OSHEAN

Major Issues Statement:
Cloud Computing, Mobile Apps and
Federated ID

Version: 2

Introduction

For over a year, OSHEAN has studied the changing IT landscape, tracking several trends that impact the organization and its members. Of these trends, three that were considered “above the organization” emerged during 2010 as the main forces driving change in IT, and the June 2010 Member Forum focused exclusively on these three:

  • Cloud computing
  • Mobile applications
  • Federated ID

The Member Forum confirmed the growing sense that OSHEAN has already begun to move in a new strategic direction and that OSHEAN’s work for the foreseeable future is to manage the transition into this new space.

Part of the Member Forum used a structured roundtable conversation that served as an instant survey of members’ positions and attitudes regarding these issues. The participants discussed their results and put forth key ideas for moving forward.

This issues statement summarizes those recommendations, draws connections within and among the issues and responses, and uncovers a strong call-to-action from OSHEAN members to the organization.

Summary

Of the three issues, the last presents the smallest challenge to members. With high awareness of the overarching parameters, a clear understanding of the potential benefits and only a low level of user demand for the change in service, members seem most ready to approach Federated ID as a project.

Both Cloud computing and mobile applications raise serious concerns among some members while inspiring others to early action. Mobile applications – a new set of platforms for which members lack knowledgeable developers – present serious organizational issues for deployment, not to mention the inherent security concerns raised by mobile device use.

Cloud computing – the most complex and far-reaching of the three issues – raises for members systemic concerns that go to the heart of their organizations. In short, members widely agree that a future that involves cloud computing is a future in which IT is a very different kind of organization than it is today, one predicated more on service and less on specialized knowledge. Some have already started to move to this new space; others are unsure they want to go.

In the end, members called on OSHEAN to play a role in helping them negotiate each of the three issues, and the role is similar across the board. Members need OSHEAN to provide an internal development and piloting space, enabling collaborative workgroups to begin moving into these areas, developing expertise and sharing it with the broader membership.

Cloud computing

First and foremost, members expressed concern regarding the definition of “cloud computing”. Cloud computing represents a wide range of elements including off-site hardware, off-site software, virtual desktops, etc. But there is almost a second meaning, in that the applications created in the cloud are intrinsically collaborative. Thus, cloud computing also means distributed user groups, multi-editor documents and all the other issues associated with online collaboration. In particular, the collaborative nature of cloud computing can create frictions within individual member user communities, especially in the more hierarchical organizations.

Some members feel that cloud computing, while not yet fully vetted, lures organizations with promises of great cost savings. But are those cost savings realized? Are there other trade-offs that are not yet fully understood? What is the business model for cloud computing at a college, a research university or a hospital? Would it be legal to store court records in the cloud? In brief, these members feel that they may be exposing their organizations to unnecessary risks by shifting to an unproven architecture with inherent security, privacy and governance concerns in exchange for cost savings that may or may not be realized.

These more cautious members seek greater study of cloud computing with an emphasis on developing a strategic approach to the many issues involved.

Because a shift to cloud computing would reach to every corner of a member organization, many members view cloud computing “as a process” that involves the systematic retraining of user communities to transfer common business activities to the new platform. They see this process as far-reaching and lengthy in scope, far beyond what they would consider a “project”.

Governance and security concerns are perhaps too complex to deal with in the context of this issues statement, and members have specifically asked for the opportunity to study and test various approaches to these issues. Fortunately, thousands of organizations face the same core governance and security issues as OSHEAN members, and the broader community continues to work through them. In this regard, OSHEAN can draw from and, where appropriate or necessary, add to the community understanding of the issues and their solutions.

Also, cloud computing raises network capacity issues. What is the effect when almost all organization computing must travel over the Internet through a limited gateway?

Finally, members ask how shifting to cloud computing will affect the role that the IT department plays within the organization. Many see a need to learn new and, to some degree, foreign skill sets, including the creation of a core capability in customer service. In many cases, user demand for new cloud-enabled services is pushing member IT groups. Will IT cease being a provider and begin to act as a broker and facilitator? Will IT need to become a teaching group?

In an effort to answer the many questions cloud computing raises, members have asked OSHEAN to provide a private, internal cloud testing environment where they can develop and test solutions. As in the introductory definition at the beginning of this section, this environment allows users to experiment with these new hardware and software tools, but also to begin using the tools themselves to create greater amounts of collaboration among OSHEAN members.

Some members suggest forming a workgroup to lead the study. They suggest the work start with functions outside member core competencies as these functions are in demand, yet the member organizations lack full competency and can use the opportunity to learn more. Topics for the workgroup to explore include:

  • Developing definitions and nomenclature, giving members a consistent shared language around cloud computing
  • Developing a framework business plan for cloud computing that member organizations could tailor to their specific needs
  • Outlining best practices and solutions from the local region and the broader community
  • Identifying both low-hanging fruit and important gaps that need to be bridged
  • Identifying connections between Shibboleth issues and security in the cloud
  • Surveying peak bandwidth to determine how much capacity a cloud would require

Mobile Applications

As with cloud computing, members sought to define what “mobile” meant, particularly as it applies to their specific sector. What are the implications of mobile computing for higher education or health care? What applications should be developed and by whom? How will these applications serve member organizations’ individual missions?

