Data Privacy Month (with a painful story about the students-l list)

Today is Data Privacy Day. See http://www.staysafeonline.org/data-privacy-day/

To celebrate, here is a true story culled from the vaults of HMC server administrator lore. Read it, weep… and then change your passwords.

Once upon a time there was a moderator of the students-l list. She was diligent and hard-working, devoted to the task of saving other students time by only approving messages that she judged to be of interest to students, and collecting together announcements about events at the other Colleges so they could all be included in one message. She worked on this most days, using the students-l list software.

The students-l list system is very old and resides on a Linux machine called Odin. The list system is so old that it may have been created when “GUI” was only a railway code for a station on the Glossop Line and graphical user interfaces were figments of fevered imaginations at Xerox PARC.

Now one day our diligent moderator (let’s call her Agnes) logged in to the system and noticed it was really slow, slower than usual.  At first, Agnes thought that maybe the list system was on the blink or even that Odin was finally giving up the ghost.  She couldn’t moderate messages or send anything out to students-l. Agnes quickly reported it to the CIS Help Desk.

The server admins were soon busy examining Odin as it lay there on its sheets of Irish linen. Little did they know that they were entering their very own long dark teatime of the soul, not working on high priority HMC projects, but just trying to figure out what was going on.

Bit by bit (was that pun intended?), they discovered that Odin was sending out tons of spam and then getting back tons of bounce messages.  So many that poor Odin was choking, unable to give any attention to Agnes’ plaintive login requests. Even worse, Odin was failing to recognize Agnes’ user name and trying to send error messages about that.

“But why?” said the server admins, pulling at their hair (long dark teatimes can have that effect).  “Why Odin?  Why now?  Why spam?  …Why us?”.

Now you just have to sit there and imagine time passing. Slowly.  No students-l messages are getting through.  Spam is spewing.  The server admins are ignoring other things. “Educational Technology?…no time for that”.   Are you imagining that?

OK. In the end, they figured it out.  Another user account on Odin  had been hacked and the hackers were using it to send their spam. And how did they hack it?  You guessed it. A weak password on the user account….  Sigh. Once they figured that out, the server admins had to spend several hours cleaning up the mess and then let Agnes know she was back up and moderating.  Lots of time lost and all because of a weak password.

Data Privacy Day. It’s everyone’s responsibility to ensure data privacy. And it can start with a better password. For tips on creating a better one, maybe even creating one that meets HMC requirements, take a quick look at the HMC Password Policy.

Held annually on January 28, Data Privacy Day encourages everyone to make protecting privacy and data a greater priority. DPD is an international effort to empower and educate people to protect their privacy and control their digital footprint. It kicks off Data Privacy Month (http://www.educause.edu/focus-areas-and-initiatives/policy-and-security/educause-policy/community-engagement/data-privacy-month).

Thanks for reading. Now go forth and change your passwords.

Update on Portal Advisory Group

Screenshot from 2013-03-14 17:30:10I’ve written about the Portal Advisory Group before.  Affectionately known as PAG, it’s a group that will assist us with setting priorities for the Portal, starting from the premise that the portal is a tool which we know HMC has not used to its full capacity. The group will guide CIS and the College in improving and expanding use of the portal.

The following people have all agreed to participate and I am grateful to them.

Mark Ashley (Registrar, Chair)
Lauren Kim (Assoc Registrar)
Susan Selhorst (CIS)
Cindy Abercrombie (CIS)
Paul Steinberg (HSA)
Vatche Sahakian (Physics)
Tim Hussey (OCA Communications)
Jennifer Greene (OCA Communications)
Guy Gerbick (DOS)
Scott Martin (BAO)

We are also seeking one or two students to help with this initiative.

The first meeting is being scheduled for just after Spring break.

I look forward to good outcomes!

Faculty Computing Survey Results

survey-300x224In late Fall 2012 the computing committee ran a survey of faculty, asking three questions about information technology at HMC.

