Much of our inaugural year was spent devising a high-level strategy that addresses the recommendations made in the Review of IT Infrastructure and Support (2013). An essential part of this has been increasing our engagement with the wider IT community to ensure that future services are designed around University users' needs. This feedback, and an intensive programme of 'workstrands' devoted to scoping best practice in the IT service industry, informed the organizational design process, the first phase of which is now complete.
Of course, alongside all the scoping and planning activity, it was 'business as usual' when it came to the operation and development of the that UIS now delivers. 2014 saw the fruition of two major enabling IT infrastructure projects. A number of online services benefitted from major upgrades, and some new services were launched, aimed at improving the end-to-end student experience at Cambridge.
Open(SSL) heart surgery
Following the strategic move towards a single UIS Password and the launch of the UIS Password Management Application earlier in the year, we successfully trained in excess of 150 Institutional IT staff in the security issues and legal implications of managing personal data. Staff who passed the exam were authorized to become password resetters within their institutions so they can issue to local users who have forgotten their passwords. Nearly all Institutions now have at least one local password resetter.
April brought challenges for our security and systems development teams, who had an 'exciting' few days mitigating the risks introduced by a serious vulnerability exposed in OpenSSL, dubbed 'Heartbleed'. This compromised the security of the public keys used by our TLS web server certificates. Our developers were able to provide timely advice during the breaking story, while working to identify manually the 250 servers on the network that were potentially vulnerable, and warn their administrators.
As a result, we were asked to re-issue 80 SSL certificates. This was no mean feat, as it is a time-consuming manual process involving several steps to revoke and re-issue each certificate. UIS was able to reclaim the cost of replacing 50 of these from JANET, and bore the cost for the remainder on behalf of the affected Institutions. In all, our user admin and dev teams spent around 6 man-days in supporting and resolving this issue.
April also saw the opening of a new videoconferencing facility on the West Cambridge Site, and for the trial period of AY 2014/5, we have dropped the standard £40/hr charge for hire of our videoconferencing services and equipment loans.
DS-Files got a major upgrade that improved the user interface and provided a dedicated mobile app for iOS and Android users. Later in the year, individual users' personal filespace allowance was increased to 3Gb.
We also completed an upgrade of the Oracle E-Business Suite financial system (CUFS) to R12. This will provide the University with a Finance System that is 'fit for purpose' going forward, as the previously implemented version had reached the end of extended support from Oracle at the end of November 2013.
All work and no play
This was certainly true for the University's students, as the main exam period began. In 2014, our examinations under special conditions service enabled more than 240 students to sit nearly 600 separate examinations. UIS provides both the venue, and the secure Desktop images required to hold the examinations, as well as technical staff providing support both during the week and over weekends and Bank Holidays.
The Networks team, meanwhile, were busy extending the GBN and rapidly gaining new skills and experience in outdoor wireless network provisioning, while systems development activity was focused on improving the pre-arrival student experience.
UniOfCam wifi network tested on Tour de France crowds
In sharp contrast, June was our moment in the . The Tour de France circus came to town, providing the perfect opportunity to launch the extended wifi service and volume test the new wireless access points the Networks team had installed along the race route around town. The wireless network map details coverage and usage statistics.
The project, jointly funded between the University and Connecting Cambridgeshire, brought lasting benefits for both town and gown: the wifi network access points (APs) will remain in place, giving Cambridge users wireless connectivity to the CUDN via the 'UniOfCam' wifi network (which replaced the old 'Lapwing' SSID), as well as enabling public access to BSkyB's free The_Cloud service.
Extension of the network continues. We now have APs installed on Jesus Green, as we work our way out towards the College boat houses, which will be connected to the GBN soon. The coming months will see the UniOfCam wireless service extend to cover the Sidgwick, Downing and West Cambridge sites, Christ's Pieces and the Cambridge Biomedical Campus.
Improving the student experience for this year's freshers
July brought the fruition of the pre-arrival student accounts project. The objective was to give Colleges and Departments a method of communicating with their new students before their arrival, by letting them collect their @cam email accounts and UIS Passwords.
This allows students limited access to Raven-protected resources, some UL journals and any course materials made available to them by their Institution.
The 3-month project provided our first opportunity for former-UCS and former-MIS colleagues to work collaboratively and experience each other's current working methodologies. 96% of students successfully collected their accounts before coming up this academic year.
No sooner were the new students' UIS computing accounts in place, than it was time for us to undertake the annual purge of old accounts, cancelling those of the 3,179 departing undergraduate students.
