
Password protected: identity management can keep an IHE safer, but making these systems easy to use can be tricky.


ALTHOUGH IT CAUSES IT SUPPORT EMPLOYEES TO CRINGE, with reason, people sometimes recall passwords by writing them on Post-It Notes and sticking them to a computer monitor. In the past at Chippewa Valley Technical College (Wis.), that tactic would have begun to obscure the screen.

Before its identity management (IdM) strategies were made more cohesive by bringing together disparate systems on campus, faculty and staff frequently had at least seven passwords to remember. "There just wasn't a uniform system," says Chief Information Administrator Adam Stavn. "We began evaluating some of the products we had in place and integrating those with [Microsoft's] Active Directory." The college implemented "single sign-on" for about half its software and systems, which allows users to log in once to a webpage that acts as a portal to several applications.

"Mainly, it wasn't so much about the technical pieces, since there are many products available and we could always build something if we needed it," Stavn notes. "Instead, the hardest part was getting end users to understand new policies and procedures. It was more than a cultural change; it was a paradigm shift."

With more and more colleges and universities divulging security breaches, network lockdown has become a pressing concern everywhere. In its "2006 Current Issues Survey," EDUCAUSE identified security and identity management as the top IT issue for higher ed institutions. The survey report predicts that the challenge to keep information safe will become even more crucial in an increasingly digital world.

Security controls that route network traffic, create extensive logs, and do high-level intrusion detection are vital, but equally important for IHEs is the ability to verify system users. If someone can easily pose as a student or administrator and surf through sensitive databases, it puts the entire institution at risk and makes online data vulnerable to further breaches.

But meeting institutional needs can sometimes be tricky when it comes to making the user experience an easy one. As Chippewa administrators found, securing multiple systems and requiring numerous levels of authentication can be frustrating for users--and lead to more support costs in the long run.

As institutions work to keep data and networks safe, they're learning to balance user needs, implementation challenges, and funding limits, and finding there's much more to IdM than setting up a password protection scheme.

Management Office

Although IdM is necessary for institution-wide security, the tactic has other benefits for IHEs as well, including compliance with federal mandates like the Health Insurance Portability and Accountability Act, the Family Educational Rights and Privacy Act, and the Gramm-Leach-Bliley Act. Most colleges and universities have already stopped using Social Security numbers to identify individuals, due in part to legislation that mandates the utilization of other identification methods.

In addition to boosting security and privacy, IdM systems can also bring more budgetary and resource efficiencies into an institution--through lowered support costs, better communication among departments, and a more cohesive on-campus system.

But seeing IdM's benefits and putting in a crackerjack system can be two different things. According to the network infrastructure research and advisory firm Burton Group, IdM isn't just technology, but a set of business processes, policies, and supporting architecture for the creation, maintenance, and use of digital identities. In other words, an institution's CIO had better have significant openings in his or her schedule, because the meetings will be ongoing.

"In creating a workable system, you're trying to balance the needs of many people and meet goals of collaboration without sacrificing security and privacy," says Dan Nanto, software architect in the Information Technology Services department at Vanderbilt University (Tenn.).

When Nanto came to Vanderbilt in 2005, he found a homegrown account provisioning service that didn't have very strong documentation and was difficult to maintain. In helping to create an industry-standard system that provided more security and used a central provisioning setup, he learned that getting the right technology was the easy part. "The biggest issue in making a major shift like this is the politics," he says. "People working here had built the system, they believed in it, and they were used to using it. It was hard for them to see that doing it any other way would be better."

Vanderbilt rolled out the first phase of a new IdM system from Sun Microsystems in December 2006, and the plan is to redirect management from the older system to the new. Taking the implementation in phases has helped soothe the political wrangles, Nanto says, but he's still not sure that a "big bang" approach wouldn't be better in the long run.

"Doing everything at once would alleviate the support problems of trying to have two different authentication systems," he says. "But we have to make sure that however we do it, everyone is involved in the decision and agreeing that this is the right direction. You can't make a decision as an island; you can't surprise people with big changes."

