…Duke perspective was to say that he didn’t want alignment in some cases…”lemmings are in perfect alignment as they go over the cliff”

IT Governance and IT Audit (Mike Pickett, Brown)

  • Brown just went through a central IT audit (see slides for findings)
  • M. Pickett’s main message was that 99% was obvious. Will be rewritten to get more specificity on the reasons that, for example, lack of IT funding is a risk
  • Summary was that it was of use as an external leverage point for certain needs to be addressed, but not necessarily to find anything new

IT Strategic Planning

  • Yale has just published 44 page strategic plan, based loosely on Indiana’s format/approach
  • Did a systemic planning process last year
  • Arrived at deliverable to upper management
  • Very thoughtful planning process (see slides)
  • Discussion of reorg which includes “Relationship Manager” role
  • Huge
  • Some governance which includes avoiding PHI risks and consider IT architecture impacts

Afternoon

InCommon Silver

  • Overview by ( )…all CIC adopting this year

Panel with Tom B., Matt Kolb (MSU.edu),

  • Info on IAP and gap with existing processes (identity assurance profile)
  • Looking for Killer App to motivate InC silver….not there yet
  • Need to limit the scope of RA user base
  • Creating ID office…still working to setup
  • Investigating second cred
  • Reasons for hope, passing silver attrib

Mary Dunker, VT.edu

  • setting up eToken personal cert container
  • VASCO Digipass one time password devices

(Chris Pruess) Univ. of Iowa

  • Active directory assessment…they are standardized on it across campuses
  • “Will we need to use multi-factor auth to meet Silver?”

Univ. of Wash (rlbob)

  • new approach to controls on InC Silver
  • lower bar to support adoption, ease overhead,
  • looking to negotiate with Fed on USG, ICAM, TFPAP
  • InC Id Assurance Program, Summer 2011
  • Bruce discussion on InC silver and why charge for it
  • Bruce appeal for ePPN being released by default

Day 2

Unified Communications…went around the room, each saying where they are. Summary by Mike Pickett

Voice RFP and in-building antenna service (Jim Jokl, UVA)

Report out – perMIT access management system code release

DAS at UCSF, Michigan, others. Subsequent conversation about funding of internal coverage. Bill raised the Crown Castle experience and suggesting that CSG get together and

Replacement of IdM Infrastructure (John Spadaro)

November 8, 2010
by Scotty Logan

Atlassian AtlasCamp 2010

Atlassian held their 3rd annual developer conference on Oct 11 through the 13 in Half Moon Bay, CA. About 100 plugin developers attended, and Atlassian brought over many of their Australian employees (including the CEO). Most of the session presentations are available on Atlassian’s website.

The conference reinforced my belief that Atlassian has a strong, active and well supported developer community. Not only does Atlassian work with them to improve their APIs and documentation; some have helped Atlassian improve their plugin development tools. While most of the presentations were given by Atlassian employees, and were intended to provide updates on the new and upcoming features, many of the demos and lightning talks were given by plugin developers.

Other than the “State of Atlassian” presentation by the CEO, Scott Farquhar, and a session on marketing commercial plugins, all the talks were technical, with code and demos. The big non-technical news items from the “State” presentation were the $60M investment by Accel Partners (for a minority stake), the acquisition of BitBucket, and the donation of $650K to Room to Read – raised from the sales of $10 starter (10 user) licenses for most of the Atlassian products (and some commercial plugins).

I even met some other authentication plugin developers who are facing the same issues with the Seraph authentication framework. Atlassian are aware of the issues (none of the automated deployment methods work for authentication plugins; they always require some manual changes to config files), but don’t have an alternative at this time.

November 8, 2010
by Scotty Logan

IIW XI

The 11th unconference formerly known as the Internet Identity Workshop (and now known simply as IIW) was held at the Computer History Museum, Nov 2-4. Most of the session notes or presentations are available online.

