The Other Side of Middleware: Working with Policy Makers, Data Owners and Campus Constituents
April 24, 2023
The Other Side of Middleware:
Working with Policy Makers, Data Owners and Campus Constituents
28 October 2002 Internet2 Fall Member Meeting
Panelists
• Joseph Lazor, Florida State University
• Lesley Tolman, Tufts University
• Dave Tomcheck, University of California, Irvine
• Art Vandenberg, Georgia State University
• Ann West, EDUCAUSE/Internet2/Michigan Tech
A Bit About Middleware
Middleware makes “transparent use” happen, providing consistency, security, privacy and capability
Identity - unique markers of who you (person, machine, service, group) are
Authentication - how you prove or establish that you are that identity
Authorization - what an identity is permitted to do
Directories - where an identity’s basic characteristics are kept
Map of Middleware Land
Topics Not Covered
Business Case
Long-term Value
Technology details
Themes
Middleware is not just a technology project
Implementation challenges are a reflection of
• Institutional culture and needs
• Installed technology, requirements, and available resources
• Leadership
Middleware Politics
Topics
Project Methodology
Stakeholders
Challenges
Lessons Learned
What’s unique about middleware?
It’s like an ERP project
• Cross institutional impact and value
• Changes the way business is done
• Leverages the crown jewels, our data
It’s not like an ERP project
• Rare for non-IT to lead the way
• Costs less
• Rare for the IT-data staff to implement it
• Difficult to communicate the benefits
• Transparent
Project Methodology
Three project approaches
• Stealth
• Application-based
• Strategic
Stakeholders
Contributes to or benefits from implementation
• IT (supplies/oversees data; offers services)
  – Telecommunications
  – Campus-wide (email, calendaring, video, etc.)
  – Administrative
  – Academic
• Student Services (supplies/oversees data; offers services)
  – Registrar
  – Financial Aid
  – Advising
  – Admissions
• HR (supplies/oversees data; offers services)
• Finance (supplies/oversees data; offers services)
  – ebusiness (vendors)
Stakeholders
• Library (supplies/oversees data; offers services; consumers)
• Research services (supplies/oversees data; offers services)
• Advancement (supplies/oversees data; offers services)
• Alumni (supplies/oversees data; offers services)
• Athletics (supplies/oversees data; offers services)
• Academia (faculty/departments)
• teaching (supplies data/consumer)
  – on-campus
  – distance ed
• research (supplies data/consumer)
• Facilities management (supplies/oversees data; offers services)
• Students (supplies/oversees data)
Challenges and Pitfalls
Misjudging readiness of environment
• Business needs are not obvious
• Aim, fire, ready
• Going too slow is a problem too.
Lacking leadership and support
• IT trusted?
• IT on board?
• Where are the weak spots?
Failing to plan up-front
• What could go wrong/right?
• Just-in-time opportunities
• Not setting boundaries, short and long term
Leaving out key participants
• Do they lose control?
• Do they need control? Do you?
Challenges and Pitfalls (cont.)
Incurring legal or PR risks
• Your president gets a call…
Educating campus
• What have you done for me lately?
• Why should I care again?
• Best practices
  – Passwords are like underwear…
• We’re never done
Resourcing the project
• Missing one or more function: architect, implementer, project manager, communicator
• Do this in your spare time…
• Let’s go for the big bucks…
• Moving the on-going cost to the infrastructure category
• Moving the operations to data-knowledgeable staff
Suggestions
Plan up front
• Educate IT well before the external campaign
• Assess weak spots
• Allocate resources
  – Consultants, Training, Creative management?
  – What are the boundaries?
• Be flexible and allow for opportunities
  – Overall architecture and tenets
  – Go for the easy wins to set up a track record
• Include ability to iterate, pilot, and fail; iterate, pilot, and succeed
• Identify ways to measure benefits ahead of time for later flag waving
  – Consider opportunities taken, productivity gains through self-service
Suggestions (cont.)
