The answers to these questions are complicated but I will attempt to simplify:

Q: CAS is definitely an Authorization service. I’m not sure it qualifies as an Identity Management service.

A: Agreed.  CAS is actually not authorization.  It is authentication.  CAS is listed as IDM because it is one of the tools that can be used to integrated systems to be able to use NetID.  If you have an application that you would like to authenticate using NetID, CAS of one of the tools available to do that.   

Q: Given the increased adoption of AD, what is the long term plan for CAS? Is there a convergence between the two services planned? If CAS is to continue, is there a documented way that we can address the secondary authorization question for sites and services using CAS using group membership?

A: CAS is a pass through mechanism for Authenticating NetID’s.  Currently it points at LDAP but it can be pointed of AD as well.  AD and LDAP are synchronized so either will handle authentication for NetID’s. CAS only does authentication.  It does not do authorization.  Therefore it does not take advantage of groups.  If you have an application that needs external authorization (groups), it would need to be integrated with AD or LDAP.    

Q: Where does LDAP fit into the service boundaries of CAS and AD?

A: CAS is tied to the NetID SLA in terms of boundaries in that it authenticates NetID’s.  

I realize the answers to these questions are confusing/complicated.  If you have additional questions regarding how to authenticate or authorize an application or system using NetID, please put in a service request and we will walk you through the options.   

Q: Section 2.1.1 End-User Requirements to Use the Service – Third bullet point
OU Administrators will adhere to the standards, policies and guidelines included in the OU Admin training such as the naming convention and use of privileged accounts;
I would like to read what these standards, policies and guidelines are exactly.

A: See the attached PowerPoint.  This will answer your questions at a high level.  For more detailed answers you would need to attend OU admin training.

Q: Section 2.1.2 Boundaries of Service Features and Functions – Third bullet point
UNM IT reserves the right to apply security policy settings through domain GPO with reasonable
notification;
What is the definition of “reasonable”, reasonable by whose standard UNM IT or the department that may be adversely affected.  How much time would we have for researching proposed change and testing?  

A: Changes to domain or forest wide GPO’s would go through our change management process and the change will be communicated through a number of channels including IT alerts and the OU admin listserv.  If we anticipate that a change could impact customers we would solicit feedback from the OU admins.  The amount of time we give depends on the reason for the change.  If a GPO is being implemented to resolve a severe, time sensitive issue, the implementation would need to happen faster than a GPO meant to address a UNM policy change.  Changes to Domain or Forest wide GPO’s are extremely rare and are handled on a case by case basis.  To date there is only one domain wide GPO and it is the password policy.  

Q: Where can we go to review the current security policy settings?

A: OU’s are currently delivered with 2 policies 1. The WSUS patch management policy which is adjustable to fit your needs and the local admin policy that give the OU admins local admin rights to all systems in their OU. Additional policies can be configured. It is the customer’s responsibility to configure additional policies for their department.   

Q: Bullet point 6
User management such as creation of new accounts, and password management is done through NetID service and not directly performed in AD. 
We create user accounts several times per year as a matter of course, and we use provisioning tools to both create the account and its associated mail box.  Would we be able to continue this practice if we were being hosted on this system?
We also create accounts for adjuncts and students that are not enrolled at unm as regular employees and or students, would we still be allowed to do this?

A: You can continue the processes listed above using the NetID service.  Email boxes are automatically provisioned through the NetID service.  The NetID service allows for all of the scenarios in your questions above.  Generally, no user accounts should not be created in Active Directory outside of the NetID service but exceptions can be made with adequate justification.  Creating accounts outside of the NetID service disassociates the account from the service degrading security and in many cases degrades the user experience.            

Q: Section 2.2.1 General Service Levels
Network security scans are completed for all systems slated for AD migration;
Is there a charge for this service?

A: This is an old practice that we have demised.  We no longer require a security scan of systems before migrating to the Enterprise AD.  I will remove this from the SLA.  If the customer is migrating data to our windows file storage service we scan the data at no charge.     

Q: Default policies configured for Department IT OU.
What is the default policy currently?

