5 october 2015 the other side of middleware: working with policy makers, data owners and campus...

April 19, 2023

The Other Side of Middleware:

Working with Policy Makers, Data Owners and Campus Constituents

The Other Side of Middleware:

Working with Policy Makers, Data Owners and Campus Constituents

28 October 2002 Internet2 Fall Member Meeting

Panelists

• Joseph Lazor Florida State University

• Lesley TolmanTufts University

• Dave TomcheckUniversity of California, Irvine

• Art VandenbergGeorgia State University

• Ann WestEDUCAUSE/Internet2/Michigan Tech


A Bit About Middleware

Middleware makes “transparent use” happen, providing consistency, security, privacy and capability

Identity - unique markers of who you (person, machine, service, group) are

Authentication - how you prove or establish that you are that identity

Authorization - what an identity is permitted to do

Directories - where an identity’s basic characteristics are kept


Map of Middleware Land


Topics Not Covered

Business Case

Long-term Value

Technology details


Themes

Middleware is not just a technology project

Implementation challenges are a reflection of• Institutional culture and needs• Installed technology, requirements, and available resources

• Leadership


Middleware Politics


Topics

Project Methodology

Stakeholders

Challenges

Lessons Learned


What’s unique about middleware?

It’s like an ERP project• Cross institutional impact and value• Changes the way business is done• Leverages the crown jewels, our data

It’s not like an ERP project• Rare for non-IT to lead the way• Costs less• Rare for the IT-data staff to implement it• Difficult to communicate the benefits• Transparent


Project Methodology

Three project approaches• Stealth • Application-based• Strategic


Stakeholders

Contributes to or benefits from implementation• IT (supplies/oversees data; offers services)

– Telecommunications– Campus-wide (email, calendaring, video, etc.)– Administrative– Academic

• Student Services (supplies/oversees data; offers services)– Registrar– Financial Aid– Advising– Admissions

• HR (supplies/oversees data; offers services)• Finance (supplies/oversees data; offers services)

– ebusiness (vendors)


Stakeholders

• Library (supplies/oversees data; offers services; consumers)• Research services (supplies/oversees data; offers services)• Advancement (supplies/oversees data; offers services)• Alumni (supplies/oversees data; offers services)• Athletics (supplies/oversees data; offers services)• Academia (faculty/departments)

• teaching (supplies data/consumer)– on-campus– distance ed

• research (supplies data/consumer)

• Facilities management (supplies/oversees data; offers services)• Students (supplies/oversees data)


Challenges and Pitfalls

Misjudging readiness of environment• Business needs are not obvious• Aim, fire, ready• Going too slow is a problem too.

Lacking leadership and support• IT trusted?• IT on board?• Where are the weak spots?

Failing to plan up-front • What could go wrong/right?• Just-in-time opportunities• Not setting boundaries, short and long term

Leaving out key participants• Do they lose control?• Do they need control? Do you?


Challenges and Pitfalls (cont.)

Incurring legal or PR risks• Your president gets a call…

Educating campus• What have you done for me lately?• Why should I care again?• Best practices

– Passwords are like underwear…• We’re never done

Resourcing the project• Missing one or more function: architect, implementer,

project manager, communicator • Do this in your spare time…• Let’s go for the big bucks…• Moving the on-going cost to the infrastructure category• Moving the operations to data-knowledgeable staff


Suggestions

Plan up front• Educate IT well before the external campaign • Assess weak spots• Allocate resources

– Consultants, Training, Creative management?– What are the boundaries?

• Be flexible and allow for opportunities – Overall architecture and tenets– Go for the easy wins to set up a track record

• Include ability to iterate, pilot, and fail; iterate, pilot, and succeed

• Identify ways to measure benefits ahead of time for later flag waving

– Consider opportunities taken, productivity gains through self-service


Suggestions (cont.)