Include key stakeholders early
• Don’t promise what they want; offer reality instead
• Bring them inside and develop strategy together
Develop your story early
• Decide if middleware should even be mentioned
• Tie the implementation to culture and business needs
• Use stories and words your audience can relate to
On-going communication is critical
• Find IT staff who can talk to the campus constituents
• Include web/hard copy/personal communications
• Consistency and constancy of message
• Use the informal network
Don’t do what you shouldn’t do
If you build it…
They will:
1. Want it before you know they want it.
2. Want it before the pilot is done.
3. Want it right after it’s done because department A wants it.
4. Wait and see until department A & B weigh in and then want it.
5. Wait until they are required to want it and still not want it.
Case Studies
Enterprise Directory Service: A Case Study
Florida State University
Joseph A. Lazor
Office of Technology Integration
Florida State University Highlights
58,000 students, faculty, staff.
Main Campus, London, Puerto Rico, Panama City Campuses.
10th largest in research royalties.
17th most wired – 1st in Florida.
1200+ Distance Learning courses.
Largest University owned supercomputer configuration in the U.S.
Bobby Bowden
Highlights
Centralized Finance & Administration.
Centralized Information Technology – Office of Technology Integration.
AVP-CIO – Provost & VP F&A
• Administrative: human resources, financial, student, administrative services.
• Academic: Network, Labs, E-mail.
• User: Helpdesk, CBT training.
• Office of Distributed Distance Learning – Blackboard.
• Data Center
Colleges, Schools operate with great deal of autonomy.
Enterprise Directory Service
Mission
Provide FSU and Our Constituents With Secure Web Delivered Information Services that are:
• Personalized
• Access to Many System Services with ONE Password
• Easy to Use
• Easy to Support
• Available World-wide
• Based on Progressive Industry Standard Technology
Positioning FSU for Integrated Systems with a Single Login.
Enterprise Directory Service
Expanding Community of Constituents
Expanding with “Lifelong Relationships”, Distance Learning, and Enrollment Management, etc.
• Students on Our Four Campuses plus
• Remote Learning Centers and Distance Learners Worldwide
• Special Education Relationships (e.g. Navy, Army, IRS)
• Faculty and Staff
• Prospective Students
Enterprise Directory Service
A Complex Community of Constituents
• Students and Alumni sharing information
• Family, Friends and Potential Employers – Delegation of Access
• Alumni Access to Services after they leave FSU
• Academic
• Business Partners i.e. Technology Transfer Partners
• Research Partners i.e. Mag Lab, Internet 2, JA-SIG, Weather Service
• Administrative
• Potential FSU Employees
• Oversight Relationships i.e. Purchasing, Accounting, Travel
• Vendor for Business Services i.e. Bookstore, Food Services
• Complexity - Invisible to people using Integrated Web Security
Enterprise Directory Service
Security with an LDAP
A technical word for - Progressive Industry Standard Technology
• Strong Password Encryption Worldwide
• Reliable 7/24 Access to Services
• Selective Access Control with User Roles
• Limit Number of Invalid Login Attempts
• Password Change + Lost Password Processes
• No Password Retrieval
• Position Ourselves to Phase out the SSN and Move to Self-selected Webname for Web Identification
Enterprise Directory Service
Usability/Drivers
• Single Login to Individualized Set of FSU’s Systems
• Privacy & Security
• Ease of Use, Familiar Look
• Personal Choice of Favored Login Method
• User Friendly Procedures (e.g. Lost Password, Secure Q/A) Help Desk Relieve
• Personalized Services Environment (Real Name)
• Fast and Easy Setup for First Time Users
• Scalable to Larger Communities (Roles!)
Enterprise Directory Service
Rollout
Step One – Business needs – Campus wide. Web enabling legacy systems as foundation for Integrated Web Security was Implemented for Faculty and Staff Fall 2000.
Personalized Web names
Enterprise Directory Service
Rollout – Continued
Step Two – Personalized User Account Service and the Integrated Authentication Process
• Conduct training Sessions for Key Business Offices.
• Implement the User Account Service and the Integrated Authentication Process (using LDAP) for Faculty and Staff; while Retaining the Current Menu and Applications.
Enterprise Directory Service
Rollout – Continued
Step Three – Students get Personalized Web services
• Implement the New User Friendly Menu of Services including the Services for Enrolled Students.