About 50 faculty responded to the questions, and almost everyone wrote a few lines of comments in response to each question – in addition to giving scores.

Question 1: How satisfied are you with the current teaching services provided by the CIS (e.g. Sakai, portal, classroom support, labs, etc…)?

- Average letter grade: B- (2.57/4.00, 54 respondents)

Question 2: How satisfied are you with the other services offered by the CIS (email, research related services, laptop/desktop support, etc)?

- Average letter grade: B- (2.69/4.00, 55 respondents)

Question 3: How satisfied are you with the current computing services offered by your own department (e.g. email, website, lab, course support, etc)?

- Average letter grade: C+ (2.35/4.00, 49 respondents)

The spread of each score was roughly 0.50/4.00, with a bigger spread for the third question.

The committee summarized by saying that things have improved and are going in the right direction, but that there is still work to be done.

The computing committee members this year are:

Vatche Sahakian (Chair)
Alfonso Castro
Weiqing Gu
Jacob Bandes-Storch ’14
Joseph Vaughan

The committee made four recommendations of its own and added more recommendations coming from the Faculty Executive Committee. You can read the full report, with my responses to each recommendation at the following URL (HMC Credentials required to access the document):
http://goo.gl/oqxiF

Portal Advisory Group

I have been discussing the portal with a number of people around campus over the last few months. Improvement and expansion of the portal will be a key initiative for the next two years.

There are several reasons for this:

  1. The portal plays a key role in many important areas of the College’s activities.  Grades, Registration, Advising, Student Billing and Alumni Directory are just some examples.
  2. We know that other institutions have more attractive and functional installations of the same portal software (JICS), so our instance of the portal can be made better too.
  3. Because of the fact that we collaborate with the other Claremont Colleges to provide cross-registration for students, moving to a completely different portal is not a simple proposition.
  4. Both Jenzabar, the company that provides the portal software, and AISO, the Pomona College unit that manages the underlying student information system, are committed to making improvements to the system, and we can build upon those.  For instance, Pomona recently informed us that the back end database was handling 60 million transactions per day during the Fall pre-registration period.  They have recently migrated the system from HP Unix to Linux, and are anticipating improvements in response times.

We have already taken the first steps in the portal improvement initiative. We are planning to create a Portal Advisory Group, with the following vision statement:

The portal is a tool which we know HMC has not used to its full capacity. This group will guide CIS and the College in improving and expanding use of the portal.

Registrar Mark Ashley has agreed to chair this group, which will include representation from the many areas that use the portal, as well as faculty and students.  Among the tasks we will ask the group to undertake is to advise on the queuing of CIS projects related to the portal. They currently include:

      • HSA Advising application
      • 40+ Portal improvements suggested by Registrar
      • Electronic Billing
      • OCA requests
      • Student research portlet and forms
      • Single Sign On
      • Adding a staff tab to the portal

John Trafecanty has recently taken over responsibility for the portal, as his duties related to Sakai were much reduced when we moved the Sakai service to Pomona College.  John always bring talent and persistence to programming tasks, so we anticipate great work on the portal.

Watch for more updates on this initiative and do get in touch if you’d like to be involved.

Sakai Service changes coming

Harvey Mudd College has been the “Lead College” for the Sakai service since its inception in 2006.  This means that we provide the service to all the Claremont Colleges and receive some funding from the other Colleges to do so.

About two years ago I began to explore the option of contracting with rSmart for Sakai hosting.  rSmart is a company dedicated to hosting Sakai and other Higher Ed applications for a long list of higher education customers.  Hosting the service with them would take advantage of their expertise and the scale of their operation, which is based in Arizona and housed in one of the largest data centers in the country. On almost all dimensions of the comparison — cost, architecture, functionality, infrastructure, expertise — rSmart looked to be an improvement over what HMC could provide alone. Exploration of this option took many months, and then in August 2011 I made a formal proposal to the Information Technology Committee (ITC) that we should host Sakai with rSmart.  A series of monthly discussions took place, including a visit by the rSmart team in December.   However, I did not manage to persuade my CIO colleagues from the other Claremont Colleges and so the ITC voted to accept an offer from Pomona College to host the service.  The ITC is now moving forward to bring that recommendation to two other Intercollegiate committees, the Business and Financial Affairs Committee (BFAC) and the Academic Deans Commitee (ADC).  Assuming those committees endorse the idea, the Sakai service will be provided by Pomona College effective July 1, 2012.

