By Jack Suess and Kevin Morooney

Identity Management & Trust Services: Foundations for Cloud Computing

In the recent EDUCAUSE book The Tower and the Cloud, Richard Katz organized a set of essays by higher education community leaders who explored the emergence and impact of cloud computing. The book, which uses a broad definition of cloud computing, compellingly highlights how the Internet-based technologies of cloud computing are changing higher education. Katz, in his introductory chapter, stresses that institutions need to develop a cloud strategy, and he argues that institutional leaders, especially CIOs, must build into their strategic planning the role of virtualization, software-as-a-service (SaaS), open resources, shared community infrastructure, and commercial cloud computing offerings.[1] Increasingly, IT organizations will move from providing IT services locally to becoming an integrator of IT services, some provided locally and others provided outside the institution. As a result, institutions must immediately begin to plan for shared services and must understand the essential role that identity management and trust services play in making integration possible.

Jack Suess is Vice President of Information Technology and CIO at the University of Maryland, Baltimore County. Kevin Morooney is Vice Provost for Information Technology and CIO at The Pennsylvania State University. Morooney is Vice-Chair and Suess is Treasurer of the InCommon Steering Advisory Group, for which they co-chaired a subcommittee that recently looked at options for advancing federated trust services in the higher education community.

Illustration by Steve McCracken, 2009. © 2009 Jack Suess and Kevin Morooney. EDUCAUSE Review, September/October 2009, p. 25.
One of the most tangible areas where this shift from local provider to consumer is playing out is in the provision of e-mail services. At most institutions, e-mail is still considered a mission-critical application and is fundamental to administration, teaching, and research. Failures or outages in e-mail systems severely disrupt the day-to-day operations of the campus. Not surprisingly, since the announcement of Google Apps for Education in 2007, the subject of e-mail outsourcing has been a constant discussion topic on the EDUCAUSE CIO constituent group list. Likewise, in a July 2008 EDUCAUSE Center for Applied Research (ECAR) survey, nearly 20 percent of the 351 responding colleges and universities had outsourced their student e-mail to a commercial provider.[2] What may be surprising about this development is how seemingly well the transitions have gone. Obviously, there have been issues, but whenever questions about the process have been posed to the CIO constituent group list, the overwhelming response has been that the central IT organization is delivering service as good as or better than when e-mail was hosted locally.

E-mail has been the service most discussed by the CIO community in moving from locally operated to cloud-based applications, but it represents nothing more than the visible part of the iceberg. Over the last few years, hosted applications, sometimes referred to as software-as-a-service (SaaS), have taken off. Institutions can now procure externally hosted services that support residential housing management, event management, faculty productivity reporting, facility management, institutional assessment, student billing services, parking services, learning management, emergency notification, and alumni services, to name just a few. As the web becomes the common user interface, consortiums and state university systems are deploying administrative solutions that support a shared infrastructure for multiple institutions to operate their human resource management, payroll, financial, and student information services.
Although the list of potential externally managed services is long, and growing each day, most institutions are utilizing only a few. In many instances, the decision to procure these services was driven not through any coherent IT strategy but by campus departments making local decisions and procuring these services with varying degrees of central IT involvement. In some cases, the decision is made by individuals, such as faculty, who may procure a hosted service, such as WebAssign, as part of the requirement for their course. The benefits to institutions in utilizing the hosted applications are often focused on deployment and cost:

Faster deployment cycles: days or weeks versus months or years to develop or implement an application locally
Lower initial cost: paid for on an annual basis, with no large upfront cost for hardware and implementation

In the last five years, institutions have begun to effectively utilize external services for mission-critical needs through an evolving set of standards and technologies.

Virtualization. The advent of high-quality virtualization platforms has allowed external service providers to achieve economies of scale. They can use virtualization software to run multiple organizations on the same physical infrastructure as if each were independent, which reduces both cost and management overhead.

Extensible Markup Language (XML). XML provides a standard way to share information and data. By utilizing XML, an external service provider can implement one standard method for the interchange of data between the institution and the service provider.

Web 2.0 technologies. Web technologies now allow web-based applications to have sophisticated user interfaces. External service providers adopting these web standards can provide access to any person connecting to the service with a standards-compliant browser.

Network bandwidth cost reduction. Over the last decade, the higher education community, led by regional and state networks, has leveraged its collective buying power to greatly reduce the cost of commodity Internet bandwidth.[3] As a result, most institutions can procure adequate bandwidth and do not see commodity bandwidth as an issue when utilizing external services.

These four components make it possible for external service providers to offer cost-effective and compelling hosted services. But it is important to recognize that these technologies have enabled service providers, not service consumers. The challenge for IT organizations is to integrate these disparate services in a coherent and effective manner. Issues such as authentication, access control, and the user experience in moving from one hosted service to another are all important factors for long-term success. What has been missing is a way for institutions to quickly and effectively integrate these external service offerings. At present, many external services require a separate username and password combination that is stored by the external service provider. Managing the creation and deletion of users, ensuring application access rights, and integrating the external services into the broader campus computing environment are all left to the institution. Worse, external service providers tend to differ in their approaches to these actions, requiring institutions to develop and maintain multiple methods as they add new external services to their offering.