Include key stakeholders early• Don’t promise what they want; offer reality instead• Bring them inside and develop strategy together

Develop your story early• Decide if middleware should even be mentioned• Tie the implementation to culture and business needs• Use stories and words your audience can relate to

On-going communication is critical• Find IT staff who can talk to the campus constituents• Include web/hard copy/personal communications• Consistency and constancy of message• Use the informal network

Don’t do what you shouldn’t do


If you build it…

They will:

1. Want it before you know they want it.

2. Want it before the pilot is done.

3. Want it right after it’s done because department A wants it.

4. Wait and see until department A &B weigh in and then want it.

5. Wait until they are required to want it and still not want it.


Case Studies


Enterprise Directory Service:A Case Study

Florida State University

Joseph A. LazorOffice of Technology Integration

[email protected]


Florida State UniversityHighlights

58,000 students, faculty, staff.

Main Campus, London, Puerto Rico, Panama City Campuses.

10th largest in research royalties.

17th most wired –1st in Florida.

1200+ Distance Learning courses.

Largest University owned supercomputer configuration in the U.S.

Bobby Bowden


Highlights

Centralized Finance & Administration.Centralized Information Technology – Office

of Technology Integration.AVP-CIO – Provost & VP F&A

• Administrative: human resources, financial, student, administrative services. • Academic: Network, Labs, E-mail. • User: Helpdesk, CBT training.• Office of Distributed Distance Learning – Blackboard.• Data Center

Colleges, Schools operate with great deal of autonomy.


Enterprise Directory Service

MissionProvide FSU and Our Constituents With Secure

Web Delivered Information Services that are:• Personalized

• Access to Many System Services with ONE Password

• Easy to Use

• Easy to Support

• Available World-wide

• Based on Progressive Industry Standard Technology

Positioning FSU for Integrated Systems with a Single Login.



Expanding Community of Constituents

Expanding with “Lifelong Relationships”, Distance Learning, and Enrollment Management, etc.

• Students on Our Four Campuses plus • Remote Learning Centers and Distance Learners Worldwide• Special Education Relationships (e.g.. Navy, Army, IRS)

• Faculty and Staff

• Prospective Students



A Complex Community of Constituents• Students and Alumni sharing information

• Family, Friends and Potential Employers – Delegation of Access• Alumni Access to Services after they leave FSU

• Academic• Business Partners i. e. Technology Transfer Partners• Research Partners i. e. Mag Lab, Internet 2, JA-SIG, Weather Service

• Administrative• Potential FSU Employees • Oversight Relationships i.e. Purchasing, Accounting, Travel• Vendor for Business Services i e. Bookstore, Food Services

• Complexity - Invisible to people using Integrated Web Security



Security with an LDAP

A technical word for - Progressive Industry Standard

Technology • Strong Password Encryption Worldwide

• Reliable 7/24 Access to Services

• Selective Access Control with User Roles

• Limit Number of Invalid Login Attempts

• Password Change + Lost Password Processes

• No Password Retrieval

• Position Ourselves to Phase out the SSN and Move to Self-selected Webname for Web Identification


Usability/Drivers• Single Login to Individualized Set of FSU’s Systems• Privacy & Security • Ease of Use, Familiar Look • Personal Choice of Favored Login Method • User Friendly Procedures (e.g. Lost Password, Secure

Q/A) Help Desk Relieve • Personalized Services Environment (Real Name)• Fast and Easy Setup for First Time Users • Scalable to Larger Communities (Roles!)



Rollout

Step One – Business needs – Campus wide. Web enabling legacy systems as foundation for Integrated Web Security was Implemented for Faculty and Staff Fall 2000.

Personalized Web names



Rollout – ContinuedStep Two – Personalized User Account Service and the Integrated Authentication Process

• Conduct training Sessions for Key Business Offices.

• Implement the User Account Service and the Integrated Authentication Process (using LDAP) for Faculty and Staff; while Retaining the Current Menu and Applications.



Rollout – Continued

Step Three – Students get Personalized Web services

• Implement the New User Friendly Menu of Services including the Services for Enrolled Students.

• Add Enrolled Students

Step Four - Implement Common Security and Password for ACNS and AIS Services - using LDAP



Rollout – ContinuedProceed to Integrate Additional Services and Communities:

• Blackboard’s “Teaching and Learning Services”

• FSU’s Web Based E-Mail

• Alumni and Foundation - with our Shared Login

• “Admitted but not Enrolled” Students

• People applying for jobs at FSU

• Student Support Service Toolkits for Staff

• Student’s Delegation of Access - Family & Employers



Enterprise Directory Service Outputs/Results

Integrated Web Security, and the Services Accessed through it, will Position FSU as an Integrated Web Services Leader in Higher Education.

