




Information Technology Unit

Tech Council Notes
11/18/03

1. Update on MESA (slides): Walt Sevon, Joe Hutchison

  • Background--unified plan to improve overall security
    Fewer accounts and passwords
    easy access to LAN data
    automatic updates for Windows desktop
    more secure network structure
    easy support for collaboration w/ other research institutions

Steering Committee--across the University
provides policy and guidance to Coordinating Committee--mostly ITU, focus on implementation

  • Accomplishments:
    regular meetings
    underlying infrastructure in place
    password policy
    milestone draft plan completed

  • Milestones:
    initial environment created
    pilot live in IH
    Testing and validation of pilot
    Pilot eval and migration planning
    Migration of campus to MESA

  • MESA Solutions:
    Kerberos
    LDAP
    AFS
    Active Directory
    eduPerson
    pubCookie
    Physical network changes

  • Situation Today:
    pilot operational
    LDAP eduPerson and eduOrg in place
    Kerberos and AFS systems built and functional
    Active Directory for desktop support under Windows Server 2003
    Trust relationship for AD and Kerberos authentication

  • Lessons Learned:
    learning to use new toolkits--scripting, policies, etc.
    local profiles sometimes corrupted
    balance b/w security and usability
    AFS File locking issue w/ Windows multi-user files

  • Pilot vs. actual Roll Out:
    support structure now--server group/MESA developers
    future support--support center and field services
    SMS not yet integrated
    generic logins vs. individual logins
    need to automate password changes

  • Risks:
    Over-tasking server and network engineers
    Budget shortages
    costs for additional network security
    additional servers

  • Next steps:
    order and install test bed
    create a MESA budget
    implement password policy and password change web site
    pilot individualized logons
    install SMS 2003
    Research Banner LDAP interface
    Research web app, portal, and MESA authentication
    review MESA IH pilot
    create realistic roll out schedule
    update communication plan
    create training plan for both technical staff and customers
    implement

web site: http://itu.gmu.edu/projectoffice/mesa

comments: data needed to implement password change--G numbers, birthdays, etc.

Tech Council questions and responses from Joe Hutchison:

1. Is the MESA Pilot effective? It was only piloted in a lab environment that was built from scratch - not a faculty desktop system that was migrated from an existing system (Novell). Agreed. We already planned to have additional pilots of other segments of MESA - including integrated authentication, desktop migration (both managed and unmanaged), Banner authentication through MESA, Web Application authentication through MESA, and others (probably Network configuration changes). This initial Pilot was intended to see if the base foundation would be functional under fairly heavy loads. In addition, by keeping this initial Pilot simple, it allows for us to troubleshoot failures much more effectively.

2. It is a great distraction to Faculty to implement a new system over the summer break. The faculty frequently do not get the training they need before they need to use the just implemented technology, and many of the ITU support staff are dealing with the many issues that happen when the students return for the fall. Agreed. We already plan on working with the departments for their migration planning and timing. This is a major reason why we must have effective communications with our customers, and their official/unofficial technical support groups.

3. What will the Banner impact be? Don't know what it will be, but suspicious that it won't be good. Hard to say - there will be an impact due to Banner, but we will mitigate this as much as possible by splitting it into segments, and piloting these segments. I'm not sure if the concern is related to new information being pushed to Banner, or old processes requesting information pulled from Banner, or something else... This needs to be researched more thoroughly.

4. Strong concern expressed as to the cleanliness/reliability of the data stored within the Banner system. This is a concern for MESA as well. We do need the identification information in Banner to be accurate, as well as the role-based definitions. As we migrate to Portals, and begin to utilize role-based information in more applications, the accuracy of the information within Banner will become even more important. It is one thing for the telephone number to be wrong…it's critical when an individual can access unauthorized data.

5. Recommend - Pick one thing, then do it well. Only then move to other things. This is the only way to effect a culture change. Agreed. This is why the MESA implementations are proceeding in a linear fashion. As we gain experience and customer confidence, we can do more in parallel.

6. Privacy concerns, and the desire for more levels of privacy settings. Ex. A faculty member would like his desk phone number to be visible to their faculty/staff, but not to students. This may have an impact to MESA - the LDAP directory will contain personalized information about people at some time. We will need to ensure that these additional privacy requirements can be fulfilled.

2. Web Standards Update: Dee

  • Document sent to the state is available on the Tech Council Web site.
  • Anne shared draft of revised accessibility statement from Mason Web Team. It includes more specific description of accessibility standards.
    Discussion about faculty response
    Noted that these are not worded as requirements--"should," "whenever possible," etc.
    Comment: it is an iterative process--creating accessible web sites
    Is this incompatible with our response to state standards?
    Web accessibility validator--new tool available via link from web development site
    Comments on draft statement should go to Anne.

3. Web Functionality Requirements

  • Draft approved by TC in September 03; document available on Tech Council Web site

  • Communication Plan
    We wanted to get feedback from others at University outside the Tech Council
    Display at Open House, DoIT Dialog
    Met with groups:
    IT Project Briefing
    SALT
    Presidents Council
    Senate IT Committee
    Aux Enterprises
    OCPE
    Technology Coordination Team (ITU)

Comments have mostly been about implementation not whether these requirements are the right ones. Appears to be consensus on the functionality requirements.


4. Next Steps

  • General Comments on next steps:
    Implementation of new architecture involves culture shift as well as change in technology.
    Needs a reliable, cleaned-up database for the architecture to be effective

Next step: identify key databases
Pick one thing and do it successfully

Privacy and security issues
Segmented security
Impact on Banner?

  • Appoint Task Force to lay out options for a technical solution. What methods do we have to achieve the functionality requirements? Suggested methodology--matrix of options related to functionality requirements.

  • Anne will chair

  • Suggestions for members:
    John Creuziger
    Stephen Nash
    MESA representative?
    Linda Harbor?
    Budget person?
    Mike Wood
    Mel Nichols

  • Committee will report back to Web Architecture Group at end of January. Once the Tech Council sees available options, it could decide which to explore further--visit other schools, set up vendor demos, pilots, etc.

5. Joy's comments

  • MESA has taken a new direction--towards security and authentication
    started out looking at Novell and whether to stay with it for our LAN architecture
    worked with other schools who had done more with Open Source, Middleware initiative--Georgetown, e.g. (Joy attributes faculty presence on Tech Council to our direction to Open Source.)

    Thus the project migrated to focus more on security at a time when general social attention was more on security.

    Higher Ed in general attempting to "secure its own house" to avoid more federal regulation.

    Web Architecture project
    Attempt to avoid wasted effort--similar documents on different machines. Multiple lists of info that don't match.
    Choosing pilots will be very important. Pilot needs to be successful.


Attending:

Anne Agee
Dee Holisky
Joy Hughes
Carrie Gillotte
Wally Grotophorst
Joe Hutchison
Creston Jamison
Bob Nakles
Walt Sevon
Mike Behrmann
Lara Bushallow
Ann Clare
John Creuziger
Andrew Flagel
Andres Fortino
Jim Finkelstein
Paras Kaul
Ruth Kifer
Stephen Nash
Mel Nichols
Roy Rosenzweig
Stan Zoltek

Not Attending:

Doug Casey
Farrokh Alemi
Cathy Hubbs
Deborah Keene
Sean Watkins
Mike Wood
MeiHua Zhai

Contact: Anne Agee | Updated June 7, 2004