• Add Enrolled Students
Step Four - Implement Common Security and Password for ACNS and AIS Services - using LDAP
Enterprise Directory Service
Rollout – Continued
Proceed to Integrate Additional Services and Communities:
• Blackboard’s “Teaching and Learning Services”
• FSU’s Web Based E-Mail
• Alumni and Foundation - with our Shared Login
• “Admitted but not Enrolled” Students
• People applying for jobs at FSU
• Student Support Service Toolkits for Staff
• Student’s Delegation of Access - Family & Employers
Enterprise Directory Service Outputs/Results
Integrated Web Security, and the Services Accessed through it, will Position FSU as an Integrated Web Services Leader in Higher Education.
FSU will be Positioned to Continue that Leadership with the Future Implementation of Digital Certificates which will Provide a technique for electronic signatures - an even Higher Level of Security.
Enterprise Directory Service Case Study
This concludes my first presentation and now Art!
Georgia State University – Case Study 1 Middleware:
Working with Policy Makers, Data Owners, and Campus Constituents
Art Vandenberg
Director, Advanced Campus Services
Information Systems & Technology
Georgia State [email protected]
Culture, Business Needs & Project Methodology
CIO - top level sponsor of eUniversity
Analogous to eCommerce, higher ed needs:
• Directory services (not limited point solutions) for id, authN, authZ per application
• Seamless interfaces to applications: libraries, email, calendaring, eLearning, room/resource access, etc.
• Reduction of multiple electronic identities
Specific commitment, assignment & charge for Advanced Campus Services - broad coordination
Specific Direction & Action Plans
Feb 2000, ACS charged with:
• University-wide directory, metadirectory
• Universal account creation (namespace)
• Universal email solutions
• Interface to other electronic domains (one card, library…)
• Public-private key infrastructure
NOTE: Georgia State’s ERP domain:
• Peoplesoft financials, Student SCT begun, WebCT…
Stakeholders
CIO and IT directors
• Steering Group, scope doc, charter
Data Stewards for Person Working Group:
• registrar, hr, financials, card office, person registry
LDAP Technical Working Group
Application domains
• WebCT, student email, Rec Center, one card office
University System - discussion, promotion
• CIOs, Vice Chancellor, Technical staff
Pitfalls/Missed Opportunities?
Misjudging readiness
• Competing ERP deployments
• “Not ready for prime time” PKI
Business needs not obvious
• Hard to engage ERP teams focused on their core tasks
• “But we can already do that!” (finding a killer app…)
• “We’ll do that later, as soon as finished with priorities.”
Lack of trust from data custodians?
• Not really, but challenges with “technical” custodians
… Opportunities?…
Re: Bringing in key stakeholders
• Deference to ERP teams (hindsight is 20/20… but)
• However…aircraft carriers need room (time) to turn
Changes the way we do business
• Easier for new applications to embrace change?
  – WebCT, student email, Rec Center
• Major event horizon (inevitable…)
  – First stop is person registry, then HR
  – Change process, not business
University System - a necessary engagement
Legal Risks with Data
Limit initial issues (but be aware)
• If risky, leave data behind ERP wall (cf. bank accounts)
Person registry actually inserts level of protection
• Publishing/provisioning can have appropriate limits
• Registry remains behind access controls
White pages: “print” directory (Registrar/HR)
Core principles:
• Authoritative sources remain ERP systems
• Data Stewardship & Access Policy governs all data
Silos and Fortresses?
What about aircraft carriers?
• Major ERP implementations already underway
• Production and operations culture vs. R&D
• Technical debates can be: <invigorating/debilitating>
Tactical versus strategic
• Just do it (works well initially)
• Iterative process, that keeps focusing on strategy
• Remember, we’re part of a state system
• Keeping one eye on national initiatives in middleware
Communication Model
Enterprise Directory Infrastructure Steering Group
• CIO and IT directors
  – Start biweekly, phase toward monthly end year 2
  – Level setting, resource identification, priorities
University System
• Burton Group directory/PKI seminars (1999-2000)
• Directory Working Group (3 research, system office)
  – Establish vocabulary, concepts, general consensus
  – Recommendation to ACIT (CIOs & V.Chancellor)
  – Directory of directories/system-wide id/ERP integration
Communication…
Conferences
• University System Rock Eagle, CUMREC
Focus-IT newsletter, campus contacts
System Committee on policy for SSN
Internet2 Middleware working groups
• Support group, sanity check, best practices
• Consider as “retreat & renewal” for more evangelism
Technical staff (listen, be patient, leverage)
Work it until it’s part of the IT vocabulary
The Sales Pitch…
Focus on application areas
• Middleware may be too arcane, except for “initiates”
“Printed Directory” as a metaphor
Provisioning - as it impacts colleges/depts:
• Automatic course rolls for WebCT
• Universal email (and for admitted students)
• New staff hires (get them online “day one”)
Account management - as it impacts technical
• User X has what accounts? Who is in application Y?
