Get real: the security of your network users' digital identities has become crucial. It's time to look at authentication technology. (Technology).


With hundreds of millions of people using the Internet every day, creating and managing digital identities has become a major challenge for operators of online information services. Many of those Internet users have, in fact, multiple identities (as employees, students, subscribers, customers), and those roles and relationships need to be accurate, trustworthy, and secure. Each digital identity also has its own life cycle, with attributes, credentials, and access permissions that can change daily. Establishing authoritatively who a network user is falls to the technical domain of "authentication," the bedrock of Internet-based transactions.

But colleges and universities have historically favored openness of network access over security concerns. For the most part, authentication of users has been done at the threshold of particular applications: primarily e-mail for faculty and students, and enterprise resource planning (ERP) systems for staff and administrative users. License agreements with software and content providers have been enforced by limiting access by IP address range. Right now, some IHEs require all computers used on the campus network to be registered, but many more do not. There are signs, however, that the protection of digital identities is becoming a higher priority on campuses. The University of Colorado-Boulder, for one, set a first-week-of-2003 deadline for encrypted authentication of all e-mail, telnet, and FTP sessions, with the goal of ensuring that no username-password pairing is sent over the network as plain text, where it can be stolen by anyone able to eavesdrop on the wire. Telnet, FTP, and the POP and IMAP mail protocols all transmit the password in the clear unless the session is wrapped in SSL/TLS or replaced with SSH; a single sniffer on a shared network segment or an open wireless network can harvest every login that passes.
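To make the eavesdropping risk concrete, here is an added example in Go; it is not code from the article or from the University of Colorado project. It scans a reassembled session transcript for username/password pairs sent in the clear, recognising the USER/PASS commands that FTP and POP3 use and the "login:"/"Password:" prompt sequence of a telnet login. The "C> "/"S> " line tagging, the function and type names, and the two sample sessions are all constructed for this example; a real capture tool would produce the transcript.

```go
package main

import (
	"fmt"
	"strings"
)

// Credential is one username/password pair observed in the clear.
type Credential struct {
	Protocol string
	User     string
	Password string
}

// ScanTranscript walks a reassembled, line-oriented transcript of one TCP
// session. Lines tagged "C> " went client to server, "S> " server to client
// (a tagging convention assumed for this example). It recognises:
//   - "USER name" followed by "PASS secret" (FTP, POP3)
//   - a server prompt ending in "login:" or "Password:" followed by the
//     client's typed reply (telnet)
// An SSL/TLS- or SSH-protected session yields no readable transcript at
// all, which is exactly what an encrypted-login policy buys.
func ScanTranscript(proto, transcript string) []Credential {
	var found []Credential
	pendingUser := "" // USER seen, PASS not yet seen
	expect := ""      // telnet: what the server's last prompt asked for
	telnetUser := ""
	for _, raw := range strings.Split(transcript, "\n") {
		line := strings.TrimRight(raw, "\r")
		switch {
		case strings.HasPrefix(line, "S> "):
			prompt := strings.ToLower(strings.TrimSpace(strings.TrimPrefix(line, "S> ")))
			if strings.HasSuffix(prompt, "login:") {
				expect = "user"
			} else if strings.HasSuffix(prompt, "password:") {
				expect = "password"
			}
		case strings.HasPrefix(line, "C> "):
			msg := strings.TrimSpace(strings.TrimPrefix(line, "C> "))
			want := expect
			expect = "" // a prompt is answered by exactly one client line
			fields := strings.Fields(msg)
			if len(fields) >= 2 && strings.EqualFold(fields[0], "USER") {
				pendingUser = fields[1]
				continue
			}
			if len(fields) >= 2 && strings.EqualFold(fields[0], "PASS") {
				if pendingUser != "" {
					found = append(found, Credential{proto, pendingUser, strings.Join(fields[1:], " ")})
					pendingUser = ""
				}
				continue
			}
			switch want {
			case "user":
				telnetUser = msg
			case "password":
				if telnetUser != "" {
					found = append(found, Credential{proto, telnetUser, msg})
					telnetUser = ""
				}
			}
		}
	}
	return found
}

// Constructed sample sessions (not real captured traffic).
const ftpSession = "S> 220 ftp.example.edu FTP server ready.\r\n" +
	"C> USER jdoe\r\n" +
	"S> 331 Password required for jdoe.\r\n" +
	"C> PASS hunter2\r\n" +
	"S> 230 User jdoe logged in.\r\n"

const telnetSession = "S> shell.example.edu login:\r\n" +
	"C> mlee\r\n" +
	"S> Password:\r\n" +
	"C> correct horse\r\n" +
	"S> Last login: Mon Feb  3 09:12:44 2003\r\n"

func main() {
	creds := append(ScanTranscript("ftp", ftpSession), ScanTranscript("telnet", telnetSession)...)
	for _, c := range creds {
		fmt.Printf("%s: user=%q password=%q\n", c.Protocol, c.User, c.Password)
	}
}
```

Run against live traffic, a scanner like this is how an administrator proves the policy is being met: any hit after the deadline is a client still using an unencrypted protocol.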

TOO MANY IDENTITIES

Identity information is typically maintained inside each information service or software application at an institution. Passwords and PINs are assigned and managed separately by the keepers of e-mail, the library, course management systems (CMS), ERPs, and departmental LANs. What's more, security practices vary widely in method and rigor, even on the same campus. To cope with the number of passwords to remember, many users choose the same password on every system that lets them pick their own. Others write their passwords in notebooks or carry them on paper in their wallets. Both habits undermine good password discipline by widening the damage from any one breach: a password captured from the weakest system, say an unencrypted departmental mail server, unlocks every other system where it was reused. Then, in the background, IT staff tending separate repositories of identity information duplicate one another's work, wasting valuable time and talent. Still, for all that effort, the institution's information services are no more secure. Each password-authenticated transaction is only as secure as the practices and standards of that particular application.

FINDING A CORE FOR IDENTITY

The good news is that valuable tools for identity authentication are already in widespread use. Kerberos, developed at MIT, is a server-based system that issues encrypted, time-limited tickets vouching for a user's identity; once a user has proved knowledge of a password to the Kerberos server, the tickets stand in for the password when other services are contacted, so the password itself never travels to those services. It is an open standard found in most authentication software. (For more on Kerberos, head to web.mit.edu/kerberos/www/krb5-1.2/index.html.) Lightweight Directory Access Protocol (LDAP), another open standard, is the protocol for querying a directory, and an LDAP directory is used as the repository for identity profiles and their corresponding access privileges. The most widely deployed commercial implementation of these tools is Microsoft Active Directory (www.microsoft.com), an LDAP directory with Kerberos authentication, on which Exchange Server depends for its accounts. On many campuses, these products were initially adopted for e-mail and network account management, but they have since gained added value because the underlying LDAP service can be used for user authentication by many other software packages.
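The following is an added Go example, not code from the article or from any product it names, showing the directory side of that shared credential store: how an LDAP server stores a password in the {SSHA} (salted SHA-1) form of the userPassword attribute, and how any application that trusts the directory verifies a login against it. The function names are this example's own. It also bears on the password-reuse problem described earlier: because each entry carries its own random salt, two directories holding the same password store different values, so reuse cannot be spotted by comparing hashes.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

const sshaPrefix = "{SSHA}"

// MakeSSHA returns the value a directory stores in userPassword for the
// salted-SHA-1 scheme: "{SSHA}" + base64( SHA1(password || salt) || salt ).
// If salt is nil a fresh 8-byte salt is drawn from crypto/rand.
func MakeSSHA(password string, salt []byte) (string, error) {
	if salt == nil {
		salt = make([]byte, 8)
		if _, err := rand.Read(salt); err != nil {
			return "", err
		}
	}
	h := sha1.New()
	h.Write([]byte(password))
	h.Write(salt)
	digest := h.Sum(nil)
	return sshaPrefix + base64.StdEncoding.EncodeToString(append(digest, salt...)), nil
}

// VerifySSHA checks a candidate password against a stored {SSHA} value.
// Every application that authenticates against the directory (directly, or
// by asking the server to perform the comparison in a bind) relies on this
// one check, which is what lets a single directory serve the whole campus.
func VerifySSHA(stored, password string) (bool, error) {
	if !strings.HasPrefix(stored, sshaPrefix) {
		return false, errors.New("not an {SSHA} value")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, sshaPrefix))
	if err != nil {
		return false, err
	}
	if len(raw) <= sha1.Size {
		return false, errors.New("value too short to contain a salt")
	}
	digest, salt := raw[:sha1.Size], raw[sha1.Size:]
	h := sha1.New()
	h.Write([]byte(password))
	h.Write(salt)
	// Constant-time compare so timing does not leak how many bytes matched.
	return subtle.ConstantTimeCompare(h.Sum(nil), digest) == 1, nil
}

func main() {
	a, _ := MakeSSHA("hunter2", nil)
	b, _ := MakeSSHA("hunter2", nil)
	fmt.Println(a)
	fmt.Println(b) // same password, different salt: the stored values differ
	ok, _ := VerifySSHA(a, "hunter2")
	fmt.Println("verify:", ok)
}
```

Two caveats for anyone deploying this: the salt defeats precomputed tables but SHA-1 is fast, so a stolen directory dump is still brute-forced quickly; where the server supports a deliberately slow scheme (OpenLDAP, for instance, ships contributed {PBKDF2} and {ARGON2} password modules) prefer it. And the attribute should be readable only by the directory itself; applications should authenticate by binding as the user, not by fetching the hash.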

Kerberos and LDAP also figure in the emerging Public Key Infrastructure (PKI) method of user authentication, which uses digitally signed "certificates," issued by a certificate authority (CA), to vouch for properly identified network users; the directory typically publishes the certificates and revocation lists, and a certificate can take the place of a password for the initial Kerberos login. At Dartmouth College, Kerberos has been in use since the mid-1980s to allow different directory systems, including some custom written at Dartmouth, to share user credentials. A pilot project currently under way at Dartmouth uses Entrust's PKI software (Entrust Authority, Directory, and Entelligence products; go to www.entrust.com) to verify digital signatures on electronic payroll authorizations. The library hopes to adopt the same PKI solution in place of IP address checking when granting access to vendor-supplied information products. To date, Dartmouth has invested approximately $50,000 in developing its PKI capability and estimates that eventual campuswide expansion could run to $500,000.
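Here is an added example in Go of the payroll-authorization flow the paragraph describes; it is not Dartmouth's or Entrust's code. A campus CA issues a signing certificate to an approver, the approver signs the authorization, and payroll accepts it only if the certificate chains to the campus CA, is valid for signing, and the signature verifies under its key. The use of Ed25519 keys, the certificate names, and the document text are this example's assumptions; a commercial PKI would typically use RSA and add revocation checking (CRL or OCSP), which is omitted here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issueCert signs template with parentKey. Passing the template as its own
// parent produces a self-signed root.
func issueCert(template, parent *x509.Certificate, pub ed25519.PublicKey, parentKey ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCampusCA creates the self-signed root that every verifier trusts.
func NewCampusCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := issueCert(tmpl, tmpl, pub, priv)
	return cert, priv, err
}

// IssueUserCert has the CA vouch for one person's signing key. The key
// usage restricts the certificate to signing; it is not a CA.
func IssueUserCert(ca *x509.Certificate, caKey ed25519.PrivateKey, serial int64, user string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	cert, err := issueCert(tmpl, ca, pub, caKey)
	return cert, priv, err
}

// SignAuthorization runs on the approver's workstation.
func SignAuthorization(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

// VerifyAuthorization runs in payroll. Checking the signature alone is not
// enough: anyone can mint a certificate with any name, so the chain to the
// campus CA is what ties the key to a real approver. Returns the approver's name.
func VerifyAuthorization(roots *x509.CertPool, cert *x509.Certificate, doc, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return "", errors.New("certificate not issued for signing")
	}
	if err := cert.CheckSignature(x509.PureEd25519, doc, sig); err != nil {
		return "", fmt.Errorf("signature invalid: %w", err)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, caKey, _ := NewCampusCA("Example College Root CA")
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	userCert, userKey, _ := IssueUserCert(ca, caKey, 2, "Pat Jones, Department Chair")
	doc := []byte("PAYROLL AUTH 2003-02 dept=History amount=41250.00") // constructed
	sig := SignAuthorization(userKey, doc)
	fmt.Println(VerifyAuthorization(roots, userCert, doc, sig))
	fmt.Println(VerifyAuthorization(roots, userCert, []byte("PAYROLL AUTH 2003-02 dept=History amount=91250.00"), sig))
}
```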

FEDERATED IDENTITY

The Internet2 Shibboleth Project is a collaborative effort to build an inter-institutional standard for authentication, built on the OASIS SAML standard, wherein each user's home campus is responsible for the original authentication (for more information, head to www.shibboleth.internet2.edu). Once the home campus has established the identity, it issues a signed assertion about the user that other schools participating in the Shibboleth framework accept; the visited campus never sees the user's password, only the attributes the home campus chooses to release. This "federated" approach to authentication retains local control of private information while allowing network users to access resources on other campuses. For example, a student taking a course at another college may need to use licensed information sources. Shibboleth aims to use the student's home-campus authentication to satisfy the access requirements at the campus where that student is a visitor.
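The exchange between the home campus and the visited campus, as an added Go example that is not the Shibboleth project's code: the home campus's identity provider signs an assertion after authenticating the user locally, and the visited campus's service accepts it only if the issuer is a federation member whose key it holds, the signature verifies, the assertion names this service as its audience, and it has not expired. The JSON assertion, its field names, and the use of Ed25519 are simplifications assumed here; Shibboleth carries the same checks in SAML assertions with XML signatures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is what the home campus (the identity provider) states about a
// user it has just authenticated. A simplification of a SAML assertion.
type Assertion struct {
	Issuer     string            `json:"issuer"`     // home campus
	Audience   string            `json:"audience"`   // the one service this is for
	Subject    string            `json:"subject"`    // user identifier released to the service
	Attributes map[string]string `json:"attributes"` // e.g. affiliation; never the password
	IssuedAt   int64             `json:"iat"`
	ExpiresAt  int64             `json:"exp"`
}

// Token is the signed assertion the user's browser carries to the service.
type Token struct {
	Assertion []byte // the exact bytes that were signed
	Signature []byte
}

// IdP holds the home campus's signing key.
type IdP struct {
	Name string
	key  ed25519.PrivateKey
}

func NewIdP(name string) (*IdP, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &IdP{Name: name, key: priv}, pub, err
}

// Issue is called only after the IdP has authenticated the user itself.
func (p *IdP) Issue(subject, audience string, attrs map[string]string, ttl time.Duration, now time.Time) (Token, error) {
	a := Assertion{Issuer: p.Name, Audience: audience, Subject: subject, Attributes: attrs,
		IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix()}
	body, err := json.Marshal(a)
	if err != nil {
		return Token{}, err
	}
	return Token{Assertion: body, Signature: ed25519.Sign(p.key, body)}, nil
}

// ServiceProvider is a resource at the visited campus. It knows the public
// keys of the federation's IdPs (distributed as federation metadata) and
// its own name, which assertions must be addressed to.
type ServiceProvider struct {
	Name        string
	TrustedIdPs map[string]ed25519.PublicKey
}

// Accept validates a token and returns the assertion the service may rely on.
func (sp *ServiceProvider) Accept(tok Token, now time.Time) (*Assertion, error) {
	var a Assertion
	if err := json.Unmarshal(tok.Assertion, &a); err != nil {
		return nil, err
	}
	// The issuer field is untrusted until the signature checks out; it only
	// selects which trusted key to verify with.
	pub, ok := sp.TrustedIdPs[a.Issuer]
	if !ok {
		return nil, fmt.Errorf("issuer %q is not in the federation", a.Issuer)
	}
	if !ed25519.Verify(pub, tok.Assertion, tok.Signature) {
		return nil, errors.New("signature does not verify under the issuer's key")
	}
	if a.Audience != sp.Name {
		return nil, fmt.Errorf("assertion issued for %q, not %q", a.Audience, sp.Name)
	}
	if now.Unix() >= a.ExpiresAt || now.Unix() < a.IssuedAt {
		return nil, errors.New("assertion expired or not yet valid")
	}
	return &a, nil
}

func main() {
	idp, pub, _ := NewIdP("idp.home.edu")
	library := &ServiceProvider{Name: "library.visited.edu",
		TrustedIdPs: map[string]ed25519.PublicKey{"idp.home.edu": pub}}
	now := time.Now()
	tok, _ := idp.Issue("s123@home.edu", library.Name,
		map[string]string{"eduPersonScopedAffiliation": "student@home.edu"}, 5*time.Minute, now)
	fmt.Println(library.Accept(tok, now))
	erp := &ServiceProvider{Name: "erp.visited.edu", TrustedIdPs: library.TrustedIdPs}
	fmt.Println(erp.Accept(tok, now)) // the same token replayed to a different service is refused
}
```

The audience check is the one most often skipped in home-grown single sign-on: without it, an assertion captured from a low-value service can be replayed to a high-value one. Production SAML additionally gives each assertion a unique ID that the service records so it is accepted at most once within its validity window.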

INTEGRATED SERVICES

Princeton University has embarked on an ambitious initiative to unify its various portals into a meta-portal with a single sign-on. More than 42 Web sites with a "princeton.edu" address provide online services at the university; resources are scattered, requiring campus community members to visit multiple Web sites to find the information they need. The meta-portal project is being built on the platform of Sun Microsystems' (www.sun.com) Open Network Environment (Sun ONE). The Sun ONE architecture connects an identity management platform with an application and Web services integration layer, giving users seamless access to resources that actually reside in different systems. David Koehler, director of Information Systems at Princeton, explains that the challenge is to build service components that are shared among applications rather than built individually into each of them. The goal is to make gradual investments in the Sun ONE architecture, concentrating on flexible and automated access to existing digital assets.

DEVICE-INDEPENDENT AUTHENTICATION

In 2001, Harvard Medical School (HMS) began implementing a campuswide authentication and access policy management solution for wireless devices. The basic requirements were that it be browser-based, support SSL (Secure Sockets Layer) encryption so that the login itself is not exposed over the air, support Harvard's standard ID and PIN authentication practices, and have a menu interface for end users. Wireless LAN gateway products from Bluesocket (www.bluesocket.com) were adopted for the project. Today, users of wireless laptop computers and PDAs connect to the network anywhere on the "HMS Wireless Quad" through a single, authenticated login. Steve Martino, director of IT Computing and Network Infrastructure at the school, says, "We wanted to ensure continued access when a wireless user leaves his local network and comes within access range of another network." It was also important that the wireless authentication solution use Harvard's existing LDAP service and that it authenticate users, not hardware devices; a device-based scheme such as registering MAC addresses ties a person to one machine and can be defeated by anyone who learns and copies the address. Wireless networks are ideal in medical settings, as medical students and doctors move among multiple facilities, including classrooms, labs, patient treatment rooms, the library, and operating rooms. The ability to maintain network connectivity while on the move is valuable; the need to keep track of users' identities and authorizations could not be allowed to tie users to specific devices and work sites.

RETURN ON INVESTMENT

Central authentication for multiple applications is coming first to major research institutions and only very slowly to other IHEs. Single sign-on at schools with only three or four campuswide applications (e-mail, CMS, ERP) is still widely regarded as a convenience. And security still ranks behind open access in the design of most campus networks--although most network administrators find themselves spending more of their time addressing security issues. Eliminating the need to administer multiple authentication schemes is one pathway to better security management and greater network staff productivity.

But there are two further benefits in campuswide authentication that IHEs need to consider, according to Mark Resmer, chief technology officer at eCollege (www.ecollege.com). One is risk avoidance: the need to protect against unauthorized access to licensed resources. Another is confidentiality: FERPA (the Family Educational Rights and Privacy Act) and other statutes require protection against unauthorized access to institutional databases, which is hard to enforce when a campus has multiple, independently administered authentication spaces. Is the time right for you to be moving those authentication initiatives forward? Never better, say those in the know.

Tom Warger is a consultant for Edutech International (www.edutech-int.com).
COPYRIGHT 2003 Professional Media Group LLC
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2003, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Author: Warger, Tom
Publication: University Business
Date: Feb 1, 2003
Words: 1341