P.O. Box 400217
Charlottesville, VA 22904-4217
VP/CIO Annual Report
Background & Context | Introduction
It has become commonplace to open discussions of technology with a nod to the ubiquity of change. Storage, network bandwidth, and computing power double every 18 months. Today's smartphones have more computing power than was onboard Apollo 11 as it hurtled toward the moon. Software gets easier to use with each release. New online services roll out daily. Most burn brightly and fade by evening. But a few make it, sometimes with profound implications for the ways that we work and interact (e.g., email, GoogleDocs, Facebook, online banking, etc). Security threats and their associated countermeasures proliferate at network speed. The Secretary of Defense recently announced that a single cyber attack allowed hackers to steal 24,000 military files. Our own network is tested thousands of times a day by hackers and their automated bots in a never-ending quest to find ways to control machines and acquire data. Indeed, bombastic tomes to the constancy of technology-driven change are so common that we risk becoming deaf to moments of real and significant change. This is such a moment.
Information and communication technologies are currently undergoing a series of fundamental changes that rival in scope the disruptions that accompanied the transition from mainframe to personal computing. Three forces are driving this sea change:
- the economics of aggregation,
- IT consumerization, and
- the Janus-faced role that technology plays in serving the University's mission.
A few words about each of these forces:
The Economics of Aggregation
Although the hype around cloud computing is often more medicine show than substance, what has clearly changed about computing in an era of advanced networks is that scale matters—a lot. For many technologies, the most efficient scales are huge. The data centers that universities have been building over the last decade, for example, have typically been in the 5,000-30,000 sf range. In contrast, the data centers that the Microsofts, Googles, and Amazons of the world are building are in the 300,000 sf range and are located where power is cheap and sustainable. Though challenging to capitalize, huge data centers are much less expensive over the life of the building.
Networks, enterprise software, and storage systems have similar economics. Most of the costs for these systems are tied to providing access and those costs are fixed by the cost of the hardware and the labor to operate the systems. What this cost structure means is that for the vast majority of people, whether they use the network, Oracle enterprise system, or storage services a little or a lot, the costs remain the same. For these customers, it makes little sense to meter use. Where use does change the cost structure is when very heavy users place demands on a system that exceed the baseline provisioned capacity (e.g., a dedicated 10 gig fiber connection, a modification to the SIS that serves the needs of a single academic unit, or a massive storage request within UVaCollab). In these situations, it does make sense to charge a premium to recover the marginal cost associated with providing the additional capacity. More generally, the fact that many technology services have high capitalization costs and low marginal use costs means that we should increasingly look to aggregation and collaboration to keep our costs down.
Where our needs are mundane (e.g., email, storage, compute cycles), we should look to the consumer market and pursue terms with commercial providers that protect the interests of the University while allowing us to take advantage of the favorable costs associated with their global scales.
Where there is a shared need for services tailored to the academy (e.g., data preservation archives, research administration and compliance systems, and advanced networks), we should look first to multi-institutional collaborations like Internet2, HathiTrust (a large-scale digital repository serving the CIC), or Kuali (a community source software consortium that builds open source software by and for higher education) where we can share the costs and risks associated with capitalizing the infrastructure while maintaining control over its design and implementation.
The places where we should deploy emerging and customized technology are the places where the needs of the University or an academic program are truly unique and where we see the opportunity to use that technology to gain competitive advantage (e.g., a new instrument that allows researchers to observe the metabolism of cancer cells at an earlier stage, an enhanced web presence that distinguishes our academic programs from others, a customized database that allows historians, political scientists, and biologists to visualize systemic interactions).
More succinctly, the economics of aggregation require us to get increasingly smart when it comes to discerning when there is competitive advantage to provisioning things on our own and when the economics of scale outweigh those advantages. This is true for both central IT and for the individual units on Grounds.
In the halcyon days of mainframe computing, access to technology and control of services were heavily centralized. The technology and services that people used at work were provided by the institution and controlled by central IT. With the rise of personal computing in the 1980s, access and control remained with the institution (i.e., the institution bought the devices and licensed the services that people used for their work), but responsibility became more decentralized. Central IT tended to focus upon enterprise-wide services (e.g., networks and ERPs), security/policy (e.g., acceptable use policy and data stewardship standards), and technologies that leveraged economies of scale (e.g., secure network storage and bandwidth), while individual units focused more on addressing local needs (e.g., visualization facilities in architecture, trading rooms in commerce, online classrooms in nursing, etc.).
In today's chaotic and fully consumerized world, institutional control is up for grabs. Need an email account? Go to Google. Want more storage? Go to Amazon. Think some online collaboration tools will be useful? Go to Webex, GoogleDocs, Microsoft365, or any of a dozen companies that you almost certainly haven't heard of before. Faculty, students, and staff now have the ability to provision many of their technology needs directly and to do that on devices that they already own.
