Get real: the security of your network users' digital identities has become crucial. It's time to look at authentication technology. (Technology).
Colleges and universities have historically favored open network access over security. For the most part, authentication of users has been done at the threshold of particular applications: primarily e-mail for faculty and students, and enterprise resource planning (ERP) systems for staff and administrative users. License agreements with software and content providers have been enforced by limiting access by IP domain. Right now, some institutions of higher education (IHEs) require all computers used on the campus network to be registered, but many more do not. There are signs, however, that the protection of digital identities is becoming a higher priority on campuses. The University of Colorado-Boulder, for one, set a first-week-of-2003 deadline for encrypted authentication of all e-mail, telnet, and FTP sessions, with the goal of ensuring that no username-password pairs are sent over the network as plain text, where they are vulnerable to theft via electronic eavesdropping.
TOO MANY IDENTITIES
Identity information is typically maintained inside each information service or software application at an institution. Passwords and PINs are assigned and managed by the keepers of e-mail, library, course management systems (CMS), ERPs, and departmental LANs. What's more, security practices vary widely in method and rigor, even on the same campus. To cope with the number of passwords to remember, many users choose the same password for every system that lets them pick their own. Others write their passwords in notebooks or carry them on paper in their wallets. Both practices undermine password discipline by widening the impact of any breach of secrecy. Meanwhile, IT staff tending separate repositories of identity information duplicate one another's work, wasting valuable time and talent. Still, for all that effort, the institution's information services are no more secure: each password-authenticated transaction is only as secure as the practices and standards of that particular application.
FINDING A CORE FOR IDENTITY
The good news is that valuable tools for identity authentication are already in widespread use. Kerberos, a server-based issuer of encrypted, temporary credentials ("tickets") that certify a user's identity, was developed at MIT and is an open-standard component found in most authentication software. (For more on Kerberos, head to web.mit.edu/kerberos/www/krb5-1.2/index.html.) Lightweight Directory Access Protocol (LDAP), another open standard, is used as a repository for storing identity profiles and their corresponding access privileges. The most commonly used commercial products implementing these tools are Microsoft Active Directory and Exchange Server (www.microsoft.com). On many campuses, these products were initially adopted to provide e-mail and network account management, but they have since gained added value because the LDAP service underlying them can be used for user authentication by many other software packages.
Kerberos and LDAP also figure in the emerging Public Key Infrastructure (PKI) method of user authentication, which uses encrypted "certificates" to vouch for properly identified network users. At Dartmouth College, Kerberos has been in use since the mid-1980s to allow different directory systems--including some custom written at Dartmouth--to share user credentials. A pilot project currently under way at Dartmouth uses Entrust's PKI software (Entrust Authority, Directory, and Entelligence products; go to www.entrust.com) to authenticate digital signatures for electronic payroll authorization. The library hopes to adopt this same PKI solution to substitute for IP address checking when granting access to vendor-supplied information products. To date, Dartmouth has invested approximately $50,000 in the development of its PKI capability and estimates that the eventual campuswide expansion could run to $500,000.
The Internet2 Shibboleth Project is a collaborative effort to build an inter-institutional standard for authentication in which each user's home campus is responsible for the original authentication. (For more information, head to www.shibboleth.internet2.edu.) Once that identity has been established, it is certified to other schools participating in the technical framework established under Shibboleth. This "federated" approach to authentication retains local control of private information while allowing network users to access resources on other campuses. For example, a student taking a course at another college may need to use licensed information sources. Shibboleth aims to use the student's home-campus authentication to satisfy the access requirements at the campus where that student is a visitor.
Princeton University has embarked on an ambitious initiative to unify its various portals into a meta-portal with a single sign-on. More than 42 Web sites with a "princeton.edu" destination address provide online services at the university; resources are scattered, requiring campus community members to visit multiple Web sites to find the information they need. The meta-portal project is being built on the platform of Sun Microsystems' (www.sun.com) Open Network Environment (Sun ONE). The Sun ONE architecture connects an identity management platform with an applications and Web services integration service, giving users seamless access to resources that actually reside in different systems. David Koehler, director of Information Systems at Princeton, explains that the challenge is to build service components that are shared among applications rather than built individually into each of them. The goal is to make gradual investments in the Sun ONE architecture, concentrating on flexible and automated access to existing digital assets.
In 2001, Harvard Medical School began implementing a campuswide authentication and access policy management solution for wireless devices. The basic requirements were that it be browser-based, support SSL (Secure Sockets Layer) encryption/security, support Harvard's standard ID and PIN authentication practices, and have a menu interface for end users. Wireless LAN Gateway products from Bluesocket (www.bluesocket.com) were adopted for the project. Today, users of wireless laptop computers and PDAs connect to the network anywhere on the "HMS Wireless Quad" through a single, authenticated login. Steve Martino, director of IT Computing and Network Infrastructure at the school, says, "We wanted to ensure continued access when a wireless user leaves his local network and comes within access range of another network." It was also important that the wireless authentication solution use Harvard's existing LDAP service and that it authenticate users, and not hardware devices. Wireless networks are ideal in medical settings, as medical students/doctors move among multiple facilities including classrooms, labs, patient treatment rooms, library, and operating rooms. The ability to maintain network connectivity while on the move is valuable; the need to keep track of users' identities and authorizations could not be allowed to tie users to specific devices and work sites.
RETURN ON INVESTMENT
Central authentication for multiple applications is coming first to major research institutions and only very slowly to other IHEs. Single sign-on at schools with only three or four campuswide applications (e-mail, CMS, ERP) is still widely regarded as a convenience. And security still ranks behind open access in the design of most campus networks--although most network administrators find themselves spending more of their time addressing security issues. Eliminating the need to administer multiple authentication schemes is one pathway to better security management and greater network staff productivity.
But there are two further benefits of campuswide authentication that IHEs need to consider, according to Mark Resmer, chief technology officer at eCollege (www.ecollege.com). One is risk avoidance: the need to protect against unauthorized access to licensed resources. Another is confidentiality: FERPA and other statutes require protection against unauthorized access to institutional databases, which is hard to enforce when a campus has multiple, independently administered authentication spaces. Is the time right for you to be moving those authentication initiatives forward? Never better, say those in the know.
Tom Warger is a consultant for Edutech International (www.edutech-int.com).
Date: Feb 1, 2003