Forum Replies Created
April 1, 2016 at 2:51 pm, in reply to: Identity Management – Central Authentication Service (CAS) #684
bpietrewicz (Keymaster):
The answers to these questions are complicated but I will attempt to simplify:
Q: CAS is definitely an Authorization service. I’m not sure it qualifies as an Identity Management service.
A: Agreed. CAS is actually not authorization. It is authentication. CAS is listed as IDM because it is one of the tools that can be used to integrate systems so they are able to use NetID. If you have an application that you would like to authenticate using NetID, CAS is one of the tools available to do that.
Q: Given the increased adoption of AD, what is the long term plan for CAS? Is there a convergence between the two services planned? If CAS is to continue, is there a documented way that we can address the secondary authorization question for sites and services using CAS using group membership?
A: CAS is a pass-through mechanism for authenticating NetIDs. Currently it points at LDAP, but it can be pointed at AD as well. AD and LDAP are synchronized, so either will handle authentication for NetIDs. CAS only does authentication. It does not do authorization. Therefore it does not take advantage of groups. If you have an application that needs external authorization (groups), it would need to be integrated with AD or LDAP.
Q: Where does LDAP fit into the service boundaries of CAS and AD?
A: CAS is tied to the NetID SLA in terms of boundaries in that it authenticates NetIDs.
I realize the answers to these questions are confusing/complicated. If you have additional questions regarding how to authenticate or authorize an application or system using NetID, please put in a service request and we will walk you through the options.
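The split the reply above draws, that CAS answers only "who is this?" while group membership must come from AD or LDAP, is easy to get wrong in application code. The following is an added example, not code from the thread or from UNM IT: it parses a CAS 2.0 /serviceValidate response (the real protocol layout, namespace http://www.yale.edu/tp/cas) to obtain the NetID, then makes the authorization decision against a separate directory lookup. The NetIDs, ticket strings and group memberships are constructed for illustration, and the in-memory dict stands in for an LDAP/AD query.

```python
"""Separate CAS authentication from directory-based authorization.

Added example, not code from the original thread or from UNM IT.
The CAS 2.0 serviceValidate XML layout (namespace http://www.yale.edu/tp/cas)
is the real protocol; the ticket values, NetIDs and group memberships below
are constructed, and DIRECTORY_GROUPS stands in for an LDAP/AD lookup.
"""
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def parse_cas_validation(xml_text):
    """Return the NetID asserted by a CAS 2.0 serviceValidate response,
    or None if CAS rejected the service ticket.

    This is all CAS tells the application: who the user is. The response
    carries no group or role information, so nothing here can be used
    for an authorization decision."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None
    user = success.find("cas:user", CAS_NS)
    if user is None or not user.text:
        return None
    return user.text.strip()


# Constructed stand-in for an AD/LDAP group lookup (hypothetical data).
DIRECTORY_GROUPS = {
    "jdoe": {"dept-it-staff", "lobocloud-admins"},
    "asmith": {"dept-it-staff"},
}


def is_member(netid, group, directory=DIRECTORY_GROUPS):
    """Authorization decision: does the directory place netid in group?
    Unauthenticated requests (netid is None) and unknown NetIDs are denied."""
    if netid is None:
        return False
    return group in directory.get(netid, set())


def admit(xml_text, required_group):
    """Authenticate from the CAS response, then authorize from the directory.
    Returns (netid, allowed); netid is None when the ticket was rejected."""
    netid = parse_cas_validation(xml_text)
    return netid, is_member(netid, required_group)


# Constructed CAS responses (NetIDs and ticket ID are made up).
SUCCESS_JDOE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SUCCESS_ASMITH = SUCCESS_JDOE.replace("jdoe", "asmith")

FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket 'ST-0000-example' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    for label, resp in [("jdoe", SUCCESS_JDOE), ("asmith", SUCCESS_ASMITH),
                        ("bad ticket", FAILURE)]:
        print(label, admit(resp, "lobocloud-admins"))
```

In a real deployment the response comes from the CAS server over TLS after the application presents the service ticket, and the group check is an LDAP or AD query for the NetID returned; parse server responses with defusedxml rather than the standard library parser if the XML source is not fully trusted. The point the code makes is the one the reply makes: a successful CAS validation alone must never be treated as permission to do anything beyond knowing the user's identity.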
bpietrewicz (Keymaster):
Q: If I am a new customer, do I need an SLA specifically for my needs? Does this mean departments that are not already on IT AD and want to use this service will need an SLA?
A: This SLA applies to all departments that are already in AD and will apply to new departments that will be joining AD.
Q: There is no AD category in UNM.Help. How do I get to the support items for CAS and AD using Help.UNM?
A: There is a category for AD in help.UNM called ‘Active Directory OU Administration request’.
Q: It would be helpful to provide a URL that has the AD OU admin best practices, standards and guidelines that the OU administrators can reference.
A: OU Admin documents are stored in the WES SharePoint site. Once OU Admins complete the training, they get access to that site. You do not need to be a customer to take the OU admin training.
Q: Will the OU Admin training have a set monthly schedule? If so, it would be helpful to add a URL to this SLA so OU Admins can sign up for the training.
A: Currently we provide OU Admin training to new departments that are joining AD. Existing OU Admins can also request training through help.UNM. As of today, we don’t have a set monthly schedule; however, if in the future we decide to have a set schedule, we will post it in the Active Directory service catalog.
Q: It would be helpful to provide references to other SLAs and Standards for IT issues which are not covered by this SLA but which are related to Active Directory. For example, server hosting, print/file management, LoboCloud, Workstations management.
A: All SLAs are being posted for comment. All IT services will be in the IT service catalog. There is discussion about posting a link to SLAs in the associated service catalog entry. I will discuss this with our agreement committee.
Q: What do you mean by resale? Can you please define resale of service?
A: If any IT services are being used to generate revenue, directly or indirectly, it must be disclosed. Ex: If a department charges to host or manage an application and the application is hosted in LoboCloud, this must be disclosed.
bpietrewicz (Keymaster):
Q: Section 2.1.1 End-User Requirements to Use the Service – Third bullet point
“OU Administrators will adhere to the standards, policies and guidelines included in the OU Admin training such as the naming convention and use of privileged accounts;”
I would like to read what these standards, policies and guidelines are exactly.
A: See the attached PowerPoint. This will answer your questions at a high level. For more detailed answers you would need to attend OU admin training.
Q: Section 2.1.2 Boundaries of Service Features and Functions – Third bullet point
“UNM IT reserves the right to apply security policy settings through domain GPO with reasonable notification;”
What is the definition of “reasonable”, and reasonable by whose standard, UNM IT or the department that may be adversely affected? How much time would we have for researching a proposed change and testing?
A: Changes to domain- or forest-wide GPOs would go through our change management process, and the change would be communicated through a number of channels including IT alerts and the OU admin listserv. If we anticipate that a change could impact customers, we would solicit feedback from the OU admins. The amount of time we give depends on the reason for the change. If a GPO is being implemented to resolve a severe, time-sensitive issue, the implementation would need to happen faster than a GPO meant to address a UNM policy change. Changes to domain- or forest-wide GPOs are extremely rare and are handled on a case-by-case basis. To date there is only one domain-wide GPO, and it is the password policy.
Q: Where can we go to review the current security policy settings?
A: OUs are currently delivered with two policies: 1. the WSUS patch management policy, which is adjustable to fit your needs, and 2. the local admin policy, which gives the OU admins local admin rights to all systems in their OU. Additional policies can be configured. It is the customer’s responsibility to configure additional policies for their department.
Q: Bullet point 6
“User management such as creation of new accounts, and password management is done through NetID service and not directly performed in AD.”
We create user accounts several times per year as a matter of course, and we use provisioning tools to both create the account and its associated mailbox. Would we be able to continue this practice if we were being hosted on this system?
We also create accounts for adjuncts and students that are not enrolled at UNM as regular employees and/or students; would we still be allowed to do this?
A: You can continue the processes listed above using the NetID service. Email boxes are automatically provisioned through the NetID service. The NetID service allows for all of the scenarios in your questions above. Generally, user accounts should not be created in Active Directory outside of the NetID service, but exceptions can be made with adequate justification. Creating accounts outside of the NetID service disassociates the account from the service, degrading security and in many cases degrading the user experience.
Q: Section 2.2.1 General Service Levels
“Network security scans are completed for all systems slated for AD migration;”
Is there a charge for this service?
A: This is an old practice that we have discontinued. We no longer require a security scan of systems before migrating to the Enterprise AD. I will remove this from the SLA. If the customer is migrating data to our Windows file storage service, we scan the data at no charge.
Q: Default policies configured for Department IT OU.
What is the default policy currently?
A: OUs are delivered with two policies: 1. the WSUS patch management policy, which is adjustable to fit your needs, and 2. the local admin policy, which gives the OU admins local admin rights to all systems in the OU. Additional policies can be configured. It is the customer’s responsibility to configure additional policies for their department.
bpietrewicz (Keymaster):
Q: 2.1.1 End-User (Department IT) Requirements to Use the Service
“Request access to the Data Center via Help.UNM, with a minimum of one (1) business day prior to visit;”
What happens if a critical co-location server goes down and the owner needs immediate access?
A: Relay the urgency to the service desk and they can raise the priority of the ticket. Or you can request unescorted access, which will give you 24/7 access to the datacenter.
Q: 2.2.2 Specific Service Levels
“Ensure bi-weekly walk-through by UNM IT to observe condition of Customer’s devices;”
Does IT contact the customer if they find an issue? Does IT physically touch the machines?
A: Yes, IT will contact the customer if we notice anything unusual. No, IT will not touch customer machines unless the customer requests IT to do so.
bpietrewicz (Keymaster):
Q: 2 Service Description
“The backup server keeps 3 revisions of active files and 1 revision of files that have been deleted from the client. Deleted files are retrievable for 180 days.”
What is the definition of an active file? If I leave a file untouched for an extended period of time, is it inactive?
A: Active means the file has not been deleted / is available.
Q: 2.1.2 Boundaries of Service Features and Functions
“Customer may not exceed previously agreed upon storage capacity when using the backup and restore service; Customers must purchase additional storage prior to exceeding capacity;”
What happens after storage capacity is exceeded? Is there a warning? Are zero-byte files kept in place of real files?
A: IT will notify the customer that the allotted storage has been exceeded. The customer will either need to clean up the storage or purchase additional storage. The service will continue to function normally.
Q: 2.2.2 Specific Service Levels
“Additional backup storage available within three (3) business days pending availability;”
3 business days seems like a long period of time to wait.
A: 3 days is our standard turnaround time for most service requests. Requests are often completed faster, but 3 days is the time that we can commit to.
bpietrewicz (Keymaster):
Q: 6.3 What priority would be assigned to an incident where DNS is unavailable for users on the UNM network? Is this driven by the number of people affected? If DNS is unavailable, there are many other services/processes dependent on this service, which could impair students’, faculty’s, or staff’s ability to interact with UNM services. This is not limited to users on campus but also external users, such as students who need to submit information for Financial Aid or Admission to the University. I would suggest some specialized language in this section covering DNS resolution issues and how priority will be assigned in those cases (escalation to Service Owner, etc.).
A: If DNS is unavailable then the majority of IT services on campus will not function and it would be a priority one.
bpietrewicz (Keymaster):
Q: 2.1.2 Boundaries of Service Features and Functions
“UNM IT will retain administrative access to VMs;”
This is a “Cloud Service”. Shouldn’t the owner of the VM have complete control of who has access to the machine?
A: This is a managed service. IT patches the OS. IT is also responsible for resolving issues that are directly related to the OS. Therefore, IT must retain admin rights.
Q: In regards to Right Sizing mentioned in 2.2.1 General Service Levels, I fear this could lead to some of your systems being over-provisioned by having too many people in downsized virtual machines packed onto the same cloud physical host.
A: We have thresholds on hosts that we do not exceed to address this situation. We add hosts as needed to ensure thresholds are not exceeded.
bpietrewicz (Keymaster):
Q: About 5 years ago, there was talk about implementing multi-tenancy on LoboCloud. What is the status of this? Will it be part of this SLA if it is available?
A: Correct. About two and a half years ago, when we released LoboCloud, the intent was to make it multi-tenant. We are working on implementing an SDN solution (NSX) that will provide true multi-tenancy. NSX will be implemented in the LoboCloud environment in 2016.
Q: What is the Disaster Recovery process for LoboCloud? Is there a failover site (replication)?
A: Today data is replicated to a building on south campus for DR purposes. We are in the process of setting up a hybrid cloud with a public cloud provider. This, combined with NSX, will provide DR capabilities with a recovery time of 2 to 24 hours. Implementation is pending funding.
Q: Can the snapshot be a self-service process? I mean, are on-demand snapshots, consolidation, or roll-back possible? Is the snapshot backup of the VM included in the price of the VM, or is it a separate charge?
A: Snapshots are available, but it is manual at this time. Adding snapshot capabilities to the self-service portal is a high priority for Platforms. It should be available in 2016. Snapshots of all VMs occur nightly. Snapshots are available for 7 days.
bpietrewicz (Keymaster):
Q: Is “LoboCloud” the umbrella service for all VM hosting?
A: Yes. LoboCloud is a front-end self-service portal for provisioning, de-provisioning and managing virtual machines in our VM hosting environment.
Q: As I understand it, there are 2 ways to request a UNM IT hosted VM:
1) Using LoboCloud (largely self service)
2) Via Help.UNM (UNM IT builds the VM for the customer)
A: Correct. VMs can be provisioned via LoboCloud or by placing a ticket in Help.unm.edu. LoboCloud has no setup fee. Tickets placed in Help for provisioning VMs have a $500 setup fee.
Q: I have received customer requests to produce an SLA for VM hosting that IS NOT provisioned via LoboCloud. Will this SLA cover those cases? Thanks, -N
A: Yes. The Lobocloud SLA covers both.
bpietrewicz (Keymaster):
Q: 2.1 Should explicitly define OS versions. What if I want a Server 2016 VM but it isn’t considered a supported OS by this service?
A: 2.1.2 is intended to answer this question. We will support all vendor-supported versions of Red Hat Linux and Windows. The supported versions should be in the service catalog. We will update the service catalog with the supported versions.
Q: 2.2.2 “Firewall request can take up to 72 hours” is this clock hours? Business hours? Should this be converted to days?
A: Good catch. I will update the SLA to read 3 business days.
Q: What happens if 99.9% availability is not met? Are customers refunded for the time services were unavailable?
A: That is what platforms does today. However, this is not a formal policy in IT. I will take this question to agreements.
Q: 3.1 Reference to a forum.unm.edu website that doesn’t exist
A: Good Catch. I’m pretty sure this is a typo. I will delete it from the SLA
Q: 7 There isn’t a Maintenance Window line item for LoboCloud. Other hosting windows are advertised, but LoboCloud is not listed. The Availability webpage should match the services listed in the IT Service Catalog.
A: We do not have a “Maintenance Window” for the virtual environment. The system is architected such that we do all maintenance with the system running. That said, on rare occasions we may have a need to take down a supporting system. In that case the outage would be posted on IT alerts and LoboCloud customers would be notified. We will accommodate customer needs to the best of our ability.
bpietrewicz (Keymaster):
Q: 2.1 – For departments paying for a full rack, can UNM IT limit equipment installed into that rack to equipment owned/operated by the contracting department?
A: If a department is paying for a full rack the rack is dedicated to the department.
Q: 2.1.1- Is NATing of equipment in the rack supported so that we can limit exposure of traffic between web servers and data base servers, for instance?
A: We do not offer NAT for co-lo at this time. It is on the road map. NAT will be available to LoboCloud customers in the near future.
Q: “Refrain from bypassing or circumventing security (firewall rules);” – I suggest something like “Will engage IT security and IT Networking as appropriate on all proposed changes to security (firewall rules)
A: There are special circumstances in which co-lo customers can bypass the firewall. We want to call this out specifically.
Q : 2.2.1 – Add “Meet or exceed UNM Data Center Standard requirements for a Tier 4 facility”? If not Tier 4, perhaps you could specify which tier it satisfies.
A: Good catch. I will add it to the SLA.
Q: 3.1
More definition of this would be useful: “Communicate and deactivate network access for hosts and/or network segments when infection or violation of security policies are identified;”
Where will reports on performance be accessible?
A: Per Security:
Standard Communication Approach:
For documents that describe our operational security processes, it is our practice to keep those documents from publication. Below are a couple of redacted, non-sensitive steps taken from our Standard Operating Procedure (SOP) that covers responding to incidents on deptweb. The steps listed below are representative of the standard steps in our SOPs that describe what we do in incident response in terms of standard customer communications:
a. Attempt to contact department … (to) make the first attempt to un-publish the compromised site;
b. If department can’t be contacted … or if malware is being distributed through the compromised site … un-publish the compromised site.
Exceptions:
While there are rare exceptions to the approach referenced above, those exceptions involve either:
• An apparent breach/ exposure of Personally Identifiable/ Sensitive and Protected Information (PII/ SPI) that require an immediate disconnect or similar response;
• An apparent Denial of Service (DoS) attack that also requires an immediate disconnect or response.
Hopefully this helps clarify the standard approach that we use in responding to such incidents from the perspective of customer communication.
Q: For Scheduled Maintenance, is all Change Management and notification through CAB, or are there other venues? Are processes for standing maintenance windows, scheduled maintenance, and emergency maintenance requests documented somewhere?
A: Yes we follow our standard change management processes for changes to the datacenter. Change would go through CAB/TAT. Notifications will be posted on IT alerts. If an outage of Co-Lo services is required we would reach out to co-lo customers. There is no need for a maintenance window at this time. If a maintenance window is needed in the future IT will update the SLA and give co-lo customers at least 90 days’ notice.
Q: 3.2 Is there any training or certification that should be required for qualified personnel?
A: Yes we give co-lo customers training before they begin using the service and upon request. I will update the SLA.
Q: 4.2 Can department owners of racked equipment participate in service exception planning via CAB or some other process?
A: Yes. We will notify customers of any maintenance that may impact them. At that time we will discuss customer requirements.
Q: 7 Same question as 4.2 related to input into changes in maintenance windows.
A: After seeing this question for the second time, I think it would be best to update the SLA with the appropriate information. I will update the SLA.
bpietrewicz (Keymaster):
Q: 2 What happens if a department is working with an external contractor? What is the process for UNM IT when interacting with contractors hired to implement solutions for UNM?
A: We only get involved from an access perspective. Contractors working on Co-Lo equipment must be escorted by the Co-Lo customer. If the contractor needs frequent access to the co-lo space, there is an option to grant unescorted access.
Q: 2.1 Community is misspelled also “physical compute servers”? Physical Servers?
A: I will correct both on the SLA.
Q: 2.1 Is 10 gigabit networking available in the colocation space? Is there an additional charge?
A: 10 Gb networking is not available at this time. We have not received enough interest to invest in the infrastructure. If you would like to have it you can make a request and we can discuss options.
Q: 2.1.1 “Request access to the Data Center via Help.UNM, with a minimum of one (1) business day prior to visit” What happens in the event of an Incident?
A: Relay the urgency to the service desk and they can raise the priority of the ticket. Or you can request unescorted access which will give you 24/7 access to the datacenter.
Q: 7 Maintenance Window for Colocation servers is not listed?
A: There is no maintenance window for the datacenter at this time.
Q: If UNM IT needs to change the regular maintenance window, they should generate a new SLA to make sure it meets the business requirements of UNM.
A: If IT has a need for a maintenance window in the future we will update the SLA and give customers 90 days’ notice of the change.
bpietrewicz (Keymaster):
Jenny:
Thanks for taking the time to comment.
Q: 2.1 What versions of Windows OS and Linux distributions will the backup client support?
A: The backup system supports the clients listed at the following link:
http://www-01.ibm.com/support/docview.wss?uid=swg21243309
Q: 2.1.2 What do you mean by revision? Is this version control? Is it possible to retain more than the past 3 versions? Is revision a file or block level backup? Can the backup retention period extend beyond 180 days? Do you also provide backup service for bare metal recovery?
A: Revision means change in this case. Every time the file changes it is considered a revision.
A: We can only change the retention policies (3 versions, 180 days) in extraordinary circumstances. Managing multiple retention policies is extremely resource intensive. We are in the process of implementing a new backup system so look for the feature set to improve in the near future.
A: Backups are file level backups.
A: We do not offer bare metal recovery at this time. It may be available in the future for an additional charge.
Q: Is there some type of reporting tool or high water mark alerts to let the customer know the allotted backup space is close to the quota limit?
A: Yes storage utilization reports are available.
Q: Is there a cost sheet on backup space? Is the cost based on GB of space, based per client base, or client plus space?
A: Good question and the answer is a bit complicated. If the system being backed up is not owned by IT then it is the normal cost of storage or $700 per TB. http://it.unm.edu/servicecatalog/asset_list.php?service=23&product=128&origin=servicelist
A: If the server being backed up is owned/managed by IT, it is half the cost of the drive that is being backed up or $350 per TB. Ex: A LoboCloud system with a 1TB drive costs $350 to back up. I will update the service description.
Q: How far is the replication site from the backup site?
A: Data is replicated to a building on South Campus. Replication to a cloud provider is on the roadmap.
Q: Although at this point Financial Services Division (FSD) has no plans to use this service at this time, we reserve the right to create a customized SLA specific to our needs with mutually-agreed upon consequences for both FSD and UNM IT.
A: This is the SLA for the backup service that IT offers today. We are open to discussing customized agreements that are mutually agreed upon.
Regards,
Brian
bpietrewicz (Keymaster):
Andrew,
Thanks for taking the time to comment.
Q: 2 Backup fees are not listed in service catalog entry. Data storage pricing is listed, is there an additional charge for the “Backup Service” license fee? etc.
A: There is no fee for licensing. We only charge for the amount of storage purchased/used.
Q: 2.1 Should this section be under 3.1?
A: No, 2.1 is the section for features; 3.1 is for UNM IT responsibilities. Perhaps I don’t understand the question?
Q: 2.1.1 “Notify security@unm.edu of any compromises or breaches” Why is this not a Help.UNM ticket?
A: The statement is accurate. For more information please see: http://it.unm.edu/security/
Q: 2.1.2 “Backup client is not capable of backing up databases. Native database tools are required” What backup product doesn’t support this? Should UNM IT be evaluating new backup solutions?
A: No database products are currently supported. We have purchased a new backup system and we are in the process of implementing it. The new system supports several databases. Look for new features soon.
Q: 3.1 “Basic up/down system monitoring” does this include storage monitoring?
A: Yes, it includes up/down of all components of the backup system except the clients and client servers. Monitoring clients and the servers being backed up is the customer’s responsibility. Storage utilization is not monitored in an automated fashion. Reports are available for storage utilization. It is the customer’s responsibility to review the reports.
Q: 4.1 Where is the maintenance window listed for the backup service?
A: There is no limit to when backups can be run. It is strongly recommended to run backups between 5pm and 5am. I will update the SLA.
Q: 5.2 “Requests will be fulfilled within fifteen (15) days” What happens in the event of an emergency for a department? 15 days seems pretty generous for responding to a service request for this service. Exception process seems overly complex with too many approvals, sounds like by the time all the approvals and sign offs were obtained we would be at 15 days for a normal service request.
A: 15 days is time to initially deliver the service. This includes provisioning the storage, training, and handling any nuances that might arise. If it is an emergency it can be discussed when the ticket is acknowledged which is within 12 hours.
Regards,
Brian
bpietrewicz (Keymaster):
Cyndi,
This is the SLA for the backup service that IT offers today. We are open to discussing customized agreements that are mutually agreed upon.