If the service does move to Pomona, end users will not see any real difference in how the service is delivered. Pomona has offered to continue to subsidize the service and to augment and strengthen the infrastructure, which are good things.  Over time, they may install the rSmart version of Sakai which would provide some nice additional functionality over the “vanilla” version of Sakai that we have been running.

User support for Sakai questions will continue in the same way as it does now.  You can contact the Help Desk for help with issues and if you need advice on how to use a particular tool, you could contact Elizabeth Hodas.

For CIS, the change means a return of time and resources that were being dedicated to supporting the intercollegiate service.  During the analysis of the rSmart option, I discovered that we were subsidizing the service by about $50k per year. We were indeed investing time and resources in an important service and received praise from the other Colleges for our work.  But we are now looking forward to investing time and energy in other projects that will benefit the College, while confident that the Sakai service will be delivered in the ways we were familiar with.

 

Google’s new privacy policy and Google Apps for Education

On March 1, 2012 Google introduced a new privacy policy that applies to their consumer products (gmail, picasa, youtube etc).   There was a huge amount of coverage of this in the media.

Discussion with the HMC Computing Committee made it clear that we should remind you that the HMC contract with Google is for the Google Apps for Education (GAE) service, which is a separate suite of products, covered by a separate contract.  The new privacy policy does not apply to the core GAE service.

Among the key differences between GAE and the consumer service is that GAE includes a FERPA clause.  This clause stipulates that Google is subject to FERPA in the same way as the college is, and must process educational records (such as emails to students) accordingly.

In our discussions within CIS, we were struck by the fact that what Google is doing seems so much part and parcel of the tracking we are all subject to, both on and off line.  Retailers have been doing it for decades, as we learned from a NY Times article about how companies learn your secrets. I find it fascinating which practices and policy changes get noticed, and which don’t.

So, again, the GAE contract is separate from the Google’s consumer product privacy policy. If you have concerns or want to learn more, you should read the Google Apps for Education contract.

You may also find these Chronicle, Educause and Campus Technologies posts of interest.

Presentation to PPCPC on Campus Network Infrastructure

At the September Board of Trustee meetings, Cindy Abercrombie, Mitch Shacklett and I presented some information about our work in the area of network infrastructure review.  We are working toward a long term plan for the network infrastructure and wanted the Physical Plant and Campus Planning Committee (PPCPC) to be aware of the issues we are seeking to address.

Below is a reconstruction of the presentation, which I recorded afterward. If you want to look at the full size screen cast, you will find it here.

CIS presents at faculty meeting

On April 21, 2011 the CIS management team presented a report on the state of Information Technology to the faculty. Joseph began the presentation with a review of our four strategic directions and our customer service initiative. The four strategic directions are IT Decision Making (Governance), IT Infrastructure, Central IT (CIS), and Innovation. Before presenting examples of projects in each of these four strategic initiatives, Susan Selhorst described the iterative process we went through with the management team and the CIS staff to create our service vision statement.

  • CIS is dedicated to providing excellent client-centered services to the HMC community.
  • We promote the mission of HMC with reliable, innovative, and convenient technology.
  • We provide customer support that is friendly, knowledgeable, and responsive while working collaboratively with clients to develop effective and relevant solutions.
A Bite of Learning

A Bite of Learning

Joseph talked about the gap between what we espouse and what is actual, and how we approach that gap. As an example of initiatives in the area of Central IT, Calvin Tong spoke about the DTA program and introduced the two new staff on the User Support team. In the DTA (Department Technical Analyst) program individual staff in the User Support group are assigned to specific departments. This allows the DTAs to become very familiar with the needs of each department.  Elizabeth Hodas talked about the A Bite of Learning series as an example of innovation. The series focuses on introducing new and emerging technology to the HMC community in an informal lunch setting. Joseph continued with a discussion of how IT decisions are being made and some examples of the different sourcing models we are using. He concluded with a description of the planned email and calendar migration. Questions after the presentation focused mostly on the email and calendar migration.

