I was on a panel with Jennifer Sparrow (Penn State), David Weil (Ithaca College) and the EDUCAUSE staff to discuss the Digital Transformation (Dx as they call it). You can see the slides, read the transcript and (EDUCAUSE members) can watch the webinar at the EDUCAUSE E!Live site:
I presented at EDUCAUSE Annual 2018 on the Future of Higher Education in the US. The presentation talks about four big drivers: Shifting Skills, the Digital Transformation, Income and Employment Challenges in the American family and the Higher Education Financial Crisis. For each of these drivers, I suggest a set of responses. I then paint a picture of a future Higher Education institution that has responded well to these drivers. You can download the Playbook and the Presentation from the EDUCAUSE Site.
The presentation and playbook are downloadable as PDFs below:
My presentation on SOA in the Enterprise – Maturity is Key has been posted in a couple of places.
First, on the EDUCAUSE site is the talk listing:
Slides can be found at Slideshare.net:
I was chatting with a colleague about the new EDUCAUSE slogan, “Uncommon Thinking for the Common Good” when I realized that the saying encapsulates one way to think of my work as an I.T. Architect. “Uncommon Thinking for the Common Good” is what I try to foster in the teams that I work with. I’ll explain this in two parts “Uncommon Thinking” and “for the Common Good”.
I try to break people out of their daily routine and their comfort zone. For instance, I have sat in meetings where a team is supposed to develop a new user interface (UI) for a new application. I’ve watched as a team redraws the UI for the old application, the one they use day-in and day-out, as the solution for the new system. I’ve also seen teams “re-think” how a business process could be done. The end result was an automated version of the current process. The new implementation of the old solution substituted emails for people running around with paper. They are following the same steps, replicating the same authorizations and sending the same forms, often without asking “why this form” or “why this person” or even “is this necessary at all”. My job is to get them to question their old ways of doing things.
People like what they know. They understand what they use daily. But advancement comes when we change and disrupt routines, not when we replicate them into a new technology. You have a telephone book at home with White Pages for people and Yellow Pages for businesses. Changing that into two Word files you can print doesn’t bring great advancement. It might be easier to carry only the pages you need but that doesn’t really improve the process. Search capabilities are a big improvement. Rethinking how you use the information, such as mapping businesses onto maps so you can find restaurants near your hotel, that brings advancement. The routine of grabbing a book and looking something up is thrown out. The new routine is to grab a laptop, look for wireless and Search.
I often introduce myself to new teams saying that my job will make them uncomfortable because I will ask them to throw out what they know and what they are comfortable with. I tell them I will challenge their assumptions. I say this not because their assumptions are wrong but to make sure their assumptions are correct and we accept them for the right reasons.
I love the fact that the Web 2.0 explosion is going on. There are so many examples of “other ways to do things”. I bring these examples and ask, “why can’t we do this instead?” I show them Netvibes and ask, “can we make our pages this flexible?” I show them Etsy’s Find By Color page and ask, “can we make creative ways to search like this?” I show them The Northface catalog and ask, “should we have filters to help people search like these?”
It’s not that I think we should have a UI that looks like any of these sites but I want to break the team’s mindset and get them to start thinking about all of the rich possibilities. I want them to work with a blank canvas and a rich palette of colors. I want them to really get imaginative in their solutions to the problems.
I had a watercolor instructor that I worked with at UC Santa Cruz. We were painting in the woods one day. Everything I produced came out flat, boring and uninteresting. They were awful, actually. I was having a terrible time. He came by, had a look and asked how it was going. I grunted out my disgust. He said, “Give me three paintings, but you can’t use any browns or greens at all. No earth-tones.” I’m sitting in a forest of browns and greens. I was forced to paint purple and blue trees and red ferns. At first it was very uncomfortable and I was very hesitant. The first attempts were also awful. But then, it became fun and playful and the paintings improved. I was forced to let go of “how it is” and instead I had to play with “how it could be”.
That is the uncommon thinking of the Architecture practice. Letting go of the how it is and thinking about how it could be when we start with a blank canvas and rich palette.
For the Common Good:
The other aspect that I deal with on teams is the narrow focus of their solution. Often, the solutions that are put forth solve the very local needs of the group of people sitting around the table. My work is to ask, “how does this fit with the broader issues that the people deal with daily?” “What does this solution do to actually help people?” “What impact will this have on them?” Not all solutions should be broadened and generalized to solve a larger issue but we should consider their larger impact.
Every application must fit into an already rich application environment. No application is truly a silo-application anymore. Someone has to use it. That someone already has a username and password if not several. That someone already has a day that is full of tasks and applications. That someone has things that don’t work so well, things that they are comfortable with and things that they cherish dearly.
The impact assessment of a new solution should consider all of those people that the solution will affect. If the new process changes their lives from reading paper documents to reading email, the users might not consider it an improvement. What if reading the paper documents is what they do on the train in the morning? Then your solution is a step backwards for them. What seemed like a good idea to the team, reduce paper and use electronic delivery, actually had a negative impact on the user and on overall productivity. The user did that work before they got to the office as part of their daily routine.
This is part one of the “For the Common Good” part of my job. The solution that is delivered needs to take into consideration all those that will be impacted and it needs to fit into their lives and, ideally, change their lives for the better.
The second part comes into play during information gathering and sharing about the solution. The new application or solution needs to be described in terms of the business value and the overall positive value of the change. If you are going to add work to busy departmental staff, then it better be for something more than “your system”. It better be for something like improving the enrollment process for students. It better be for some larger good than simply benefitting the group developing the solution. You need to gather the business process improvements that the new solution will provide and then use those improvements to describe why the solution is important.
The final part has to do with scope. Often, issues in one group are problems in another group too. Finding co-sponsors is a way of expanding the positive gain for the new processes or solution. I spend time looking for others who I can bring into the discussion. I look to see if the problem can be solved once for several constituents. The broader solution will require collaboration and compromise but it can bring greater value and reduce the chaos of one-off solutions. If the problem is solved once for many groups, then there is only one solution to maintain and there are many people who can provide input and expertise.
For me, “for the common good” means considering the broad impact, looking for the greatest value and delivering a solution for the largest constituency.
Uncommon Thinking for the Common Good:
Bringing this all together provides one view on what I do as an I.T. Architect. I get people to think broadly about a solution. I get them to use a blank canvas and a rich palette of ideas when thinking of how we should solve a problem. I also get them to think about how that solution fits in the larger environment, who it will help and who it will impact and finally who else should be brought into the discussion so we can deliver a far-reaching solution.
If I do my job well, then we get truly creative and expansive solutions that fit into the organization, improve people’s lives and help the greatest number of users.
Merri Beth Lavagnino – Privacy and Policy
Policy and privacy are really a consideration of the human aspects and impacts of technology. Policies are: strategic direction and operating philosophy (which are usually informal and cultural), and public and institutional policies (these are both documented and usually legal documents).
Institutional policy – a statement that reflects the philosophies and values of the project, service, organization or federation. Policies should be clear and concise, applicable across a wide range of activities and should not change very much.
Why create a policy?
- When reasonable people disagree
- To guide thinking when making decisions
- To correct repeated misbehavior
- When there are significant risks or liabilities
- In response to external forces like regulation or law
Where does the policy apply? Federation, Institution, Service
- Email Outsourcing: vendors proposed that we would do incident response and legal requests for both students and alumni. There was no policy that said they had to be in charge and in control. She took the discussion back to the original goals for the project. (1) Improve and add services for students and (2) reduce their costs. So they did not take on the incident response because that would not reduce the costs. That was the policy that helped inform the decision.
- Course Management System: they changed their course management model. They began to get incident reports because the new service didn’t match the old policies for the previous system.
- Virtualization: They moved to new virtualized systems. The old policies were around knowing that super-hot data is on a specific machine, with a specific system admin. Now, they didn’t know what machine had the data and all sys admins might have access. Had to expand training and the understanding of how they would manage super-hot data.
- InCommon Agreement: Thought that went very well.
“A policy is a temporary creed liable to be changed, but while it holds good it has got to be pursued with apostolic zeal.” Mohandas K. Gandhi
Categories of privacy harms:
- Intrusions: They come into your space and contact you and tell you what to do (spam, cold calls)
- Information Collection: They watch what you are doing more than they should (tracking, interrogation, etc)
- Information Processing: They have a lot of data about you, and they do things with it. (data mining) Need to watch out for secondary use – collect for one reason then use it for another reason.
- Information Dissemination: They disclose data about you, perhaps more than you think they should. (Transferring data, true or false facts)
Fair Information Practice Principles: The FTC drafted these principles and they do enforce them. Higher Ed is not under the FTC’s jurisdiction but users are expecting these principles to be met. If we don’t
- Notice/Awareness: User should be given notice of your information practices, in order to make an informed choice about whether to provide information.
- Choice/Consent: User should be given options as to how any personal information collected from them may be used.
- Access Participation: Users should be given access to the data held about them, and ability to contest that data’s accuracy and completeness.
- Integrity/Security: data should be secure and accurate
- Enforcement/Redress: there should be a mechanism in place to enforce fair information practices and it should include appropriate means of recourse by injured parties. At a minimum, you should right the wrong.
Ken Klingenstein: Federated Identity and Data Protection Law
Good quote from Ken K: “This is an attempt to bring trust to internet via technology not just because it is just us chickens”.
EU Law Directive 95/46/EC: You can process personal data when it is required to perform a contract, required to satisfy a legal duty, or with consent.
Identity Providers must identify which services are necessary for education and research. Must inform the users. May seek users’ informed free consent to release personal data to other services. You have to show why it is important. Should have a data process/data controller agreement with all service providers to whom personally identifiable data is released. Must ensure adequate protection of any data released to services outside the EU. We have to play by the EU rules.
Service Providers must consider whether personally identifiable information is necessary for their service or whether anonymous identifiers are sufficient. You may request personal information from users but you must inform.
There is no normalized definition of what Personal Identifiable Information (PII) is. There are questions about email addresses: if it is a third party email address it might not be but a .edu address might be. So the content might be more important than the field.
IP Addresses – if it is a dynamic address it is not PII. So, unless you know it is a dynamic address, then you have to treat it as PII.
EduPerson Targeted ID – this is going to the EU privacy commission this Fall. It is a 32 bit opaque identifier that is different per site visited.
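A sketch of the per-site opaque identifier idea in the notes above, combined with the point that a service should only receive personal attributes it needs. This is an added example, not code from the talk or from any identity provider product; the HMAC-SHA256 derivation, the secret, the entity IDs, the user records and the release policy are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample data: secret, entity IDs and user records are placeholders.
IDP_SECRET = b"constructed-demo-secret"
USERS = {
    "jdoe": {"mail": "jdoe@example.edu", "displayName": "J. Doe"},
    "asmith": {"mail": "asmith@example.edu", "displayName": "A. Smith"},
}
# Hypothetical release policy: the attributes each service actually needs.
RELEASE_POLICY = {
    "https://library.example.org/sp": [],                  # anonymous ID is enough
    "https://lms.example.com/sp": ["mail", "displayName"],
}


def targeted_id(user_key, sp_entity_id, secret=IDP_SECRET):
    """Opaque ID: stable for one (user, service) pair, different per service."""
    # Length-prefix both fields so distinct pairs never build the same message.
    msg = b"".join(
        len(p).to_bytes(4, "big") + p
        for p in (user_key.encode(), sp_entity_id.encode())
    )
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def release(user_key, sp_entity_id):
    """Attributes sent to one service: the targeted ID plus what policy allows."""
    if sp_entity_id not in RELEASE_POLICY:
        raise PermissionError(f"no release policy for {sp_entity_id}")
    attrs = {"targetedId": targeted_id(user_key, sp_entity_id)}
    for name in RELEASE_POLICY[sp_entity_id]:
        attrs[name] = USERS[user_key][name]
    return attrs


def colluding_overlap(sp_a, sp_b):
    """Identifiers two services would share if they compared their user lists."""
    ids_a = {targeted_id(u, sp_a) for u in USERS}
    ids_b = {targeted_id(u, sp_b) for u in USERS}
    return ids_a & ids_b


if __name__ == "__main__":
    for sp in RELEASE_POLICY:
        print(sp, release("jdoe", sp))
    print("shared identifiers:", colluding_overlap(*RELEASE_POLICY))
```

Because the identifier is keyed with a secret held only by the identity provider, a service cannot recompute another service's value for the same person; releasing `mail` to both services would undo that, which is why the release policy matters as much as the identifier.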
OASIS Cross-Enterprise Security and Privacy Authorization (XSPA) – just formed group. A mechanism to allow consent agreements flow with data. The first and dominant Use Case is health care. Looking for other Use Cases. Does this make consent a new service in our loosely coupled service? Do services need to be consent aware?
Report Out from Discussion Sessions:
Data Modeling Group:
Modeling person and organization data. Modeling of organization data is remarkably difficult not just in the nature of the data but also in the resistance that you get from organizations to being characterized. Multiple organization charts – financial, HR and reporting structure. The characterizations can be political. Are there pressures that will lead to the marginalization of the old way of doing things? Organizations that don’t want to be characterized may not get services.
What would a service description look like: what is it called, cost, how to call it, operational context (where is it physically located). Discussion about how you describe the service, how do you recognize similar services in distributed locations. Talked about how the grid is doing this with their RNA.
What is happening today: people using Google to search for services and looking for a WSDL.
How do you get consent? What about promises and claims? What about a directory of all the services? What about a directory of directories? You could have a convention for naming the directory so you could at least find the directories.
DNS works for finding things.
Domain Governance – governance revolves around an application or a data element, or attribute (student ID). These models will have to evolve to domain governance: enrollment, IdM etc.
Who owns the data especially as the data is transformed and sent along the ESB? Services are requesting the data that can then be used by other services.
SLAs – keeping track of who can use the service.
The need for a directory of services especially in emergency notification. There is also a need to know who is consuming services so you can notify on changes.
What is being done now on campuses? It is evolving on campuses. Identity and Access Management is a domain that is being governed as a domain at Penn State.
Saint Louis University has good examples of domains in higher education that need to be governed as a domain.
Rob Carter: Tracking and Authenticating IP in Cyberspace
We had all of our resources stored inside the walls of the institution. We now see with cloud computing and Web 2.0 applications, our intellectual property out in the cloud. How do we track the reuse of them? How do we contextualize the content?
How do we know that it is really an artifact of mine and not someone spoofing my creations?
Could solve this with digital signatures. What if we could add metadata before it goes out into the cloud. Get a signature of the object and attach the signature to the object or store it elsewhere.
How does this align with Creative Commons licensing efforts? You can search and crawl for CC licensed objects that you use.
Loretta Auvil: Music Analysis.
Dynamic analysis of a Tom Lehrer file. Very entertaining.
Scotty Logan: IAM Services and Well Behaved Apps
If every app does its own thing, there is no real management.
Trust the container: Identity – you can get a user name from Tomcat et al, Authentication, Authorization
Have the container provide the groups and privileges as a URI
OAuth.net – a specification developed by a group to solve the “I want my Flickr protected photos on Facebook but I don’t want to give you my Flickr username and password”.
I have been talking with peers, pushing ideas around and working with various groups for a while and it seems that the work is finally paying off. ITANA.ORG (http://www.itana.org) is a peer group for I.T. Architects in Academia. We will share ideas, tricks and tools; work on common deliverables and working group projects; spread the word about what I.T. Architects do and help new Architects get their feet. At least, that is my vision for the group.
Head over to ITANA.ORG and sign up for the email notices, pick up the RSS and request an account. Have an idea for a post? Send me an email.
Thanks for everyone’s help, support and enthusiasm.
This is a 90 minute presentation on Service Oriented Architecture that I gave at the EDUCAUSE Seminars on Academic Computing in Snowmass Village, Colorado. This talk was given on August 9, 2006.
The link below is to the PDF version of the talk.
Policy and Process Discussion
Ken K opens with a very funny cat herding video
Richard – Penn State
2004 Strategic Initiative was developed along with a plan. Purchased the Fujitsu workflow engine on Linux on a Mainframe. Moving 75 Mainframe forms.
2 academic and 1 financial process will be done first.
Will establish a Workflow Governance body. Want to leverage existing policies. Standardize and streamline central approvals. There will be a “Role Steward” who will assign roles, handle DELEGATES (permanent) and PROXIES (temporary).
The Web Role Assigning Tool (WebRAT) is a tool for creating the roles. The Web Stewards put people into the roles.
At MIT how many roles are there for Financials? About 50
Stanford did a business process re-engineering got number of roles down to 85
Barry Walsh – were able to boil down the number of roles since most were hierarchical. The roles don’t change very much. The people change but the actual roles don’t change. IU had the stake-holders take responsibility for defining the key roles and mapping people in offices to those roles.
The flow is different for each department. One department may have subflows that are outside of the official process. There will be one Fiscal Officer Approval role for each department. They allow the department to map their own processes into the system but they don’t care at all about what they do inside of the department.
Make the roles names meaningful in the workflow world: PurchaseOrderApprover, TimeCardApprover, etc.
There is a teeter-totter issue around automatically mapping people into roles. Quite often people cannot be mapped into workflow roles because the titles in HR don’t align with business functions. So people have to be manually mapped into a role. But, when a person leaves, they may abandon a queue in a workflow unless they delegate their functions before they leave. Need to store the mapping of the people by the PVI and then check that the person who is identified by their PVI is still present.
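The check described above, storing role mappings by PVI and confirming the person is still present, can be run as a periodic audit. The following is an added example, not Penn State's or any workflow product's code; the record layout, the PVI values, the departments and the work items are constructed, and falling back to the first present delegate is an assumption about how rerouting would work.

```python
from dataclasses import dataclass, field


@dataclass
class RoleAssignment:
    role: str
    department: str
    holder_pvi: str                                 # manually mapped person
    delegates: list = field(default_factory=list)   # permanent stand-ins, by PVI


# Constructed sample data: PVIs, departments and work items are made up.
ACTIVE_PVIS = {"pvi-1001", "pvi-1002", "pvi-1004"}  # people the identity system still knows
ASSIGNMENTS = [
    RoleAssignment("PurchaseOrderApprover", "Physics", "pvi-1001"),
    RoleAssignment("TimeCardApprover", "Physics", "pvi-1003", ["pvi-1002"]),
    RoleAssignment("PurchaseOrderApprover", "History", "pvi-1005", ["pvi-1006"]),
]
PENDING = {
    ("TimeCardApprover", "Physics"): ["TC-211", "TC-212"],
    ("PurchaseOrderApprover", "History"): ["PO-87"],
}


def resolve_approver(assignment, active):
    """Holder if still present, else the first delegate still present, else None."""
    if assignment.holder_pvi in active:
        return assignment.holder_pvi
    return next((d for d in assignment.delegates if d in active), None)


def audit(assignments, active, pending):
    """Report every role whose holder has left and what happens to its queue."""
    findings = []
    for a in assignments:
        if a.holder_pvi in active:
            continue  # holder still present, nothing to report
        target = resolve_approver(a, active)
        findings.append({
            "role": a.role,
            "department": a.department,
            "departed": a.holder_pvi,
            "status": "rerouted" if target else "abandoned",
            "route_to": target,
            "stuck_items": pending.get((a.role, a.department), []),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS, ACTIVE_PVIS, PENDING):
        print(finding)
```

An "abandoned" finding is the case the notes warn about: the holder and every delegate are gone, so the items in that queue need a Role Steward to reassign the role by hand.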
I suggest: Are there a suite of standard processes that we all have to go through because they are mandated by law or other agency that we could jointly develop and share? These would be the back-bone business processes and the departments may do some other stuff. We would document these in a high level language like UML or BPEL and share them. This might act as a jump-start for workflow initiatives. You could take the bundle and say, “these are the basic steps that we must implement…” in discussion with campus.
Ken K, “Jim has a dream…”
Barry Walsh – from the financial side, all institutions are following a suite of standards in one or two ways. He seconds my suggestion.
Federated and Inter-institutional Workflow
Paul Hill – Vendor Purchasing Process
MIT has a list of approved vendors. Purchasers can buy directly from the vendors without going through a purchase request process. They have a B2B workflow that allows people to log in to the vendor system via X509 Digital Certificates. They fill out their shopping cart. The line item detail flows back to an SAP system workflow which finishes the order process.
Grants.gov web site now has a WebService interface http://www.grants.gov/WebServices. You can download all of the source code and build your own little Grants.gov to debug against.
Scott Thorne – OKI and OSIDS
Scott discusses service abstraction through OSIDS.
The Unified Field Theory of Workflow
Final Session. Steve O is taking notes on the EDUCAUSE Wiki.
Bob Morgan – Identity and Privilege management seem closely tied or aligned. How to align the Internet2 efforts with Workflow? How does workflow align with Enterprise Service Bus, Message Oriented Middleware and SOA overall?
Paul Hill – are we ready to start on an authorization roadmap?
Steve – an interesting contrast: Workflow likes to have small decomposable services that do their thing then go away, whereas our authentication/authorization systems usually support long big transactions (you log in all day).
Steve (Mellon) – standards are essential. His nightmare – that any meaningful semantic web will require 400 extensions in Firefox. His other nightmare is that there will be a proliferation of Workflow schemes. Not sure that BPEL and WS-* are a solution yet. There is another issue which is that Microsoft’s first product to contain their new workflow product is MS Office which was launched today. Which will win, the top-down version of workflow or the bottom-up version? He is looking for a compelling set of USE CASES for workflow. He would like to see the most horrendous set of USE CASES in the workflow space.
He would like to see a cross-communication on workflow between education and financial, etc.
Ken K – tie the use cases to Jim’s flow paradigms and match to Levels Of Assurance needed for that flow paradigm.
RDF and Semantic Web as a way to bridge workflow engines – premature but should be watched. Also, keep in mind internationalization – UNICODE, legislative complexities. This might come up from the grid computing side of things.
I have posted separately here: Educause CAMP Enterprise Workflow Case Study
You can also find it on my EDUCAUSE Profile Page
Manish Devjani – NYU
NYU is using Oracle Workflow as a stand-alone system. They have several automated workflows in place: Budget Integration Application (Modification, Submission, Capital Projects, Grants), Personnel Action Submission System, Tuition Remission App, Webcard App (fund raising), Administrative Tools (Change Management System ModTrak, Project Management ProjTrak, ITS Services Tracking ServTrak)
The Workflow engine is embedded in the NYU portal. Authentication goes against the NYU LDAP Services.
The workflow system generates a lot of data: email notifications, logs. Issues around when do you purge, what must you archive, what are the retention policies/requirements?
Joe Sharp – Microsoft’s Workflow Strategy
Windows Workflow Foundation – reduction of all of the various workflow efforts within Microsoft (six different engines) to one. The workflow engine was designed to be embedded inside of other solutions. The Workflow engine compiles workflows as .Net assemblies.
BizTalk Server – “premium BPM server”. Use in B2B, EAI, BPM scenarios. BizTalk Server is comprised of: (bottom up) Adapters, Transformation, Messaging, Orchestration, Accelerators. Side Bars: Design Tools (down left side), BAM and Admin Tools (down right side).
“UML is lacking in the class diagram capabilities”. “Microsoft held the OMG at an arm’s length”.
WinFX: Windows Workflow Foundation,
Workflow will replace Orchestration in the BizTalk server.