University Information Technology Services
Consolidated Hosting Environment Service Agreement
October 1, 2011


Dec 4, 2013 (3 years and 10 months ago)

Overview


The Consolidated Hosting Environment enables clients to use desired technologies not
available in any other hosting environment provided by University Information
Technology Services, for as low a cost as possible, while maintaining an acceptable level
of performance, reliability, and security. Applications requiring other levels of
performance, reliability, or security must be hosted elsewhere.

The unique features of this hosting environment are a Microsoft IIS web server with the
ability to serve dynamic web pages written using Adobe ColdFusion, Microsoft ASP, and
Microsoft .Net programming languages; and a Microsoft Windows Share with the ability
to serve executables and files. The web pages, shared files, and executables hosted in this
environment may access data in a Microsoft SQL Server that is part of this environment
or may use other data stores as desired by the client and acceptable to the provider.

The Consolidated Hosting Environment is available to departments on all campuses of
Indiana University. The clients develop and maintain the applications, and University
Information Technology Services provides the hardware, software, and system
administration.

This environment is provided by the combined efforts of the Enterprise Web Technical
Services, Enterprise Server Administration, Enterprise Infrastructure, Enterprise
Infrastructure Database Administration, Computer Operations, and Support Center
groups of University Information Technology Services. The remainder of this document
describes the environment, and the relationship between the service provider and the
service clients.



Definitions


“Client” refers to the consumer of the services provided by this environment. A client is
the organizational unit and all associated individuals served.

“Provider” refers to the University Information Technology Services groups and
personnel responsible for providing some aspect of this environment.

“Workspace” refers to the total scope of a client’s use of this environment. A workspace
is comprised of all file and database space provided to a client.

“Project” refers to a sub-grouping of resources within a workspace. So a “Workspace”
can have one or more “Projects”. File and database space are associated with a “Project”.
The primary reason for multiple “Projects” would be security, to compartment access to
files and data to different groups of people.

Service Agreement


The service provider agrees to:

Provide the Consolidated Hosting Environment 24 hours a day, 7 days a week, except
for maintenance and emergencies. See the Guidelines section for further information
about scheduled and emergency maintenance.

Provide a full range of support resources. The service provider responsibilities are
divided between the Enterprise Web Technical Services (WebTech), Enterprise Server
Administration (ESA), Enterprise Database Administration (EDBA), Storage and
Virtualization (SAV), Computer Operations (OPS), and Support Center (SC) groups
within University Information Technology Services (UITS).

  The WebTech group is the service owner and primary contact for all clients. The
  WebTech group will introduce new clients to the environment, and provide
  general information and consulting services to existing clients.

  The ESA group is the system administrator for the environment. The ESA group
  will install, configure, and maintain the development, test, and production
  hardware and operating system software.

  The EDBA group is the database administrator for the environment. The EDBA
  group will install, configure, and maintain the development, test, and production
  database software.

  The SAV group will provide virtual servers, allocate additional virtual resources
  as needed, and perform file and database backups.

  The OPS group also monitors server activity and will report problems as
  necessary to the system administrator.

  The Support Center will provide first tier support for the environment.


The client agrees to:

Secure their workspace and data.

  Assure your “Contacts”, “Permissions”, and “Access Control Lists” are up to
  date. “Contacts”, “Permissions”, and “Access Control Lists” are described in the
  Guidelines and Access Control sections of this agreement.

  Assure you are not storing the following personal information anywhere in your
  workspace without approval of University Counsel, Internal Audit, and the
  University Information Technology Security and Policy Office.

    o Social Security Numbers
    o Credit card numbers
    o Financial account numbers
    o Debit card numbers
    o Security codes, access codes and passwords
    o Drivers license numbers
    o State identification card numbers
    o HIPAA

  Please review the Knowledge Base article “What is sensitive data, and how is it
  protected by law?” (http://kb.iu.edu/data/augs.html). If you have any questions
  about whether your data can legally be hosted on CHE, please inform the service
  provider. Some sensitive data (like FERPA data) can be hosted with restrictions.






Maintain their workspace in accordance with the terms of this agreement.

  The Consolidated Hosting Environment is shared by many clients. In order to
  provide a maintainable and acceptable level of performance, reliability, and
  security, the configuration of all applications is standardized. The client may
  request deviations to the standard but the provider reserves the right to deny any
  request for customization.

Maintain their workspace to not adversely affect other client applications.

  All client applications must not adversely affect other client applications. If a
  client application does adversely affect other client applications, the provider may
  remove the offending client application from service.

Maintain their workspace to be compatible with environment upgrades.

  Every software component employed in the environment will be patched,
  updated, or upgraded promptly. The client is responsible for making any changes
  necessary to their application to get it to function in the patched, updated, or
  upgraded environment.




Use the following procedures to make changes.

  The Consolidated Hosting Environment is composed of development, test, and
  production areas. The client must develop only in the “development” area, and
  adequately test in the “test” area before moving changes to the production area,
  and only make tested changes to the production area.

  The first time files are moved into “production”, clients must submit a change
  request to chehelp@indiana.edu at least two weeks in advance. The actual date
  and time will be determined by the client and provider at least one week in
  advance.

  The first time database objects are moved into “production”, clients must submit a
  change request to chehelp@indiana.edu at least two weeks in advance. The actual
  date and time will be determined by the client and provider at least one week in
  advance.

  Routine file changes can be made to the “production” environment by using the
  web based self-administration tool or by submitting a change request to
  chehelp@indiana.edu. Requests must clearly specify the source and destination
  for all files.

  Routine database object changes can be made to the “production” environment
  by using the web based self-administration tool or by submitting a change request to
  chehelp@indiana.edu. Requests must clearly specify the source and destination
  for all database objects (see “Guidelines: Database Requests” for more
  information).

  Other changes can be made by submitting a change request to
  chehelp@indiana.edu. Requests must clearly specify the changes desired. The
  actual completion date and time will be determined upon review of each
  individual request.

Any new component, software, or device that is needed by the new or modified
scripts must be made available to the provider in advance for evaluation. If the
provider approves the new component, software, or device for use and a license is
necessary, three licenses must be provided for the development, test/staging, and
production environments. Once installed, the client will be responsible for obtaining
updates as necessary.

The client must notify the provider of any anticipated “significant” changes in usage,
such as a dramatic user base increase or the need for a dramatic increase in disk
space, in order to ensure the environment has the resources to accommodate the
changes.

Designate at least one contact that can answer or find answers to any administrative
or technical question related to the client workspace.



Guidelines



Intended Clients

o IU Departments on all campuses
o IU faculty and staff
o IU students only when sponsored by IU faculty or staff
o Vendors only when sponsored by IU faculty or staff

Contacts and client access to the environment

o The client must designate at least one individual as a contact for all matters
  related to their use of this service. The provider will only act on requests made
  by or approved by a designated contact.
o The client is completely responsible for controlling access to their workspace.
o The client is responsible for developing and maintaining their content for the
  entire application life-cycle. The client is also responsible for adapting their
  application to changes to the environment such as software and hardware
  updates and upgrades.

Initiating Service

o Express interest to WebTech (chehelp@indiana.edu).
o Include a proposed name for the project and the network id and email address
  for the primary contact.
o Development workspaces are available within a week.

Ending Service

o The client may end their use of the service at any time. WebTech reserves the
  right to end service to any application which violates any IU Policy, this
  Service Agreement, or adversely affects the performance of other users.
o When a client ends their use of the service, the provider will archive all files
  on the file share and a complete backup of the database, and a copy of the
  archive will be made available to the client. The provider will keep a copy of
  the archived Project for one year.

Consulting and Troubleshooting Services

o Consulting and troubleshooting services are available upon request to WebTech.
o Response time will vary based on personnel resources and volume of requests
  pending.
o In general, all clients will have the same priority for services.
o The service provider reserves the right to reprioritize pending requests for
  services as circumstances may require.
o There is no additional fee for routine consulting and troubleshooting services.
  Extensive consulting and troubleshooting services may result in additional
  fees.



Database Requests

o To restore a back-up of a client database, please indicate the source server and
  date of the back-up to be used, and the target server of the back-up. A
  database restore will replace the target database.
o Due to the complexity of some database designs, it may not always be
  possible for EDBA to move individual objects from one CHE database to
  another (for example, if a table has multiple dependencies) as these moves are
  extremely time-consuming and can place the client’s data at risk. In these
  cases, EDBA will, at the client’s request, move the database object(s), but it is
  incumbent upon the client to provide EDBA with a script for reassigning any
  special attributes the object may possess (most commonly identity, foreign
  keys, triggers, and/or primary keys). Facilities are available within the CHE
  administration page for storing and executing these scripts.
o Temporary elevation of production level permissions to database owner can
  be granted if the client wishes to move these objects themselves by sending a
  message to chehelp@indiana.edu.




Emergency communications

o In case of an emergency, the client must first consult their developer to
  resolve the problem.
o If the problem cannot be resolved by the client's developer, then the client
  may contact chehelp@indiana.edu for assistance. If the report is made during
  normal business hours, then the problem will be investigated. If the problem is
  reported outside of normal business hours, then the problem will be
  investigated the next business day.
o If the problem is identified outside of business hours, then clients or users may
  contact the Support Center. If the Support Center is closed, then clients or
  users may report the problem to Operations. The Support Center or Operations
  will report the problem to the System Administrator. The System
  Administrator will only be able to perform high level functions such as
  restarting a problematic server.
o When clients or users report a problem to chehelp@indiana.edu, Operations,
  or the Support Center, the following information is needed:
  - That the application is part of the Consolidated Hosting Environment.
  - The name of the application.
  - The name, email address, and phone number of who to contact during
    troubleshooting.
  - A description of the problem, including details such as:
      o The complete URL to the problem page.
      o The UNC path to the share containing the file with the problem.
      o The server and database name if the problem is a database connection.
      o A description of the aberrant behaviors.
o You may refer your users to the KB article http://kb.iu.edu/data/arrv.html for
  instructions for user problem reporting for the Consolidated Hosting
  Environment.




Virus Protection

o Clients are responsible for assuring their files do not contain viruses.
o The service provider may periodically scan files for viruses.

Data Backup and Restoration

o Tivoli Storage Manager (TSM) is now used for backups and restores.
o Files on file shares are backed up as follows:
  - First, TSM copies all your files and keeps that copy of each file until
    you modify or delete it.
  - The previous 13 versions of your files are each kept for 30 days from
    the day a new version is created.
  - When you delete a file up to 13 versions are kept for 30 days, as
    above, and the last version is kept for 60 days.
  - Backups are first written to disk and then written to 2 tape pools. One
    tape pool is stored in Indianapolis and one is kept in Bloomington.
o Databases are backed up as follows:
  - A SQL Server full backup of each database is performed daily and written to a
    file server.
  - A SQL Server transaction log database backup of each database is performed
    daily for production databases only and written to a file server.
  - The backup files are kept for 5 days on the file server. Plus, the file server is
    backed up by TSM. So in addition to immediate access to 5 days of backups
    from the file server we have the TSM backups of the file server (as described
    above).
o Send requests to restore files and databases to chehelp@indiana.edu.
o Restorations may result in additional fees.




Scheduled Jobs

o To avoid conflicts with backups and scheduled maintenance, operating
  system, ColdFusion, SQL Server, and any other jobs targeting the production
  servers in this environment must be scheduled to not conflict with the
  production server backup and scheduled maintenance.
  - Backups and scheduled maintenance on production servers occur
    from midnight to 6am (8am on Sundays). Therefore, scheduled jobs
    will not be allowed during these times.
o To avoid conflicts with backups and scheduled maintenance, operating
  system, ColdFusion, SQL Server, and any other jobs targeting the
  development and test servers in this environment must be scheduled to not
  conflict with the development and test server backup and scheduled
  maintenance.
  - Backups on the development servers occur daily from 6 pm to 9 pm
    and database backups on the test servers occur daily from 9pm to
    Midnight. Scheduled maintenance occurs Tuesdays from Noon to 5
    pm. Therefore, scheduled jobs will not be allowed during these times.
o When job execution periods overlap and server performance is affected, then
  we may reschedule the jobs involved to spread the load. If this is necessary,
  then we will work with the affected job owners to reschedule the jobs.
o SQL Server Integration Services (SSIS) packages should be completed before
  9am each weekday. Any SSIS package running after 9am on a weekday that is
  having a negative impact on the CHE environment may be terminated at the
  service provider’s discretion. The service provider will make every effort to
  contact the affected client before, or immediately after, the SSIS package has
  been terminated.




Scheduled Maintenance

o If necessary, security updates to development and test servers will occur on
  the Wednesday following the second Tuesday of every month between Noon
  and 5 pm. If necessary, security updates to production servers will occur
  between 12am and 8am the following Sunday. The servers or affected services
  will be down for only the amount of time necessary for the updates, usually
  for only a few minutes.
o If necessary, other maintenance to development and test servers will occur on
  Tuesdays between Noon and 5 pm. If necessary, other maintenance to
  production servers will occur on the second Sunday of the month between
  12am and 8am.
o All other scheduled maintenance will be announced at least three days in
  advance. Any maintenance likely to affect the availability of the servers will
  be performed on a weekday between 5am and 8am if possible.

Emergency Maintenance

o Emergency maintenance will occur as needed. The first priority will be to
  prevent service loss or to restore service. Consequently, emergency
  maintenance may be performed without advance notice to clients. Clients will
  be notified of the emergency maintenance as soon as possible, before or after,
  as the situation allows.
o A System Administrator is on call 24 hours a day, 7 days a week. During an
  emergency the system administrator will give their best effort to restore
  service. However, there is no guaranteed response or recovery time during an
  emergency.




Data Encryption

o The production web servers have certificates to support SSL.
o Encryption of direct communications with the database servers provided or
  encryption of communications with any client share must be requested
  explicitly and may require additional fees.

Virtual Host Names

o Sub-Domain names are available, for example, ProjectName.indiana.edu.
o Designer Domain names are available for a fee, for example, ProjectName.org.
o Certificates for virtual host names are also available for a fee.

Central Authentication Service

o The Consolidated Hosting Environment supports the use of the Central
  Authentication Server for limiting access to web pages.

Security Scanning

o Web applications hosted in the Consolidated Hosting Environment are subject
  to security scanning by the University Information Policy Office. The client is
  responsible for fixing vulnerabilities revealed by a security scan.


Fees



Basic service fees

o Web, Database, and Application:
  - Departments (all campuses): $100 per month
  - Auxiliaries (all campuses): $150 per month
o Web only:
  - Departments (all campuses): $40 per month
  - Auxiliaries (all campuses): $60 per month
o Database only:
  - Departments (all campuses): $80 per month
  - Auxiliaries (all campuses): $120 per month
o Application Serving only:
  - Departments (all campuses): $80 per month
  - Auxiliaries (all campuses): $120 per month
o Billing begins when the application goes into production and at the beginning
  of any subsequent fiscal year.
o The annual billing rate is 10 times the monthly rate.
o The minimum fee is the monthly rate.
o An additional fee equal to the monthly rate is incurred each time the service is
  restored for intermittent use.

Virtual web site hosting

o No additional fee

Secure Socket Layers (SSL) hosting

o Cost of certificate (free)

Additional disk space fees

o All workspaces include 5 GB of disk space. The space includes:
  - Script, image, and data files on file share
  - Database data, log, and backup files
  - Development, test, and production
o The cost for additional disk space is:
  - $4 per year for each additional 1 GB of space
o Charges for additional file spaces are based on average monthly usage during
  the previous fiscal year.
o There is no monthly fee for additional disk space.

Training and Experience

o Developers must have the proper training and experience to use the
  environment effectively.
o Classes covering the web design, database design, ASP/.Net and ColdFusion
  fundamentals are available from IT Training and Education.


Access Control

Access is controlled by Active Directory (ADS) domain groups. There is a group for the
following roles: “Developers, Users, and Readers”. The groups have the following
permissions. In addition, there are two database server logins available for use.

Web Server File Permissions

                                    Development   Test     Production
ADS\IU-CHE-ProjectName-Developers   Change        Read     none
ADS\IU-CHE-ProjectName-Users        none          none     none
ADS\IU-CHE-ProjectName-Readers      none          none     none

Database Server Permissions

                                    Development                 Test and Production
ADS\IU-CHE-ProjectName-Developers   database owner              datareader
ADS\IU-CHE-ProjectName-Users        datareader and datawriter   datareader and datawriter
ADS\IU-CHE-ProjectName-Readers      datareader                  datareader
SQL Server\ProjectName-Owner        database owner              datareader and datawriter
SQL Server\ProjectName-User         datareader and datawriter   datareader and datawriter

Application Server File Permissions

                                    Development   Test     Production
ADS\IU-CHE-ProjectName-Developers   Change        Change   Change
ADS\IU-CHE-ProjectName-Users        Change        Change   Change
ADS\IU-CHE-ProjectName-Readers      Read          Read     Read

Change - members of a group with this access can create, modify, delete, and read files.

Read - members of a group with this access can only read files.

Database Owner - members of a group with this access can create, alter, and drop
database objects in addition to reading and writing all data in the database.

Datareader - members of a group with this access can read data in all tables in the
database.

Datawriter - members of a group with this access can write (insert, update, and delete)
data in all tables in the database.
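
The three tables above can be checked mechanically. This added example (not part of the agreement or any UITS tooling) encodes them as a baseline and flags observed grants that are broader, such as a temporary production database owner elevation that was never withdrawn; the `SAMPLE` grants and all function names are constructed for illustration.

```python
"""Added example (not part of the agreement): flag grants for one project
that exceed the baseline in the three Access Control tables."""

# Capabilities implied by each permission name, following the definitions.
CAPS = {
    "none": frozenset(),
    "read": frozenset({"read"}),
    "change": frozenset({"read", "create", "modify", "delete"}),
    "datareader": frozenset({"read"}),
    "datawriter": frozenset({"write"}),
    "database owner": frozenset({"read", "write", "ddl"}),
}
ENVS = ("development", "test", "production")
RW = "datareader and datawriter"

def row(dev, test, prod):
    return dict(zip(ENVS, (dev, test, prod)))

# Principals are keyed by the suffix after the group or login prefix. The
# database table has one "Test and Production" column, used for both.
BASELINE = {
    "web": {
        "Developers": row("change", "read", "none"),
        "Users": row("none", "none", "none"),
        "Readers": row("none", "none", "none"),
    },
    "database": {
        "Developers": row("database owner", "datareader", "datareader"),
        "Users": row(RW, RW, RW),
        "Readers": row("datareader", "datareader", "datareader"),
        "Owner": row("database owner", RW, RW),
        "User": row(RW, RW, RW),
    },
    "application": {
        "Developers": row("change", "change", "change"),
        "Users": row("change", "change", "change"),
        "Readers": row("read", "read", "read"),
    },
}

def caps(grant):
    """Expand a grant such as 'datareader and datawriter' into capabilities."""
    result = set()
    for part in grant.lower().split(" and "):
        result |= CAPS[part.strip()]  # KeyError means an unknown permission
    return result

def audit(observed):
    """Return (tier, principal, environment, reason) for every observed grant
    that is broader than the baseline or belongs to an unlisted principal."""
    findings = []
    for tier, principal, env, grant in observed:
        allowed = BASELINE.get(tier, {}).get(principal)
        if allowed is None:
            findings.append((tier, principal, env, "principal not in baseline"))
            continue
        try:
            granted = caps(grant)
        except KeyError:
            findings.append((tier, principal, env, "unknown permission: " + grant))
            continue
        excess = granted - caps(allowed[env])
        if excess:
            findings.append(
                (tier, principal, env, "excess: " + ", ".join(sorted(excess))))
    return findings

# Constructed sample of observed grants, not real data.
SAMPLE = [
    ("database", "Developers", "production", "database owner"),
    ("web", "Developers", "test", "Change"),
    ("application", "Readers", "production", "Read"),
    ("database", "Users", "test", "datareader"),
    ("database", "Contractors", "production", "datareader"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

Grants narrower than the baseline (the fourth sample row) are not reported, since the check only looks for excess access.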


Web Site and Virtual Directory Settings

Web accessibility is controlled by web site or virtual directory settings. These settings
determine the type of file that can be served from a folder and the users that can access
the folder. The use of .htm or .html files requires read access to the folder containing
them. Any folder that allows read access to .htm and .html files also allows read access to
many other file types. The use of .cfm, .asp, or .aspx files requires "Scripts Only" execute
permission on the folder containing them. Also, a folder may be set to "Require Secure
Socket Layers" to ensure the use of SSL is mandatory and not optional.

In addition, access to each web accessible folder can be controlled by user account. By
default the anonymous web user account (iusr_servername) has access to all web
accessible folders. However, you may want to remove access by the anonymous web user
in order to control access by Windows Integrated Security. This would require a user to
have an ADS domain account in order to log on. You would have to request these
configuration changes to use Windows Integrated Security to protect your web accessible
folders.

You also have the ability to use the Central Authentication Service (CAS) to control
access to web accessible folders. Placing a file named CasIsapiSecurity.txt (the file can
be empty) in any folder would force any user to have a CAS ticket to access the folder. If
the user doesn’t have a CAS ticket they are redirected to the CAS server to log on using
their network id. You do not have to request configuration changes to use CAS to protect
your web accessible folders.
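
Because the anonymous web user can read every web accessible folder by default, it is worth listing the folders that serve pages without the CAS marker file. This added example is not part of the agreement; it assumes the marker is evaluated per folder (the agreement does not say whether subfolders inherit it), and the sample tree and function names are constructed.

```python
"""Added example: list web-accessible folders that serve pages but carry no
CasIsapiSecurity.txt marker."""
import os

MARKER = "casisapisecurity.txt"                      # compared case-insensitively
SERVED = (".htm", ".html", ".cfm", ".asp", ".aspx")  # page types named above


def folders_without_cas_marker(root):
    """Return sorted relative paths of folders under root that hold served
    pages but no marker file. Assumption: each folder is judged on its own,
    because the agreement does not say whether a marker covers subfolders."""
    unprotected = []
    for folder, _subdirs, files in os.walk(root):
        names = [name.lower() for name in files]
        serves_pages = any(name.endswith(SERVED) for name in names)
        if serves_pages and MARKER not in names:
            rel = os.path.relpath(folder, root)
            unprotected.append(rel.replace(os.sep, "/"))
    return sorted(unprotected)


def build_sample_tree(root):
    """Create a small constructed site layout for demonstration."""
    layout = {
        "": ["index.html"],
        "admin": ["default.aspx", "CasIsapiSecurity.txt"],
        "admin/reports": ["monthly.cfm"],
        "images": ["logo.png"],
        "intranet": ["home.asp", "casisapisecurity.TXT"],
    }
    for rel, files in layout.items():
        path = os.path.join(root, *rel.split("/")) if rel else root
        os.makedirs(path, exist_ok=True)
        for name in files:
            open(os.path.join(path, name), "w").close()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder in folders_without_cas_marker(tmp):
            print("no CAS marker:", folder)
```

A folder in the result may still be protected by Windows Integrated Security or be intentionally public; the list is a starting point for review, not a verdict.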

The default web site and virtual directory configuration settings are:

Web server application configuration defaults:

  Enable session state: on
  Session timeout: 20 minutes
  Enable buffering: on
  Enable parent paths: on
  Asp Script Timeout: 90 seconds

Documents Defaults: none

Directory Security Defaults:

  Anonymous web access (iusr_servername): read access to all folders
  Integrated Windows Authentication: on
  Folder permissions: read and scripts execute access to all folders

.Net Framework Defaults:

  All .Net applications will be configured to use the Framework version 1.1 by default.
  This can be changed to other versions upon request.

ColdFusion Defaults:

  Debugging IP addresses on development and test server: none
  Data sources: Projects for clients using ColdFusion have a data source name configured
  for use. The data source name is the same as the Project name or has the form
  LocalProjectNameMssql. Additional data source names are available upon request.



Approval


An email response from a client contact accepting this agreement is all that is required. A
signed copy of this agreement can be provided upon request.