University Information Technology Services

                         Consolidated Hosting Environment
                                  Service Agreement
                                  September 8, 2008


Overview

The Consolidated Hosting Environment enables clients to use desired technologies not
available in any other hosting environment provided by University Information
Technology Services, for as low a cost as possible, while maintaining an acceptable level
of performance, reliability, and security. Applications requiring other levels of
performance, reliability, or security must be hosted elsewhere.

The unique features of this hosting environment are a Microsoft IIS web server with the
ability to serve dynamic web pages written using Adobe ColdFusion, Microsoft ASP, and
Microsoft .Net programming languages; and a Microsoft Windows Share with the ability
to serve executables and files. The web pages, shared files, and executables hosted in this
environment may access data in a Microsoft SQL Server that is part of this environment
or may use other data stores as desired by the client and acceptable to the provider.

The Consolidated Hosting Environment is available to departments on all campuses of
Indiana University. The clients develop and maintain the applications, and University
Information Technology Services provides the hardware, software, and system
administration.

This environment is provided by the combined efforts of the Enterprise Web Technical
Services, Enterprise Server Administration, Enterprise Infrastructure, Enterprise
Infrastructure Database Administration, Computer Operations, and Support Center
groups of University Information Technology Services. The remainder of this document
describes the environment, and the relationship between the service provider and the
service clients.


Definitions

“Client” refers to the consumer of the services provided by this environment. A client is
the organizational unit and all associated individuals served.

“Provider” refers to the University Information Technology Services groups and
personnel responsible for providing some aspect of this environment.

“Workspace” refers to the total scope of a client’s use of this environment. A workspace
comprises all file and database space provided to a client.

“Project” refers to a sub-grouping of resources within a workspace. A workspace can have
one or more projects, and file and database space are associated with a project. The
primary reason for multiple projects is security: to compartmentalize access to files and
data among different groups of people.


Service Agreement

The service provider agrees to:

   Provide the Consolidated Hosting Environment 24 hours a day, 7 days a week, except
    for maintenance and emergencies. See the Guidelines section for further information
    about scheduled and emergency maintenance.

   Provide a full range of support resources. The service provider responsibilities are
    divided between the Enterprise Web Technical Services (WebTech), Enterprise
    Server Administration (ESA), Enterprise Database Administration (EDBA), Storage
    and Virtualization (SAV), Computer Operations (OPS), and Support Center (SC)
    groups within University Information Technology Services (UITS).

       The WebTech group is the service owner and primary contact for all clients. The
        WebTech group will introduce new clients to the environment, and provide
        general information and consulting services to existing clients.

       The ESA group is the system administrator for the environment. The ESA group
        will install, configure, and maintain the development, test, and production
        hardware and operating system software.

       The EDBA group is the database administrator for the environment. The EDBA
        group will install, configure, and maintain the development, test, and production
        database software.

       The SAV group will provide virtual servers, allocate additional virtual resources
        as needed, and perform file and database backups.

       The OPS group monitors server activity and will report problems as
        necessary to the system administrator.

       The Support Center will provide first tier support for the environment.


The client agrees to:

   Secure their workspace and data.
       Assure your “Contacts”, “Permissions”, and “Access Control Lists” are up to
        date. “Contacts”, “Permissions”, and “Access Control Lists” are described in the
        Guidelines and Access Control sections of this agreement.

       Assure you are not storing the following personal information anywhere in your
        workspace without approval of University Counsel, Internal Audit, and the
        University Information Technology Security and Policy Office.

           o   Social Security Numbers
           o   Credit card numbers
           o   Financial account numbers
           o   Debit card numbers
           o   Security codes, access codes and passwords
           o   Driver's license numbers
           o   State identification card numbers
           o   HIPAA

       Please review the Knowledge Base article What is sensitive data, and how is it
        protected by law? (http://kb.iu.edu/data/augs.html). If you have any questions
        about whether your data can legally be hosted on CHE, please inform the service
        provider. Some sensitive data (like FERPA data) can be hosted with restrictions.


   Maintain their workspace in accordance with the terms of this agreement.

       The Consolidated Hosting Environment is shared by many clients. In order to
        provide a maintainable and acceptable level of performance, reliability, and
        security, the configuration of all applications is standardized. The client may
        request deviations to the standard but the provider reserves the right to deny any
        request for customization.

   Maintain their workspace to not adversely affect other client applications.

       All client applications must not adversely affect other client applications. If a
        client application does adversely affect other client applications, the provider may
        remove the offending client application from service.

   Maintain their workspace to be compatible with environment upgrades.

       Every software component employed in the environment will be patched,
        updated, or upgraded promptly. The client is responsible for making any changes
        necessary to their application to get it to function in the patched, updated, or
        upgraded environment.

   Use the following procedures to make changes.
       The Consolidated Hosting Environment is composed of development, test, and
        production areas. The client must develop only in the “development” area, and
        adequately test in the “test” area before moving changes to the production area,
        and only make tested changes to the production area.

       The first time files are moved into “production”, clients must submit a change
        request to che-l@indiana.edu at least two weeks in advance. The actual date and
        time will be determined by the client and provider at least one week in advance.

       The first time database objects are moved into “production”, clients must submit a
        change request to che-l@indiana.edu at least two weeks in advance. The actual
        date and time will be determined by the client and provider at least one week in
        advance.

       Routine file changes can be made to the “production” environment by using the
        web based self-administration tool or by submitting a change request to
        che-l@indiana.edu. Requests must clearly specify the source and destination for all
        files.

       Routine database object changes can be made to the “production” environment by
        using the web based self-administration tool or by submitting a change request to
        che-l@indiana.edu. Requests must clearly specify the source and destination for
        all database objects.

       Other changes can be made by submitting a change request to che-l@indiana.edu.
        Requests must clearly specify the changes desired. The actual completion date
        and time will be determined upon review of each individual request.

   Any new component, software, or device that is needed by the new or modified
    scripts must be made available to the provider in advance for evaluation. If the
    provider approves the new component, software, or device for use and a license is
    necessary, three licenses must be provided for the development, test/staging, and
    production environments. Once installed, the client will be responsible for obtaining
    updates as necessary.

   The client must notify the provider of any anticipated “significant” changes in usage,
    such as a dramatic user base increase or the need for a dramatic increase in disk
    space, in order to ensure the environment has the resources to accommodate the
    changes.

   Designate at least one contact that can answer or find answers to any administrative
    or technical question related to the client workspace.


Guidelines
   Intended Clients
        o IU Departments on all campuses
        o IU faculty and staff
        o IU students only when sponsored by IU faculty or staff
        o Vendors only when sponsored by IU faculty or staff

   Contacts and client access to the environment
       o The client must designate at least one individual as a contact for all matters
           related to their use of this service. The provider will only act on requests made
           by or approved by a designated contact.
       o The client is completely responsible for controlling access to their workspace.
       o The client is responsible for developing and maintaining their content for the
           entire application life-cycle. The client is also responsible for adapting their
           application to changes to the environment such as software and hardware
           updates and upgrades.

   Initiating Service
        o Express interest to WebTech (che-l@indiana.edu).
        o Include a proposed name for the project and the network id and email address
             for the primary contact.
        o Development workspaces are available within a week.

   Ending Service
       o The client may end their use of the service at any time. WebTech reserves the
          right to end service to any application which violates any IU Policy, this
          Service Agreement, or adversely affects the performance of other users.
       o When a client ends their use of the service, the provider will archive all files
          on the file share and a complete backup of the database, and a copy of the
          archive will be made available to the client. The provider will keep a copy of
          the archived Project for one year.

   Consulting and Troubleshooting Services
       o Consulting and troubleshooting services are available upon request to
           WebTech.
       o Response time will vary based on personnel resources and volume of requests
           pending.
       o In general, all clients will have the same priority for services.
       o The service provider reserves the right to reprioritize pending requests for
           services as circumstances may require.
       o There is no additional fee for routine consulting and troubleshooting services.
           Extensive consulting and troubleshooting services may result in additional
           fees.

   Emergency communications
      o In case of an emergency, the client must first consult their developer to
          resolve the problem.
       o If the problem cannot be resolved by the client's developer, then the client
         may contact che-l@indiana.edu for assistance. If the report is made during
         normal business hours, then the problem will be investigated. If the problem is
         reported outside of normal business hours, then the problem will be
         investigated the next business day.
       o If the problem is identified outside of business hours, then clients or users may
         contact the Support Center. If the Support Center is closed, then clients or
         users may report the problem to Operations. The Support Center or Operations
         will report the problem to the System Administrator. The System
         Administrator will only be able to perform high level functions such as
         restarting a problematic server.
       o When clients or users report a problem to che-l@indiana.edu, Operations, or
         the Support Center, the following information is needed:


              That the application is part of the Consolidated Hosting Environment.
              The name of the application.
              The name, email address, and phone number of who to contact during
               troubleshooting.
              A description of the problem, including details such as:
                   o The complete URL to the problem page.
                   o The UNC path to the share containing the file with the problem.
                   o The server and database name if the problem is a database
                      connection.
                   o A description of the aberrant behaviors.

       o You may refer your users to the KB article http://kb.iu.edu/data/arrv.html for
         instructions for user problem reporting for the Consolidated Hosting
         Environment.

   Virus Protection
       o Clients are responsible for assuring their files do not contain viruses.
       o The service provider may periodically scan files for viruses.

   Data Backup and Restoration
       o Tivoli Storage Manager (TSM) is now used for backups and restores.
       o Files on file shares are backed up as follows:
               First, TSM copies all your files and keeps that copy of each file until
                 you modify or delete it.
               The previous 14 versions of your files are each kept for 14 days.
               When you delete a file the most recent 3 versions are kept for 14 days
                 and the last version is kept for 60 days.
               Backups are first written to disk and then written to 2 tape pools. One
                 tape pool is stored in Indianapolis and one is kept in Bloomington.

   Databases are backed up as follows:
       o A SQL Server full backup of each database is performed daily and written to a
         file server.
       o A SQL Server transaction log database backup of each database is performed
         daily for production databases only and written to a file server.
       o The backup files are kept for 5 days on the file server. Plus, the file server is
         backed up by TSM. So in addition to immediate access to 5 days of backups
         from the file server we have the TSM backups of the file server (as described
         above).
       o Send requests to restore files and databases to che-l@indiana.edu.
       o Restorations may result in additional fees.

   Scheduled Jobs
       o Operating system, ColdFusion, SQL Server, and any other jobs targeting the
          production servers in this environment must be scheduled so that they do not
          conflict with the production server backups and scheduled maintenance.
               Backups and scheduled maintenance on production servers occur
                  from midnight to 6am (8am on Sundays). Therefore, scheduled jobs
                  will not be allowed during these times.
       o Operating system, ColdFusion, SQL Server, and any other jobs targeting the
          development and test servers in this environment must be scheduled so that
          they do not conflict with the development and test server backups and
          scheduled maintenance.
               Backups on the development servers occur daily from 6 pm to 9 pm
                  and database backups on the test servers occur daily from 9 pm to
                  midnight. Scheduled maintenance occurs Tuesdays from noon to 5
                  pm. Therefore, scheduled jobs will not be allowed during these times.
       o When job execution periods overlap and server performance is affected, then
          we may reschedule the jobs involved to spread the load. If this is necessary,
          then we will work with the affected job owners to reschedule the jobs.
       o SQL Server Integration Services (SSIS) packages should be completed before
          9am each weekday. Any SSIS package running after 9am on a weekday that is
          having a negative impact on the CHE environment may be terminated at the
          service provider’s discretion. The service provider will make every effort to
          contact the affected client before, or immediately after, the SSIS package has
          been terminated.

   Scheduled Maintenance
       o If necessary, security updates to development and test servers will occur on
          the Wednesday following the second Tuesday of every month between Noon
          and 5 pm. If necessary, security updates to production servers will occur
          between 12am and 8am the following Sunday. The servers or affected services
          will be down for only the amount of time necessary for the updates – usually
          for only a few minutes.
       o If necessary, other maintenance to development and test servers will occur on
         Tuesdays between Noon and 5 pm. If necessary, other maintenance to
         production servers will occur on the second Sunday of the month between
         12am and 8am.
       o All other scheduled maintenance will be announced at least three days in
         advance. Any maintenance likely to affect the availability of the servers will
         be performed on a weekday between 5am and 8am if possible.

   Emergency Maintenance
      o Emergency maintenance will occur as needed. The first priority will be to
          prevent service loss or to restore service. Consequently, emergency
          maintenance may be performed without advance notice to clients. Clients will
          be notified of the emergency maintenance as soon as possible, before or after,
          as the situation allows.
      o A System Administrator is on call 24 hours a day, 7 days a week. During an
          emergency the system administrator will give their best effort to restore
          service. However, there is no guaranteed response or recovery time during an
          emergency.

   Data Encryption
       o The production web servers have certificates to support SSL.
       o Encryption of direct communications with the database servers provided or
           encryption of communications with any client share must be requested
           explicitly and may require additional fees.

   Virtual Host Names
        o Sub-Domain names are available, for example, ProjectName.indiana.edu.
        o Designer Domain names are available for a fee, for example,
            ProjectName.org.
        o Certificates for virtual host names are also available for a fee.

   Central Authentication Service
       o The Consolidated Hosting Environment supports the use of the Central
           Authentication Service for limiting access to web pages.


   Security Scanning
       o Web applications hosted in the Consolidated Hosting Environment are subject
           to security scanning by the University Information Policy Office. The client is
           responsible for fixing vulnerabilities revealed by a security scan.

Fees

   Note: The fee schedule will change for FY2010.
   Basic service fees
       o Web, Database, and Application:
                  Departments (all campuses): $100 per month
                  Auxiliaries (all campuses): $150 per month
       o   Web only:
                Departments (all campuses): $40 per month
                Auxiliaries (all campuses): $60 per month
       o   Database only:
                Departments (all campuses): $80 per month
                Auxiliaries (all campuses): $120 per month
       o   Application Serving only:
                Departments (all campuses): $80 per month
                Auxiliaries (all campuses): $120 per month
       o   Billing begins when the application goes into production and at the beginning
           of any subsequent fiscal year.
       o   The annual billing rate is 10 times the monthly rate.
       o   The minimum fee is the monthly rate.
       o   An additional fee equal to the monthly rate is incurred each time the service is
           restored for intermittent use.

   Virtual web site hosting
        o No additional fee

   Secure Socket Layers (SSL) hosting
       o Cost of certificate

   Additional disk space fees
       o All workspaces include 1 GB of disk space. The space includes:
                Script, image, and data files on file share
                Database data, log, and backup files
                Development, test, and production
       o The cost for additional disk space is:
                $4 per year for each additional 1 GB of space
       o Charges for additional file spaces are based on average monthly usage during
           the previous fiscal year.
       o There is no monthly fee for additional disk space.
   Training and Experience
       o Developers must have the proper training and experience to use the
           environment effectively.
       o Classes covering the web design, database design, ASP/.Net and ColdFusion
           fundamentals are available from IT Training and Education.



Access Control
Access is controlled by Active Directory (ADS) domain groups. There is a group for each
of the following roles: Developers, Users, and Readers. The groups have the permissions
shown below. In addition, there are two database server logins available for use.

       Web Server File Permissions            Development        Test              Production
       ADS\IU-CHE-ProjectName-Developers      Change             Read              none
       ADS\IU-CHE-ProjectName-Users           none               none              none
       ADS\IU-CHE-ProjectName-Readers         none               none              none

       Database Server Permissions            Development                 Test and Production
       ADS\IU-CHE-ProjectName-Developers      database owner              datareader
       ADS\IU-CHE-ProjectName-Users           datareader and datawriter   datareader and datawriter
       ADS\IU-CHE-ProjectName-Readers         datareader                  datareader
       SQL Server\ProjectName-Owner           database owner              datareader and datawriter
       SQL Server\ProjectName-User            datareader and datawriter   datareader and datawriter

       Application Server File Permissions    Development        Test              Production
       ADS\IU-CHE-ProjectName-Developers      Change             Change            Change
       ADS\IU-CHE-ProjectName-Users           Change             Change            Change
       ADS\IU-CHE-ProjectName-Readers         Read               Read              Read

Change – members of a group with this access can create, modify, delete, and read files.
Read – members of a group with this access can only read files.
Database Owner - members of a group with this access can create, alter, and drop
database objects in addition to reading and writing all data in the database.
Datareader - members of a group with this access can read data in all tables in the
database.
Datawriter - members of a group with this access can write (insert, update, and delete)
data in all tables in the database.


Web Site and Virtual Directory Settings

Web accessibility is controlled by web site or virtual directory settings. These settings
determine the type of file that can be served from a folder and the users that can access
the folder. The use of .htm or .html files requires read access to the folder containing
them. Any folder that allows read access to .htm and .html files also allows read access to
many other file types. The use of .cfm, .asp, or .aspx files requires "Scripts Only" execute
permission on the folder containing them. Also, a folder may be set to "Require Secure
Socket Layers" to ensure the use of SSL is mandatory and not optional.

In addition, access to each web accessible folder can be controlled by user account. By
default the anonymous web user account (iusr_servername) has access to all web
accessible folders. However, you may want to remove access by the anonymous web user
in order to control access by Windows Integrated Security. This would require a user to
have an ADS domain account in order to log on. You must request these configuration
changes in order to use Windows Integrated Security to protect your web accessible
folders.

You also have the ability to use the Central Authentication Service (CAS) to control
access to web accessible folders. Placing a file named CasIsapiSecurity.txt (the file can
be empty) in any folder would force any user to have a CAS ticket to access the folder. If
the user doesn’t have a CAS ticket they are redirected to the CAS server to log on using
their network id. You do not have to request configuration changes to use CAS to protect
your web accessible folders.
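
Because CAS protection depends on a marker file being present in a folder, a workspace can be audited for folders that hold content but no marker. The script below is an added example, not part of the original agreement or any UITS tooling. It assumes the web folders are reachable as a local or UNC path, and it judges each folder on its own because the agreement does not say whether a marker in a parent folder also covers subfolders. The sample tree is constructed.

```python
import os
import tempfile

# Marker file name taken from the agreement; compared case-insensitively
# because Windows file names are case-insensitive.
MARKER = "casisapisecurity.txt"


def audit_cas_markers(web_root):
    """Map each folder under web_root that holds content to True/False.

    True means the folder itself contains the CAS marker file. Folders that
    hold nothing but the marker (or nothing at all) are left out.
    Assumption: every folder is judged on its own, since the agreement does
    not state whether a parent folder's marker also covers subfolders.
    """
    findings = {}
    for folder, _subdirs, files in os.walk(web_root):
        names = [name.lower() for name in files]
        content = [name for name in names if name != MARKER]
        if not content:
            continue
        rel = os.path.relpath(folder, web_root).replace(os.sep, "/")
        findings[rel] = MARKER in names
    return findings


def folders_without_marker(findings):
    """Folders that hold content but no CAS marker file of their own."""
    return sorted(rel for rel, protected in findings.items() if not protected)


def build_sample_tree(root):
    """Create a constructed sample workspace (not a real CHE project)."""
    sample_files = [
        "index.html",                        # public landing page, no marker
        "admin/CasIsapiSecurity.txt",        # marker present
        "admin/users.cfm",
        "admin/reports/export.aspx",         # subfolder without its own marker
        "staff/casisapisecurity.TXT",        # marker with different casing
        "staff/roster.asp",
        "placeholder/CasIsapiSecurity.txt",  # marker only, no content yet
    ]
    for rel in sample_files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w"):
            pass  # the agreement notes the marker file can be empty


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel in folders_without_marker(audit_cas_markers(root)):
            print("no CAS marker:", rel)
```

A folder reported here is not necessarily open to anonymous users, since it may instead be restricted through Windows Integrated Security as described above.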

The default web site and virtual directory configuration settings are:

Web server application configuration defaults:

Enable session state: on
Session timeout: 20 minutes
Enable buffering: on
Enable parent paths: on
ASP script timeout: 90 seconds
Documents Defaults: none

Directory Security Defaults:
Anonymous web access (iusr_servername): read access to all folders
Integrated Windows Authentication: on
Folder permissions: read and scripts execute access to all folders

.Net Framework Defaults:

All .Net applications will be configured to use the Framework version 1.1 by default.
This can be changed to other versions upon request.

ColdFusion Defaults:

Debugging IP addresses on development and test server: none
Data sources: Projects for clients using ColdFusion have a data source name configured
for use. The data source name is the same as the Project name or has the form
LocalProjectNameMssql. Additional data source names are available upon request.


Approval

An email response from a client contact accepting this agreement is all that is required. A
signed copy of this agreement can be provided upon request.