FSU will be Positioned to Continue that Leadership with the Future Implementation of Digital Certificates which will Provide a technique for electronic signatures - an even Higher Level of Security.


Enterprise Directory ServiceCase Study

This concludes my first presentationand now Art!


Georgia State University – Case Study 1 Middleware:

Working with Policy Makers, Data Owners, and

Campus Constituents

Art Vandenberg

Director, Advanced Campus Services

Information Systems & Technology

Georgia State University

[email protected]


Culture, Business Needs& Project Methodology

CIO - top level sponsor of eUniversity

Analogous to eCommerce, higher ed needs:• Directory services (not limited point solutions) for id, authN,

authZ per application

• Seamless interfaces to applications: libraries, email, calendaring, eLearning, room/resource access, etc.

• Reduction of multiple electronic identities

Specific commitment, assignment & charge for Advanced Campus Services - broad coordination


Specific Direction& Action Plans

Feb 2000, ACS charged with: • University-wide directory, metadirectory

• Universal account creation (namespace)

• Universal email solutions

• Interface to other electronic domains (one card, library…)

• Public-private key infrastructure

NOTE: Georgia State’s ERP domain:• Peoplesoft financials, Student SCT begun, WebCT…


Stakeholders

CIO and IT directors• Steering Group, scope doc, charter

Data Stewards for Person Working Group:• registrar, hr, financials, card office, person registry

LDAP Technical Working Group

Application domains• WebCT, student email, Rec Center, one card office

University System - discussion, promotion• CIOs, Vice Chancellor, Technical staff


Pitfalls/Missed Opportunities?

Misjudging readiness• Competing ERP deployments• “Not ready for prime time” PKI

Business needs not obvious• Hard to engage ERP teams focused on their core tasks• “But we can already do that!” (finding a killer app…)• “We’ll do that later, as soon as finished with priorities.”

Lack of trust from data custodians?• Not really, but challenges with“technical” custodians


… Opportunities?…

Re: Bringing in key stakeholders• Deference to ERP teams (hindsight is 20/20… but)• However…aircraft carriers need room (time) to turn

Changes the way we do business• Easier for new applications to embrace change?

– WebCT, student email, Rec Center

• Major event horizon (inevitable…)– First stop is person registry, then HR– Change process, not business

University System - a necessary engagement


Legal Risks with Data

Limit initial issues (but be aware)• If risky, leave data behind ERP wall (cf. bank accounts)

Person registry actually inserts level of protection• Publishing/provisioning can have appropriate limits• Registry remains behind access controls

White pages: “print” directory (Registrar/HR)

Core principles:• Authoritative sources remain ERP systems• Data Stewardship & Access Policy governs all data


Silos and Fortresses?

What about aircraft carriers?• Major ERP implementations already underway• Production and operations culture vs. R&D• Technical debates can be: <invigorating/debilitating>

Tactical versus strategic• Just do it (works well initially)• Iterative process, that keeps focusing on strategy• Remember, we’re part of a state system• Keeping one eye on national initiatives in middleware


Communication Model

Enterprise Directory Infrastructure Steering Group• CIO and IT directors

– Start biweekly, phase toward monthly end year 2– Level setting, resource identification, priorities

University System• Burton Group directory/PKI seminars (1999-2000)• Directory Working Group (3 research, system office)

– Establish vocabulary, concepts, general consensus– Recommendation to ACIT (CIOs & V.Chancellor)– Directory of directories/system-wide id/ERP integration


Communication…

Conferences• University System Rock Eagle, CUMREC

Focus-IT newsletter, campus contacts

System Committee on policy for SSN

Internet2 Middleware working groups• Support group, sanity check, best practices• Consider as “retreat & renewal” for more evangelism

Technical staff (listen, be patient, leverage)

Work it until it’s part of the IT vocabulary


The Sales Pitch…

Focus on application areas• Middleware may be too arcane, except for “initiates”

“Printed Directory” as a metaphor

Provisioning - as it impacts colleges/depts:• Automatic course rolls for WebCT• Universal email(and for admitted students)• New staff hires (get them online “day one”)

Account management - as it impacts technical• User X has what accounts? Who is in application Y?