Beyond getting cross-institutional buy-in, creating a system that can handle the changing roles of those who are in the network can be another significant hurdle. For example, a prospective student--let's call him Joe Campus--might be given a certain level of access within the network in order to "look around" at university resources while making his decision. If Joe becomes a student, another level of access is needed, and then the process gets even trickier if Joe gets an on-campus job, takes a few classes at another school, gets hired as a teacher's assistant, goes on to grad school, and finally graduates, becoming an alumnus.

At each level, Joe will have access to different databases and systems, ranging from library resources to grading systems to alumni records. Now take Joe and multiply him by 10,000 or more. Then add in visiting professors, temporary staff members, volunteers, consultants, and vendors. The ensuing mix can be daunting for the technology staff at the IHE, particularly given the high turnover rate within the system.

"Companies might tout their identity management systems, but at no company will you find a turnover rate of 25 percent per year or more," says Barry Ribbeck, director of systems architecture and infrastructure at Rice University (Texas) and co-chair of the EDUCAUSE Identity Management working group. "Also, companies can assign usernames based on HR paperwork. At colleges and universities, you usually depend on self-assertion, which can become challenging."

In other words, how can an institution know that potential student Joe Campus is really who he claims to be? And, later, if that same person decides to be known as Joseph Campus, multiple records might be created. Often universities develop unique identifiers to make sure that people are tracked in a way other than their names, Ribbeck explains. Social Security numbers can't be used, but IHE-supplied numbers can be, as long as other security and privacy controls are in place to prevent hackers from matching up those identifiers with other information.

Rice is making great strides after years of not addressing IdM concerns, Ribbeck adds. The institution has it easier than some, with its smaller population of faculty, staff, and students. A security officer has been hired to put policies and procedures in place.

One of the largest goals at Rice is to expand user awareness of identity issues, which Ribbeck says can be difficult. "People have grown up in a culture where everything is open and free," he notes. "They like the collaborative aspect of the university network, but they really have to relearn how to protect themselves. We have to teach students, faculty, and staff the basics of identity protection. Otherwise, they're going to get burned."

Fresh Process

When communicating the need for better IdM to those on campus, the education tends to extend to lessons on personal computing devices, notes Harlan Jorgensen, director of computing resources at Northwestern College (Iowa).

"One of the biggest issues we face is students bringing in their own machines and logging on to the network," he says. "It can be difficult, because they need clean access, but we have to make sure that machine isn't a danger to the network." Northwestern has implemented technology from eTelemetry that helps to manage and identify user activity.

Jorgensen is currently in the process of writing more policies that address provisioning, account access, and IdM. In the past, he says, college officials felt confident because they had put up a strong intrusion detection system and solid firewalls, but then they gradually came to realize that those who resided within the college could be just as dangerous as those who were locked out. "We found that some students were finding ways around our rules in order to do file sharing," he says. To boost communication about new policies and help inform students in particular about IdM issues and general use of computing resources, Jorgensen and others on the technology staff are working with a student development council.

The group is helping to create policy and to decide when network privileges should be yanked because of abuse. Having students make such decisions for other students helps keep end users in mind when changing technology or implementing new procedures, Jorgensen says. Student involvement can also be a boon for creating new programs around sign-on changes, since students are certainly not shy in voicing their opinions. "Our goal is to have a high level of service for users," he adds. "One way to meet that goal is to find out what that means for users and what they expect."

At many IHEs, user acceptance can be boosted through increased automation, says Dinesh Bahad, senior director for education at Sun Microsystems. Robust provisioning systems that work behind the scenes can cut down on the number of passwords needed and, more importantly, remove users that shouldn't be in the system. "There needs to be a certain level of self-service, where users can go in and identify themselves and their roles and make sure they're not in the system twice," says Bahad. "But there should also be provisioning done at a level invisible to the user."

Systems like those available from Sun and other vendors can help assign access levels and deprovision accounts from departing employees or those who've been granted temporary access. But that automation could result in conflicts from multiple systems joining together. "There is much more complexity in a college or university system than one managed by an enterprise, so automation can be more useful at a school than at a company," says Bahad. "But keep in mind that the complexity might not necessarily be a technology problem. It may be a human problem that arises from employee and student systems mixing together."