A: OU’s are delivered with 2 policies 1. The WSUS patch management policy which is adjustable to fit your needs and the local admin policy that give the OU admins local admin rights to all systems in the OU. Additional policies can be configured. It is the customer’s responsibility to configure additional policies for their department.   

Q: 2 Service Description
The backup server keeps 3 revisions of active files and 1 revision of files that have been deleted from the
client. Deleted files are retrievable for 180 days.
What is the definition of an active file? If I leave a file untouched for an extended period of time is it inactive?

A: Active means the file has not been deleted / is available. 

Q: 2.1.2 Boundaries of Service Features and Functions
Customer may not exceed previously agreed upon storage capacity when using the backup and restore service; Customers must purchase additional storage prior to exceeding capacity;
What happens after storage capacity is exceded, is there are warning? Are zero-byte files kept in place of real files?

A: IT will notify the customer that the allotted storage has been exceeded.  The customer will either need to clean up the storage or purchase additional storage.  The service is will continue to function normally. 

Q: 2.2.2 Specific Service Levels
Additional backup storage available within three (3) business days pending availability;
3 business days seems like a long period of time to wait.

A: 3 days is our standard turnaround time for most service request.  Requests are often completed faster but 3 days is the time that we can commit to.   

Q: 2.1.2 Boundaries of Service Features and Functions
UNM IT will retain administrative access to VMs;
This is a “Cloud Service”, Shouldn’t the owner of the VM have complete control of who has access to the machine?

A: This is a managed service.  IT patches the OS.  IT is also responsible for resolving issues that are directly related to the OS.  Therefore, IT must retain admin rights.  

Q: In regards to Right Sizing mentioned in 2.2.1 General Service Levels, I fear this cloud lead to some of your systems being over provisioned by have too many people in down sized virtual machines packed onto the same cloud physical host.

A: We have thresholds on host that we do not exceed to address this situation.  We add hosts as needed to ensure threshold are not exceeded.  

Q: Is “LoboCloud’ the umbrella service for all VM hosting?

A: Yes.  Lobocloud a frontend self-service portal for provisioning, de-provisioning and managing virtual machines in our VM hosting environment.  

Q: As I understand it, there are 2 ways to request a UNM IT hosted VM:
1) Using LoboCloud (largely self service)
2) Via Help.UNM (UNM IT builds the VM for the customer)

A: Correct.  VMs can be provisioned via Lobocloud or by placing a ticket in Help.unm.edu.  LoboCloud has no setup fee.  Tickets placed in help for provisioning VMs have a $500 setup fee.

Q: I have received customer requests to produce an SLA for VM hosting that IS NOT provisioned via LoboCloud. Will this SLA cover those cases? Thanks, -N

A: Yes.  The Lobocloud SLA covers both.  

Q: 2.1 – For departments paying for a full rack, can UNM IT limit equipment installed into that rack to equipment owned/operated by the contracting department?

A: If a department is paying for a full rack the rack is dedicated to the department.  

Q: 2.1.1- Is NATing of equipment in the rack supported so that we can limit exposure of traffic between web servers and data base servers, for instance?

A: We do not offer NAT for co-lo at this time.  It is on the road map.  Nat will be available to LoboCloud customers in the near future.

Q: “Refrain from bypassing or circumventing security (firewall rules);” – I suggest something like “Will engage IT security and IT Networking as appropriate on all proposed changes to security (firewall rules)

A: There are special circumstances in which co-lo customers can bypass the firewall.  We want to call this out specifically. 

Q : 2.2.1 – Add “Meet or exceed UNM Data Center Standard requirements for a Tier 4 facility”? If not Tier 4, perhaps you could specify which tier it satisfies.

A: Good catch.  I will add it the SLA. 

Q: 3.1
More definition of this would be useful “Communicate and deactivate network access for hosts and/or network segments when infection or violation of security policies are identified;”
Where will reports on performance be accessible?

A: Per Security:
Standard Communication Approach:
For documents that describe our operational security processes, it is our practice to keep those documents from publication.  

