Middleware Planning and Deployment 101: Setting the Stage

1
Middleware Planning and Deployment 101
Setting the Stage

• Keith Hazelton, University of Wisconsin-Madison/In
  ternet2
• Renee Woodten Frost, Internet2/University of
  Michigan

2
Agenda

• Introductions
• Middleware What and Why?
• Concepts and Architectures
• Discussion
• Break
• Building a Business Case
• Discussion
• Research and Resources

3
MW 101 Outcomes

• Understand what middleware is
• Recognize the value of a common middleware
  architecture
• Begin planning for your own business case

4

• Middleware in Action

5

• Dr. Alice Agnew has just been hired to Chair the
  Dept. of Physiology and is very anxious to get
  access to campus IT resources such as e-mail,
  calendar, web services and the mainframe and
  cannot wait for the requisite 3-5 business days
  it takes to get the accounts setup. Since IT
  already knows of her through the HR system, she
  can use a self-service interface to accomplish
  this goal. And because her new institution has
  her new credentials, she does not need to give
  her research consortium new credentials.

6
Dr. Alice Agnew

• Self-registration
• Minimal time delay for enabling services
• Administrative data flows to research
  applications
• Administrative and security services integration
• Privacy trust
• Inter-organizational impact
• University vouches for and acts on behalf of
  Alice

7

• Mary has been reported to the Dean of Students
  for plagiarism. Through the campus portal, the
  Dean with authorization, accesses the Student
  Information System, where he searches for Marys
  record. He places an electronic hold on it and
  sends an e-mail to Mary requesting her presence
  at a preliminary discipline hearing. Minutes
  later, Mary cannot check out library books, enter
  restricted labs, use the student health
  facilities, or access her computer files. After
  reviewing Marys case, the Dean finds the
  accusation in error and removes the hold,
  restoring Marys access within minutes.

8
Mary

• Decision maker performs action
• Integration of services
• Increased security
• Status change affects service offerings
• Short-time to disable and enable services
• Suite of services

9

• Sam is taking a class in genetics at Alpha U
  and needs to do some research for a paper. At
  lunch, he goes online to access a restricted
  EBSCO database AU shares with Beta U. A window
  pops up in the browser asking if its okay for AU
  to give EBSCO information about his status ---
  only students from subscribing institutions can
  access the database. He clicks ok, knowing that
  only his status is passed, not his name or
  contact information. The browser then loads the
  restricted website.

10
Sam

• Privacy trust
• Sam controls personal information flow
• Administrative and security services integration
• Inter-campus access
• University vouches for and acts on behalf of Sam

11
What is IT being asked to do?

• One stop for university services (portal)
  integrated with course management systems
• Email-for-life
• Automatic creation and deletion of computer
  accounts
• Submission and/or maintenance of information
  online
• Privacy protection

12
More on the to do list

• Multi-campus scanning electron microscopes
• Integrated voicemail, email, and faxmail for
  Advancement staff
• Secure PDA and wireless support
• All-campus email announcements (spam)
• Expensive library databases shared with other
  schools by joint agreement
• Browser or desktop preferences follow you

13
What questions are common to these scenarios?

• Are the people using these services who they
  claim to be?
• Are they a member of our campus community?
• Have they been given permission?
• Is their privacy being protected?
• What is the answer?

14

• Enterprise Middleware Definitions

15
Middleware

• Specialized networked services that are shared by
  applications and users
• A set of core software components that permit
  scaling of applications and networks
• Tools that take complexity out of application
  integration
• A second layer of the IT infrastructure, sitting
  above the network
• A land where technology meets policy
• The intersection of what networks designers and
  applications developers each do not want to do

16
Map of Middleware Land
17
What is middleware?

• Suite of campus-wide security, access, and
  information services
• Integrates data sources and manages information
  about people and their contact locations
• Establishes electronic identity of users
• Uses administrative data to assign affiliation
  and gives permission to use services based on
  that role

18
Definitions Identifiers

• Identifiers your electronic identification
• Multiple names and corresponding information in
  multiple places
• Single unique identifier for each authorized user
• Names and information in other systems can be
  cross-linked to it
• Admin systems, library systems, building systems

19
Definitions Authentication

• Authentication maps the physical you to an
  electronic identifier
• Password authentication most common
• Security need should drive authentication method
• Distance learning and inter-campus applications

20
Definitions Authorization

• Authorization services allowing you access to
  data and services
• Affiliated with the school (role)
• Permitted to use the services based on that role

21
Definitions Enterprise Directory Services

• Enterprise Directory services - where your
  electronic identifiers are reconciled and basic
  characteristics are kept
• Very quick lookup function
• Machine address, voice mail box, email box
  location, address, campus identifiers

22
Underlying Concepts Architecture
23
What IT needs to do

• Determine who you are
• Determine what resources you can use

24
What IT needs to do

• Possible ways it might do that
• Ask you to login and look up info in its own
  database.
• Ask you to login in and look up info in a common
  database.
• Trust some other source to assert needed info
  (and other source might ask you to login).
• Examples
• Videoconference current network address
• Video for course enrolled in the course
• Email or calendar University username
• Library resource current member of the set of
  licensees

25
Pause for some terminology

• Identity set of attributes.
• Attributes specific information stored about
  you.
• Authentication process used to prove your
  identity. Often a login process.
• Authorization process of determining if policy
  permits an intended action to proceed.
• Customization presentation of user interface
  (UI) tailored to users identity.

