3/5/2013 – A recent security incident at Evernote allowed attackers... Read More
Today’s IT environment is changing more rapidly than at any time before. In fact many of the technologies that we now take for granted were not in existence even 5 years ago. Consider the iPad and the wireless device
onslaught of these years since we installed wireless across campus. We built a high capacity infrastructure that is now crippled by BYOD. Everyone has more than one wireless device and they are all “on” at the same time. We have over 100,000 devices that connect to our network and that is rather troublesome. It affects not only our performance but is a significant security risk. This brings me to a point for consideration because not only has our IT infrastructure become more taxed but our security responsibilities have become much broader.
In order to address the security concerns OIT, last fall, hired Paco Diaz who came to us with an extensive IT auditing background. We immediately began the process of evaluation of our IT security risks through a process of Risk Management and Assessment. This represents a strategy to detect and prevent, or at least minimize the effects of serious risks associated with the management of information assets, proprietary information and intellectual property. The process is rather detailed and involves assessing and evaluating risks, implementing risk mitigation based upon severity, and measuring the results of the mitigation. It is a process that becomes an on-going part of the development of a critical security tool within our organization.
It is important for all of us to understand the value of this risk assessment. Failure of any institution to perform a thorough and honest risk assessment or to act appropriately on the findings of an assessment represents a breach of responsibility for the executive leadership of OIT as well as UA. One of the most critical elements of an assessment such as this is that it does not represent a direct cost but rather an indirect one; i.e. at least for UA. We have heavily invested in security and networking jointly as well as in our data centers. As an indirect cost it will weigh heavily on you, the staff of OIT. Documentation of processes, the development of policies and
procedures, and the implementation of these means a change in the culture and an added mandate from the Executive Team.
We have completed a first phase draft of the Risk Assessment tool and populated it with 302 risk scenarios that map into NIST (the National Institute of Standards) and CCA (Consortium for Cyber Security Action) critical control elements. These are the control elements defined by NSA, CIA, FBI, and SANS. We have also identified contributing and mitigating risk factors and the estimated mitigation efforts for the scenarios.
An estimate of residual risk is used to indicate how effective the mitigation is expected to be. The distribution of risks is indicated below and is based on the Risk Management process.
Notice that the security, compliance, and operational risks are predominate and that many of these relate to the need for the establishment of enforceable policies and procedures.
Our assessment will be presented to the Property and Causalities Committee of The Board of Trustees for the February meeting. It is an exciting and demanding time and I know we are willing to be at the forefront on IT Security!
A Time of Transition
Dear OIT Team Members,
It has been several months since I have communicated to all of you regarding the organization, its initiatives, and the strategic direction(s) that will influence our future. All of us have been quite aware of the fact that two major objectives have dominated our efforts; the first related to the improvement of the organization and the strengthening of our skill sets, and the second to the strengthening of the cyber infrastructure, whether it be regarding the Banner upgrades, eLearning migration to a hosted environment, or network build-out and security. So we have focused and indeed focused very well.
Witness what has just been accomplished. The Disaster Recovery initiative was one whopping success! We are one of few universities in the country that has the capability of completely failing over to another site with the high availability and redundancy components in place and fully tested and documented. That became a concerted effort from all of you!
However, as we move forward we face new challenges brought about by the changing dynamics of the senior leadership of the University. We have a new President, and at this time are awaiting the appointment of two key executives. The Provost and the Vice President for Research are critical positions that will affect the direction of technology for the campus and most certainly alter our strategy in the future.
The Provost will significantly influence the academic component of The University. It will most certainly become more dependent on technology for eLearning and on-line capabilities. Student, faculty and staff expectations of what technology should provide to them will only increase and a new Provost will approach what this academic experience should look like. I would expect that multimedia utilization would be significantly enhanced as students transition away from the traditional classrooms to those that are “flipped” or driven by on-line content provisioning. In addition, in order to address the subject of academic continuity, as we have business continuity, courses must have content on-line. It opens up a new world for course delivery!