As with cloud computing, some members have already developed mobile applications while others still seek more study. Of the OSHEAN member mobile applications, the most common are e-mail programs, automated campus tours and applications that connect learning institutions with alumni and prospective students. Several other applications track mobility of workers, students, vehicles or other physical assets.

Members suggested other applications that could be developed such as a tool that enables anytime-anywhere polling, a system to reserve library books or applications that directly enhance learning. Again, the questions arose. Where does an organization draw the line? Which features are required vs. which are desired?

Perhaps even more directly than with cloud computing, mobile applications’ need for instant access from any location creates important security issues. By its very nature, mobile computing sends sensitive data over wireless networks over which members have virtually no control. Who’s to blame, for example, if patient information is compromised?

Some members expressed concern that the increasing decentralization of business computing means increased demand for support. If member organization workers access business materials days, nights and weekends, will they demand that IT support them at all hours?

When members came to discuss likely next steps, they agreed broadly on several key issues to address. First, members seek guidance on the best platform for development. Should they jump into the 3G space or wait for the 4G build-out? URI supports Google’s Android platform while Brown supports Apple’s iPhone. Can OSHEAN support both?

One concern raised by several members involves the issue of internal knowledge. That is, very few member organizations have in-house capabilities in mobile application development, and some have only a general understanding of their uses. For the higher education organizations, student use of mobile devices so far outpaces staff and faculty that trends become fully developed and even decline before administrators become aware of them. Indeed, the greatest capability for mobile application development may not reside in the university IT departments but in the student body.

To some extent, mobile computing provides a forgiving space in which OSHEAN members can learn. Given the platform’s newness, very few organizations of any kind enjoy vast levels of experience, and users accept some degree of dysfunction or failure with applications, especially at launch. Quality levels of existing applications range from the elegant to the barely adequate. Thus, the definition of “success” in this realm provides new arrivals an easier entry to the market than with a more mature platform.

Members again have asked that OSHEAN provide an internal platform to support member learning in the mobile space. As with cloud computing, members seek an internal platform to develop test applications for internal use before creating an external platform (i.e., OSHEAN mobile app store) to support applications that drive member organization business processes.

Members agreed to form a mobile application workgroup to address issues including:

  • Developing a shared platform where members can work together to solve common problems and share what they have learned
  • Creating a common survey for students, health care workers, etc. to determine user needs
  • Assessing currently available and planned applications to avoid unnecessary development that duplicates existing solutions
  • Developing a protocol for creating “mobile ready” web pages
  • Evaluating the market for PhoneGap wrapper tools
  • Evaluating wrapper pilots and developing a version of wrapper
  • Hiring a consultant to bridge any gaps in knowledge and direct learning

Federated ID / Shibboleth / InCommon

Given the complexity and era-defining quality associated with cloud and mobile computing, issues regarding so-called Federated ID seem relatively mundane. But perhaps no issue goes more directly to the core of network computing than identity. From the earliest example (cf. The Cuckoo’s Egg), compromised identities lead to compromised networks. One need only re-read the cloud and mobile sections above to see the critical problems associated with security and, hence, identity.

For the most-active users, however, demands for individualized security regimes for each building, company or website become an onerous and much-hated burden. Few of these users realize that for their network administrators, who often manage several individual systems, the burden is greater.

Thus, from within and without, some IT organizations feel a need to consolidate identity management across systems and networks, and increasingly they are asking OSHEAN to help them develop the systems to do it. The core idea is to give users a single set of login credentials that let them access all systems from all locations.

To their advantage, OSHEAN members have already begun to assemble the elements of a solution and to work through the issues associated with implementation. And the broader community continues to develop solution components.

However, other members feel that this issue is not yet ripe and seek further study. Also, they do not feel an acute need to implement ID management at the expense of other priorities. This divide among members reflects similar gaps in opinion regarding cloud and mobile computing.

At present, some member organizations use the open source product Shibboleth to “federate” their user authentication systems. These members report that “the technology is the easy part”, while crafting the sharing agreements has proven more difficult. Specifically, to what standards should participants be held? Who sets the standards? How is compliance assured?

For now, these members have adopted the InCommon standard and protocols that include auditing to ensure compliance. Having a broadly-accepted standard helps institutions take what to some must seem like a risky step – sharing the information that, if abused, would render them vulnerable to unthinkable attack.

Even with InCommon, some member organizations are not prepared to move forward so quickly. ID management presents many specific technical challenges. Given the stringent security requirements of the most sensitive systems, can they fit into the broader managed identity structure? How does the security manager differ from a portal? What resources will be required? What effect on network performance?

Some even question the basis of the idea. Given that a single compromised identity would result in multiple compromised networks, would this not make us more vulnerable?

Again, members ask OSHEAN to provide an internal platform to help them develop pilot projects to work through these issues. Also, they ask OSHEAN to provide support for Shibboleth and to pilot Federated ID among the members.

Conclusion

OSHEAN faces important challenges that may require yet another organizational transition, significantly expanding OSHEAN’s role as a service provider. As members navigate what seem to be cataclysmic changes in the IT landscape, they ask OSHEAN to provide more laboratory-like services, especially:

  • Internal development platforms for pilots and testing
  • Collaboration tools to maximize shared knowledge
  • Leadership “above the organization” to spearhead entry into new areas of IT
