4-page Case Study - Posted 3/13/2008
University Tackles Management and Security Challenges in Complex IT Environment
The central IT division at The University of California, Berkeley faced significant management and security challenges in supporting a large and diverse user base and technology environment. Most users needed corporate-level IT resources and centrally based management, while others needed technologies capable of supporting world-leading research endeavors and self-management. Security challenges were compounded by the open environment required of a world-class academic environment. In response, IT executives used the Server Manager feature in the Windows Server® 2008 operating system to simplify account and security management, cutting application downtime by half and reducing security-setting management by 10 hours monthly. Executives also will take advantage of powerful Windows Server 2008 security capabilities to minimize the vulnerability to attack and simplify patch management.
Situation
The University of California, Berkeley (UCB) is a world leader in research, teaching, and technology. The larger University of California system graduates or confers more Ph.D.s than any other university in the United States, and UCB is the flagship campus for the 10 campuses that constitute that system.
At UCB, the central IT division supports a large, heterogeneous, and complex environment. Some 200 academic departments and programs, 20,000 faculty and staff, and 40,000 students, visitors, and others regularly access Berkeley computing resources. Some 80 percent of client computers are running on various versions of the Windows® operating system with the remainder running on versions of UNIX, including Macintosh.
While supporting a user base as large or larger than that of some of the world’s biggest corporations, the UCB IT department faces three challenges that distinguish it from most large corporations—and from many other educational environments as well.
The first challenge is the need to serve two distinct sets of users. At UCB, most users are accessing administrative systems for payroll, financials, or human resources, or they are conducting academic research that can be supported by technology. Other users are doing research into leading-edge technical and scientific pursuits. The former group works almost exclusively on Windows because of its high degree of standardization and interoperability with many third-party solutions. The latter group uses Windows as well as multiple UNIX technologies.
This situation makes for highly diverse support needs, according to Mike Blasingame, Manager, Enterprise Windows Team, Information Services and Technology Division, University of California, Berkeley. “If smaller or non-technology-focused departments want us to manage all their IT, we must do that for them,” he explains. “If others want to manage their own IT, we must enable them to do this while maintaining overall security and economies of scale.”
This challenge extends down to the user level, Blasingame adds, because individual professors are free to implement whatever technology best suits their research needs. “This means we are under continual pressure to keep up with what they’re bringing on board.”
Walt Hagmaier, Manager, Enterprise Platforms and Storage, Information Services and Technology Division, University of California, Berkeley, explains that permissions and access make matters even more complex. “The central IT division cannot ‘dictate’ IT policy as it could, say, in a typical corporate environment,” he says. “Instead we must act as more of a service-offering provider, enabling different departments to ‘subscribe’ to different services. This makes it essential that we have a highly flexible approach to granting permissions and access to a diverse and sophisticated population of departments and end users.”
The second challenge for the UCB central IT department surrounds the university’s unusual security model. “We often joke that our ‘intranet’ is the Internet, but in essence that is the case,” Hagmaier says. “In keeping with our obligation as a public university to support open academic inquiry, anyone can access our servers and other computing equipment. This includes not only our faculty, students, and staff, but also the citizens of California and, to an extent, the world. At the same time we must address the growing risk of laptop theft and the serious liabilities imposed by recently enacted state laws that mandate costly notification to users of any server security breach.”
The third challenge is financial. “Like any other educational institution, UCB has fewer dollars than most corporate environments to invest in IT,” explains Michael Leefers, Systems Administrator, Information Services and Technology Division, University of California, Berkeley. “This makes our mission—to support many different kinds of users with a computing infrastructure that often must be state-of-the-art and always must be highly available—particularly daunting.”
Solution
For Blasingame, Hagmaier, and Leefers, the answer to these challenges was found in the powerful new capabilities of the Windows Server® 2008 operating system. “Windows Server technologies have played an increasingly important role at UCB in recent years,” Blasingame explains. “Back in 2000, we had no Windows-based servers in the data center, and today we have more than 250 of them.” In that spirit, he and his colleagues were eager to take part in the Rapid Deployment Program for Windows Server 2008 and take advantage of policy-driven access features that could help address the IT department’s management, security, and financial challenges.
“We are making a strong commitment to adopting robust, best-of-breed technologies like Windows Server 2008 for our core infrastructure.”
Walt Hagmaier, Manager, Enterprise Platforms and Storage, Information Services and Technology Division, University of California, Berkeley
In terms of the management challenge, members of Blasingame’s team were particularly intrigued by the enhanced Kerberos authentication model in Windows Server 2008 Active Directory®, as UCB has used Kerberos authentication in both Windows and UNIX environments for several years. “We wanted to be able to use a single Kerberos ticket to traverse environments,” Blasingame says. “From what we learned about Windows Server 2008, we figured we could do this more efficiently and successfully with that solution than in our prior Windows Server environment.”
To address their security challenge, team members turned to the Windows Server 2008 Server Core technology, which enables highly customized installations designed to minimize a server’s “attack vector” footprint. In addition, they liked support for Microsoft® BitLocker™ Drive Encryption, especially for the many off-site servers and student portable computers over which they have less control; Certificate Services, for an easier approach to certificate revocation; and support for granular password settings within a single domain, so they could cost-effectively create and support passwords with varying levels of security attached to them.