The Chancellor and the Board have stated that research will be a major priority for this University as it moves forward. The VP for Research is an essential position that must be filled by someone that has significant experience as a researcher and as an administrator, and has the contacts
with the granting agencies. Technology and the use of advanced cyber infrastructure such as HPC and Internet 2 are critical infrastructural tools for the collaborative research that must accompany these efforts as we progress toward becoming a major research University. That means that the infrastructure that we have built out for the University will be efficiently used and demand will push us to provide more capacity.
So hold on…. The ride is about to commence! Change is the norm!
A Bottom-Up Approach to Weathering the Worst
The events of April, 27th, 2011 left an indelible mark on most of us. While the city of Tuscaloosa suffered terribly along with so many individuals, families, and businesses, the UA campus stood stunned but generally unharmed. Such a near-miss was a heavy line underscore to the importance and urgency of work already well underway in OIT at the time. That work is generally referred to as Continuity of Operations or Disaster Recovery planning and preparation.
For OIT, Continuity of Operations refers to our ability to keep as much of the technology as close to full operational status as possible in the face of whatever events may occur. Disaster Recovery (DR) refers to returning to full and normal operational status for those systems as soon as possible after a disaster event occurs. These two concepts are different but very closely related. We have been considering them both over the last two years and have made significant progress in addressing them in meaningful ways. To be brief, we often refer to the whole effort as DR.
Thinking the Worst
We started thinking about what should be done to be better prepared by considering the kinds of scenarios we might encounter, identifying the most likely disaster scenarios and their relative impact on IT systems and services. While there are many scenarios that could damage a part of the campus network, those that would have the biggest impact would be events that involved the primary data center. That facility houses the servers, storage, and primary network equipment that are essential to delivering IT and telecommunications services and applications across the whole campus. While our general network projects are continuing to improve network resiliency across the campus through redundant connections, there has not been a general redundancy model for data center itself, making it the highest risk for disaster impact.
What Matters Most
We began planning by surveying the services and applications that OIT provides and supports. Our approach has been to do this in a bottom-up fashion, looking at the most basic services first, those on which all other services and applications depend. Starting at the foundation, a host of specialized equipment supports various services required for the network to operate. We have included all of these foundational services as well as primary communications and messaging services (Internet, email, and VPN) in the first phase of our Continuity of Operations project.
We have also identified mission critical applications and determined the physical equipment (servers, storage, etc.) that would be needed to support them. This equipment has also been included in our initial phase of preparedness work.
A Home Away From Home
The right solution to mitigating the kind of risks we have identified is to create an alternative base of IT operations somewhere outside the greater Tuscaloosa area – a DR site. We wanted it to be far enough away to reduce the likelihood of the same event affecting both Tuscaloosa and the DR site but close enough that personnel could get to the site within a few hours if necessary. Since our primary and backup Internet connection circuits currently run through a secured, environmentally hardened, DR colocation facility in Atlanta, it was most practical and economical to select that facility for our DR site.
Recently, we completed the implementation of the foundation equipment at the Atlanta DR site. This includes three fully loaded equipment racks containing routers, switches, firewalls, load balancers, spam filters, servers, and storage. The equipment has been selected and configured to support the full range of foundation services and to ultimately host mission critical applications capable of being hosted off-site.
Making it Work
Having the equipment in place is one thing. Ensuring that it will actually work and provide the intended protections is an entirely different matter. We are beginning now to set up and document the intricate network routing configurations required to enable a fail-over process of network and security functions. Some of the services run in real-time redundant mode. Others will require the execution of an automated or semi-automated procedure to transition them in an event. We will be developing testing protocols for each layer of services.
Once the network transition is assured, we will begin deploying instances of the applications to the DR site and devising the procedures for operational fail-over and fail-back for them. This work is expected to continue throughout 2012.
In the meantime, we are realizing benefits from the having the DR site in place. It is already serving as the off-site backup location for our primary storage backup processes replacing a much less efficient tape backup model. Our email services are also now protected by redundant services in the DR site providing improved operational reliability for that platform. Later we plan to use the equipment at the DR site for application development and testing and possibly as a reporting platform to ease the load on local systems.
From generation to generation, parents feel compelled to tell the rising youth personal reflections from their old school days. These struggles, whether embellished or endured, often involve comments like, “Back in my day we walked 30 miles through snow, to and from school, with 50 pounds of homework on our backs.”
