Find a way to balance IT security with academic freedom.
Universities and colleges, known for encouraging the free exchange of ideas, are grappling with ways in which to incorporate identity management solutions into their IT infrastructure without compromising creativity, research or the aura of academia.
So institutions are turning to identity management to protect data by verifying that users are who they claim to be and can access only the information they have been cleared to view or alter. Identity management is composed of policies and technologies that not only assure identity but also determine how an organization will manage, revoke or track identities and their computer use.
In short, identity management makes sure the right people access the right services.
In today’s climate of audits, government and industry regulations and cybercrime, it is not surprising to find more higher education institutions investing in identity management products and services.
Besides ensuring the validity of a user’s name, status and access, successful identity management can improve services because it prevents illicit allocation of bandwidth, reduces the need for individual password protection and allows IT administrators to be more proactive rather than reactive.
“Many campus processes depend on having readily available, well-managed information identifying members of the campus community, their roles and the campus resources they can access,” says Randy Cetin, director of systems and technology services, Campus Information Technologies and Educational Services, at the University of Illinois at Urbana-Champaign. “Identity management solutions can also enable collaboration and secure sharing of electronic resources with other institutions or agencies.”
No. 2 — Identity/Access Management’s ranking as an issue expected to become more significant in 2008
Keys to Success
A good identity management solution often includes software from vendors tweaked with homegrown applications.
The University of Illinois at Urbana-Champaign selected IBM Tivoli Directory Integrator and Tivoli Directory Server as the foundation for its identity management system. Today, the university is in the first phase of identity management — the creation of a foundation for an extensible solution that maintains existing functionality, improves data accuracy and does not interrupt current business practices, Cetin says.
Future phases will address new functionality, such as timely and secure sharing of resources with external collaborators, Cetin adds.
“There are a number of solutions available, but we wanted something that gave us more flexibility with integration of data from many different sources without the need to significantly change business practices,” he says. “This was important because of the decentralized nature of the Illinois campus and the recognition that identity data originates from many different campus units. The Tivoli products allowed us to bring all the data sources together into a single repository with minimal changes to existing processes.”
Indiana University uses Microsoft Identity Integration Server (MIIS) and Windows Server’s Automated Deployment Services (ADS), along with MIT Kerberos, a suite of free software published by the Massachusetts Institute of Technology that lets the user and server verify each other’s identity.
“We have several technologies employed. MIIS is core to our tracking of people and managing identity,” says Dennis Cromwell, associate vice president, enterprise infrastructure at Indiana University. “It runs our provisioning and deprovisioning service. We use MIT Kerberos and Microsoft ADS to handle authentication. ADS groups and an LDAP [Lightweight Directory Access Protocol] directory drive our authorization services. We tie this together with in-house developed applications.”
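The lifecycle sketched in the Illinois and Indiana descriptions above, merging identity data from several campus units into one repository and letting group membership drive authorization, as an added Python example (not code from either university, Tivoli or MIIS); the feeds, identifiers and group names are constructed for illustration.

```python
"""Added example (not any institution's or vendor's code): reconcile two
constructed authoritative feeds into one identity repository."""

# Constructed feeds. Each unit asserts one affiliation only:
# the registrar asserts "student", HR asserts "employee".
REGISTRAR = [{"id": "u1001", "status": "enrolled"},
             {"id": "u1002", "status": "withdrawn"}]
HR = [{"id": "u2001", "dept": "physics"},
      {"id": "u1001", "dept": "library"}]  # student who is also employed
# Repository before this run: u1001 is known only as a student, u1002
# still holds student access, and u3000 has disappeared from every feed.
EXISTING_REPO = {"u1001": {"cn=students", "cn=library-patrons"},
                 "u1002": {"cn=students", "cn=library-patrons"},
                 "u3000": {"cn=staff", "cn=library-patrons"}}
# Groups (hypothetical names) drive authorization; a group is granted
# when the identity holds any of the listed affiliations.
GROUP_RULES = {"cn=students": {"student"},
               "cn=staff": {"employee"},
               "cn=library-patrons": {"student", "employee"}}

def affiliations(registrar, hr):
    """Merge the feeds: identity id -> set of affiliations."""
    aff = {}
    for rec in registrar:
        if rec["status"] == "enrolled":  # a withdrawn student asserts nothing
            aff.setdefault(rec["id"], set()).add("student")
    for rec in hr:
        aff.setdefault(rec["id"], set()).add("employee")
    return aff

def groups_for(affs):
    return {g for g, allowed in GROUP_RULES.items() if affs & allowed}

def reconcile(repo, registrar, hr):
    """Return (provision, deprovision, changed, new_repo)."""
    new_repo = {uid: groups_for(a) for uid, a in affiliations(registrar, hr).items()}
    provision = {uid: g for uid, g in new_repo.items() if uid not in repo}
    deprovision = {uid for uid in repo if uid not in new_repo}
    changed = {uid: g for uid, g in new_repo.items()
               if uid in repo and repo[uid] != g}
    return provision, deprovision, changed, new_repo

def is_authorized(repo, uid, group):
    """Access decision comes from the repository, never from one feed."""
    return group in repo.get(uid, set())
```

Note that a withdrawal in the registrar feed removes only the student affiliation; an identity still asserted by HR keeps its employee groups, which is the single-source-of-record rule the aggregation relies on.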
Join the Gang
Another driver for identity management among higher education institutions is the reality that many campuses share resources, such as research and libraries. That spirit of collaboration generates a greater need for identity management.
The University of California — consisting of 10 campuses and many other locations, five medical centers and three laboratories — wanted to provide its autonomous membership with an efficient, yet unobtrusive, way to ensure identity management, says David Walker, director of advanced technologies, Information Resources and Communication, at the Oakland, Calif.-based university system.
“We see a clear and great need to be able to share resources, and one of the things we need to do is identify users of these systems,” Walker says. “Without incorporating identity management, campuses would not know users’ validity or scope of access.”
Five years ago, the university system began working on a public key infrastructure (PKI) system, he says. However, by the time the organization arrived at the fourth year of this project, it realized PKI — which relies heavily on directories — was not the best fit for the University of California’s autonomous campuses and decentralized IT management structure.
That put the university back at square one when it came to being able to ensure students and faculty were who they said they were without having to deal with logins and passwords on an application-by-application basis.
“Now we really had the problem we predicted we would have four years ago,” Walker says.
Rather than duplicate work, the University of California employed some of the results from InCommon Federation, an association of higher ed institutions formed to create and support a common framework for authorization and authentication (see sidebar). Walker says all the University of California campuses must join InCommon, but the university did not want to eliminate the campuses’ autonomy.
“We’re leveraging what campuses have already implemented,” Walker says. “In a state the size of California, it doesn’t make sense to do identity management centrally. You need local people to check licenses and so forth. A lot of capabilities need to be well aligned with what’s going on at each campus.”
Authentication, authorization and access control are building blocks of identity management.
Whether they choose to customize or roll out a commercial identity management package, or they tap their internal resources to create a solution, the need for these solutions is all too clear, say IT professionals in higher education.
Without this approach, schools must continue to rely on individual logins and passwords for each application, often stuck on Post-It notes or otherwise easily discovered. Finding the financial resources to implement identity management solutions, however, can be more difficult.
“It’s better to take the identification management outside of the individual applications,” says Walker. “The explosion of applications is not going away.”
Neither is the need to successfully balance access, security and privacy. Identity management fits with any campuswide initiatives to fulfill that goal.
“One other beneficial outcome of the Illinois identity management project is establishment of a high-level governance team for identity-related policies and priorities,” Cetin says. “The team will also help ensure that privacy, confidentiality and security can be appropriately balanced to carry out campus business while honoring the rights of all members of our community.”
Something in Common
Higher education institutions do not have to face the identity management challenge alone. Professionals from a number of leading colleges and universities are working together as the InCommon Federation (www.incommonfederation.org) to create and support a common framework for trustworthy shared management of access to online resources in support of education and research in the United States.
The federation uses the standards-based open source middleware application Shibboleth for its authentication and authorization framework. Its members include Stanford University, Cornell University, Penn State, New York University, the University of Washington and all the University of California campuses.
A Multisize, Multiphase Project
Rather than seeking a one-size-fits-all identity management solution, colleges and universities are picking the best offerings from multiple providers in order to best meet their security requirements.
“We have a set of technologies that address many of these aspects and we continue to adjust to keep up with the demands of the university and its constituents,” says Dennis Cromwell, associate vice president of enterprise infrastructure at Indiana University. “We do not believe a single vendor or single solution provides all the answers.”
Identity management must complement existing security technologies and practices and actually improve the user experience by eliminating the need for multiple login names and passwords, Cromwell says. Some colleges and universities are tying commercial applications with internally written programs to seamlessly integrate identity management into their infrastructure. Others are integrating several vendors’ programs to come up with an identity management program.
Institutions also see identity management as a project best implemented in phases.
“During the first phase, we’re building the foundation of an extensible identity management solution that maintains all existing functionality, improves data accuracy and doesn’t interrupt existing business processes,” says Randy Cetin, director of systems and technology services for Campus Information Technologies and Educational Services at the University of Illinois at Urbana-Champaign. “Subsequent phases will focus on new functionality, including timely and secure sharing of resources with external collaborators.”
Educational institutions can depend on existing relationships with vendors and solution providers, their internal IT expertise and the published results of their counterparts at other schools in order to deliver an appropriate, expandable and secure identity management solution for their community.