Whether they should be doing any of this is, of course, a question of high interest to the University. The University remains accountable for the security, legality, and stewardship of its data, services, and intellectual property. What has changed, fundamentally, is that we can no longer depend upon the University's exclusive ability to provision technology to act as an effective control. In a world where there are 300,000 apps for a single smartphone, control is devolving to the individual and that fact should have enormous impact on the way we think about managing services, data, and risk.
The Janus-faced Role of Technology
Several years ago, Nicholas Carr published an article with the provocative title “Does IT Matter?” Carr's main theme was that in the heyday of the technology revolution, institutions could invest in IT and expect to see those investments translate, almost automatically, into competitive advantage. Wal-Mart, for example, made major investments in technology to manage their supply chains and rode those investments to market dominance. As technology has matured, however, Carr argues that investments in technology no longer lead to competitive advantage because everyone is making those investments. Rather than seeing technology investments as “strategic” he argues that they are merely “essential.” Technology investments, he argues, are now no different from investments in any utility.
In our part of the world, at least, Carr is wrong. Information technology is changing the landscape of higher education in ways that go directly to competitive advantage. It is disrupting traditional models of delivering education and, more importantly, it is changing the very fabric of inquiry. Research in every domain is becoming more data intensive, more collaborative, and more technologically dependent. Universities that figure out how to provision the right tools and create sustained cultures of inquiry based in computation and digital media will be the leaders going forward.
Carr's distinction between “essential” and “strategic” IT does, however, provide an important framing for the two faces of IT investments. Most of our investments are aimed at the “essential side” of IT. Like electric power, water, space, and sanitation, IT has become an essential part of our operations—so essential that the only times we may notice IT is when it fails to work properly. Our orienting response to the essential side of IT is to focus on reliability, cost reduction, and security. But we must also make strategic investments if we are to lead going forward. Here our strategy has been to place control over IT resources that directly enable research and creative expression (e.g., high performance compute cycles, large data storage, technical advisors, digital media production tools, etc.) in the hands of key faculty leaders. With the creation of ITS (Information Technology Services) and accompanying reorganization of the areas that report to the VP/CIO, we are doubling down on both of these strategies.
The Road Ahead
In a world where access to information and communication technology is fully decentralized, where every device is potentially compromised, and where economics force a more strategic approach to sourcing, the job of managing technology is more about policy, architecture, contracting, efficiency, and relationship building than it is about hardware speeds and feeds. Accordingly, this year's goals are organized around four themes designed to focus attention on the challenges and opportunities at hand: operational efficiency, architecture and policy, security, and strategic initiatives.
On the essential side of IT, we must run our services efficiently and be judged by the metrics of predictability, cost, and value. In the year ahead we will:
- Define and validate costs for services provided by ITS, benchmarking with other universities and other industries as appropriate. Explore a long-term solution for ongoing benchmarking with peer institutions.
- For our catalog of services, develop service level targets with stakeholders and customers and develop mechanisms to monitor and maintain service level targets.
- Establish service level agreements with customers for selected services (data center services, other new/other for-fee services) as appropriate.
- Increase our commitment and effort regarding project and portfolio management, enabling us to use resources most effectively and allowing stakeholders and customers to plan against published rollout timelines.
- Enhance our ability to ensure services and projects are aligned with University priorities.
Enterprise Architecture and Policy
As noted above, IT consumerization brings significant architectural and policy challenges. In a world where users control their devices, we must pay increased attention to network access, identity and authorization, data management policies, and licensing/software provisioning requirements. In the year ahead we will:
- Modernize the University's Voice Communication Infrastructure: For the past year, we have been developing, issuing, and evaluating the responses to an RFP aimed at replacing the University's aging telephone system with more modern technology that provides communication over the data network. Over the next 12 months, we will finish negotiations with the vendors of the various systems involved in the procurement, develop an implementation timeline/project plan, and begin implementation of the selected systems.
- Identity Management: We have embarked on a multi-year effort to revamp our Identity Management infrastructure to better accommodate new needs and support emerging technologies and federations developing in higher education. Our primary efforts during the coming year will focus on the design, implementation, and policy aspects of Identity Management. The design for the Phase 1 Identity Management Steering Committee recommendations for “reversing the feeds“ will be finalized and, pending resource allocation, implemented. This work will provide a single place for users to update their identity information, speed the provisioning and de-provisioning of accounts, reduce back-office work related to duplicate identities, and provide a sound foundation for future work. Prioritization for the target components for a second phase of the initiative will be completed and design work in these areas will commence. A policy that authorizes the establishment of a single source of information regarding the identity of individuals granted access to data, services, and selected physical locations of the institution will be completed.