Hot Buttons – Internal Pressures

Doesn’t everyone use same email? (No!)

President: Why can’t I send email to all faculty?

“I want to choose my own unique ID”

New hire online “day one”

Group email, paperless office, email check advice

Too many ids, too little management

Operational/production missions take priority

Resources: staff, time, money (in that order)


Wormholes…Strategic Goals

Goose & gander (student email policy… staff too)

Aha! (Metamerge & NMI-R1 for dynamic groups)

Just do it! (Forgiveness negotiable)

Involve faculty & students (competitive edge)

Support teaching & learning mission

Integrate with ERP systems (Campus Pipeline…)

3 years… but directory services on VC’s plan!


Carrots & Sticks

We’ll do this app for you if…

vs

We can do this app better if…

Involve from beginning?• Advantage sometimes, sometimes not• Good for us: research faculty & students• Find customer app that sells: WebCT, demographics

The problem you want: middleware advisors!• You’ve really arrived!


Policy and Data


Overview

Technical Implementation of Institutional Policy

Pitfalls

Suggestions


Defining and Maintaining Policy, e.g. Parking Permits

Business Rules Derived from Policy

Implementing Technical Triggers of Policy• Applications enforce business rules and policy definition, e.g. SAA

Middleware glues applications via messaging and transaction services

Institutional Policy


Challenges

Data Owners and Control Issues

Policy Framework out of Sync with Reality• New Culture of Staff/Faculty/Students• New Mobility• Increased Regulatory Environment• Greater Concern over Privacy


Managing Policy Change

Implementing Technical Triggers• Policy Conflicts with Stakeholders, e.g. password

expiration

Directory Management with Middleware• Role Definition – data comes from disparate systems and

can overlap• Need Group Role Management e.g. LDAP

Challenges (cont.)


Data Access • FERPA for Students• Application Level Security• New Concern for Privacy e.g. SB1386• New Definition and Role for Data Owners

Challenges (cont.)


Security Issues• Level of Granularity• Build vs Buy - Software that scales to Enterprise-wide Implementation.

• Non-repudiation • Risk vs Cost e.g. Ph vs Payroll

–Robustness, Redundancy for Business Continuity

Challenges (cont.)


Communication

Understand the policy process well

Have executive management support

Develop a cross-functional campus committee for resolution of conflicts

• Include annual review of process and applications/data use

Suggestions


Applications have to be owned by a stakeholder

Data integrity responsibility owned by appropriate stakeholder

Process for identity reconciliation, e.g. married name vs professional name

Spend time getting educated about middleware

Suggestions (cont.)


Case Studies


Enterprise Directory Service:A Case Study (Continued)

Florida State University

Joseph A. LazorOffice of Technology Integration

[email protected]


Coke or Pepsi Recipe(Lessons Learned)

Understanding “authentication versus authorization.” Ldap is not a security protocol. Solid, Comprehensive communication plan.

Two (2) ldaps – “There can be more than one” – Joseph LazorNetwork ldap – Directory services (e-mail, phone book). (Academic)

Application ldap – directory enabled applications. (Administrative)

Distance Learning Application.

Data sources – multiples db’s.

Costs – mainframe legacy versus client server.

Enterprise – reach consensus on design summary early on, multiple ldaps with different functions/services.

No Bridges/interfaces inherent in design methodology


People – single project manager, dedicated resources, project design.

Policy - Common schema – eduPerson 1.0/1.5, fsueduPerson 1.0

Policy - Common user account generation and naming conventions.

Policy - Common security standards.

Policy - Enterprise - Unique user ID

Policy - Open standards solution – Active Directory, Metadirectory



National Science Foundation Middleware Initiative (NMI) Integration Testbed

Eight (8) Higher Education Institutions working together with SURA, EDUCAUSE, Internet2, and the GRIDS Center to share and solve research and education technology initiatives - integration with middleware.



