Summer 2014 update from the CIO

When I was a kid growing up in Ireland, I loved reading the Beano and the Dandy.  Every summer, they would announce a “bumper edition”, which was packed with extra stuff for those long summer days out of school.  This is the bumper edition of updates from the CIO!

Infrastructure
The summer was a very busy one in the realm of IT infrastructure. We oversaw a major rewiring of the Parsons structure, which set the building up to host a modern wired and wireless network that should serve us well for the foreseeable future.  The major points of emphasis in the architecture of the new network are:

  • Assume an increase in the use of wireless devices (to support this we increased the number of wireless access points from nine to sixty-seven).
  • Build a high capacity wired network that requires fewer physical cables (cat 6A throughout the building, fewer physical ports, but higher capacity).
  • Improve switching closets and reduce their number (from six to two).

I am very grateful to our partners in Facilities and Maintenance who worked with us to make the wiring project a success, and were supportive of our idea of carrying out our project in parallel with the vacated space project.  The new Clinic space in the basement is just beautiful!

We planned the new dorm wired and wireless network and, taking advantage of the construction work, have laid the groundwork for a “north campus loop” that will enhance the resilience of The Claremont Colleges network by providing alternate (redundant and diverse) networking routes to the second CINE core switch.

We bought new switches for east and south dorms, as well as the Linde Activity Center. We placed a new UPS in Kingston and new wireless access points in the LAC.

A new fiber run from Claremont to downtown Los Angeles is about to be completed, connecting with the Claremont network at the CUC building on First Street. This will increase the resilience of our connections to the internet.  As you can imagine, this is ever more important with the increased use of software services that are hosted elsewhere.

IAM@HMC (Identity and Access management)
We worked closely and intensely with our project partners from Fischer Identity during the summer, meeting every day for many weeks.  This let us push through to get several big wins:

  • We eliminated the distinction between LDAP passwords and Active Directory passwords — it’s all HMC Credentials from now on.
  • Automatic Account Creation (“provisioning”) went live. This meant that we could bring all the new students on board in record time, without manual account creation.
  • We brought the portal (portal.hmc.edu) into the Single Sign On environment. It uses HMC credentials now and you won’t be challenged to log in if you have already logged in and established a session in another application that is part of Single Sign On.
  • We added payors to the HMC portal so that they can view and pay bills on line.
  • We worked with other consortium members to bring up CAS, which will provide single sign on for other systems and, in our case, increases the usefulness of your HMC Credentials. In a new phase of the IAM@HMC project we hope to integrate CAS with Fischer Identity and get even more single sign on in place.

IT Assessment by BerryDunn
During the summer, representatives from consulting firm BerryDunn were in Claremont working on a Claremont-wide IT Assessment at the request of the Presidents Council. Some of you took the opportunity to meet or talk with them and give your views on the quality of IT overall at the Colleges.  I understand that the BerryDunn folk will be coming back again in the Fall, so there will be additional opportunities to meet with them.  I will try to send a bit more advance notice, so please keep an eye out.  If you are particularly keen on talking with them, please just get in touch with me and we can set up a telephone call. They are very eager to provide the Colleges with a high quality actionable report and would greatly appreciate your input.

IT Policy
During the summer, I completed updates to the HMC Password Policy and finalized the policy on incidental personal use of IT, both of which are now linked on our IT policies page on the HMC website.  Both are the result of extensive discussion with various instances of the Computing Committee, the Presidents Cabinet and other stakeholders.  I believe that policies should be realistic and should interfere as little as possible with your day to day experience, while at the same time achieving institutional goals.  I have found that a good way to achieve that is to have extensive discussion with stakeholders, including college counsel and to be willing to wait until the policy is well cooked before releasing it.

Next up is a policy on safeguarding confidential and sensitive information.

Speaking of passwords, on October 27th we plan to turn on the password expiration function in the Fischer system.  If your password is over 365 days old, you will need to reset it. The prompt at login will just say “invalid credentials”, as we don’t want to give hackers any clues.  But you will receive a notice via email when your password is seven days away from expiring. When we first released the HMC Password Policy, the advice of the Computing Committee at the time was that August would be a good time to remind people to reset passwords, since everyone is coming back and doing housekeeping tasks for the new year.  The timing of your annual reset is up to you though, since you can change your password at any time by visiting the Password and Account Management Kiosk.  If your password is getting old, now might be a good time to change it.
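The expiration behaviour described above can be sketched as follows. This is an added example, not the Fischer system's code; the account record, function names, audit reasons and sample accounts are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

MAX_AGE = timedelta(days=365)        # passwords older than this must be reset
NOTICE_WINDOW = timedelta(days=7)    # e-mail reminder lead time
PUBLIC_FAILURE = "invalid credentials"


@dataclass
class Account:                       # hypothetical record layout
    username: str
    salt: bytes
    pw_hash: bytes
    pw_changed: date


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(username, password, changed, salt=b"constructed-salt"):
    return Account(username, salt, hash_password(password, salt), changed)


def login(accounts, username, password, today):
    """Return (ok, public_message, audit_reason).

    Every failure gives the caller the same public message; the real
    reason is returned separately so it can go to a server-side audit log.
    """
    acct = accounts.get(username)
    # Hash even for unknown users so timing does not reveal which names exist.
    candidate = hash_password(password, acct.salt if acct else b"dummy-salt")
    if acct is None:
        return False, PUBLIC_FAILURE, "unknown_user"
    if not hmac.compare_digest(candidate, acct.pw_hash):
        return False, PUBLIC_FAILURE, "bad_password"
    if today - acct.pw_changed > MAX_AGE:
        return False, PUBLIC_FAILURE, "password_expired"
    return True, "ok", "success"


def due_for_notice(accounts, today):
    """Usernames whose password expires exactly NOTICE_WINDOW from today."""
    return sorted(
        a.username for a in accounts.values()
        if a.pw_changed + MAX_AGE - today == NOTICE_WINDOW
    )


# Constructed sample data: the day expiration is switched on.
TODAY = date(2014, 10, 27)
ACCOUNTS = {
    a.username: a for a in (
        make_account("alice", "correct horse", date(2013, 10, 1)),  # 391 days old
        make_account("bob", "battery staple", date(2014, 9, 1)),    # recent
        make_account("carol", "tr0ub4dor", date(2013, 11, 3)),      # expires in 7 days
    )
}

if __name__ == "__main__":
    print(login(ACCOUNTS, "alice", "correct horse", TODAY))
    print(login(ACCOUNTS, "bob", "battery staple", TODAY))
    print(due_for_notice(ACCOUNTS, TODAY))
```
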

Websites
When we moved to the new HMC website last January, we vowed that we would work hard to ensure that only accurate and relevant information would appear on our pages. We continue to work on that goal and have been enhancing our Service Catalog page and keeping on top of updates to the IT Projects page.  Our goal is to make it valuable and effective to turn to the CIS web page whenever you are looking for a solution or are curious to know what we’re up to.

We have also set up pages.hmc.edu for people who wish to host static html pages outside of any of our content or learning management systems.  I wrote about this in the April update, but it is worth mentioning again as we work towards decommissioning older systems such as thuban (www2), odin (www3) and www5.  www4 has already been decommissioned and replaced by pages.hmc.edu.

Educational Technology
Thanks to our restructuring that placed AV operations under the wing of User Support, Educational Technology Services has become even more focused and productive under Elizabeth Hodas’ leadership. Elizabeth is paying special attention to the question of how to relate technology tools to the goals of faculty and students.  I hope you will notice this emphasis in the roster of workshops available during our Week of Workshops, which started on Monday.

Over the summer, there was a surprising amount of interest in trying out Google Glass. Jeho Park described our experiments in his article “OK Glass, shoot a laser beam!”  I found the star mapping app really compelling, even though the night on which I had Glass was a cloudy one!  It was the first time I really felt for myself the potential of augmented reality applications and I will never forget my daughter’s exclamation “oh wow” when she donned the Glass and went outside to conquer her fear of the dark.

Also over the summer, Deb Mashek set up a Google Apps Learning Community that several of us participated in.  It was a quiet success and I heard from a number of the participants about how they liked the hands on and interactive approach of these sessions, so we’re thinking of other possibilities.   We are also exploring the possibility of subscribing to lynda.com campus edition through a Claremont wide agreement. This would give faculty, students and staff a large number of online professional development and learning opportunities.

People
Unfortunately, Corey LeBlanc left us for Pomona College, where he is now the Computer Science Dept System Administrator. We wish him the best of luck, and were very sorry to see him leave us.

Taylor Calderone will be helping to fill in as we search for a new DTA. Taylor has been with us for a while in a temporary capacity, particularly with AV support for events, so he knows the ropes.

In other hiring news, we are having more success in the search for a Sr. Network Engineer and have interviewed a couple of really promising candidates in recent weeks.  Stay tuned for news on that front.

As I completed writing this update, I had a feeling of exhilaration.  It is just so pleasing to see so much progress in so many areas!  And, once again, my hat is off to the hardworking staff at CIS who just keep on working at a very high level.

Welcome back everyone (and welcome, first years).  At CIS, we missed you and are looking forward to supporting you for yet another great year at Mudd.

 

 

 

CINE wireless signal is going away

When you are on the HMC campus and look at the wireless signals (SSID) available, you will normally see at least the following:

CINE
Claremont
Claremont-WPA
Claremont-ETC

As I mentioned in the September 2012 Update from the CIO, the Claremont Colleges have agreed to remove the CINE wireless signal from service. There are a number of reasons for this:

* The CINE network is open (anyone can access it).
* The CINE network is unencrypted and therefore insecure (network traffic may be visible to third parties).
* The Library licenses electronic content that requires authentication.
* The Library was subject to some overcrowding due to the “free wireless”.

The Library and some of the other Claremont Colleges have already stopped broadcasting the CINE signal.

What should you do? The next time you need wireless access on campus, you should configure your laptop or other wireless device to connect to Claremont-WPA. This is a one-time configuration, as most laptops will remember the wireless network and can also be configured to give Claremont-WPA priority over other networks on campus. You will not have to enter your HMC Credentials every time you connect to Claremont-WPA. For details about how to do this, visit the following link:

http://www.hmc.edu/about1/administrativeoffices/cis1/faq1.html

We do not yet have a fixed date on which the CINE signal will go away. We need to design a guest access solution that will work for the HMC community and allow access for many types of devices. Our target to get this done is the end of 2012.

If you have questions or need help configuring your laptop or other wi-fi device to connect with Claremont-WPA, please contact the Help Desk on the first floor of the Sprague Learning Center (helpdesk@hmc.edu or 909 607 7777).

Time to change your password!

As we move into Fall semester, some of the authentication systems managed by CIS will be configured to require password resets every 365 days.

This is a step in improving the overall security of HMC systems and bringing us into compliance with our password policy.

To reset your passwords please visit the HMC password and account management portal at:

https://iaas2idm.fischeridentity.com/identity/self-service/HMC/kiosk.jsf
(Nov 2012 edit: we have replaced this link with https://iam.hmc.edu/identity/self-service/HMC/login.jsf)

Using this portal, you will set up security questions and set the password for all of the following systems in one go:

Claremont WPA wireless (eg laptops, phones and other devices that connect to Claremont WPA wireless)
Alice and Charlie file servers
Cognos 10 reports
Google Apps for Education
Ultipro

If you have not reset your passwords in over 365 days, you should do so. We will be working with each department to ensure a smooth transition to this new system.  You can change your password any time you like using the password and account management portal.  Once we have worked directly with each department, we will turn on the feature that requires a password change every 365 days.

Thank you for your understanding and your efforts to increase the security of our systems.

Please don’t hesitate to send questions or concerns to us at helpdesk@hmc.edu

Room reservation software upgrade to EMS Campus

Guest author, Isabel Jordan, wrote for us about a recent upgrade to the Event Management System….

HMC’s reservation software, Event Management System (EMS), has been upgraded to the Campus 3.0 version. Virtual EMS was only changed in appearance but not use. There has been some feedback from Mac users who say they are having difficulty viewing Virtual EMS. The solution has been to use Google Chrome as the browser rather than Mozilla Firefox.

Currently, CIS and the Facilities & Maintenance team are working together to
get the Integrated Authentication module up and running. This module will
integrate EMS with the directory server so that one can log in to EMS with
the same account log in/password that is used to log in to one’s computer
(HMC credentials).  There are over 600 users who have accounts in EMS so we
are trying to figure out the most efficient way to make this happen.

Moving forward the plan is to install an Academic Planning Module that will
assist the Registrar’s office to connect the academic schedule from CX to
EMS. Currently the 5C registrars are being trained to learn the
collaboration between CX and EMS.

IAM @ HMC journey begins

In my last update from the CIO  I gave a quick overview of Identity and Access Management (IAM).  We have now contracted with Fischer International for Identity and Access Management services.  Throughout 2012, this decision will have an increasing impact on all of our daily computing lives.  You will hear and read more and more references to your “HMC Credentials”, which will be a username and password derived from your current Charlie or Alice passwords (Active Directory).  We will stop referring to credentials that are specific to an application, such as “your Zimbra username and password”.   Eventually, your HMC Credentials will be the only credentials you need to access most services; moreover, you will see a “single sign on” ecology begin to emerge:  once you’ve logged in to one service, you typically will not have to provide credentials for the next service you visit.  For example, you would log on to your computer in the morning and then visit Sakai, which would recognize that you have already authenticated and not ask you for your credentials a second time. Ditto when you visit email (including Google Apps) after you’ve logged into Sakai or the Portal.  And so on.

The IAM @ HMC initiative will also bring you a web interface to reset your password for your HMC credentials.

There’s more: an important milestone along the IAM @ HMC journey will be our ability to join InCommon, which is an Internet2 initiative.  Two immediate benefits: you will be able to use your HMC Credentials to access online resources through the library, NSF resources and any other “federated” resources that work with InCommon.  We anticipate joining InCommon in the first six months of 2012. 

Presentation to PPCPC on Campus Network Infrastructure

At the September Board of Trustee meetings, Cindy Abercrombie, Mitch Shacklett and I presented some information about our work in the area of network infrastructure review.  We are working toward a long term plan for the network infrastructure and wanted the Physical Plant and Campus Planning Committee (PPCPC) to be aware of the issues we are seeking to address.

Below is a reconstruction of the presentation, which I recorded afterward. If you want to look at the full size screen cast, you will find it here.

CIS presents at faculty meeting

On April 21, 2011 the CIS management team presented a report on the state of Information Technology to the faculty. Joseph began the presentation with a review of our four strategic directions and our customer service initiative. The four strategic directions are IT Decision Making (Governance), IT Infrastructure, Central IT (CIS), and Innovation. Before presenting examples of projects in each of these four strategic initiatives, Susan Selhorst described the iterative process we went through with the management team and the CIS staff to create our service vision statement.

  • CIS is dedicated to providing excellent client-centered services to the HMC community.
  • We promote the mission of HMC with reliable, innovative, and convenient technology.
  • We provide customer support that is friendly, knowledgeable, and responsive while working collaboratively with clients to develop effective and relevant solutions.
A Bite of Learning

Joseph talked about the gap between what we espouse and what is actual, and how we approach that gap. As an example of initiatives in the area of Central IT, Calvin Tong spoke about the DTA program and introduced the two new staff on the User Support team. In the DTA (Department Technical Analyst) program individual staff in the User Support group are assigned to specific departments. This allows the DTAs to become very familiar with the needs of each department.  Elizabeth Hodas talked about the A Bite of Learning series as an example of innovation. The series focuses on introducing new and emerging technology to the HMC community in an informal lunch setting. Joseph continued with a discussion of how IT decisions are being made and some examples of the different sourcing models we are using. He concluded with a description of the planned email and calendar migration. Questions after the presentation focused mostly on the email and calendar migration.

Notes on Cloud Computing

Despite the hype, I find cloud computing challenging to think about and full of interesting opportunities.  I am beginning to suspect that claims that it is a game-changer are not so far-fetched.

So far, our notes on cloud computing have focused on cloud offerings as alternatives for things we can do ourselves. So, for example, Jeho wrote about ODE Architect in the Cloud and I wrote about things like Formstack and Google Mail.  These are all things we either could run locally or are already running locally.   Many discussions of cloud computing focus on the pros and cons of doing things “on premise” vs “in the cloud”.  But there’s another dimension that I have recently been thinking about: cloud offerings for which there is no local alternative.

There are huge incentives for a vendor to work with a Software as a Service (SaaS) model.  To name a few:

  • Every customer has the same version of the program (the only one!)
  • No need to provide different versions for different operating systems (although there are still browser compatibility questions)
  • Licensing is much easier to manage (because it boils down to managing accounts) and no one can make pirate copies of the software

So it is not surprising that we are seeing vendors starting to offer SaaS only options. I am convinced that we will see more, and that this requires a central IT organization like CIS to develop some new skills.

Here’s an example.  The HMC Office of Admission was notified last Spring that the College Board is terminating its Recruitment Plus software.  This application is used by Admission to manage the process of finding students, taking applications and making admission offers.  So it is vital to the College.  Other vendors are all attempting to get the business of soon to be former Recruitment Plus users.   An offering that our Office of Admission is interested in is delivered in a SaaS only model by Admissions Lab.  So clearly there’s nothing for central IT to do, right?  No servers to install, no software to test, no support resources to provide.  As it happens, there was plenty for CIS to do, at two levels.   At a technical level, the output of the Admissions Lab software will still need to be fed into CX, so the technical folk needed to take a look at integration options.  And, at a policy and risk management level, we sent Admissions Lab a set of questions aimed at finding out about privacy, security and data management practices at the company.  This process resulted in a much better contract for the College than would have been the case if we’d accepted the first draft.

In consultation with the Cabinet and the Computing Committee, I’ve been evolving an IT Decision making model (aka IT Governance) that will help us with these kinds of decisions. A central tenet of the model is that not all IT decisions are made by the CIO, nor should they be.  The Admissions Lab software decision is a perfect case study: it’s one where the IT decision is made by the VP for Admission, and the CIO plays a “decision support” role.  The Admission office was one of the first to make use of this model, and I thank Thyra Briggs and Peter Osgood for their patience and engagement in the process.

Watch for more news as we get this governance model developed a little better.

Security Breach

There are moments that every CIO and IT administrator dreads.  One of them, possibly highest on the list of dreaded moments, is when a system administrator comes to you and says “one of our servers has been compromised”.    When that happens, you must immediately start thinking about technological, legal and social issues all at once.  If possible, you also have to try to keep track of what you are learning as the situation unfolds. And these situations always unfold — you never have all the information right at the outset.

At CIS, we had one of those dreaded moments on the afternoon of January 5th.  That’s when we discovered that unauthorized attempts to log in to several of our servers had been successful earlier in the day (at 2:15am).  It was the vigilance of an IT administrator at the Claremont Consortium that first drew our attention to a problem: he had noticed a number of unsuccessful login attempts, all coming from one machine on our network.
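The pattern that surfaced this incident, a run of failed logins from one internal machine followed by a successful one, can be checked for in authentication logs. The sketch below is an added example, not CIS tooling; it assumes OpenSSH-style log lines (the page does not say which service was involved), and the hosts, users, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH syslog style; all values are made up.
SAMPLE_LOG = """\
Jan  5 02:14:51 host-a sshd[811]: Failed password for admin from 10.0.5.23 port 40112 ssh2
Jan  5 02:14:53 host-a sshd[811]: Failed password for invalid user test from 10.0.5.23 port 40113 ssh2
Jan  5 02:14:55 host-b sshd[402]: Failed password for root from 10.0.5.23 port 40120 ssh2
Jan  5 02:14:57 host-b sshd[402]: Failed password for jsmith from 10.0.5.23 port 40121 ssh2
Jan  5 02:14:59 host-c sshd[377]: Failed password for jsmith from 10.0.5.23 port 40130 ssh2
Jan  5 02:15:02 host-c sshd[377]: Accepted password for jsmith from 10.0.5.23 port 40131 ssh2
Jan  5 08:30:10 host-a sshd[950]: Failed password for mlee from 10.0.9.40 port 51000 ssh2
Jan  5 08:30:18 host-a sshd[950]: Accepted password for mlee from 10.0.9.40 port 51001 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def is_noisy(attempts, min_failures, min_hosts):
    """True when one source has failed often enough, on enough servers."""
    return (len(attempts) >= min_failures
            and len({host for host, _ in attempts}) >= min_hosts)


def analyse(log_text, min_failures=5, min_hosts=2):
    """Report sources with many failed logins and any success that followed."""
    failed = defaultdict(list)     # src -> [(host, user), ...]
    followed = defaultdict(list)   # src -> successes seen after the threshold
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue               # not a password-auth line
        src = m["src"]
        if m["result"] == "Failed":
            failed[src].append((m["host"], m["user"]))
        elif is_noisy(failed.get(src, []), min_failures, min_hosts):
            # A success after a burst of failures is the line to escalate.
            followed[src].append((m["ts"], m["host"], m["user"]))
    return [
        {
            "src": src,
            "failures": len(attempts),
            "hosts": sorted({h for h, _ in attempts}),
            "users": sorted({u for _, u in attempts}),
            "successes": followed.get(src, []),
        }
        for src, attempts in failed.items()
        if is_noisy(attempts, min_failures, min_hosts)
    ]


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

A single mistyped password followed by a good login, like the second source in the sample, stays below the thresholds and is not reported.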

The Sakai server was one that had been compromised.  You will remember that HMC is the “lead college” for Sakai; we provide the Sakai service to all the other Claremont Colleges.  And people keep a lot of data on Sakai. So this was potentially a very serious security breach.  If data had been accessed then we would have to notify everyone in Claremont and possibly much further afield. Reluctantly, we made the decision to take Sakai off-line for a full investigation.  A team of six people from HMC and CUC spent most of January 6th working on this issue, and on creating a new Sakai server for use in case it was needed.  We determined that the intrusion had been minimal (a six second login, probably automated and designed to establish the fact that the account had been compromised). By the evening of January 6th we were able to bring Sakai back on line.

The machine (a desktop) that was attempting to reach other systems had been compromised, but the starting point of this attack was a departmental web server, which had been compromised some time in December. The departmental web server had been subject to a “SQL injection attack”, a way of sending queries to a server that end up allowing a hacker to gain control of the machine. Once the hackers had gained control of the web server, they waited and captured some usernames and passwords that allowed them to move on to another machine.

I am glad to say that we got the attack under control very quickly and that no data was exposed. We learned many lessons in the process.

Changes we’ve since made  include:

  • reviewed all production servers for signs of compromise
  • locked down production servers
  • changed all system administrator passwords
  • introduced better password management policies for our system administrators
  • solicited information from security firms for vulnerability scanning

We will be performing vulnerability scanning on servers managed by CIS and are interested in working with departments to provide the service to them too.

We were fortunate this time.

Please keep in mind that your own security practices contribute to the overall security of the network to which all of our systems are connected.  Make sure your system is kept up to date with security patches, that you are running anti-virus software, and that you are running only the services you need to run (e.g., don’t run a web server if you don’t need to).  You’ll find a (flash based) tutorial on digital self-defense from the Rochester Institute of Technology at http://security.rit.edu/contest/dsdsite.html. If you have any questions or concerns, please make sure to contact the CIS Help Desk at helpdesk@hmc.edu or (909) 607-7777.

LabSTOR update

Harvey Mudd College is a member of a consortium called LabSTOR.  In fact, we helped set it up, along with Allegheny, Middlebury and Occidental.  LabSTOR uses Apache software called VCL (Virtual Computing Lab) that was originally created at North Carolina State University.  It is designed to allow remote access to computing environments that include applications usually found only in campus computing labs, hence the “virtual computing lab” moniker. It also allows for high performance computing (HPC) on the same infrastructure as used for the Virtual Labs.  The advantages of doing this through a consortium include reduced costs and, potentially, more bargaining power when it comes to negotiating license agreements. It also allows one to rethink how physical space is used.

In early January, Longsight, the company that we have contracted with through NITLE, brought the system up and began arranging training for the people on each campus who will be creating “images” (virtual environments that contain an operating system and applications) that can be run through LabSTOR.  It was very exciting and gratifying to see this happen, since it seems so long ago that I had the first conversations with Rick Holmgren (CIO, Allegheny).  Throughout the Spring Semester LabSTOR will be in pilot mode.  At the end of the semester each institution will be deciding whether to proceed to full production in the Fall.

We plan to test ODE Architect in this environment.  If you have ideas about other applications we might put in LabSTOR (eg. something you have to go to a lab to use, either a lab managed by CIS or one managed by a department), then please let us know.  We will work with the vendor to ensure that we comply with licensing terms and then try the application out in the virtual lab.

For more information see:

LabSTOR blog at http://labstor.blogspot.com

Earlier news item: http://www5.hmc.edu/ITNews/?p=393

NITLE: http://www.nitle.org

Longsight: http://www.longsight.com/

ODE Architect: http://www5.hmc.edu/ITNews/?p=609