Notes on Cloud Computing

Cloud

Despite the hype, I  find cloud computing challenging to think about and full of interesting opportunities.  I am beginning to suspect that claims that it is a game-changer are not so far fetched.

So far, our notes on cloud computing have focused on cloud offerings as alternatives for things we can do ourselves. So, for example, Jeho wrote about ODE Architect in the Cloud and I wrote about things like Formstack and Google Mail.  These are all things we either could run locally or are already running locally.   Many discussions of cloud computing focus on the pros and cons of doing things “on premise” vs “in the cloud”.  But there’s another dimension that I have recently been thinking about: cloud offerings for which there is no local alternative.

There are huge incentives for a vendor to work with a Software as a Service (SaaS) model.  To name a few

  • Every customer has the same version of the program (the only one!)
  • No need to provide different versions for different operating systems (although there are still browser compatability questions)
  • Licensing is much easier to manage (because it boils down to managing accounts) and no one can make pirate copies of the software

So it is not suprising that we are seeing vendors starting to offer SaaS only options. I am convinced that we will see more, and that this requires a central IT organization like CIS to develop some new skills.

Here’s an example.  The HMC Office of Admission was notified last Spring that the College Board is terminating its Recruitment Plus software.  This application is used by Admission to manage the process of finding students, taking applications and making admission offers.  So it is vital to the College.  Other vendors are all attempting to get the business of soon to be former Recruitment Plus users.   An offering that our Office of Admission is interested in is delivered in a SaaS only model by Admissions Lab.  So clearly there’s nothing for central IT to do, right?  No servers to install, no software to test, no support resources to provide.  As it happens, there was plenty for CIS to do, at two levels.   At a technical level, the output of the Admissions Lab software will still need to be fed into CX, so the technical folk needed to take a look at integration options.  And, at a policy and risk management level, we sent Admissions Lab a set of questions aimed at finding out about privacy, security and data management practices at the company.  This process resulted in a much better contract for the College than would have been the case if we’d accepted the first draft.

In consultation with the Cabinet and the Computing Committee, I’ve been evolving an IT Decision making model (aka IT Governance) that will help us with these kinds of decisions. A central tenet of the model is that not all IT decisions are made by the CIO, nor should they be.  The Admissions Lab software decision is a perfect case study: it’s one where the IT decision is made by the VP for Admission, and the CIO plays a “decision support” role.  The Admission office was one of the first to make use of this model, and I thank Thyra Briggs and Peter Osgood for their patience and engagement in the process.

Watch for more news as we get this governance model developed a little better.

Computing Committee for 2010-11 Convened

In May, the Faculty Executive Committee (FEC) appointed the Computing Committee for 2010-11:

Rachel Mayeri (11),
Eliot Bush (12),
Alfonso Castro (13),
Vatche Sahakian (13)
As CIO, I serve ex officio, as does a student member nominated by ASHMC.  This year, the student is Nick Card.
At our first meetings in the Fall semester we selected a chair, Eliot Bush, discussed the timing of meetings and laid out a schedule of topics.  We also had a fascinating and free-wheeling discussion of iTunesU, HMC on YouTube (http://www.youtube.com/harveymuddcollegeedu) and screencasts of problem solutions.
The topics for the rest of the semester are as follows:
Oct 6: Meet with CalvinTong. Start Email-Calendaring discussion

Oct 20: Email and Calendaring

Nov 3: Meet with Susan Selhorst.  Discussion of IT governance

Nov 17: Discussion of IT governance;  Student and faculty personal computer backups.

Dec 1: Teaching and technology