OCIO NEWSLETTER Issue 5 • Oct 2011
SPOTLIGHT
A New Era for Data Centre
Raymond Poon
The Data Centre (DC) supporting CityU was built in 1988 when the University moved to the existing campus at Kowloon Tong. At the time, it was one of the most advanced designs in Asia. For more than 20 years, it has been the core for providing IT services to the University community. Despite a number of changes having taken place, including increasing the power supply, upgrading the UPS, performing server consolidation and storage consolidation, and starting virtualization, the speed of growth in IT demand still far exceeded the pace of these changes. Shortages of space, power and air conditioning became the utmost priorities to resolve in order to maintain the quality and level of IT service. Feeling the need and urgency for a revolutionized modernization to tackle the foregoing problems once and for all, the CSC has started to join forces with the Campus Development and Facilities Office (CDFO) to work out the solution. Taking the chance of the campus preparation planning to meet the 334 changes, we were able to request additional space for the expansion of the Data Centre. A Data Centre expansion plan has been worked out and submitted to the UGC for budget. Thanks to the UGC, CityU has been granted HK$17M to complete the modernization of its Data Centre within the next 2 years. To help our readers understand the necessities, the architect, the challenges, the potential stumbling blocks, the solutions to critical problems or the mitigations of significant risks, and the progress of the DC modernization, as well as how we will operate our DC and how it evolves when it becomes operational, a series of articles on our DC modernization will be
published in this Newsletter and below is the first one.
Why We Need to Modernize Our DC to Become a Next Generation DC?
Enterprises need to control IT spending as well as to improve business agility through IT in order to stay competitive. Data centre modernization, or building a Next Generation DC, offers the opportunity to achieve these goals while, at the same time, addressing pressing issues such as the explosion in the number of servers and storage devices, space constraints, migration paths for legacy technologies, compliance with legal requirements, rising energy costs, etc.
What Are the Benefits to Be Brought about by the Next Generation Data Centre (DC)?
Leading-edge next generation DCs are dynamic ones; they are designed:
− For flexibility - to make business agility possible by being able to meet the changing needs of service provisioning and support (i.e. service oriented and service on-demand) arising from high-density growth in IT infrastructure;
− For efficiency - to utilize space and IT assets more effectively and to maximize the universities’ capacity to control DC spending, hence reducing both capital and operating expenses in the long run;
− For scalability - to enable services to span across physical, virtual and cloud infrastructures seamlessly as required by changing business needs, and to allow different IT service levels or different IT availability (risk) levels, and different IT resource provisioning across heterogeneous platforms to be accommodated speedily;
− For providing Security As A Service; and
− To be environment friendly and for consuming energy efficiently.
Way Forward
However, these benefits don’t come easy; modernization of DC, according to Gartner Group, “involves customizing Data Centre strategies according to business plans, regulatory requirements, skills availability and rapidly changing technologies”. Besides, other than the DC building work, a holistic data centre management solution must also be in place. “Such a management solution should combine proper data centre planning, committed management involvement, competent IT staff and usage of sophisticated management tools. Various hardening steps should also be implemented at environmental, physical, logical and procedural levels to reinforce the Data Centre security”. While modernizing the DC, we also
need to observe closely on the trend of services that will be outsourced to public cloud services, incorporating and balancing the effort in the DC future plans. In view of the complexity and the inter-dependency in strategies and implementation plans at different component levels of the overall DC modernization plan, a structured approach in realizing the plan must therefore be adopted and will be shared with our readers in the coming issues.
Reference:
1. Data Center Knowledge http://www.datacenterknowledge.com/
2. Gartner Infrastructure, Operations & Data Center Summit http://www.gartner.com/technology/summits/apac/data-center/
3. Computerworld & Virtualization Summit 2011 http://dcs.questexevents.net/2011/hk
4. Oracle Next-Generation Data Center http://www.oracle.com/us/technologies/next-generation-data-center/index.html
5. CA Technologies Data Center of the Future http://www.ca.com/us/content/campaign.aspx?cid=233176
6. Cisco Data Center and Virtualization http://www.cisco.com/en/US/netsol/ns340/ns394/ns224/index.html
7. CA Technologies, Building the Next Generation Data Center – a Detailed Guide
BRIEF UPDATES
Readying SIS for the 334
W K Yu
The changes brought about by the 334 curriculum reform to the Student Information System (SIS) are tremendous. It is pleasing to report that the development of SIS for the 4-year degree structure has progressed well and most of the project schedules have been kept. As at the start of the academic year 2011/12, a few major systems or components have been launched for use by the nominated programmes piloting the 4-year degree curriculum in 2011/12. They include:
• the newly introduced academic advising software, DegreeWorks;
• a new i-Assessment System for the Faculty to propose awards to graduating students, and to record and process course results;
• declaration of minor and related approval processes; and
• OBTL Programme Management.
Feedback and comments on the functionality and presentation of these systems are being gathered. The systems are expected to be further refined or enhanced during the year in preparation for full implementation in 2012/13. Also completed are the fundamentals that support the development of the deliverables above and of other systems still under development. They include re-configuring the Banner Student System and an overhaul of the access control to student and applicant information to meet the changes brought about by the new degree structure.
A large number of systems are still under development. The Admissions System is an important one. The University is readily prepared in the processes defined by us, e.g. screening and selection criteria and the system development progress in this regard is on track. Nonetheless, the progress in building interfaces with the new Joint University Programmes Admissions System (JUPAS) is depending on that of the JUPAS development. System testing on this part hence has to be timely and focused whenever new JUPAS features are ready. Another major development is to revisit and re-design class scheduling. This is to ensure class scheduling meets the teaching and learning pattern of the 4-year degree curriculum, and copes with double cohort in 2012 and space constraints. Simulation will be done.
Other on-going developments include a revamped student enquiry, declaration of major, different kinds of listings to support Faculty members and academic departments in their teaching and related activities, transcript, application for credit transfer, graduation process, etc. Most of the system functions are to be ready for use some time in 2011/12, thus allowing contingency and time for further improvement before full launch in 2012/13. In addition to system development, the SIS will undergo a system health check and a review of system capacity. Appropriate action will be taken to ensure the system is sufficient to handle the demand in 2012/13, should the result indicate such a need.
FEATURE
IT Service Arrangement for AC2 Joe Lee and Joe Chow
The IT services in the Academic 2 (AC2) building is in operation at the start of the academic year 2011-2012. Among other IT provisions, the classrooms, the lecture theatres, a number of PC-equipped teaching studios on Level 8 and a public access Computer Terminal Room on Level 3 of the AC2 have been set up with computer and network to facilitate teaching and learning. In order to distinguish the teaching studios and the computing facilities in Academic 1 (AC1) building, a naming convention is assigned to the rooms in the CSC Teaching Studio Booking System (accessible from the e-Portal). In the Booking System, building prefixes of “AC1-“ and “AC2-“ have been added to the room specifications at AC1 and AC2 respectively. For example, Teaching Studio A in AC1 now becomes AC1-A and Teaching Studio 8506 in AC2 is named as AC2-8506. Such naming convention has been adopted in the University Timetable from Semester A 2011. Photos courtesy of Peter Mok (CSC)
Setup of Facilities
Lecture Theatre and Classroom
Type: Lecture Theatres
• Facilities: Instructor workstation; Multimedia Ready; LCD projector; Projection screen; Wyteboard; DVD player
• No. of Rooms: 12
• Workstation Configuration (Lectern Only): Intel Core i5-2500 CPU @ 3.30 GHz PC; 120G Fast SSD Hard Disk; 4GB RAM; 20” Widescreen LCD Monitor; DVD/CD Writer Drive; Front-side USB ports; Front-side Headphone Jack; Front-side Microphone Jack
• OS: Windows 7/Windows XP
• Capacity: 120, 160, 240, 320
• Remark: Set up by the CSC
Type: Classrooms
• Facilities: Instructor workstation; Multimedia Ready; LCD projector; Projection screen; Wyteboard; DVD player
• No. of Rooms: 45
• Workstation Configuration (Lectern Only): Intel Core i5-2500 CPU @ 3.30 GHz PC; 120G Fast SSD Hard Disk; 4GB RAM; 20” Widescreen LCD Monitor; DVD/CD Writer Drive; Front-side USB ports; Front-side Headphone Jack; Front-side Microphone Jack
• OS: Windows 7/Windows XP
• Capacity: 30, 40, 80
• Remark: Set up by the CSC
Teaching Studio Type Public Access Computer Room • 2 Fast Printers Teaching Studio • Instructor workstation • Multimedia Ready • 2 LCD projectors • Projection screens • Wyteboard • DVD player Teaching Studio • Instructor workstation • Multimedia Ready • LCD projector • Projection screen • Wyteboard • DVD player
Name AC23600
AC28506
Workstation Configuration Intel Core i5-2500 CPU @ 3.30 GHz PC • 4GB RAM • 20” Widescreen LCD Monitor • DVD/CD Writer Drive • Front-side USB ports • Front-side Headphone Jack • Front-side Microphone Jack
OS
Capacity 144
Windows 7/ Windows XP
AC28606
39
Intel Core2 Duo CPU E6550 @ 2.33 GHz PC • 2GB RAM • Front-side USB ports • 19” Widescreen LCD Monitor • Front-side Headphone Jack • DVD/CD Writer Drive • Front-side Microphone Jack
Windows 7
30
AC28501
Intel Core i5-2500 CPU @ 3.30 GHz PC • 4GB RAM • Front-side USB ports • 20” Widescreen LCD Monitor • Front-side Headphone Jack • DVD/CD Writer Drive • Front-side Microphone Jack
Windows 7
30
AC28502
Intel Core i5-2500 CPU @ 3.30 GHz PC • 4GB RAM • Front-side USB ports • 20” Widescreen LCD Monitor • Front-side Headphone Jack • DVD/CD Writer Drive • Front-side Microphone Jack
Windows 7
27
AC28503
Intel Core2 Duo CPU E8400 @ 3.00 GHz PC • 2GB RAM • Front-side USB ports • 19” LCD Monitor • Front-side Headphone Jack • DVD/CD Writer Drive • Front-side Microphone Jack
Windows XP
30
AC28505
Intel Pentium 4 CPU @ 3.00 GHz PC • 1GB RAM • Front-side USB ports • 15” LCD Monitor • Front-side Headphone Jack • DVD/CD Writer Drive • Front-side Microphone Jack
Windows XP
30
AC28601
Intel Core2 Duo CPU E8400 @ 3.00 GHz PC • 2GB RAM • Front-side USB ports • 19” LCD Monitor • Front-side Headphone Jack • DVD/CD Writer Drive • Front-side Microphone Jack
Windows XP
27
AC28604
Intel Core i5-2500 CPU @ 3.30 GHz PC . • 4GB RAM • Front-side USB ports • 20” Widescreen LCD Monitor • Front-side Headphone Jack • DVD/CD Writer Drive • Front-side Microphone Jack
Windows 7
27
OS X 10.6
30
Windows XP
26
AC28608
Set up by the CSC
60
AC28500
AC28607
Remark
Apple Mac Pro (Instructor workstation) . • 2.80GHz Quad-Core Intel Xeon processor • 27” Widescreen LCD Monitor
• 6GB RAM • DVD/CD Writer Drive
Apple iMac (Student workstation) • 3.1GHz Quad-Core Intel Core i5 processor • 4GB RAM • 27” Widescreen LCD Display • DVD/CD Writer Drive Intel Core2 CPU 6300 @ 1.86 GHz PC . • 2GB RAM • Front-side USB ports • 17” LCD Monitor • Front-side Headphone Jack • DVD/CD Writer Drive • Front-side Microphone Jack
Set up by the CCCU
Booking of Venue 1) Lecture Theatre and Classroom Class scheduling is managed by Academic Regulations & Records Office (ARRO), and individual class booking is available from e-Portal’s “Venue and Classroom Booking” system under the “Facilities Booking” of the “Univ. Services (Staff )” tab. 2) Teaching Studio/Computer Room Teaching staff can reserve the Teaching Studios/ Computer Rooms in the following ways: a) For timetabling purpose, staff members are invited to send CRN information to the ARRO during the timetabling period. The ARRO will then schedule the room requirements according to resources. This schedule will be populated to the CSC Teaching Studio Booking System where staff and students can examine. b) After the final University Timetable is released, if new room requirement is needed, staff can make ad hoc booking through the online CSC Teaching Studio Booking System in the e-Portal, under Univ. Services (Staff ) / FACILITIES BOOKING. c) Ad hoc bookings can also be made at the CSC’s Service Counter in person or through online CSC Work Request.
More information about CSC Teaching Studios and the guidelines for reserving them can be found at: http://www.cityu.edu.hk/csc/deptweb/facilities/terminalarea/teaching-studio.htm
General Support Similar to the support in AC1, users can request the service by raising an on-line CSC work request, or call the CSC Help Desk at 3442-7658 for urgent matters. Users will normally receive a reply from the CSC on the same day (normally within 1 hour) and on-site work will be scheduled as agreed by the users and the supporting engineer. 1) Lecture Theatre and Classroom a) Similar to the support in AC1, users can call the CSC Help Desk at 3442-7658 and request immediate on-site support. b) In most cases, supporting engineer can arrive and provide necessary assistance in 5-10 minutes’ time. 2) Teaching Studio/Computer Room Since there is no CSC Service Counter in AC2, users are required to call the CSC Help Desk at 3442-7658 for all supports and services. Besides the support from the CSC, some Terminal Rooms (8500, 8501, 8502, 8503, 8505, 8601, 8603, 8604, 8607, and 8608) are co-operated by the CSC and the CCCU, and the support services for these rooms can also be obtained from CCCU’s Help Desk at 3442-9821 during the following office hours: a) 9:00 a.m. to 5:30 p.m. (Monday to Friday) b) 9:00 a.m. to 12:00 noon (Saturday)
BRIEF UPDATES
Notebook Ownership Scheme for Students (NOSS) 2011 Noel Laam In view of the success last year, the University has decided to organize the Notebook Ownership Scheme for Students (NOSS) 2011. For eligible students of the NOSS 2011 who purchase a notebook of one of the 32 models from the approved list of notebook models available for sale at the Digital Technology Festival 2011 (DTF 2011) organized by the Student Union (SU), they may apply for the subsidy amount of $1,000 for the notebook purchased.
Eligibility The NOSS 2011 applies only to the students of the City University of Hong Kong, and is not applicable to the students of the Community College of City University. The following categories of CityU students are eligible to apply for the subsidy in NOSS 2011: a) Students admitted in 2011 and are enrolled in a UGC-funded Bachelor’s Degree (including those in their foundation year) or a UGC-funded Associate Degree programme, and are not in possession of any LLS notebook computer (obtained from the LLS buy-out exercise or currently still enrolling in the LLS), and have not received the subsidy from the NOSS 2010. b) Students admitted in 2010 and are enrolled in a UGC-funded Bachelor’s Degree programme, and were not admitted as senior-intake and are not in possession of any LLS notebook computer (obtained from the LLS buy-out exercise or currently still enrolling in the LLS) , and have not received the subsidy from the NOSS 2010.
Application Procedure for Reimbursement
Eligible students can apply for the reimbursement by completing the NOSS application form available from the AIMS, and submitting it together with the necessary documents by hand to the drop-box of the Finance Office. The application period is from 1 October – 30 November 2011, and the hard copies of the necessary documents must reach the FO no later than 15 December 2011, or the application will not be considered. For more information on the NOSS, please refer to http://www.cityu.edu.hk/csc/deptweb/services/noss/noss2011/noss2011.htm
BRIEF UPDATES
Choose Your Own Display Name for Exchange Email Yeung Man
Display Name is one of the Microsoft Active Directory (or AD) attributes. This display name will appear in a number of Microsoft based LAN (e.g. when users log on to their office PCs) and applications including the Microsoft Exchange Email and the Microsoft SharePoint (CityUWiki) services. By default, a staff member’s Display Name is the same as the Preferred Name of a staff member’s choice as recorded in the AIMS, which is used for communication for administrative matters. As the Display Name is the primary lookup value in the Exchange Global Address List (or GAL), it will be revealed as a staff’s email name in the Microsoft Exchange/Outlook system. After migrating to the MS Exchange email, some staff may prefer to have another choice for a name more commonly known to their friends in correspondence which is different from their Preferred Name. Accordingly, the Computing Services Centre (CSC) has devised a new function for staff to personalize their names in Exchange and AD based on one’s Preferred Name and Email Alias. The new function “Change Display Name for Exchange Email” can be found in the University e-Portal (https://eportal.cityu.edu.hk), in the “Quick Links” box located in the middle column under My CityU tab.
The same function is also provided as an option “Change Display Name” under “Management for @um (Exchange) Account” in “Account Management for Staff Email Services” after clicking “Account Management” in the Email Services home page http://email.cityu.edu.hk.
The new chosen Display Name will be effective within three hours. It will be displayed, as a user identity, in Exchange Email and CityU Wiki (or any Microsoft products if applicable), or when a user logging on to the campus network through Staff LAN, Student LAN, Wireless LAN, or Virtual Private Network. Please note that the Display Name will not be displayed when a staff member is neither using the foregoing software, nor logging on to the campus network.
The “Change Display Name” function involves two steps.
In step 1, staff can decide their display name and title by choosing the words from the drop-down boxes.
In step 2, staff can change the letter case (upper or lower) in any combination by clicking on the letter. Finally, click the ‘Confirm’ button to complete changing the Display Name.
FEATURE
CityUWiki Leaps from MS SharePoint 2007 to MS SharePoint 2010 Maria Chin
To maintain the integrity of the CityUWiki and its interoperability with the advancing office applications, the plan to upgrade the CityUWiki from MS Office SharePoint Server 2007 (MOSS2007 hereafter) to MS SharePoint 2010 (SP2010 hereafter) started early this year. Please refer to the appendix for more information on the CityUWiki and MS SharePoint 2010.
As in-place [1] upgrade from MOSS2007 to SP2010 is not recommended by Microsoft, a new load-balanced server environment was set up for the out-of-place [2] approach where content from MOSS2007 had to be moved (migrated) from the old server to the new one. The new server farm was installed afresh with the most recently released operating system, database and SharePoint, namely MS Windows 2008 R2, MS SQL 2008 R2 and MS SharePoint 2010. In addition, to strengthen the integrity of user content stored in the CityUWiki, two server-side anti-virus [3] tools were installed to protect user content from computer virus which might be unknowingly uploaded to the CityUWiki in user files.
The technical team in the Computing Services Centre (CSC) did an initial assessment on the upgrade efforts including content migration, service interruption, impact on site owners and their users. The findings suggested that the upgrade would be a strenuous process. Apart from migrating the 25GB of contents in the 80 sites, customized site templates and pages, workflows, survey results, site permissions, etc.
might need to be touched up after they were moved to SP2010, and this meant tedious manual work and considerable service downtime. To verify our findings, external software vendors were invited to share their SharePoint upgrade experiences, and their views concurred with ours. In view of the complexity of the project, it was decided to partner with a software vendor with prior SharePoint upgrade experience, which led to the kick-off of the tendering process and the project in June finally. The selected vendor presented an attractive project plan that targeted at zero service downtime, and brought in a third party tool to help reduce the tedious content migration work. The upgrade project was carried out in three phases, of course, with the new server farm already in place. 1) July 2011 – Pilot Migration of User Contents 25GB of user contents in MOSS2007 was migrated to SP2010 with the vendor’s migration tool. The project team then identified and fixed most master pages and templates. More importantly, common issues and fixes were worked out. 2) Early August 2011 - Site Owner Training and User Acceptance Test Two training sessions on SP2010 were organized for site owners. Apart from highlighting enhancements of popular features,
site owners were asked to crosscheck the migrated contents with those on MOSS2007, and were trained to fix common issues in their sites. Two hotlines were set up to provide extra help to site owners. 3) 12-17 August 2011 – D-Day The time gap between phase 2) and 3) was kept short so as to minimize the chance of user contents being updated, hence reducing the data volume (also reduced time and error) that need to be synchronized from MOSS2007 to SP2010. These six days were intense; the CityUWiki was set to read-only mode providing view access to users. User contents were synchronized from MOSS2007 to SP2010, followed by applying its Service Pack 1 for SP2010, import user profiles, finalized system and network settings. Normal CityUWiki service running on MS SharePoint 2010 SP1 was released to users at noon on 17 August 2011. Minor fixes to sites and contents continued after the upgrade. The upgrade prepares the CityUWiki for the future incorporation of information rights management to support user contents requiring extra security and tracking of sensitive information wherever it is used and disseminated, for example, via email and website. It
also set the footsteps for the upgrade of the University’s public facing MOSS2007 service, wikisites.cityu.edu.hk, which is hosting the NewsCentre, the President’s Blog and various departmental public wikis and blogs.
Appendix
Background: The CityUWiki was released in June 2008, and it is a portal based collaboration and document management service based on Microsoft SharePoint. The usage of CityUWiki grew from 10 sites in 2009 to 80 sites in 2011 supporting closed-group sharing, for example, members of committees, departments, research and project teams.
Information on MS SharePoint 2010 available at:
http://technet.microsoft.com/en-us/sharepoint/ee518662
http://office.microsoft.com/en-us/sharepoint-server-help/what-s-new-in-microsoft-sharepoint-server-2010-HA010370058.aspx
[1] In-place upgrade refers to the method of software enhancement where the new version of software can be applied atop of the existing one.
[2] Out-of-place upgrade refers to the method of software enhancement where the new version of software has to be installed afresh in another location and old content be copied to the new location.
[3] McAfee VirusScan Enterprise and MS Forefront Protection 2010 for SharePoint
FEATURE
Microsoft DreamSpark Program Joe Lee
Microsoft set up the DreamSpark program in 2008 to provide free professional developer and design tools to students around the world to help them improve their learning and skills through technical design, technology, math, science, and engineering activities. The only restriction on the use of these tools and software is self-explained.
Getting your student status verified
CityU has participated in the DreamSpark program, and therefore, relevant students are eligible to gain the benefits. As DreamSpark is for students only, proof of student status is required before downloading the available Microsoft software tools from the DreamSpark site. Microsoft provides an online verification program to do this and the only information required for verification is the Windows Live ID. If students have already applied for the CityU’s Windows Live account (Ref 1, the Live@edu cloud service offered by Microsoft), they can simply use it in the Windows Live ID sign-in process at the DreamSpark site. Doing so will allow the student status to be verified at the very beginning, bypassing the verification step for future visits to the DreamSpark site. All students remain verified for 12 months and will have the option to renew after every 12 months. For details, please refer to the FAQs there.
Downloadable Microsoft Products
DreamSpark includes many free products for learning purposes (please refer to the Terms of Use for details) and students can see the complete list by visiting the DreamSpark site (Ref 2). The products provided are the same as those commercial products that professional developers can buy and use. All products are listed with links for students to download easily. Basically, students will be able to download ALL the products but they can only install and use one copy of each product. Students can view their download history from DreamSpark. A list of the software that they have downloaded is available for viewing on DreamSpark’s My Download History page. They can just click the My Download History link located in the navigation panel to check it out.
Technical Assistance
If students encounter problems when downloading or accessing the software at the DreamSpark site, they can contact the DreamSpark Technical Support for assistance or visit the Student Lounge Forum to get help from the student community.
Reference:
1. Application for a CityU Windows Live account: http://www.cityu.edu.hk/csc/deptweb/services/email.htm
2. DreamSpark site: https://www.dreamspark.com/Default.aspx
3. DreamSpark privacy policy: https://www.dreamspark.com/policies/Privacy.aspx
BRIEF UPDATES
Launch of i-Assessment Danny Law
i-Assessment, a new web-based tool for course and programme management, was launched on 22 August 2011 for staff use from Semester A 2011/12. It is developed using the latest J2EE technologies and running on JBOSS (Java EE-based application server). The new tool is designed to cope with the student record management under the 4-year degree structure where students are admitted into Colleges/Schools with an undeclared major upon entry to the University and then select their major by the end of the first year of studies. It will also provide enhanced functionalities to capture student data on double majors, multiple minors as well as double degrees. In addition, the following main features are introduced: - easy access to different student summary lists on a single page - additional information on cohort, major, minor, stream and expected graduation term - enhanced sorting functions - enhanced e-mail functionalities for communication - direct link to Class List in AIMS for more comprehensive information To provide users with an overview of the new tool, two briefings were held in September 2011. More than 120 staff members attended the briefings
and they gave valuable feedback on the new functionalities.
i-Assessment will replace the i-CMS (Internet-based Course Management System), which has been used by staff members for more than 10 years, in October 2011. In the meantime, both systems will run in parallel with Semester A 2011/12 data available in i-Assessment and Summer Term 2011 data in i-CMS.
Further briefings focusing on entering of course grades and decisions on academic awards will be arranged in November 2011. Staff members will be notified of the arrangements in due course.
i-Assessment is available under ‘Useful Links’ of the e-Portal’s University Services (Staff) and ‘My Courses’ menu in AIMS
BRIEF UPDATES
University-wide Web Redesign Project Progress Web Redesign Team
The CityU website redesign project is probably the largest Web project the University has undertaken since its establishment. It benefits all central and departmental websites, covering close to a hundred websites and hundreds of thousands of web pages. It is the result of the collaboration of over a hundred IT and non-IT staff across all departments and units. The project is part of our continued effort in improving online user experience, user friendliness and accessibility as well as search engine optimization; strengthening our online branding and providing a consistent look-and-feel throughout all our websites. Using the latest Web technology, the new websites support modern mobile devices, such as smart phones and tablets. In the previous OCIO Newsletter, we highlighted the background of our University-wide web redesign project and its main objectives. In this issue, we would like to provide some update on the progress of this project. In the past few months, Central IT finalized a set of standard website guidelines and templates and made them available to everyone to follow (http://www6.cityu.edu.hk/redesign/). The templates greatly simplify the work needed by colleges, schools, departments and units to port their websites to the new design. Using the templates, for departmental websites, redesign can be a matter of days to a few weeks. The templates also ensure
that all the applicable Web standards and best practice are followed. Several Web redesign workshops were held in August and September 2011. In these workshops, we went over the project scope of the Web redesign project as well as the expected milestones and timeline. Step-bystep instructions were given to show how our templates can be used to simplify porting efforts. Following that, additional in-depth technical workshops were giving to further guide IT staff in development work. To help kick start departmental Web redesign efforts, Central IT has been providing various related consulting services in all departments and units. This included drafting tender specification and/or vendor selection for departments that plan to outsource the Web redesign work as well as a hotline for any Web redesign technical questions.
The above shows the new design of the CityU homepage (http://www.cityu.edu.hk/).
The University has been working quite aggressively on the project since early this year. The redesigned University homepage was recently launched on 3 October 2011. Since then, roughly a dozen other redesigned departmental websites were launched as well. The other remaining departmental websites will be launched within the coming one or two months. With our modern HTML5/CSS3-compliant templates, all the new CityU websites will automatically be mobile-enabled and will display properly in all the popular mobile devices and smart phones.
The above shows what the CityU website looks like on an iPhone and iPad.
IT Security Awareness Series by JUCC

With the aim of enhancing the IT security awareness of the CityU community, KPMG was commissioned by the Joint Universities Computer Centre (JUCC) to prepare a series of articles on IT security, which are adopted and published here for your reference.
Password Management

I. Background

Industry Story

Sony Hack Reveals Password Security is Even Worse than Feared

A million Sony users’ password / username IDs and 250,000 Gawker login credentials, each stored in plain text, were exposed via separate hacks. An analysis by security researcher Troy Hunt revealed that two-thirds of users with accounts at both Sony and Gawker used the same password on both sites. Half the password sample from the Sony hack used only one character type and only one in a hundred passwords used a non-alphanumeric character, much the same as revealed by the earlier Gawker hack. Only 4 per cent of these passwords had three or more character types. In addition, around 36 per cent of the passwords used appeared in a password dictionary, a factor that would leave them wide open to brute-forcing attacks. The data gleaned by Hunt from the Sony hack shows that this is unlikely to be some sort of statistical quirk. On the contrary, by any metric, consumer password security revealed via the Sony hack is dire.

See the article: (http://www.theregister.co.uk/2011/06/08/password_re_use_survey/)

Password Management Overview

Passwords are secret strings of characters that are used for authenticating users and gaining access to information resources. As the authentication method used by most of the universities’ information systems today, an appropriate management framework of passwords plays a significant role in sustaining information security within universities. The objective of password management solutions is to reduce the risks of passwords being compromised due to inappropriate user behaviours or security threats caused by malicious activities. Typical components encompass processes and technologies that regulate the provision and storage of user account IDs and passwords across the information systems within organisations such as universities.
II. Management

In general, management should ensure that formal policies and procedures have been established to govern the allocation of passwords to authorised personnel and the strong password requirements in accordance with industry standards. Such policies and procedures should be consistently implemented, either through manual processes or automated controls, across all academic / administrative divisions and information systems to enforce general users’ compliance with the common practices (please refer to Section III General Users for recommended password requirements). In addition, the implementation can be further enhanced through implementing various password management technologies.

Three common practices are employed by most of the password management solutions today: 1) single sign-on technology; 2) password synchronisation; and 3) local password management. These practices are designed to minimise the risk of password compromise because of human factors, such as passwords being written down in clear text, passwords being logged when typed at keyboards, or weak passwords created for the ease of use. Nevertheless, these practices may also cause other security risks to which the management should pay attention during implementation.

Single Sign-On Technology
• Implementation
Single sign-on (“SSO”) technology allows a user to be authenticated once and gain access to all information resources that he or she is authorised to use. The user is only required to enter the user account and password to SSO software, which performs authentication to individual resource using unique and strong passwords, and meanwhile keeps this process transparent to the user. The benefit of using SSO is that users are not required to remember multiple strong passwords for individual resources. Instead, the SSO software will enforce it automatically for them.

There are different possible architectures for SSO technologies. One common example is to have a Kerberos-based authentication service for user authentication and a centralised database or directory service (e.g. Lightweight Directory Access Protocol Server) for the storage of authentication information for individual resources.

• Security Concern
The nature of SSO brings a single point of failure to users at the centralised servers hosting users’ authentication credentials of individual resources. The availability of the centralised server affects the availability of all the resources which rely on the SSO services for authentication.

The security of the centralised server is particularly important since any compromise of the server will lead to the compromise of credentials for many resources. Management should harden the centralised server and encrypt the transmission of authentication credentials to prevent this single point of failure from being exploited.

Password Synchronisation

• Implementation
Password synchronisation is similar to SSO from users’ perspective. The user is only required to remember one password to gain access to all the authorised resources. However, no centralised directory or authentication server is required for using password synchronisation to perform authentication to individual information resources. Instead, their passwords are automatically synchronised to the same password as the one typed in and remembered by the user. Although using password synchronisation does not reduce the number of authentications required to gain access to individual resources, its implementation is easier and less expensive than SSO technologies since no centralised server is required to store authentication credentials.

• Security Concern
There is a major security disadvantage of password synchronisation. Since the passwords to all resources are the same, the compromise of any instance of the password, especially the low-security resource, will lead to the compromise of all the resources under the same password synchronisation solution. Prior to implementing password synchronisation solutions, management should establish additional controls that enforce users to choose strong passwords.

Local Password Management

• Implementation
Local password management utility allows users to remember only one master password to gain access to the usernames, passwords and account numbers of other information resources. Users usually select an account from a list, giving command to the utility to copy the corresponding password. The password can then be pasted by users onto the authentication field of the target information systems or applications. Local password management software can be installed on users’ computers. Some software also supports the storage of passwords on a removable media instead of local storage, which introduces an extra layer of protection enforced by the ad-hoc connection of the password storage and the computers. For example, Kaspersky password manager can be installed on a mobile device. Once the device is removed, the password database is automatically locked and any trace of the password data is removed from the host machine.

• Security Concern
The security of the passwords stored within local password management utility is highly dependent on the security enforced on users’ computers or devices because they are installed locally. Management is recommended to choose local password management software that has a timeout feature to automatically lock the stored passwords from being copied after a certain period, such as five minutes. The buffer (used to copy and paste passwords) should also be cleared automatically by the software after the password is pasted onto the authentication fields by users.
III. General Users

Common Practices to Be Followed by General Users

• Use Strong Passwords
From the users’ perspective, it is essential to develop awareness of the use of strong and complex passwords. The following is an example of password strength recommended by the Centre of Internet Security (“CIS”) for a Windows XP desktop computer:

Password Parameter | Password Strength Requirement
Minimum Password Length | Create a password of minimum 8 characters
Maximum Password Age | Change the password every 90 days in maximum
Password Complexity | Create a password with an uppercase character, a lowercase character, digits and non-alphanumeric characters
Password History | Do not reuse the previous 24 passwords
Force first time password change | Change temporary passwords at the first log-on
• Never Write Down Your Passwords
Despite the implementation of SSO or password synchronisation, there are still plenty of passwords required to be remembered by the user. However, users should never write down their passwords for the ease of use. This will increase the risk of passwords being compromised, which may result in sensitive information being accessed by unauthorised personnel or even the information systems / networks of universities being attacked.

• Do Not Disclose Your Passwords to Any Third Party
Users should be aware that their individual passwords must not be shared with other users to gain access to resources or applications. This is because the original use of password is to facilitate identification and authentication so that relevant resources can only be accessed by authorised individual users based on their identity. Disclosure to third parties not only compromises the confidentiality of passwords but also imposes serious security risks on the information resources affected. Users should change their passwords immediately if there is any evidence.

Nevertheless, there are also industrial best practices and users are advised to:
• avoid keeping a record (e.g. paper, software file or hand-held device) of passwords, unless this can be stored securely and the method of storing has been approved;
• not include passwords in any automated log-on process, e.g. stored in a macro or function key;
• not share individual user passwords;
• not use the same password for business and non-business purposes; and
• change passwords whenever there is any indication of possible system or password compromise.
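The CIS parameters listed under "Use Strong Passwords" can be enforced automatically when a user changes a password. The following is an added example, not part of the JUCC article: the function names, the PBKDF2 work factor and the sample passwords are assumptions made for illustration, and the password history is kept as salted hashes rather than in plain text.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Parameters from the CIS table in the article.
MIN_LENGTH, MAX_AGE_DAYS, HISTORY_DEPTH = 8, 90, 24
PBKDF2_ROUNDS = 100_000  # assumption: work factor picked for this example
TYPES = {"upper": str.isupper, "lower": str.islower, "digit": str.isdigit,
         "symbol": lambda ch: not ch.isalnum()}


def missing_types(password):
    """Character types required by the complexity rule that are absent."""
    return sorted(n for n, test in TYPES.items() if not any(map(test, password)))


def hash_password(password, salt=None):
    """Salted PBKDF2 record, so the history never holds plain text."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """True if the candidate matches one of the last HISTORY_DEPTH records."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history[-HISTORY_DEPTH:]
    )


def check_new_password(password, history):
    """Return the list of policy violations (empty means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    missing = missing_types(password)
    if missing:
        problems.append("missing character types: " + ", ".join(missing))
    if in_history(password, history):
        problems.append("matches one of the previous %d passwords" % HISTORY_DEPTH)
    return problems


def must_change(last_changed, today, temporary=False):
    """Temporary passwords and passwords older than MAX_AGE_DAYS must change."""
    return temporary or (today - last_changed) > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample history and candidates, not real credentials.
    history = [hash_password(p) for p in ("Autumn#2010", "Winter#2011")]
    for candidate in ("password", "Winter#2011", "Spring#2012x"):
        print(candidate, "->", check_new_password(candidate, history) or "accepted")
    print(must_change(date(2011, 7, 1), date(2011, 10, 3)))
```

Each history record stores its own random salt, so a reuse check has to re-derive the candidate against every stored record; that cost is bounded by the 24-entry history depth.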
Conclusion

The protection of password-based authentication system requires the commitment of both the management and the general users in universities. Password management solutions are available for centralising the management of passwords to minimise the risk of compromise. Nonetheless, users should also be responsible for the security of their passwords and raise their awareness of password protection on top of operational convenience.
Reference:
1. http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf
2. http://www.ogcio.gov.hk/eng/prodev/download/s17.pdf
3. http://www.kaspersky.com/kasperskypassword-manager
4. http://benchmarks.cisecurity.org/tools2/windows/CIS_WindowXP_Nenchmark_v2.01.pdf
Copyright Statement All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (“JUCC”). Copyright and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of the copyright holder, is a violation of copyright law. A single copy of the materials available through this document may be made, solely for personal, noncommercial use. Individuals must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others, whether or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this document are listed below: copyright@jucc.edu.hk Joint Universities Computer Centre Limited (JUCC), Room 223, Run Run Shaw Building, c/o Computer Centre, The University of Hong Kong, Pokfulam Road, Hong Kong
Statistics at a Glance

Internet Bandwidth
Averaged Monthly Internet Bandwidth (Jul 2010 - Jul 2011)
AIMS Login Counts
Monthly AIMS Login Counts (Jul 2010 - Jun 2011)
Blackboard Login
Spam Statistics
Monthly Spam Statistics Sep 2010 - Aug 2011
LLS Computer Usage
LLS Computer Usage Sep 2010 - Aug 2011 (Distinct LLS Computer)
DLS — Student Notebook Computer Daily Loan Scheme
DLS Computer Usage Sep 2010 - Aug 2011 (Distinct DLS Computer)
DLS Computer Usage Sep 2010 - Aug 2011 (Total Login)
DLS Computer Usage Sep 2010 - Aug 2011 (Distinct User)
WLAN – Wireless LAN
WLAN Connection Chart Sep 2010 - Aug 2011 (Distinct Staff and Student)
WLAN Connection Chart Sep 2010 - Aug 2011 (Total Login)
WLAN Connection Chart Sep 2010 - Aug 2011 (User Type)
Glossary Corner
IT Concepts from Wikipedia
Andy Chun (ed.)

Google+ (pronounced and sometimes written as Google Plus, sometimes abbreviated as G+) is a social networking and identity service, operated by Google Inc. The service was launched on June 28, 2011. Google+ integrates social services such as Google Profiles and Google Buzz, and introduces new services Circles, Hangouts, Sparks, and Huddles. Google+ is available as a web site, and will be available as a desktop application, and is already available as a mobile application, but only on the Android and iOS operating systems. Sources such as The New York Times have declared it Google’s biggest attempt to rival the social network Facebook. On July 14, 2011, Google announced that Google+ had reached 10 million users just two weeks after it was launched in a “limited” trial phase. After 4 weeks in operation, it had reached 25 million unique visitors.

Features:
• “Circles” enables users to organize contacts into groups for sharing
• “Hangouts” are places used to facilitate group video chat (max 10 people)
• “Huddle” is a feature available to Android, iPhone, and SMS devices for communicating through instant messaging within circles.
• “Instant Upload” is specific to Android mobile devices; it stores photos or video in a private album for sharing later.
• “Sparks” is a front-end to Google Search, enabling users to identify topics they might be interested in sharing with others; “featured interests” sparks are also available, based on topics others globally are finding interesting. Sparks helps to keep users posted on the latest updates on the topics of their interest.
• In the “Stream,” users see updates from those in their circles. The input box allows users to enter a status update or use icons to upload and share photo and videos. The Stream can be filtered to show only posts from specific Circles.
• “Games” (Social Gaming) had 16 games when launched on August 11, 2011. Unlike Facebook games, Google+ games are located under a games tab which gives games less visibility, with notifications that are separate from the rest of a user’s notifications.
• Google+ has a “+1” button to allow people to recommend sites and parts of sites similar in use to Facebook’s Like button.
• Similar to other Google applications, Google+ provides integration with other Google applications like Gmail, Calendar, Documents, etc.
• A “Data Liberation” option provides the ability to download one’s content from Google+.

This article uses material from Wikipedia. The Author(s) and Editor(s) listed with this article may have significantly modified the content derived from Wikipedia with original content or with content drawn from other sources. The current version of the cited Wikipedia article may differ from the version that existed on the date of access. Text in this article is available under the Creative Commons Attribution/Share-Alike License.
Editorial Box

OCIO Newsletter Advisory Board
Dr. Andy Chun (OCIO)
Ms. Annie Ip (OCIO)
Mr. Raymond Poon (CSC)
Mr. Peter Mok (CSC)
Mrs. W K Yu (ESU)

Publishing Team
Ms. Noel Laam (CSC)
Ms. Annie Yu (CSC)
Ms. Joyce Lam (CSC)
Mr. Ng Kar Leong (CSC)
Mrs. Louisa Tang (ESU)
Ms. Doris Au (OCIO)

For Enquiry
Phone 3442 6284
Fax 3442 0366
Email cc@cityu.edu.hk

OCIO Newsletter Online
http://issuu.com/cityuhkocio