26
Three service architectures1 Stovepipe (or
Silo)

• Service performs its own authentication. Consults
  own database for authorization and customization
  attributes.

service
authN
attrs
27
1 Stovepipe (or Silo) Architecture
Characteristics

• Stovepipes authentication and attribute services
  are run by separate offices.
• Environment is more challenging to users, who may
  need to contact each office to arrange for
  service.
• No automated life cycle management of resources.
• Per-service identifiers and security practices
  make it more difficult to achieve a given level
  of security across the enterprise.

28
Three service architectures2 Integrated

• Service refers authentication to and obtains
  attributes for authorization and customization
  from enterprise infrastructure services.

authentication service
service1
service2
attribute service
An Organization
29
2 Integrated Architecture Characteristics

• Enterprise authentication and attribute services
  are run by a central office.
• All attributes known by the organization about a
  member can be integrated and made available to
  services.
• Automated life cycle resource management is
  possible across the enterprise.
• Common identifiers across integrated services
  make an easier and more secure user environment.

30
Three service architectures3 Federated

• Service refers authentication to and obtains
  attributes for authorization and customization
  from possibly external infrastructure services.

authentication service
service
attribute service
Organization 1
Organization 2
31
3 Federated Architecture Characteristics

• Federated authentication and attribute services
  rely on participating organizations enterprise
  services.
• Inter-organizational applications such as Grids
  and digital-library content provision are
  integrated with and facilitated by enterprise
  services.

32
Middleware Initiative Objective

• Help prepare campuses to implement core
  middleware for an integrated and ultimately a
  federated architecture.

authentication service
service1
service2
attribute service
An Organization
33
Core middleware for an integrated architecture
34

• Vignettes Revisited

35
Vignette analysis

• Set of vignettes portray
• Seamlessness of transitions between services
• Independence of location of service or user
• Suites of services designed to support activities
  of different constituencies
• Absence of need to make prior arrangement for
  resources required to enable services
• Services rendered in airport waiting areas
  remotely

36

• Provisioning Vignette Dr. Alice Agnew begins as
  department chairltto modelgt

authN
Metadirectory
HRS
attrs
Acct Init Service
37

• Integrated Services Vignette Mary accused of
  plagiarismltto modelgt

Mailbox
Lib Proxy
authN
Files
attrs
Building access
Health Facilities
38

• Federated/Restricted Resources Vignette Sam
  using remote, online database ltto architecturesgt

Database1
Content Provider
Federation
? University
Database 2
? University
39

• Refreshment Break

40
Building the Business Case
41
Business Case Components

• By definition, middleware cannot be effective
  unless it maps closely to an institutions
  business policies and practices. In this
  context, a strong business case will
• Outline the Institution-specific Drivers
• Articulate the Opportunities Challenges
• Define the Benefits
• Enumerate the Costs

42
Groups to Consider

• Business case audience
• Select stakeholders and possible champions
• Stakeholders
• Executive Leadership
• Business and Finance VPs
• HR Directors and Registrars
• CIOs
• IT staff
• Program Directors and Data Stewards
• Auditors and Risk Managers
• Faculty
• Staff
• Students

43
Institution-specific Drivers

• Internal Drivers
• Specific application(s)
• Financial
• User expectations
• External Drivers
• Federal/state legislation
• E-enterprise functions
• Inter-institutional collaboration

44
Opportunities

• Legislative pressure to reduce paperwork, secure
  information, and deploy electronic services
  (grants, financial aid, HIPAA, etc.)
• Interdisciplinary and inter-institutional
  research and collaboration
• Changing needs of teaching and learning
• User expectations of access to technology
• Budgetary pressures

45
Benefits to the Institution

• Economies for central IT - reduced account
  management, tighter network security
• Economies for distributed IT - reduced
  administration, access to better information,
  easier integration of depart. applications...
• Improved services for students and faculty -
  access to scholarly information, control of
  personal data, reduced legal exposures...
• Participation in future shared environments -
  Grids, videoconferencing, digital libraries, etc.
• Participation in new collaborative initiatives -
  Shibboleth, Inter-institutional resource sharing