- As noted above, one of the major challenges IT consumerization poses is how to ensure accountability for work-related tools that are not provisioned through central or departmental IT. Typically, these tools come with some sort of licensing agreement that often poses problems for the institution (e.g., indemnification). We have initiated a project in partnership with OGC and Procurement to deploy policy, operating procedures, and training that will allow our faculty, staff, and students to make the choices they need to make to be effective, while, at the same time, allowing the University to exercise the essential control and oversight required for business and compliance reasons.
We no longer live in a world where it is reasonable to assume that technology alone or even primarily can protect data and systems. We must learn to operate in a world where every device that touches our network is potentially compromised and where people are seen as empowered and accountable decision agents for the data that they use, create, and store. In the year ahead we will:
- Prioritize the key tasks from our Network and Application Security Addenda Request and create a revised project scope that matches the addenda funding that was provided.
- Complete remediation of highly sensitive files found in 2010-11 on general-purpose storage servers and search and begin remediation of additional locations where legacy files might be stored.
- Complete assessment of sourcing and funding options for achieving compliance with Payment Card Industry Data Security Standards.
- Establish a community of key individuals with institutional data management and compliance responsibilities for the purpose of enhancing communication and collaboration among them.
- Building on records management successes over the past two and a half years, we will:
- continue work to automate the currently paper-based process that certifies the destruction of public records;
- facilitate the movement of paper records to secure storage by establishing contracts with approved storage vendors; and
- develop standards for trustworthy electronic records to be incorporated into the design of new systems.
On the strategic side of the IT house we must continue to invest in areas where technology gives us competitive advantage on the teaching and research fronts. In the year ahead we will focus investments on:
- Working with the Library to
- build a multi-institutional partnership to create an appropriately scaled and redundant digital preservation archive;
- continuing to develop tools that address the needs of scholarship in a digital age, and
- developing U.Va. data management plans that are responsive to emerging funding agency requirements. The prestige, cost avoidance, and grant funding opportunities across all three initiatives are significant.
- Continuing to work with Internet2, Berkeley, Indiana, and other premier institutions to acquire, test, and implement cloud-based technologies.
- Leveraging economies of scale by collaborating with MATP to improve regional network capacity, participating in Gig U to pursue gigabit access for faculty, staff, and students living near the University, continuing to participate in the leadership of I2, and closely observing and participating where appropriate in the evolving mission of NLR.
- Coordinating and providing infrastructure support for U.Va.'s participation in the 4-VA
initiative that focuses on leveraging technology to:
- improve teaching/learning efficiency, productivity and quality, and
- enhance the research competitiveness of the partner institutions.
- Continuing support for the COFU initiative focused on computation intense research and scholarship.
In the year ahead we will:
- continue to enhance our digital infrastructure capacity/use;
- enhance our high performance computing capacity/use;
- build the culture around digital/computational inquiry;
- provide direct support for computation intense projects; and
- measure the impact of these investments on funding support for computation intense research and scholarship.
- Providing support for the development of the new university financial model. While the specific form of the new model has yet to be established, it is clear that any new model will require significant investments dedicated to enhancing/creating new reporting mechanisms.
The Year Behind
In the fiscal year that has just concluded, we organized our work around the themes of collaboration, access, alignment, and securing and improving core enterprise services. Status reports for each area follow.
Create an environment that supports the full range of collaborative activities of U.Va. faculty, students, and the extended U.Va. community.
- Enterprise Architecture: Update the ITC architecture documents using the new Wiki-based system
and publicize those documents so that they can be used at the departmental level.
Status: Ongoing. Significant progress has been made in documenting systems and in introducing the existence of that system to departments and the broader University community. There is, however, much to be done and the reorganization within the VPCIO area places additional emphasis and resources in this area.
- Dean's Technology Council: Using ITC documentation as a starting point, work with the Dean's
Technology Council to embark on a collaborative process to develop an Enterprise Architecture
(EA) for the University.
Status: The DTC engages in its regular meetings twice a month around topics directly related to the Predictability Initiative, and around opportunities for collaborative action brought to the group by one or more of the schools.
- Cloud Provisioning: Increasingly, commodity services are run most efficiently at
very large scales. During the coming year, engage in one or more multi-institutional experiments
in Cloud provisioning.
Status: We are engaged in three experiments in partnerships with Internet2, CSG, and a “private cloud” experiment with Indiana University and Berkeley. All three are in the final phases of start-up.
Create an environment of ubiquitous access to appropriate IT resources for all core activities.
- Begin Pilots of the Advanced Virtual Desktop: We will continue down the path towards
broader use of virtualization technology in our computing environment. This year's development
focus will be to apply virtualization technology to meet the needs of the traditional office
Status: The Advanced Virtual Desktop pilot projects conducted with the Alumni Association and the University Library are complete. What remains to be developed is a cost/pricing model that meets current expectations and use cases that are driven by policy/security requirements that are sufficiently compelling.