And so – where are we?NMI

ERP

Enterprise LDAP/Active Directory Integration.

Better design and integration/bridge efforts.

Metadirectory

Portal



This concludes my presentationand now Art!

Joseph A. LazorOffice of Technology [email protected]

Enterprise Directory ServiceCase Study


Georgia State University – Case Study 2 Middleware:

Working with Policy Makers, Data Owners, and Campus Constituents

Art Vandenberg

Director, Advanced Campus Services

Information Systems & Technology

Georgia State University

[email protected]


Technical implementationof institutional policy

Data owners and control issues• Data Stewardship & Access Policy. Very helpful• Consensus: source systems retain authority• There is control and there is control. Do

technical staff “know” functional needs? (Careful)

• Who drives project? (Remember: Organization is the winner… Strive for consensus)

• End users are data owners too!• Person registry has data steward


Implementing…policy

Policy Framework from the 1990s management• FERPA: Based on printed directory (annual,

static), not directory services (online, dynamic)• Was: Name, title, address, phone… Now:

email, uid, URL, pager, cell, mobile, jpeg…• Now: multiple roles overlaid with privacy issues• Now: lifetime CRM – pre- & post-relationship• Publication of employee info – We’re lucky (I

think) being public institution• Know your institutional policy process


Implementing… policy

Implementing triggers of institutional policy• ERP policy in person registry – be specific, be

careful• “Current, active” student? 25,000 vs 61,000• If student elects FERPA suppress, what about

directory entry?• Definition of privileges: application by application• Do not ASSUME agreement on definitions (spell it

out)• Technical staff defer to functional – nothing is simple• Be careful how you change business process (cf.

payroll doesn’t/can’t/shouldn’t initiate identity)


Implementing… policy

Role definitions: faculty, staff, affiliate…• “Hey cool! I’m faculty at the Library!”• More student employees than faculty…• Are student employees covered by FERPA?• When does (can) an employee “start”?• Concept of “provisional hire” (need date triggers)• Hierarchy: “payments out” trumps “fees paid in”• Retirees, survivors & “passed away”• Vendors, affiliates – require sponsor, date limits


Suggestions

Communication is good, and builds buy-in• CIO, IT Directors, data stewards, technical staff, campus• System & peer institutions, Internet2 Middleware

• Aim high,but focus on application specifics• Iterative development. Iterative review• Don’t underestimate group & organizational dynamics

Allow stewardship to work• Identity management is shared• Think metadirectory services (value add, not replace)


Questionsand Wrap-up


Wrap Up

Middleware is:• A strategic infrastructure• 50% technical and 100% political

Don’t reinvent the wheel • Each implementation is different• Big picture process and requirements are the same• There are resources that can help

Assess strengths and weaknesses • Plan accordingly

Communicate and manage relationships• This is key


Enterprise MiddlewareEducational Opportunities

Workshops• Pre-conference Seminars at EDUCAUSE Regional

Meetings

• Campus Architectural Middleware Planning Workshops• Base CAMP (Orientation) – 5-7 February 2003

– CIO and Technical staff

– Getting started topics

• Advanced CAMP– July 2003– Highly technical

– Research topics


On-line Resources Available

Introductory Documents

• Sample Middleware Business Case and corresponding

Writer’s Guide

• Identifiers, Authentication, and Directories: Best Practices

for Higher Education

• Identifier Mapping Template and Campus Examples

• And more….

See resources page of www.nmi-edit.org


http://middleware.internet2.edu

http://www.nsf-middleware.org

http://www.nmi-edit.org

http://www.grids-center.org

Middleware information/discussion listshttp://[email protected]

http://[email protected]

NMI lists (see websites)

Websites and Discussion Lists

Websites and Email Lists


Contacts

Joseph Lazor [email protected]

Lesley [email protected]

Dave [email protected]

Art [email protected]

Ann [email protected]@internet2.edu


www.internet2.edu

5 october 2015 the other side of middleware: working with policy makers, data owners and campus...

Documents

data staff

erp project rare

project manager

needsinstalled technology

way business

way costs

pr risksyour president

long termleaving