Hot Buttons – Internal Pressures
Doesn’t everyone use same email? (No!)
President: Why can’t I send email to all faculty?
“I want to choose my own unique ID”
New hire online “day one”
Group email, paperless office, email check advice
Too many ids, too little management
Operational/production missions take priority
Resources: staff, time, money (in that order)
Wormholes… Strategic Goals
Goose & gander (student email policy… staff too)
Aha! (Metamerge & NMI-R1 for dynamic groups)
Just do it! (Forgiveness negotiable)
Involve faculty & students (competitive edge)
Support teaching & learning mission
Integrate with ERP systems (Campus Pipeline…)
3 years… but directory services on VC’s plan!
Carrots & Sticks
We’ll do this app for you if… vs We can do this app better if…
Involve from beginning?
• Advantage sometimes, sometimes not
• Good for us: research faculty & students
• Find customer app that sells: WebCT, demographics
The problem you want: middleware advisors!
• You’ve really arrived!
Policy and Data
Overview
Technical Implementation of Institutional Policy
Pitfalls
Suggestions
Institutional Policy
Defining and Maintaining Policy, e.g. Parking Permits
Business Rules Derived from Policy
Implementing Technical Triggers of Policy
• Applications enforce business rules and policy definition, e.g. SAA
Middleware glues applications via messaging and transaction services
Challenges
Data Owners and Control Issues
Policy Framework out of Sync with Reality
• New Culture of Staff/Faculty/Students
• New Mobility
• Increased Regulatory Environment
• Greater Concern over Privacy
Challenges (cont.)
Managing Policy Change Implementing Technical Triggers
• Policy Conflicts with Stakeholders, e.g. password expiration
Directory Management with Middleware
• Role Definition – data comes from disparate systems and can overlap
• Need Group Role Management e.g. LDAP
Challenges (cont.)
Data Access
• FERPA for Students
• Application Level Security
• New Concern for Privacy e.g. SB1386
• New Definition and Role for Data Owners
Challenges (cont.)
Security Issues
• Level of Granularity
• Build vs Buy - Software that scales to Enterprise-wide Implementation.
• Non-repudiation
• Risk vs Cost e.g. Ph vs Payroll
  – Robustness, Redundancy for Business Continuity
Suggestions
Communication
Understand the policy process well
Have executive management support
Develop a cross-functional campus committee for resolution of conflicts
• Include annual review of process and applications/data use
Suggestions (cont.)
Applications have to be owned by a stakeholder
Data integrity responsibility owned by appropriate stakeholder
Process for identity reconciliation, e.g. married name vs professional name
Spend time getting educated about middleware
Case Studies
Enterprise Directory Service: A Case Study (Continued)
Florida State University
Joseph A. Lazor
Office of Technology Integration
Coke or Pepsi Recipe (Lessons Learned)
Understanding “authentication versus authorization.”
Ldap is not a security protocol.
Solid, Comprehensive communication plan.
Two (2) ldaps – “There can be more than one” – Joseph Lazor
Network ldap – Directory services (e-mail, phone book). (Academic)
Application ldap – directory enabled applications. (Administrative)
Distance Learning Application.
Data sources – multiples db’s.
Costs – mainframe legacy versus client server.
Enterprise – reach consensus on design summary early on, multiple ldaps with different functions/services.
No Bridges/interfaces inherent in design methodology
Coke or Pepsi Recipe (Lessons Learned)
People – single project manager, dedicated resources, project design.
Policy - Common schema – eduPerson 1.0/1.5, fsueduPerson 1.0
Policy - Common user account generation and naming conventions.
Policy - Common security standards.