The rolling programme of quarterly updates to University-wide admin and student systems continued over the summer. In Release 3, the Web Recruitment System gained the functionality to gather immigration information directly from applicants who require a Tier 2 Certificate of Sponsorship (CoS), and an automatic purge policy to expunge data we shouldn't retain. It also introduced the ability for recruitment administrators to run reports directly from within the system itself. These incremental steps are paving the way for the major Release 4 upgrade later in 2015. The Moodle virtual learning environment was also enhanced.
Nearly all quiet on the western front...
On 1 August, the High Performance Computing Service (HPCS) officially joined UIS, completing the first stage of the merger process.
After all the frenetic activity of the previous few months, August was comparatively quiet – that was, until all hell broke loose here at the Roger Needham Building (RNB). During scheduled fire suppression system testing by external engineers, a fault triggered an emergency evacuation of the RNB, setting in motion a chain of events that would ultimately lead to the UPS going into emergency mode and activating its first stage shutdown. This caused a loss of power to our machine room which, in turn, wiped out all in/out communications to the RNB. This, of course, should not have happened.
Most UIS systems are designed to failover to other machine instances automatically. This meant that most UIS services continued to operate as normal for everyone outside the RNB, Hermes email servers being the notable exception (for good reason).
After some adrenaline-fuelled emergency re-wiring in our server room, all the RNB racks were brought back online within an hour; Hermes was back online after 2 hours, having been fully checked to verify that there had been no loss of data during the disruption. Following the regrettable incident, we have been working closely with Estates Management and external engineers to understand why we had a single tier activation system that cut power, rather than a double tier activation system that didn't, as had been specified originally.
Major service upgrades to save website managers' time
During September, several end-user services launched major upgrades: users of the University Map gained the ability to export and print custom maps, making it easy to create maps to print or email, or to export high resolution map artwork for litho printing or large format graphics.
The Streaming Media Service (SMS) is the University's central online media repository, where staff can publish audio and video media. The upgrade introduced fine-grained user access control to include individual people, Lookup Groups and Institutions in addition to the existing 'Raven' and 'World' options, as well as smart auto formatting technology that streams the best file format for each user's device. Both the University Map and SMS now have built-in support for the oEmbed method, making it very easy to display dynamic views of the Map and streaming media from the SMS on other web pages.
The process for maintaining Shibboleth metadata has also been streamlined, with the manual process being replaced by an online interface allowing website administrators to upload and maintain metadata themselves and to grant update and delete access to others; metadata changes now take effect almost immediately.
Plans for the future of the Managed Web Service (MWS) were announced, and user feedback invited. Our intention with v3 of the MWS is to introduce a hosting service much more akin to that offered by external hosting companies, at a very competitive price. Website managers will have control of the configuration of their site – hosted in an Apache-based environment on a virtual machine (VM) running Linux – and the amount of technical knowledge required will be significantly reduced in comparison with the current free service. The MWS v3 alpha demo control panel was made available to the wider IT community for testing and comment in October.
Preparing for the demise of SHA-1 certificates
Also in October, the world discovered the 15-year-old SSLv3 protocol was no longer fit for the purpose of securely transporting data over the internet. The 'Poodle' vulnerability potentially allowed man-in-the-middle attacks via the SSL/TLS protocol. The fix was to disable the use of SSLv3 – both by individuals on their web browsers, and admins on their web servers – in favour of the TLSv1 protocol. The MCS and Admin cluster managed desktops were updated, as were most of UIS' web servers, and detailed advice was published for institutional web admins.
SHA-1 certificates were another ageing technology we began to phase out last year, in preparation for the browser vendors' scheduled adoption of . Since October 2014, all web server certificates issued by JANET through UIS' TLS Certificate Scheme include signatures based on the SHA-2 hash function, and should work seamlessly with all modern browser/platform configurations, although some minor web server reconfiguration is necessary during deployment. In a pro-active move, UIS renewed 382 current certificates that were due to expire post-2016, but which would have started to give error messages in Chrome from November 2014 onwards. Fortunately, we were able to automate much of this process this time, so it didn’t require as much resource as Heartbleed had consumed earlier in the year. Again, this was managed at no direct cost to the University, other than our staff time.
In which we get our hands on some new toys
November began with another test for the emergency power provision. A 45-second power dip occurred on the West Cambridge site one Sunday afternoon. Both the RNB and the new West Cambridge Data Centre detected the event and battery backups kicked in, keeping the services hosted there online. At the Soulsby building, however, around 50% of the RCBO power breakers tripped during the switch to battery, resulting in outages of a number of key UIS, Library and Astronomy systems. A full investigation swiftly followed; the findings were published, and two corrective maintenance have been .