Automation shouldn't be implemented for its own sake, Bahad adds, but rather because it solves existing difficulties like overly complex records management and IdM issues.

That kind of switch to a vendor-driven system is in progress at Northwestern University (Ill.), which is implementing Sun technology to replace a homegrown system that it's had in place for the past decade, according to Thomas Board, director of Information Systems Architecture at the university.

"We wanted an easily modifiable system," he says. "Our home-grown technology couldn't be maintained confidently and couldn't be changed fast enough to meet the needs of the institution."

Relying on a vendor will also give Northwestern more of an opportunity to implement industry standards, Board notes, and create a system that is easier to use for those on the network. In the past, the university relied on its Admissions and Human Resources departments to supply user identities for the system, but that tended to create duplication that could be frustrating for users.

"The real payoffs of identity management will come in the form of additional institutional processes that address how departments operate together, how policies are written, and what level of collaboration and openness is expected," says Board.

He adds, "For any institution, this should be the top item for discussion. If you don't have centralized ID management--if you have it distributed across the institution--you need to be taking a hard look at changing that over the next couple years."

Strong Protection

In general, IHEs seem to be rising to the challenges inherent in the IdM process, says David Murray, chief technology officer at administrative software provider SunGard Higher Education.

For those contemplating a fresh start for their IdM system and policies, or those who want to make their procedures stronger, Murray recommends beginning from the point of business priorities, rather than just fretting about potential security breaches and putting systems in place to prevent them. "If you start by looking at technology, you fall into the mode of reacting rather than acting," he says. "It can feel so big that it's overwhelming." He advises that administrators break down IdM into manageable pieces, starting with the development of milestones and objectives.

Working with IT services, a CIO should look at account provisioning, policy development, centralizing authentication, and creating a technology plan that makes sense for the IHE, rather than mimics what's being done elsewhere. Also, Murray notes, schools should understand their limitations as well.

"It's not practical to try and manage all the identities that are in the network, or [all who] want access," he says. "Some universities are like small cities, with visiting researchers and all kinds of complexities. And those cities are tied to others, if a school has a partnership with another university or college."

The breadth of IdM could make some CIOs and IT teams yearn for the days when all they had to do was remind staffers to stop using Post-It Notes for password management. But if they see IdM as a journey rather than a destination, it might help to advance toward steady improvement.

Elizabeth Millard is a freelance writer based in Saint Louis Park, Minn., who specializes in covering technology.

IT Security Attitudes in--and Recommendations for--Higher Ed

Among higher education IT directors:

* 93% report that executive administrators are supportive or extremely supportive of IT security initiatives, although there can be barriers around funding.

* 28% note that faculty are not supportive of security initiatives, mainly due to lack of awareness and an expectation that exceptions be made for individuals.

* 31% report that students are not supportive of the initiatives, from lack of awareness and a disregard for the rules and policies of an institution.

Improve IT security attitudes by:

* Presenting formal business cases to administrations when seeking budgetary increases for security enhancements.

* Examining the total financial impact of a major security breach, including costs associated with staff downtime, and communications to those affected.

* Improving authorized access policies to reduce outside threats to networks.

* Managing and monitoring the number of devices hooking up to the network.

* Boosting funding for security training and awareness programs.

SOURCE: Second annual "Higher Education IT Security Report Card," released by CDW-G in conjunction with Eduventures; www.cdwg.com/higheredsecurity

Resources

Aladdin, www.aladdin.com/etoken

Bluesocket, www.bluesocket.com

CertAlert, www.certalertsoftware.com

Cybertrust, www.cybertrust.com

Enterasys Networks, www.enterasys.com

EDUCAUSE "2006 Current Issues Survey," www.educause.edu/2006SurveyResources

eTelemetry, www.etelemetry.com

Laurus Technologies, www.laurustech.com

Mirage Networks, www.miragenetworks.com

SunGard Higher Education, www.sungardhe.com

Sun Microsystems, www.sun.com

TouchNet, www.touchnet.com

VeriSign, www.verisign.com
COPYRIGHT 2007 Professional Media Group LLC
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2007, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author:Millard, Elizabeth
Publication:University Business
Date:Apr 1, 2007
Words:2537