
Storing Information in the Cloud Unconference

One of the first things to strike me about this meeting was that it was held in the old UMIST building, a fantastic piece of Victorian Gothic complete with a huge hall with stained glass windows.  It’s certainly a fitting venue for a meeting that brought together records managers, suppliers, archives managers, local councils, cloud experts and publicly listed companies to discuss what storing information in the cloud means for them, but more on that later.  The workshop-based unconference was part of a project currently run by the Department of Information Studies at Aberystwyth University and funded by the Society of Archivists, looking into the security, operational and governance issues of storing information in the cloud.  Their aim for the day was to generate debate and to highlight some of the security and governance issues surrounding the storage of information in a virtual environment.  Very helpfully, they used a hashtag of #soacloud for the day and I seem to remember they were going to archive the feed on Twapper Keeper, so I’ll record my impressions here but please do see the feed for the ‘official’ notes.

So, one of the first jobs was for everyone to introduce themselves.  What was particularly noticeable was:

– The diversity of job roles represented at the meeting.  As you can see from the above, there was a wide range of people in the room.  It is fair to say most were from a records management background, but that was probably to be expected given the remit of the day and the speakers;

– New titles – many people had new titles or had moved departments, and this was particularly the case in universities.  Conversations over coffee revealed that many people had changed their title to something like, say, digital archives manager, but that practice at their institution and support for the new demands of the role were not changing as quickly, leading to a challenging environment;

– There was a range of experience with the cloud; most people were fairly new to it and had come to the meeting to find out more and explore the challenges and opportunities of using it.  Very few had extensive experience, and where they did it was mostly from selling cloud solutions or working in a consultancy or research role.

The unconference went on to explore three different areas, so I’ll structure my post around them, although it is fair to say that the format and the active discussion amongst participants meant the boundaries between them were often not neat.

Security and Legal Issues

I’d like to state for this section that I am not a legal expert and that what follows are discussion points and comment.  The reader should not act in any way on the basis of the information below without seeking, where necessary, appropriate professional advice concerning their own individual circumstances.

One of the first key discussion points raised here was the perennial issue of how you define the cloud.  What everyone appeared to agree on was that it is important to be clear about the definition you use, that there are a lot of definitions around, and that the definition you choose very much affects everything else you say about it.  For this session it was very much defined by the issues, so the focus was on the cloud as it exists on the open internet rather than private clouds such as the GCloud.  My personal opinion is that it would be better to stick with the NIST definition, so we’re all talking about the same thing, and then specify which aspects you want to cover rather than inventing a new definition; I find that useful and it prevents starting every discussion with a long debate about definitions.

Most of this session focused on a legal assessment of the risks of using the cloud, on the basis that there were already lots of people willing to promote the positives.  Many people, myself included, stressed that there was a need for balance and that presenting all the negatives was just as bad as presenting all the positives.  So, the points in summary were:

– There is a risk versus value equation in purchasing a cloud service, and consumers are very reliant on trust should the service not be available.  Under a standard contract with most cloud providers there is not much acceptance of risk, and quite often none at all.  It was quite evident that this caused the legal profession a great deal of concern compared to a normal outsourcing contract or providing the service internally.  Interestingly, though, many contributors in the room reported that universities negotiated their own contracts with cloud service providers, giving them the acceptance of risk they felt was appropriate, and there was a feeling that sharing that experience with others would lead to cloud providers amending their terms appropriately.  A good example raised was Leeds Metropolitan University negotiating their own terms for the use of Google Apps (further information on Leeds Met’s use of Google Apps is here).  This could be an interesting trend to follow, as I feel it goes right to the heart of institutional adoption of the cloud.  However, many in the room felt there were a number of solutions on offer.  As mentioned, some institutions are likely to see value in doing their own legal work given the amount they could save.  There is also potential for collective negotiation where a number of organisations or institutions are happy to agree common terms with cloud providers.  An interesting scenario presented was whether there would be some trickle-down: what is in place now is based on what cloud providers are used to, so if they had enough sufficiently high-value customers, might a revised SLA become possible at a slightly greater cost for the cloud service?  On a final note, many argued that it was important to understand what it means to get services from a cloud provider, as often the service offered is better than that provided internally.  Internal services also often don’t come with an SLA or any acceptance of risk;

– The cloud is very easy to get into, whether that be storing data on it as a service or storing data as part of the service that is offered (e-mail is a very good example of this).  This is not necessarily a good thing, particularly in light of the standard (and, it has to be said, in some ways understandable) answer of ‘no’ from the legal and IS departments when end users ask whether they can use the cloud, which tends to lead to users doing it anyway.  What was also highlighted is that those tasked with information management of whatever sort are very often not even consulted, which can be potentially even more catastrophic as information both leaves the organisation and is generated outside the organisation, possibly never to return.  This may seem relatively trivial, but data and information are increasingly valuable, whether for re-use, exploitation of IP, transfer into other areas such as industry, or to ensure they are appropriately archived for future use in all these areas.  Many reported existing benign neglect around information management that they felt could get worse as the cloud freed people up to find their own solutions that worked for them but not necessarily for the greater good.  Several felt the answer was to say ‘maybe’ or ‘yes, and this provider is great’, and for information management professionals to talk more about what they do and raise awareness of the benefit they bring;

– One legal risk highlighted that I hadn’t even thought of was that of data being temporarily in the cloud for processing, and what happens to it afterwards.  We didn’t really explore this but I think it’s an area that bears more analysis;

– The Data Protection Act (DPA) raised its head, as it always does in any discussion involving government (local and national) and universities, due to the high risk of not complying and the issues around being able to meet its provisions if data is stored in the cloud (bearing in mind that the cloud is defined here as ‘on the internet’, so this excludes a private cloud or the proposed government cloud).  There were questions as to whether cloud providers could be certified and whether that would make a difference to compliance; there are certainly examples in the US where providers are certified under HIPAA for the storage of health data.  The main conclusion here was to make a conscious decision about what data goes into the cloud and is processed there.

Records Management in the Cloud

The ever-jovial Steve Bailey took a wry look at the implications of the cloud for records management.  His driving premise was that every principle records managers had been able to hold to, even through the storage of records on electronic media, was broken apart by the cloud because there is no longer one physical location where records can go to be managed (even records residing on a server in electronic form are in one physical location).

The main points of this session were:

– Records managers know very little about managing records in the cloud;

– There is a difference between those who are interested in developing and maintaining a product in the cloud and those whose primary interest is preserving what is in or on that product.  With fragmentation across formats and providers, it is becoming increasingly difficult to search for records in one place.  One subject may have a blog, photos online, mail conversations with many different providers in the cloud and discussion documents online.  Contrast this with Bailey’s example of Samuel Pepys’s papers, which can be found in one place and are professionally archived for future generations.  An interesting quote was ‘maybe Google doesn’t want to be the world’s archivist’;

– Is there a place for an information administrator in this world, similar to the administrator appointed when a company goes under?  The information administrator could make sure that the relevant information is taken and appropriately archived for future use.  Another thought that struck me whilst discussing this was whether we had thought about what happens to all the material we now generate in a Web 2.0 world and how long it remains valid; certainly something to raise with colleagues such as Neil Grindley, who is heading up JISC’s digital preservation and archiving work;

– On the back of this, Bailey suggested that it may be beneficial to have a publicly funded web repository for all this stuff so that it could be archived safely.  A contemporary example: who is going to remember what the BIS website looked like before the change of government?  Does anyone care?  Should they?  There was some interest in the Content Management Interoperability Services (CMIS) specification, which could help in this area by making content interoperable and therefore easier to save.  Certainly the vendors were starting to see some join-up around it and mentioned that tenders were starting to request it;

– Linked data, as always, got a mention, but a very brief one, which I think was driven in part by the people in the room.  It’s maybe a topic that could be covered further (or maybe already has been) in terms of its use for finding and helping preserve records;

– Another good question from Bailey was what would happen if some of the big providers started charging; would we start to realise the value in records, and in the records manager as a decision maker on what to keep and what to get rid of, if we had to face that choice;

– The final question was: what is the difference between records and information?  Users often do not want records management and yet they need it, unfortunately often only after the fact.  Maybe more needs to be done to get users to appreciate that, and to go to them rather than expecting them to arrive at the records manager’s desk.  Once that starts to happen then perhaps records management will start to be recognised at a senior level, and there will start to be an appreciation that information management is just as vital a consideration as other business drivers when procuring systems.  Bailey concluded by putting forward the proposition that maybe there aren’t records managers any more and that the role has become that of an information manager, for which there seemed to be broad agreement in the room.

Cloud and Security

Paul Miller’s presentation went down a well-worn road for me, so I’ll let you pick it up from the Twitter feed.  The key points he made that stood out for me were:

– Software as a Service (SaaS) started off by providing most of what people wanted, most of the time, and targeted those who were never going to use that service outside the cloud.  So, Google Docs is OK as a basic word processor but I am not going to leave MS Word for it.  Interestingly, though, SaaS is now starting to offer features that the incumbents have always had and is catering for more of what users want.  So where next?  There weren’t any answers, but it was an interesting thought experiment as to what could happen;

– Cloud SaaS offers rapid iteration, which is good for the user but bad for those supporting the user.  I’m not too sure that it is even good for the user.  Sure they get lots of new features but do they know what they are?  Do they suffer from feature deluge?  I’d certainly agree that support can be problematic if new features arrive without the time to develop training for users and appropriate knowledge in a support team;

– Understanding what you put on the cloud is vital.  There is a perception that the cloud is insecure, based on the security model you would want for personal data, but if what you are putting there is ideas for papers or general ‘fluff’, do you really need high levels of security?  I think this proved problematic for the audience, but I can see Paul’s point and mostly agreed with it.  An interesting counter-argument was that the reason many staff did not have e-mail in the cloud whilst their students did was that staff have a legal link to their institution: whilst staff interests might be served by going to the cloud, maybe those of the institution weren’t, and selecting which data mattered to the institution was just too difficult;

– An interesting point from earlier was a discussion over how auditing could be used to verify the security of a cloud facility.  Many argued that a cloud facility could be a lot more secure than an internal facility and that auditing, to some extent, reduced that security because it meant allowing people into the data centre who could then potentially compromise it, even unintentionally.  Do we need certification to overcome this need for an independent audit of security?  Which certifications do we trust?  Is audit very much dependent on the use, so do we need to audit differently for different uses?  Does it matter that we know someone who has ‘touched the hardware’, or are we happy to trust that the provider has carried out the appropriate checks?  There is also the question of distinguishing between access, storage and use – audit often needs to answer who is doing these things, and in a virtual environment is that even possible?

– The penultimate point to run through is the fear of having your information in the cloud, out there and available for all to get at.  There were a number of good arguments that the sheer volume of stuff in the cloud works against anyone being able to find what is yours, a sort of security by obscurity.  This even applied to agencies that have legal powers to look at what you hold (there is often concern, for example, that the US spies on data held in facilities located there).  Another mitigating factor mentioned was the level of interest these agencies actually have in data located in the cloud; going back to an earlier argument, what is held is often a large volume of stuff that no one other than the user has much interest in.  If that can be held in the cloud then it makes a lot of sense, and the more sensitive data can then be held elsewhere;

– A good point to finish off this section was what people expect of security, and their perception of it as opposed to the reality.  There was a great meme here about trust: even if an institution has many users on its network, making it less secure, it is something they own and feel they trust more than a network they do not own that has far fewer users on it.  The harsh fact is that most networks and servers are compromised by people, and the more of them you have with access, the more likely that is to happen.  In a lot of ways I think the cloud is a very secure place, but it is vital to ask the right questions so that you can be confident about those who have been trusted with what you put there.

So, I promised at the start of the post to cover why the building was so appropriate, and I’ll do that here in conclusion.  When the UMIST building was erected on Sackville Street in Manchester and opened in 1902, it represented a triumph of knowledge and certainty.  Everything generated in the building was appropriately filed and managed, and you can no doubt still find it today as a result of those people who sifted records from information and diligently archived what was important.  Are we going to be able to come back to the same building in 100 years’ time and have that same certainty about finding information that we’ve stored in the cloud?

Audiences

Increasingly at JISC we are asking projects to look at who their audiences are and what the audience would like from the project.  I thought I’d write a post to explain what it is we are looking for as I realise it can be quite a confusing area.  I’d also welcome comments from those who are grappling with this at the moment so we can improve the advice we give and hopefully make it a positive experience for all concerned.

To set the background, looking in much more detail at audiences has recently become important for JISC.  Back in the ‘Thousand Flowers’ days we knew broadly who the audience was for projects and it was sufficient to broadly outline who the key stakeholders were (which, note, could be a larger group than the audience).  What was important was to get small projects out there experimenting with the technology and passing those lessons on to quite a broad audience who would pick up what was of interest to them.  Some projects would fail as a result of not quite connecting with their audience or simply not having an audience but that was all part of the risk-taking we did for the sector.  Fast forward to today and we are commissioning some very large projects and we are getting some of those to go along what we call the Development to Service route.  What this means is that we are interested in how they go from being a good idea to being something that can be used by others.  Unfortunately JISC can’t support all of those projects so we have to know which ones are of particular interest and for the others we’d like to help them find funding from other sources.   This is where knowing who could use the service and who would be interested in funding it proves to be vital.

So, how do you go about doing that?  I’ve tried to combine some dos and don’ts below from projects that have been both successful and unsuccessful in finding audiences to use them.

DO:

– Get engaged with your community through events, mailing lists, blogs, etc. and find out what they think about your idea and who they think would find it useful.  They are also likely to have some useful input into what you need to do.  A good recent example is my last post on OpenID; the JISC-SHIB list is actively discussing its conclusions and helping suggest how we can take it forward;

– Identify named communities, institutions, companies and organisations who would be interested in your project.  It is so much easier if you can name members of your audience.   So, for example, my NAMES project is working very closely with the British Library.  That is so much better than saying the audience is ‘those in the academic community who would be interested in an authoritative registry of academic names’;

– Work with those named entities to establish their interest in your project.  They could well help with testing initial demos and prototypes, or be able to offer some financial assistance or resources in other areas, such as connections to other similar initiatives or to those who could help you;

– Talk with your programme manager who may be able to suggest useful people to get in touch with or audiences it may be useful to engage with;

– Put the work in on your project plan to identify key named audiences, record who those are and come back and revisit these, changing them as necessary;

– Get a demo or prototype out early so your potential audiences can see what it is you are doing and get to grips with it;

– Come along to JISC-organised events such as Andy McGregor’s Developer Happiness Days or the JISC Conference, as they provide a good opportunity to talk about what you are doing and find more potential named interested parties for your audience;

DON’T:

– Define your audience so widely that it will be impossible to take practical action to engage with them.  If you’re aiming at ‘the UK academic community’ or ‘those interested in repositories’ then you need to be doing some more work;

– Skimp on engaging with your audience and getting their feedback.  You need their interest even if JISC are doing the funding as it provides evidence that what you are doing is useful;

– Use surveys as a substitute for engaging with your audience or finding it.  Surveys are useful but they can’t be used on their own;

Hopefully that is helpful and if you have something to add to the above then please post a comment.

Less of the XML

I’m sitting at another conference where I’ve seen several presentations littered with XML that is then dissected ad nauseam.  Now, I’m sure they are very valuable for the people presenting them, and we’re all familiar with the pride with which we talk about our new ‘baby’.  Unfortunately, it switches off the bulk of the audience (I’m not just talking about myself, btw – there are several people who feel the same way).  So, if you’re a developer or technical manager then please resist the temptation to put XML in your presentation.  Diagrams showing how your system works are good (animated ones even better).  Short, concise slides that outline where your solution could be used and how it helps the user are good.  Short demonstrations of your system working are good.  Sharing all that on a site like SlideShare or on a website (which is what we do at JISC) is even better.

If you do this then you avoid the demoralising prospect of people switching off from what you are presenting altogether (and, yes, this even applies to technical people).  If someone wants to see exactly what is in the XML you output or take in then you can safely rest assured that they’ll ask you about it over coffee.

IDM2008

Given this is my second blog entry in as many days, you’re either in for a treat or the tedium continues; I leave you to decide.  I’d also add that, due to train issues, this and the above entry WERE written separately but offline, as there doesn’t yet appear to be a 3G service that provides continuous coverage on the journeys I make; if anyone can suggest one then please comment below.

So, today was IDM2008, billed as an opportunity for those from business and government to get together and share their experiences of identity management.  I was the representative from higher and further education, giving a presentation on Innovation that outlined what we had done on the Access Management Federation and subsequent developments.

The day featured the following presentations:

– Graham Morrison on using Kerberos to solve the Home Office’s issue of ‘seamless authentication’ across a range of different systems.  I liked this one for a number of reasons.  The first was that it used what was already there and proven to work, which I think is important in identity and access management (IAM).  Next, it has been kept simple – you can’t get much simpler than using Kerberos to issue a ticket to authenticate the user (the Ticket Granting Ticket) and a ticket to authorise them to do ‘stuff’ (the Session Ticket or TGS); there’s a small sketch of what this looks like from a client’s point of view at the end of this list.  Finally, it deals with levels of assurance, but only gets into heavyweight biometrics, role-based access control and the like when it needs to;

– David McIntosh (hope I spelt that right) presenting on biometric technologies and SITC.  The former taught me that your ear echoes back any sound played into it in a way that is unique to you; interesting, but not particularly useful unless you want to biometrically identify someone in a quiet environment.  The latter could be more widely useful to JISC, as it is a body consisting of SMEs that would like to engage with universities;

– Jim Slevin on Manchester Airports’ IDM systems.  A very topical presentation, as the authentication of a user can now be carried out by National Identity Card, which has caused quite a stir in the papers this morning.  More interestingly, their focus was on delivering a capability, not a solution, which I think we should do more of.  You can actually do something with a capability;

– Joe Baguely presented on AD as an identity store.  The sub-title was ‘are you mad?’ and I think this summed up many people’s impression of doing this, but Joe presented a very convincing argument for re-using what is already in place with Active Directory (AD), along with a rather unsubtle plug for his organisation, which does this and which I am not going to repeat here.  I also quite liked the idea of Segregation of Duties or SOD – I’ve known it as a concept, but having an acronym somehow makes me feel so much better;

– Fraud and IDM by Logica.  I quite liked the abstract for this so attended.  I didn’t entirely regret it, but I found out more interesting facts about fraud than about the business case for IDM, which is what I’d originally gone for;

– Dave Nesbitt on how to avoid an identity trainwreck.  Whilst this covered what we all know – get senior-level sponsorship, agree clear priorities with key users on what is going to be done, deploy iteratively rather than going for a big bang, and remember it’s the human stuff rather than the technology that is difficult – it’s all worth repeating.  Even the take-home message was worthwhile: ‘IDM is many small projects to constantly improve your infrastructure that never end’;

– David Bowen looked at how identity management worked at Great Ormond Street Hospital.  I didn’t learn much from this but had a sharp intake of breath on the mention that single sign-out is more difficult but more valuable than single sign-in.  On the Shib front I don’t think we are ever going to get there and we shouldn’t be trying given the issues, IMHO;

– Yours truly was next up and if you read this blog and the stuff on what I do on the JISC site then you’re going to know what was presented;

– Conn Crawford went through how local authorities approach identity management, and specifically what Sunderland have been doing.  It was great to see Conn again.  He has a knack for connecting up a range of identity management ‘stuff’ to do really valuable things in the community.  What he has done ranges from federated solutions right through to user-centric identity management, and he was presenting on the Let’s Go Sunderland portal he has put together, which allows kids from disadvantaged backgrounds to load up a smart card with activities they can attend.  They have an allowance every month and sign up for activities, but the smart thing is that they also tell the portal what they are interested in, which gives the resource providers some anonymised marketing information back and hence an incentive to offer their resources to the scheme.  This is a great example of making personalisation work whilst protecting the individual;

– Alan Coburn presented on Glow, a teaching and learning portal for Scottish schools.  I think the most interesting things to come out of this were that schools wanted to sign up for it, hence there were a great number of users, and that they had used Shib but not the federation.  It turns out the latter was because the system was specified before the federation existed;

– Hellmuth Broda had the rather unenviable task of being last up and went through Liberty Alliance.  All very good stuff but nothing new for me.  What was of more interest was his company’s creation of batches of unique codes that can be attached to 2D barcodes, RFID tags and text messages; basically, name a medium and a code can be attached to it.  The potential is huge, as these codes link to specific actions such as vouchers, one-time visits to websites, etc.  More info on this is at www.firstondemand.com.
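
As promised in the note on Graham Morrison’s talk, here is a minimal sketch of what the ‘keep it simple’ point looks like from a client application’s point of view.  It is not the Home Office’s actual implementation: it assumes a service that accepts Kerberos/SPNEGO authentication, that the user already holds a Ticket Granting Ticket (from a Windows logon or kinit), and that the requests-kerberos library is available; the URL is entirely hypothetical.

# A minimal sketch, not the Home Office's implementation: the client already
# holds a Kerberos TGT (from a Windows logon or kinit) and requests-kerberos
# uses it to obtain a service ticket for the target system transparently.
import requests
from requests_kerberos import HTTPKerberosAuth, OPTIONAL

response = requests.get(
    "https://casework.example.gov.uk/",  # hypothetical Kerberos-protected service
    auth=HTTPKerberosAuth(mutual_authentication=OPTIONAL),
)
response.raise_for_status()
print("Signed in as the logged-on user; no password was sent to the service.")

The point is that the whole ticket exchange happens behind that one auth argument, which is why the approach appealed to me.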

 

Thanks also go to Professor Gloria Laycock, who did a great job chairing the meeting, to the extent that we even finished early!  All in all a useful day, and there were quite a few contacts I met during the day that I’ll follow up further.  Well worth a look next year if you are interested in identity management outside the education sector.

30-5-10

I visited Paul Walk over at UKOLN recently to talk about Shared Infrastructure Services (SIS), amongst other things, and one idea that came out of that discussion was the 30-5-10 idea.  I’ll set a bit of background before ploughing into the idea itself.  Most projects at JISC do some really useful stuff that researchers, educationalists, developers and a whole range of other audiences can take and use for themselves (in response to the cynics, we also do really useful stuff for the other projects that can’t necessarily be used straight away, but it helps get us along the road to things that can be used ;-)).  The problem we often face is that the stuff we produce isn’t used, because it might not be communicated in quite the right way or the target audience may well not be aware of it.  As a programme manager that can get very frustrating, because sometimes you see an alternative widget that isn’t as good being used simply because the project staff or the organisation they are working for are better at promoting it.

So, we come to 30-5-10.  It’s intended for software or services that can be quite easily demonstrated, so good core candidates are some of the SIS projects and projects like NaCTeM.  The idea is this:

– 30 seconds to get across what your project, or the service(s) within your project, does.  This could be used at a JISC meeting, at a conference or wherever you meet other people who might be interested in what you are doing.  The reason for 30 seconds is that within that time you should be able to get across what your project or service does in a sufficiently compelling way that it piques the interest of those who may want to use it, so they want to know more.  So, if we take NaCTeM’s Termine service, the 30 seconds could go something like: ‘Termine is a service supplied by the National Centre for Text Mining in Manchester to extract meaningful terms from a piece of text or a corpus of texts submitted to it.  It uses advanced text mining techniques to ensure that those terms are very accurate relative to the area that the body of text was submitted from.  Termine also ranks the occurrence of terms.  Possible uses include automated metadata extraction to tag the articles submitted.’  I’m sure that if someone from NaCTeM sees this they will have a few corrections, but it gives you an idea of what you would say;
– 5 minutes to outline how to solve a problem your audience has.  So you have the person’s or audience’s interest: what next?  You have a dialogue with them to understand how your widget could solve a problem they have, which makes what you have done relevant to them.  This involves actively listening to what they say, so they spend more time talking than you do.  There’s a lot on active listening on the web so I won’t try to cover it here, but if you’re asking open questions like ‘What kind of things that you’re doing do you think my widget would be useful for?’ as opposed to ‘Do you think this is useful?’ then you’re off to a good start; try to ensure you’re not asking questions that have yes or no answers.  In my text mining example above, I’m a stressed new programme manager who hasn’t much time to understand the background to committee papers, so term extraction helps me by pulling out the key terms that I can then research on the web, making me seem knowledgeable (well, more so than Sarah Palin 😉 );
– 10 minutes to set up a quick demo that produces results.  Even if your service or project is quite complex and has lots of configuration options, you need to have something a developer can integrate pretty quickly, and 10 minutes is a good target.  My term extraction example above is a bit unfair in some ways; I can submit text online and get answers in substantially less than 10 minutes, but it would be good if I could do that in a RESTful way, which I can’t currently (there’s a sketch of what I mean straight after this list).
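
To make that last point concrete, here is the sort of RESTful call I have in mind.  The endpoint, parameters and response format are all hypothetical – this is not Termine’s current interface – but it shows the level of effort I’d like a developer to face within those 10 minutes.

# A hypothetical RESTful term-extraction call; Termine does not currently
# offer this interface, so the URL and JSON shape below are my invention.
import requests

TERMINE_URL = "https://termine.example.org/api/extract"  # hypothetical endpoint

def extract_terms(text, top_n=10):
    """Submit a piece of text and return the top-ranked terms with their scores."""
    response = requests.post(TERMINE_URL, json={"text": text}, timeout=30)
    response.raise_for_status()
    # Assume the service returns JSON like {"terms": [{"term": "...", "score": 0.9}, ...]}
    return [(t["term"], t["score"]) for t in response.json()["terms"][:top_n]]

if __name__ == "__main__":
    paper = open("committee_paper.txt").read()
    for term, score in extract_terms(paper):
        print(f"{score:.2f}\t{term}")

If something that simple existed, the 10-minute target would be comfortably met.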

So there it is.  I’d welcome comments from projects or others about how do’able or sane this is but please bear in mind that the whole premise behind this is to quickly get potential users to a point where they have experienced your solution and are interested in taking it further.  They are then likely to have the patience to get to grips with that SOAP interface or spend a little more time discovering the nuances of what you’ve put together.

Ubiquity

There’s quite a lot of buzz around Ubiquity at the moment, which is probably most simply described as an attempt by Mozilla to take the mashup out of the domain of the web developer and into the hands of the user.  The product allows a user to create their own mashups without having to be fluent in web scripting and coding; all they need to do is install the appropriate client on their browser (currently Firefox only) and then type in what they want to do.

The applications demonstrated in the demo are fairly simple at this stage, but it’s easy to see how they could have quite a lot of use in education, both to take the drudge out of some common tasks and to open up what we’re doing around combining services.  As an ex social scientist, I seemed to spend quite a lot of time combining stats and then displaying them on a map; it would be great if I had a ‘widget’ that would do that for me and take some of the spadework out.  That then frees me up to do a bit more of the interesting research that I really want to do.
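
Just to illustrate the sort of spadework I mean (this is nothing to do with Ubiquity itself – the library, place names and figures below are purely my own illustrative choices), combining a few statistics with locations and putting them on a map currently looks something like this:

# An illustrative sketch of the manual 'stats on a map' chore, assuming the
# folium library is installed; the figures below are made up for illustration.
import folium

survey_results = [
    # (place, latitude, longitude, respondents)
    ("Manchester", 53.4808, -2.2426, 120),
    ("Bristol", 51.4545, -2.5879, 85),
    ("Aberystwyth", 52.4153, -4.0829, 40),
]

m = folium.Map(location=[53.0, -2.5], zoom_start=6)
for place, lat, lon, count in survey_results:
    folium.CircleMarker(
        location=[lat, lon],
        radius=count / 10,  # scale the marker size by respondent count
        popup=f"{place}: {count} respondents",
    ).add_to(m)

m.save("survey_map.html")  # open the HTML file in a browser to view the map

A Ubiquity-style command that wrapped that up so I could just type ‘map these figures’ is exactly the kind of drudge removal I have in mind.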

Add a little more and it’s a tool that could become extremely useful.  It’s all released under an open source licence, so there is potential for Greasemonkey-style scripts that extend it further.  We are slowly and painfully seeing the freeing up of data under Open Access and a revival of the citizen scientist as a result (see here).  Then we have tools and standards such as OAuth and OpenSocial that are allowing us to selectively release data about ourselves, and permissions, to help these services do something for us.

Ultimately, I think it’s worth watching what Ubiquity is doing over at Mozilla Labs because it could start opening up some mainstream avenues for really useful mashup tools that save the researcher and educationalist a lot of time and let them get on with what they’d like to do.

It’s all about the Process and Training

If you haven’t read the recent reports on the root causes of government data loss and you deal with personal data at your institution, then you really should.  They highlight that whilst the technology was adequate for the job, the training, culture and process were far from adequate.  If you only read one report, though, then this should be it.  The data handling review gives some good pointers on how process, training and cultural adaptation are vital to ensuring that personal data is handled sensitively and appropriately.  It’s a message we relayed through the Identity Project, and as we store more and more personal data about staff and students we need to have measures in place to ensure that everyone who deals with it knows how they should be handling the data, so that end users get the experience they deserve and can be secure in the knowledge that their identity is safe.

Software Usability

We’re currently in the process of sorting out a new intranet at JISC so that programme managers, amongst others, can very easily access information about the ever-increasing portfolio of projects that we deal with every day.  For those who have dealt with JISC for a while, you’ll know that this is massively long overdue and should provide what we need to help cope with our own data deluge ;-).

So, it was with a great deal of happiness that I saw that one of the first areas covered was usability.  Again, for those of you who know me, it’s a subject I regularly get up onto my soapbox about, as I think it’s absolutely critical for good quality software.  Even the best written code can be let down by a shonky user interface that is ‘functionally perfect’ but hasn’t involved the user; it’s not the greatest of starts and often leads to a system being dropped before it even gets off the ground.  We’re now into the second round of providing input into the usability of the system and I’m really hoping that what I’ve seen so far makes it through to the final system and we get an intranet that is both usable and useful.

This brings me on to usability and JISC-funded projects.  Whilst we are always going to cover bleeding-edge software that’s going to be sub-Alpha, never mind perpetual Beta, we’re increasingly funding projects to deliver software for use by real users rather than as a proof of concept.  That means usability is crucially important and the user has to be involved.  If I had one piece of advice to give to new projects producing software to be consumed by users (and some of my own projects are doing this as we speak), it would be to get the usability right and adoption by any community will be a lot easier.  It’s a lesson a good many successful open source products, such as Firefox, have learnt and thrived on; I’m hoping it’s one that my own and several other projects within e-Research learn too.

Risk

Without a doubt, one of the areas that can most benefit the projects we commission is the effective management of risk and yet it comes up time and time again as being a problem area. The most common response is to repeat what is in the template project plan or to come up with some standard risks that seem to do the job. So, I’m not going to be surprised to see in my next project plan something along the lines of ‘staff may leave the project’. This really isn’t doing anyone any favours, least of all the project, and my standard advice is to think very simply and list out all the ‘bad things’ that could happen in the project, how likely they are to happen, what would be the impact if they did happen and what the project is then going to do to avoid them. Generally, about 10-15 minutes of thought on this leads to the risk section being completed far more effectively and hopefully to us avoiding some of those ‘bad things’.
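
To show the sort of output those 10-15 minutes should produce, here is a minimal sketch of a risk register – in Python purely for illustration, since a table in the project plan does the job just as well, and the entries are only examples, not a template to copy verbatim:

# A minimal sketch of a project risk register: list the 'bad things', how
# likely they are, their impact, and what the project will do about them.
# The entries are illustrative examples only.
from dataclasses import dataclass

@dataclass
class Risk:
    description: str   # the 'bad thing' that could happen
    likelihood: int    # 1 (unlikely) to 5 (almost certain)
    impact: int        # 1 (minor) to 5 (project-threatening)
    mitigation: str    # what the project will do to avoid or reduce it

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

risks = [
    Risk("Key developer leaves before the prototype is complete", 2, 4,
         "Document the code as it is written; pair on critical components"),
    Risk("Partner institution cannot supply test data on time", 3, 3,
         "Agree a data-sharing schedule at kick-off; prepare synthetic test data"),
]

# Review the register regularly, highest-scoring risks first.
for risk in sorted(risks, key=lambda r: r.score, reverse=True):
    print(f"[{risk.score:>2}] {risk.description} -> {risk.mitigation}")

The point is simply that each ‘bad thing’ gets a likelihood, an impact and a named mitigation, rather than a stock phrase copied from the template.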

I’m mentioning this because in this week’s Computing there is a whole section dedicated to risk, which starts with how to address it (see http://www.computing.co.uk/computing/analysis/2216492/damage-limitation-3990558) and there is a comment piece on one of the webinars they run that was on managing risk (see http://www.computing.co.uk/computing/analysis/2216502/managing-risk-people-process-3990563). Both are worth a look as they contain some good practice that can be used in any project, not just business projects.

To Wiki or not to Wiki?

There’s always quite a lot of discussion about what to do with wikis, never more so than at JISC, where we have projects using them and quite often use them ourselves.  My personal experience has been that they can be extremely useful, but only if they are used properly.  One of the most frustrating aspects for me is when information is put into a wiki and it’s very difficult to either find or read it; there are also other issues, such as finding what has changed since the last version, which is quite often poorly managed.  However, on the positive side, a wiki can be a great way of collaboratively authoring a document.  What I’ve found useful is to use a mailing list or Skype conversation (hey, or even talking with people 😉 ) to frame up what needs to be on the wiki, then put it in there and have an editor who can bring the whole thing together at the end from the comments that have been added below the text.  So, wikis can be very useful when they are blended with other means of getting discussions into a form that can be used for calls, project documentation and programme documentation.  It would be good to hear from others about what they feel works best.