Below are a couple of redacted, non-sensitive steps taken from our Standard Operating Procedure SOP that covers responding to incidents on deptweb.  The steps listed below are representative of the standard steps in our SOPs that describe what we do in incident response in terms of standard customer communications:  
a. Attempt to contact department … (to) make the first attempt to un-publish the compromised site;
b. If department can’t be contacted … or if malware is being distributed through the compromised site … un-publish the compromised site.
Exceptions:
While there are rare exceptions to the approach referenced above, those exceptions involve either:
• An apparent breach/ exposure of Personally Identifiable/ Sensitive and Protected Information (PII/ SPI) that require an immediate disconnect or similar response;
• An apparent Denial of Service (DoS) attack that also requires an immediate disconnect or response.
Hopefully this helps clarify the standard approach that we use in responding to such incidents from the perspective of customer communication.  

Q: For Scheduled Maintenance, is all Change Management and notification through CAB or are there other venues? are processes for standing maintenance windows, scheduled maintenance, and emergency maintenance requests documented somewhere?

A: Yes we follow our standard change management processes for changes to the datacenter.  Change would go through CAB/TAT.  Notifications will be posted on IT alerts.  If an outage of Co-Lo services is required we would reach out to co-lo customers. There is no need for a maintenance window at this time.  If a maintenance window is needed in the future IT will update the SLA and give co-lo customers at least 90 days’ notice. 

Q: 3.2 Is there any training or certification that should be required for qualified personnel?

A: Yes we give co-lo customers training before they begin using the service and upon request.  I will update the SLA.   

Q: 4.2 Can department owners of racked equipment participate in service exception planning via CAB or some other process?

A: Yes.  We will notify customers of any maintenance that may impact them.  At that time we will discuss customer requirements.

Q: 7 Same question as 4.2 related to input into changes in maintenance windows.
A: After seeing this question for the second time I think it would be best to update the SLA with the appropriate information.  I will update the SLA.  

 
Jenny:

Thanks for taking the time to comment.

Q: 2.1 What versions of Windows OS and Linux distributions will the backup client support?

A: The backup system supports the clients listed at the following link:
http://www-01.ibm.com/support/docview.wss?uid=swg21243309
 
Q: 2.1.2 What do you mean by revision?  Is this version control?  Is it possible to retain more than the past 3 versions?  Is revision a file or block level backup?  Can the backup retention period extend beyond 180 days? Do you also provide backup service for bare metal recovery?

A: Revision means change in this case.  Every time the file changes it is considered a revision.  

A: We can only change the retention policies (3 versions, 180 days) in extraordinary circumstances.  Managing multiple retention policies is extremely resource intensive.  We are in the process of implementing a new backup system so look for the feature set to improve in the near future.   

A: Backups are file level backups.

A: We do not currently offer bare metal at this time.  It may be available in the future for an additional charge.

Q: Is there some type of reporting tool or high water mark alerts to let the customer know the allotted backup space is close to the quota limit?

A: Yes storage utilization reports are available.     

Q: Is there a cost sheet on backup space? Is the cost based on GB of space, based per client base, or client plus space?  

A: Good question and the answer is a bit complicated.  If the system being backed up is not owned by IT then it is the normal cost of storage or $700 per TB. http://it.unm.edu/servicecatalog/asset_list.php?service=23&product=128&origin=servicelist

A: If the server being backed up is owned/managed by IT, it is half the cost of the drive that is being backed up or $350 per TB.  Ex: A LoboCloud system with a 1TB drive costs $350 to back up.  I will update the service description.   

Q: How far is the replication site from the backup site? 

A: Data is replicated to a building on South Campus.  Replication to a cloud provider is on the roadmap. 

Q: Although at this point Financial Services Division (FSD) has no plans to use this service at this time, we reserve the right to create a customized SLA specific to our needs with mutually-agreed upon consequences for both FSD and UNM IT.

A: This is the SLA for the backup service that IT offers today.  We are open to discussing customized agreements that are mutually agreed upon.  

Regards,

Brian

Cyndi,
This is the SLA for the backup service that IT offers today.  We are open to discussing customized agreements that are mutually agreed upon.