Orange Team E Business Forum

Key Issues – Web Services Seductive and empowering, but how real? Are we in the early ‘hype cycle’ on this? Real opportunity to integrate and collaborate across diverse platforms It’s about standards, not about infinite choices

Key Issues – Web Services Next step in the evolution of services Portal is about service provision – but you need to integrate static pages too Use portal as the integration platform This gives us the ability of systems that students like to use Think of this as the “next small step” … makes XML useable Creates a new competitive market for components

Key Issues - Web Services Collaboration will be enabled and required The potential for inter-enterprise interactions  Federal and state government  Commercial relations Can we adopt common definitions? Need a Web Services management strategy

Web Services – Barriers Lack of clarity Lack of clarity about concept Lack of clarity about who will develop what What will it cost? How will higher education collaborate to make it happen? Need to have proof of concept, models that work, etc.

Web Services – Barriers Business processes/business rules Need to deal with data definitions Liability issues (who shares liability in this environment?) Risk management Incentives Governance Quality assurance of components

Web Services – Barriers New skill sets and attitudes needed Need new IT skills on campus In higher education, “we just like to do it ourselves” (no trust in others) Won’t this lead us to a renewed period of idiosyncratic applications? Organizational change – how do you imbed this new capability? This will require a lot of change management We don’t really know how to re-use components across enterprises

Web Services – Things to Do Get some learning from companies that are already making use of Web Services (KPMG Consulting) Look at data definitions Conduct tests across institutions (e.g., IU, UCSD)  3 Phases (intra-campus, inter-campus, external agency) We are not coders, we are integrators … an editorial piece in EDUCAUSE Review? Could EDUCAUSE/NACUBO deliver some Web services? Underwriters Lab?

Web Services - Things to Do Make the work public; web services and the relationship with CFOs and CIOs Demonstration pilot with TIAA-CREF Expand web services beyond students; consider alumni and other segments Rebundle the event with WACUBO or rework the details of this conference or define a Web Services meeting Emphasize that this is about money and having more sustainable models not about technology Generate some scenarios to make this more “real” Define some modules and ask vendors to develop

Web Services – Things to Do Piece about the value proposition (from NACUBO) Bring in corporate developers to have joint discussions Continue to involve corporations in proof of concepts and discussions Put web services in the context of a real problem that needs to be solved (similar to mortgage example) KPGM will work with Catholic University on an example

Summary Web services are  Seductive but fuzzy  The next evolutionary step Business processes and business rules will be critical Because of lack of clarity we need to “launch and learn” Web services will require significant change management

Key Issues – Security Identifying the risks Central point of responsibility Reliance on passwords is not scaleable Focus on vulnerabilities How offsite is offsite Securing remote access at the same level as on campus access Our culture carries risks Higher education is the weak link Openness vs. security Risks out there vs. problems from within

Key Issues – Security Need to know the value of what we’re protecting Unaware of the value of our assets … therefore hard to assess the risks Development of risk assessment framework “Acceptable” levels of risk in a zero sum game – is there a threshold? Incorporation of IT risk into overall campus risk framework Policies Explicit permissions or explicit prohibitions? What is the inherent transitive trust model

Security – Our Strengths Cultural strengths Inherently honest cultures Tradition (FERPA, etc) of protecting privacy and confidentiality Open disclosure of security breaches Able to deal with heterogeneity Resistant to fads Security by obscurity

Security – Our Strengths Institutional capabilities Very good staff Strong detection and response capabilities Technical diversity Suggestion Renewal of vows – UCSD security education strategy

Security – Our Weaknesses Awareness Students have not been educated about the problem Faculty Clear rules and repercussions Policy enforcement is difficult No public executions We make things too complicated Reactive not proactive Need for consensus IT becoming unclear about how to protect the institution’s systems and information assets Security is not a part of new systems evaluation process

Security – Our Weaknesses Decentralization Organizational decentralization is critical, but makes security difficult No central control of servers Value of what we are protecting Audit/adverse events define the policy environment (unfunded mandates!) Resources Resources – there are more of them

Security – Possible Solutions Reveal the value Asset management As our services and information become portalized … their economic value can be revealed Update and review policies Bring people together – clarify how to manage systems Need for policies for maintenance of data Reconsider the risks of decentralization What should be centralized, what not? Do we need 500 servers on campus?

Security – Corporate Observations This was a ’10 year ago’ discussion Need to look at the cost of doing nothing HE does not always have the skill sets Huge risk: Cannot put a price put on credibility

Summary Insufficient awareness and communication Value of what is being protected needs to be made explicit (e.g., asset management strategy) Enterprise-wide strategy is appropriate