The same Windows Server 2008 capabilities that the team liked for management and security purposes also showed potential for helping them address financial concerns. “With the product’s policy-driven management capabilities, we saw an efficient way to manage the university’s core technology while enabling self-management by those departments that wanted to support their own business models,” Leefers says. “With Server Core, we saw a way to reduce a server’s vulnerability to attack, but also its need for patches and our administrative overhead associated with patch monitoring and installation.”
Leefers and his colleagues deployed Windows Server 2008 to 18 servers in five phases: 1. ad hoc, involving labs and individuals; 2. a collaborative lab, involving Web services; 3. quality assurance; 4. change management; and 5. production. As part of the deployment, team members also created a single domain model across several dozen servers used by every department within the university except the business school.
Initially, the deployment included Active Directory Domain Services, Windows Server 2008 Expanded Group Policy, and the enhanced Kerberos authentication model. Further deployments will include the Windows Server 2008 Server Core (to be completed as soon as selected third-party products are available with a non-GUI user interface), Windows Server 2008 Certificate Services, BitLocker Drive Encryption, and Internet Information Services 7.0 (IIS 7).
Benefits
With Windows Server 2008, the UCB central IT division is simplifying management, boosting application uptime, enhancing security, and enjoying the financial advantages associated with economies of scale throughout the IT environment.
Saving Administrative Time, Boosting Application Uptime
Blasingame says the department is taking extensive advantage of the Windows Server 2008 enhanced Kerberos authentication model to synchronize user accounts into Active Directory and enable departments to use centrally managed single sign-on accounts. “All 60,000 IT users at UCB have working accounts within Windows Server 2008 Active Directory organizational units, and are enjoying the productivity advantages of having a single sign-on for Web services and applications,” Blasingame points out. “This is especially useful thanks to the integration of Windows Server 2008 with Microsoft Office SharePoint Server 2007 and other Microsoft products.”
Moreover, Blasingame adds, this “opt-in” single sign-on service also saves administrative effort for a department’s technical staff. For the central IT division, further administrative efficiencies come through the ability to manage all 50 Windows Server 2008-based servers centrally through Active Directory Group Policy objects, and through the use of other management technologies such as Microsoft System Center Configuration Manager 2007 and Operations Manager 2007 to push out patches and new applications.
“Microsoft technologies give us a far more efficient approach to server management and maintenance than what we have in our non-Microsoft environment,” Blasingame reports. “There, because of the lack of centralized management tools, patches often must be installed box by box.”
Another advantage of simplified patch management is application uptime.
According to Blasingame, the combination of a reduced need for patching and the enhanced diagnostics available in Windows Server 2008 Server Manager has led to great application uptime. “Before, we experienced a total monthly downtime for some 20 applications of about one hour, but now that’s down to just 30 minutes,” he says. “This is a welcome change for the thousands of users who access these applications each day.”
UCB also is saving time and effort in managing security settings. Using the support in Windows Server 2008 for granular password settings within a single domain, IT professionals reduced the time required for this work by 10 hours per month.
Addressing Security and Financial Concerns
When UCB finishes deployment of the Windows Server 2008 Server Core, team members anticipate significant benefits from both a security and a financial point of view. “With Server Core, we will minimize the number of components installed on a given server, reducing our vulnerability to attacks and the need for costly IT resources to monitor and install patches,” Leefers says.
Leefers and his colleagues also look forward to the security advantages of using Certificate Services and BitLocker Drive Encryption. “With Certificate Services, we will enjoy a cost-effective way of adding smart-card technology and updating restrictions and authentication settings on servers in development and quality-assurance environments,” he says. “With BitLocker Drive Encryption, we will have a more effective way of addressing security concerns with respect to off-site servers and expanding use of laptop computers by students and faculty alike.”
Through the deployment of IIS 7, Leefers and his team will be able to give the university’s Web developers a stronger delegation model, and outfit them with a skill set that is in growing demand. “With IIS 7, staff developers will be able to fine-tune Web servers and export their development configuration as XML to quality-assurance and production environments, for significant savings in time and effort,” he says. “Student developers also will be better prepared for their profession, as IIS 7 is becoming more widely adopted across industry.”
Preparing for the Future
According to Hagmaier, through the deployment of Windows Server 2008, UCB is preparing not only students but the university itself for changing patterns of employment.
“Within the next five years, large numbers of faculty members who did not grow up with computing will retire and be replaced by faculty members who did grow up with computing,” Hagmaier explains. “This newer generation will have far greater expectations of the kinds of IT services that we as a university can provide. This makes it all the more important that we are making a strong commitment to adopting robust, best-of-breed technologies like Windows Server 2008 for our core infrastructure.”
Windows Server 2008
Windows Server 2008, with built-in web and virtualization technologies, enables you to increase the reliability and flexibility of your server infrastructure. New virtualization tools, web resources, and security enhancements help you save time, reduce costs, and provide a platform for a dynamic and optimized datacenter. Powerful new tools like IIS 7.0, Server Manager, and Windows PowerShell, allow you to have more control over your servers and streamline web, configuration, and management tasks. Advanced security and reliability enhancements like Network Access Protection and the Read-Only Domain Controller option for Active Directory Domain Services harden the operating system and protect your server environment to ensure you have a solid foundation on which to build your business.
For more information, go to:
www.microsoft.com/windowsserver2008