46
Benefits Specifically . .

• Achieves Economies for Central and Distributed IT
  organizations
• Access to primary user identity sources such as
  HR, Payroll, SIS, and secondary sources such as
  library, parking, alumni assoc., etc. can be more
  effectively managed by fewer people saving time
  and money
• Access to any one of these services can be
  enabled or disabled more readily
• Access to a range of services can be accomplished
  more quickly and in a more coordinated manner
• Deployment time for new applications is reduced

47
Benefits Specifically . .

• Enhanced Security
• A secure enterprise directory can
• Be used to manage access to multiple
  apps/services (web, remote access, etc.) to the
  entire institutional community
• Facilitate differential access to wireless ports,
  restricted content, restricted listservs, etc.
• Allow identity management to be administered by
  fewer staff
• Simplified Network and on-line service access
• A common middleware infrastructure can enable
  single sign-on access to a larger range of
  customized and personalized services

48
Challenges

• Investing the time and effort for planning,
  review and negotiation
• Surviving the politics of reviewing/revising data
  stewardship policies and procedures
• Resource reallocation People and !
• Covering up-front costs
• Finding to build/maintain data feeds from
  authoritative data sources to central directory
• Potential legal risk WRT publishing personal data
  in white pages

49
Expected Costs to the Institution

• Modest increases in capital equipment and
  staffing requirements for central IT
• Considerable time and effort to conduct campus
  wide planning and vetting processes
• One-time costs to retrofit some applications to
  new central infrastructure
• One-time costs to build feeds from legacy source
  systems to central directory services
• The political wounds from the reduction of
  duchies in data and policies

50
Enterprise Directory Costs

• Phase 1 Building the Enterprise Directory
• Hire new staff vs. Repurpose current staff
• New equipment/software vs. Use of existing
  resources
• Phase 2 Deploying Applications
• Application dependent, but ROI is high
  considering
• Cost Savings
• Lost Productivity
• Increased Opportunity
• Increased Security

51

• Where are you in your business case process?

52
Research and Resources
53
Research Community

• Expert, diverse leadership and collaborators
• Broad participation and review
• MACE and related working groups
• NSF catalytic grants
• Early Adopters
• Higher Education Partners
• campuses, CNI, CREN, GRIDS, NACUBO, NACUA
• Government Partners
• NSF, NIH, NIST, fPKI TWG
• Corporate Partners
• Liberty Alliance, IBM, Sun, WebCt, Radvision,
• International communities
• Standards bodies
• IETF, ITU, OASIS

54
NSF Middleware Initiative

• NSF award for middleware integrators to
• GRIDS Center
• Globus (NCSA, UCSD, University of Chicago, USC/
  ISI, and University of Wisconsin)
• NMI-EDIT Consortium
• Internet2, EDUCAUSE, and SURA
• Separate awards to academic pure research
  components
• Build on the successes of the Globus project and
  Internet2/MACE initiative
• Multi-year effort
• A practical (deployment) activity that
  necessitates some research
• Releases occur every six months, roughly May and
  October

55
ResearchWorking Groups/Projects

• Directories
• Group Utilities
• Directory Management Utilities
• Practice Papers and Implementation Roadmap
• Directory Schema
• Shibbolet Inter-institution web access
• PKI HEPKI-TAG PAG, S/MIME, PKI Labs
• Middleware for Video VC, Video on Demand
• Medical Middleware

56
Enterprise Middleware Resources Available

• NMI-EDIT Release Components
• Software
• Directory Object Classes
• Conventions and Practices
• Recommended Practices
• White Papers
• Policies
• Services

57
Enterprise MiddlewareEducational Opportunities

• Workshops
• Pre-conference Seminars at EDUCAUSE Regional
  Meetings
• (Like this one)
• Campus Architectural Middleware Planning
  Workshops
• CAMP June 4-6, 2003
• Management and Technical staff
• Campuses beginning implementations
• Advanced CAMP July 9-11, 2003
• Highly technical
• Research topics
• Campuses with mature directory and authentication
  infrastructures

58
On-line Resources Available

• Introductory Documents
• Sample Middleware Business Case and corresponding
  Writers Guide
• Identifiers, Authentication, and Directories
  Best Practices for Higher Education
• Identifier Mapping Template and Campus Examples
• See resource list

59
Websites and Discussion Lists

• Websites
• http//middleware.internet2.edu
• http//www.nmi-edit.org
• Look for the Enterprise Implementation
  Directory Roadmap Coming in April!
• Middleware information and discussion lists
• http//mw-announce_at_internet2.edu
• http//mw-discuss_at_internet2.edu
• NMI lists (see websites)
• EDUCAUSE Constituency Group on Middleware
  Coming Soon!

60
Contacts

• Keith Hazelton
• University of Wisconsin-Madison/Internet2
• hazelton_at_doit.wisc.edu
• Renee Woodten Frost
• Internet2/University of Michigan
• rwfrost_at_internet2.edu