- Improving Network Connectivity: We continue to work towards a network infrastructure
that includes university control over a direct fiber optic path to the major networking hubs in
the Northern Virginia area.
Status: We have a detailed proposal from the preferred firm with several options to consider. We are presently finalizing the details in negotiations and will decide which set of options to procure as part of the overall analysis of the voice communications modernization procurement.
- Machine Room Project: The Machine Room building construction project has broken
ground and we expect to move into the new facility by the summer of 2011.
Status: This first phase of this project was completed on time and on budget. ITS services have been relocated to the new University Data Center. In the project's next phase, departmental systems will be moved to the new University Data Center.
- Modernizing the University's Voice Communications Infrastructure: Most of the university's
existing telephone system is rapidly approaching the end of its useful life and needs to be
replaced with more modern technology that provides voice communications over the data network. Our
goal is to complete enough of the procurement process that we will have our direction
established and our key vendor chosen by the end of the first semester and start pilots in
specific areas during the second half of the fiscal year.
Status: This project is running behind projections. We currently have best and final pricing from the finalists for the critical system components requested in the RFP. We expect to move into a contractual arrangement in August with the selected firms for detailed system design. The implementation timeline for the full system will be finalized after those designs are completed.
Create new and more effective ways for faculty, students, and staff to participate as partners in creating the vision and ambition for technology-enabled teaching, learning, and research at U.Va.
Supporting Computationally Intense Research, Scholarship, and Artistic Expression
Status: Through COFU and associated changes that we have made to enhance support in these areas, more than 90 research projects have received direct technical support, we have tripled the research compute capacity, we have increased storage capacity 10-fold, and we have been able to provision new digital tools that are being used by hundreds of faculty and students. This initiative has met or exceeded its goals for provision and support of computational resources, creation of an ecosystem of scholarly tools, and engagement of faculty and students in application of these resources to their scholarly work.
Securing and Improving Core Enterprise Services
Ensure that the University's information technology systems and services address emerging risks of system compromise and data exposure while continuing to move the University toward its goals.
- SSN Remediation Phase II: Through the SSN Remediation Initiative the University has
made significant progress in reducing its risk of security breaches that expose Social Security
numbers. Despite this progress, we must continue to reduce institutional risk and move toward
an SSN-free environment.
Status: Through proactive scanning efforts, we continue to reduce the number of places where legacy files containing SSNs are stored.
- Records Management Annual Goals: Roll out a University Records Management Application
(URMA) to inventory and track all records; assist in documentation destruction; establish a
network of departmental records management coordinators and administrators to work with the
Records Management Office; implement a revised records management policy and evaluate and
implement more cost-effective solutions for secure managed physical storage; and continue to work
with Agency 209 to leverage these activities across the University.
Status: Initial phase of software development (URMA) is in production. We destroyed 35 tons of paper records during the course of the year. Individual records management coordinators from large departments were identified. The storage vendor RFP is nearing completion. We worked with Agency 209 to leverage these activities across the University and continue to work with them on a revised records management policy and on determining the best way to partition responsibility for records management within the Medical Center.
- Identity Management: We have embarked on a multi-year effort to revamp our
Identity Management infrastructure to better accommodate new needs and support emerging technologies
and federations developing in higher education. Our primary initiative for
the coming year will be to clearly define and start to implement a new architecture that
uses common mechanisms to incorporate new individuals into the electronic university community
and establishes a single repository for the maintenance of common data, roles, and authorizations
about the individuals affiliated with the university.
Status: A project to “reverse the data feeds” and create a single authoritative source for identity is underway. This project involves work by central IT as well as many units across Grounds. The distributed units across Grounds, where the conversion workload is lower, are enthusiastic and ready to move forward. The central systems units have generally estimated the project workload but have not yet been able to prioritize this Identity Management work into their production cycles.
- Oracle Upgrade: Oracle HR and Financial applications will be upgraded from version
11.5.10 to Release 12.1 in a project that started in August 2010 and will go live in May 2011.
Status: Completed; on time and on budget. The Oracle Release 12.1 upgrade was completed successfully on May 2, 2011.
- Student Information System (SIS) Stabilization: The SIS continues to require significant
work to ensure it is stabilized post-project end on December 31, 2009.
Status: The SIS is stabilized. Major new functions were added and many improvements were made, including successfully implementing summer session enrollment and billing, direct loans, new online applications for SCPS and Batten, and preparing for Early Action for Undergraduate Admission. Departmental Aid was stabilized and reconciled, and training and policies were put in place to ensure it remained on-track going forward. Academic requirements became more automated for graduation this year, with transfer credit rules automated, and schools now entering exceptions into SIS for automated processing. Undergraduate schools are now relying exclusively on SIS's Academic Requirements report for degree clearance. Finally, the graduate admissions process has been streamlined by improving integration between the 3 systems and by implementing a data mart that enables reporting across all systems.