Policy - Enterprise - Unique user ID
Policy - Open standards solution – Active Directory, Metadirectory
Coke or Pepsi Recipe (Lessons Learned)
National Science Foundation Middleware Initiative (NMI) Integration Testbed
Eight (8) Higher Education Institutions working together with SURA, EDUCAUSE, Internet2, and the GRIDS Center to share and solve research and education technology initiatives - integration with middleware.
Enterprise Directory Service
And so – where are we?
NMI
ERP
Enterprise LDAP/Active Directory Integration.
Better design and integration/bridge efforts.
Metadirectory Portal
Enterprise Directory Service Case Study
This concludes my presentation and now Art!
Joseph A. Lazor
Office of Technology [email protected]
Georgia State University – Case Study 2 Middleware:
Working with Policy Makers, Data Owners, and Campus Constituents
Art Vandenberg
Director, Advanced Campus Services
Information Systems & Technology
Georgia State [email protected]
Technical implementation of institutional policy
Data owners and control issues
• Data Stewardship & Access Policy. Very helpful
• Consensus: source systems retain authority
• There is control and there is control. Do technical staff “know” functional needs? (Careful)
• Who drives project? (Remember: Organization is the winner… Strive for consensus)
• End users are data owners too!
• Person registry has data steward
Implementing…policy
Policy Framework from the 1990s management
• FERPA: Based on printed directory (annual, static), not directory services (online, dynamic)
• Was: Name, title, address, phone… Now: email, uid, URL, pager, cell, mobile, jpeg…
• Now: multiple roles overlaid with privacy issues
• Now: lifetime CRM – pre- & post-relationship
• Publication of employee info – We’re lucky (I think) being public institution
• Know your institutional policy process
Implementing… policy
Implementing triggers of institutional policy
• ERP policy in person registry – be specific, be careful
• “Current, active” student? 25,000 vs 61,000
• If student elects FERPA suppress, what about directory entry?
• Definition of privileges: application by application
• Do not ASSUME agreement on definitions (spell it out)
• Technical staff defer to functional – nothing is simple
• Be careful how you change business process (cf. payroll doesn’t/can’t/shouldn’t initiate identity)
Implementing… policy
Role definitions: faculty, staff, affiliate…
• “Hey cool! I’m faculty at the Library!”
• More student employees than faculty…
• Are student employees covered by FERPA?
• When does (can) an employee “start”?
• Concept of “provisional hire” (need date triggers)
• Hierarchy: “payments out” trumps “fees paid in”
• Retirees, survivors & “passed away”
• Vendors, affiliates – require sponsor, date limits
Suggestions
Communication is good, and builds buy-in
• CIO, IT Directors, data stewards, technical staff, campus
• System & peer institutions, Internet2 Middleware
• Aim high, but focus on application specifics
• Iterative development. Iterative review
• Don’t underestimate group & organizational dynamics
Allow stewardship to work
• Identity management is shared
• Think metadirectory services (value add, not replace)
Questions and Wrap-up
Wrap Up
Middleware is:
• A strategic infrastructure
• 50% technical and 100% political
Don’t reinvent the wheel
• Each implementation is different
• Big picture process and requirements are the same
• There are resources that can help
Assess strengths and weaknesses
• Plan accordingly
Communicate and manage relationships
• This is key
Enterprise Middleware Educational Opportunities
Workshops
• Pre-conference Seminars at EDUCAUSE Regional Meetings
• Campus Architectural Middleware Planning Workshops
• Base CAMP (Orientation) – 5-7 February 2003
  – CIO and Technical staff
  – Getting started topics
• Advanced CAMP
  – July 2003
  – Highly technical
  – Research topics
On-line Resources Available
Introductory Documents
• Sample Middleware Business Case and corresponding Writer’s Guide
• Identifiers, Authentication, and Directories: Best Practices for Higher Education
• Identifier Mapping Template and Campus Examples
• And more….
See resources page of www.nmi-edit.org
http://middleware.internet2.edu
http://www.nsf-middleware.org
http://www.nmi-edit.org
http://www.grids-center.org
Middleware information/discussion lists
http://[email protected]://[email protected] lists (see websites)
Websites and Discussion Lists
Websites and Email Lists
Contacts
Joseph Lazor [email protected]
Lesley [email protected]
Dave [email protected]
Ann [email protected]@internet2.edu
www.internet2.edu