November also saw the first UIS IT Exhibition (ITX) to be held here in the RNB. The modern building and an additional marquee provided a light and spacious venue for over 40 IT suppliers, large and small, who came to showcase their latest products, technologies and services, and engage with the University's IT community. Despite the move away from the city centre this year, a record number of visitors and exhibitors attended.
There was time for some fun on the day, too, and amidst the many big-prize competitions and freebies on offer, people enjoyed playing the 'sausage roll keyboard', trying out 3D printing pens, and a Minority Report-style hands-free user interface demo. Post-event feedback was encouraging from both visitors and exhibitors. We are already working on plans to evolve the event in 2015, trying a different format. Watch this space!
On the subject of 'new toys', the University took delivery of one of the biggest and shiniest (not to mention most valuable) 'new toys' imaginable – the West Cambridge Data Centre (WCDC). The state-of-the-art facility will enable many of the University's disparate machine rooms to be brought together into one industry-leading energy efficient, secure, fully managed facility. An innovative 'chilledwater' cooling technology was developed for the data centre project, which we expect to deliver an impressive reduction in carbon emissions and energy generation costs, as Ian Tasker, the data centre manager, explained to TechTarget. Work is now underway to complete the commissioning of the building and relocate equipment to it. The official opening, by Lord Sainsbury, will be on 19 March 2015.
The data centre will initially house equipment for the High Performance Computing Service (HPCS), Cambridge Assessment and UIS, with additional space available to meet future demand. The HPCS' current environment includes 600 Dell servers, with a total of 9,600 processing cores on Sandy Bridge–generation Xeon chips. Our GPU environment consists of a 128 node, 256 card Nvidia K20 GPU cluster, and claims to be the fastest in the UK. The University has begun to test Intel’s latest Xeon Phi chips to meet fast-growing demands from its users, and plans a larger rollout in 2016, as Paul Calleja, Head of the HPCS, explained to ComputerworldUK.
Goodbye VPDN, hello VPN!
On 18 December, the new VPN service was launched. It gives remote access to specialised local systems by securely connecting remote devices to the Cambridge University Data Network (CUDN). Just like the eduroam wireless network, it uses the UIS Network Identifier and UIS Network Access Token. Since the University's main online services are already available remotely via Raven authentication, most people will never need to use the new VPN service.
For the small number of users needing to access specialised systems within their Institution or Department, however, our new service provides higher security standards and supports a wider range of operating systems than the old VPDN service, which is scheduled for retirement on 27 April 2015. For UIS, the new system represents a move to updated hardware and software, enabling us to provide a more robust and user-friendly service. Early feedback suggests that easy set-up of the new VPN service is greatly appreciated by the people using it.
Rounding off the year, another infrastructure milestone was reached. The Granta Backbone Network (GBN) grew to over 1,000km of lit fibre. The GBN links 156 University and College sites, stretching from Girton College in the north-west of the city out to the Cambridge Biomedical Campus in the south-east.
To celebrate the GBN, the Networks team and PandIS (our Photography and Illustration Service) have designed a local take on a very familiar diagrammatic map showing the extent of the GBN network under the city. The design was featured on a range of promotional items at the ITX exhibition; this proved so popular that we have made the customised mugs and mobile device cases available to order online.
Looking ahead, 2015 is going to be a year of enormous change for everyone in Information Services as the new organizational structure is realised. Recruitment of the senior leadership team is in progress, with the new post-holders joining us in April, after which the detailed organizational design phase will begin.
At the strategic level, UIS will be working to support the Pro Vice-Chancellor for Education in developing future IT strategy. Specific initiatives will include a research computing pilot with the Clinical School, developing a new University-wide end user compute strategy, a data storage strategy, and refreshing University-wide ERP systems.
Work will continue on the development of UIS' service portfolio and service catalogue. A service catalogue pilot project is already underway, in partnership with the School of Arts and Humanities.
Planned infrastructure enhancements include increased capacity for the HPCS, and expansion of the CUDN to support the North West Cambridge development and other estates projects.
There are also plans underway to improve the services UIS provides, with new videoconferencing and 'soft phone' applications launching, new hosting services at the WCDC, a new online graduate applications process, a streamlined online software sales platform, and further deployment of the Moodle virtual learning environment.
UIS' ethos is to establish an effective collaborative working approach as the University moves towards a more federated IT service delivery model. As part of this, we look forward to meeting more of you at the many IT-focused talks, workshops and educational events we organise and host, and to actively working together to strengthen the IT community network at Cambridge.
As always, we welcome your input via firstname.lastname@example.org.