The main topics for sessions I attended at this IIW were

Stanford’s Monica Lam presented her group’s ideas for using email as the infrastructure for social networking. This spawned a few sessions, notably Email is not Dead Yet, where we tried to meld together Webfinger, Monica’s ideas about email + social networking, and the rich email clients (Xobni, Zimbra Zimlets and Google Contextual Gadgets). Concerns were raised about

  • the spoof-ability of email, unless one uses S/MIME or PGP/GnuPG
  • email servers’ ability to search on attachment types or headers, or whether we have to rely on subject tags
  • whether this email traffic would be trapped as SPAM
  • firewall traversal (HTTP is usually allowed, but SMTP is often blocked)
  • if we have Webfinger, and various other distributed protocols, is this still required?

Google’s Eric Sachs led an interesting discussion on Cloud Directory Standards, with one of the goals being that customers using multiple SaaS providers could choose one as the user directory for the others.

Other popular topics included Personal Data Stores (a secure service where users can store their data and control which services have access to it) and Vendor Relationship Management (a user centric version of CRM).

Signing HTTP headers, especially for OAuth, also returned, prompted by the FireSheep news.

August 9, 2010
by Scotty Logan

Initial iPad Testing – the Good, the Bad and the Ugly

Today I started testing an iPad with some tools at Stanford, by trying to use it instead of my laptop. The first few hours have been promising… I decided to work through some issues on my todo list.

The Ugly

First up was setting up SUNAC access for the IT Lab networks. I’d just received an email from the workgroup team letting me know that the itlab stem had been created, so I went to Workgroup Manager to set up a group. Workgroup Manager worked, but the UI uses popup windows (real windows, not ones “faked” via HTML and CSS), so it was an annoying experience as Safari switched between browser windows the selector screen.

The Good

Once the workgroup was created, I went to the SUNAC service page to find the HelpSU link so that I could submit a ticket to get the process started. HelpSU worked exactly as it does on my laptop.

Next, I went to JIRA to update the SUNAC issue; like HelpSU, JIRA worked as expected – the iPad did not trigger the iPhone UI.

The only flaw with apps like HelpSU and JIRA is the lack of a control key on the iPad keyboard for editing text (I’ve been using Emacs and Emacs-like editors for 22 years; those shortcuts are embedded muscle memories now; the full Safari supports those shortcuts for editing text fields).

The Bad

Looking at my JIRA issues list I saw a reminder to change my WebEx password. I went to our WebEx site, but it only shows the basic mobile interface listing my meetings, with no option to change passwords or any other account settings.

The Non-Browser Good

I created (and now updated) this post using the WordPress client, which also worked as expected.

June 13, 2010
by Bruce Vincent

Service Alert Log

Got page just before 4pm on Sunday 6-13-2010 that AMCOM HL7 was down. Called IT Operations center, talked to Chauncy to see which shc list I should send to. It wasn’t clear to either of us which so I decided to use the it-client-alerts-shc@lists.stanford.edu which looked like a broader communication.

“Title: AMCOM HL7 Feed Down
Service: Other
Type: service interruption
Start time: not specified
Stop time: ongoing
Who’s affected: Stanford Hospitals & Clinics
Incident id: 1791

Details & impact
—————-
The HL7 feed that interfaces with the Hospital integration engine was
reported down by the Hospital IT Staff. VAST Operations staff was notified
and the vendor notified. Ten minutes before this incident, the OSC reported
that all Operators were unable to login to Amcom.

Please contact the IT Operations Center at 650-723-1611 if you need additional information about this issue or experience any further service interruptions.

(IT Service Alerts version: 1.25.03)”

March 17, 2010
by Bruce Vincent

VMware Silicon Valley Users Group

First talk

Phil Starke, Senior Manager, Cloud Practice.   His presentation was VMware vCloud and Project Redwood.  This was an interesting session since I’d not heard of VMware’s cloud offerings before.

Concepts covered: Cloud Computing according to VMware

  • “Lightweight entry/exit service acquisition model”
  • Consumption based pricing (pay per drink)…requires activity based accounting
  • Accessible using standard internet protocols
  • Elastic computing resources
  • Improved economics due to shared infrastructure
  • Cloud value: Instead of having IT people to manage particular pieces of infrastructure, automation and standardization drives IT staff to increase capacity and value.
  • Compute resources (platform) as a service
  • Application as a service (e.g. Salesforce)