Today’s generation of students will probably have a hard time convincing anyone they ever had to carry 50 pounds of homework, thanks to technological solutions such as e-Readers, which provide a lightweight solution to a “heavy” problem, or online lectures, which afford the opportunity for students to never set foot outside of his/her dorm room (relatively speaking, of course).
Technology has evolved in indescribable capacities year after year. Students are now able to harness the power of laptops, netbooks, recorded lectures, virtual classrooms and much more. Here’s a sneak peak at top, useful technologies for which students everywhere should be thankful (and it may give you some gift ideas for the holidays).
Laptops, Netbooks and e-Readers:
e-Readers, such as the Amazon Kindle, offer customized textbook rental periods, alleviates clutter created from piles of old, unused books and has a lightweight body for hours of comfortable reading and studying. Laptops and netbooks both allow students to take notes while simultaneously surfing the web to find real-time answers/information for vivid classroom discussions, group meetings and more. These luxuries combined provide students with more efficient ways of organization and overall relief for their academic lives day-to-day.
Tegrity is a class capturing system that instructors can use to record lectures for their students. Instructors are also able to capture the contents of their computer screens during lectures. Students can create their own Tegrity recordings, bookmark various content in a recorded lecture, and communicate with each other from inside a Tegrity course while watching recorded lectures.
DegreeWorks is a Web-based tool for students to monitor their academic progress toward degree completion. DegreeWorks allows students and their advisors to plan future academic coursework.
- Provides real-time counsel for degree-seeking students
- Potentially speeds time to graduation and/or streamlines the process
- Gives intuitive web access to self-service capabilities
- Allows direct access to multiple related services and advice through hyperlinks to catalog information, class schedules, transcripts, help desk services, & FAQs
The list definitely doesn’t stop here! What are some of your favorite technologies for which you’re most excited about using? Tweet us at www.twitter.com/OITatUA or post on our wall at http://www.facebook.com/ITatUA.
Dr. John P. McGowan
Vice Provost and Chief Information Officer
Clothes, supplies, textbooks…you name it. The list could go on forever. Preparing for heading back to school can jump from fun and exciting to overbearing and stressful in seconds.
Luckily, students getting back in the swing of things with classes will be able to enjoy useful technology resources and alleviate some of the stress. Here’s a peek at some of the things available to you:
The Residence Hall network (ResNet) provides student residents with a high-speed connection to the University’s network and the Internet within UA residence halls. It’s available to all students living on campus.
To configure your connection, make sure your laptop is off and use an Ethernet cord to connect it to the ResNet jack (likely orange) in your room. Turn on your laptop and run your Internet connection or setup or wizard—ResNet is a Local Area Network (LAN) with IP addresses assigned automatically. You will be prompted to register your computer the first time you attempt to access the ResNet network. Use the network connection tool provided by the manufacturer of your computer or wireless card to connect to the open UA ResNet Wireless network. For more detailed instructions visit http://oit.ua.edu/oit/services/it-service-desk/resnet/.
Sidenote: Be sure to stay away from using your own wireless router on ResNet. This will degrade everyone’s wireless service.
IT Service Desk
The IT Service desk offers a variety of resources for students. The best part is customer service agents are staffed 24/7 to provide technical assistance! Services and assistance include, but are not limited to the following services:
- myBama access
- Bama, Crimson, and departmental e-mail accounts
- Mobile device configuration (Android OS, iPhone, etc.)
- Computer repair/maintenance/virus removal
- And more…
If you’re having computer issues, never hesitate to reach out to our Service Desk representatives and see what support they can provide. After all, that’s why we’re here. Click here for an inside look.
Free Antivirus Software
Cyber security is an integral focus of our office. We want to ensure that you’re always winning the fight against hackers. The University maintains a site license for antivirus software for Windows and Macintosh workstations and servers. The license covers all University-owned computers as well as computers owned by University faculty, staff, and students—free of cost. Click here for system requirements and further details.
In conclusion, relax! Take a breather. Heading back to school isn’t as stressful as you think—especially when OIT is working around the clock to meet your technology needs. Good luck with classes and here’s to a great semester! For a list of technology resources, visit oit.ua.edu.
Dr. John P. McGowan
Vice Provost and Chief Information Officer