To support both local and external service-delivery models, institutions need a comprehensive approach to identity management and trust services, an approach that allows external service providers to leverage campus identity management and trust services. This comprehensive approach should focus on three activities:

1. Developing an identity management system. The numerous articles written about the development of identity management systems can serve as useful starting points.[4] In addition, a number of commercial products, such as Microsoft's Identity Lifecycle Manager (http://www.microsoft.com/ilm) and Sun Identity Management (http://www.sun.com/software/identity/), now make this task less daunting than in the past.

2. Creating a standard set of attributes for each person.
Personal attributes have been defined by the eduPerson schema (http://middleware.internet2.edu/eduperson/), developed by the Middleware Architecture Committee for Education (MACE) and the higher education academic community in consultation with outside groups such as the American Association of Collegiate Registrars and Admissions Officers (AACRAO). The eduPerson schema lists some common elements, such as campus role or username, that can be requested by outside applications.

3. Enabling external access through a federation such as InCommon. Working to link identity providers (such as higher education institutions) with service providers (such as other higher education institutions, commercial entities, and government/nongovernment agencies), InCommon (http://www.incommonfederation.org/) presently uses two community-developed products: the XML-based Security Assertion Markup Language (SAML)[5] and Shibboleth (http://shibboleth.internet2.edu/), open-source software that implements SAML web single sign-on so that a campus login can be used to reach remote services.

Through these three activities, institutions can work with local and external service providers to create a common standards-based approach to authentication. In addition, because authentication is always performed by the campus identity provider, so that the user's password never leaves the campus and the external service receives only a signed assertion, institutions retain much better security control. The following section offers a more detailed explanation of how these three activities fit together.

A Primer on Identity Management Systems

Figure 1. A Model Framework for an Identity Management System. The figure shows: Policy and Governance (President, Provost, Registrar, Human Resources, Faculty Affairs, CIO: establish identity, determine policy); Source Systems (HR: faculty, staff; SA: student, postdoc; Finance: PI, approver; Courses: instructor, enrolled); Reflect & Join; Manage Identity (Persons, Accounts); Manage Groups (Organizations, Schools, Departments, Projects, Programs, Teams); Manage Privileges; Enrich identity; Apply policy; Authenticate, Authorize, Provide, Federate; Systems and Services (Business systems, Network services, Library, ...); Federated Partners; Users. Source: Developed by Ann West, of Internet2, and Lynn McRae, of Stanford, and used with permission from Internet2.

Figure 1 provides a model for a local identity management system. For this example, the yellow cloud in the middle should be considered the identity management system. At the top, the dark-green area focuses on policy and governance. The first step is to develop a process that verifies and establishes the identity of a person who has been given college/university credentials. At most institutions, this requires developing a process to review an official government-issued identity card (such as a driver's license) in order to validate that the account credentials are being assigned to the appropriate person. Because colleges and universities are complex communities with many different groups, it is important for the campus leadership team to develop policy on how members of the community will be added to the identity management system.

On the left-hand side, the light-green area identifies some of the many recordkeeping systems that may be sources of information for the identity management system. These source systems look for specific kinds of transaction events and trigger when an update needs to occur in the identity management system. For example, someone was hired or terminated in the human resource system, or a student was added to a specific course.

One key benefit of an identity management system is the ability to manage the complexity of higher education. As a case in point, if a campus hosts a number of summer conferences, the people attending these conferences need to have an account to utilize the computer facilities or possibly to authenticate for access to the Internet. Therefore, a mechanism is necessary so that the conference organizers can add people to the identity management system as conference guests, with a date for when access will be automatically turned off. This delegation back to the department overseeing the business function provides better customer service and demands less from the IT organization.

On the far right, the top lavender box identifies some of the specific internal systems and services to be managed through the identity management system. From the set of defined systems and services provided, data elements can be identified that must be present in the identity management system. One key decision to make when developing the identity management system is how quickly to propagate the changes that occur in the various systems of record. For some situations, such as turning off access when an employee is terminated, changes may need to be updated in the identity management system very quickly: with a nightly batch, a terminated employee's credentials stay valid until the next run. In many situations, a single daily update from the source system to the identity management system will be sufficient. It is important to work with the business process owners to understand the risks and requirements.
Although there is a trend to move to real-time updates of the identity management system from the source systems, it is always possible to develop specific business processes that provide a workaround should that not be the case (for example, a human resources representative may call someone in the IT organization to have an account disabled or its password reset when an employee is terminated).

The blue box at the bottom, Manage Groups, is at the heart of an identity management system. Groups provide the flexibility for managing access and offering collaborative services. Groups can be generated based on an attribute about a person, or groups can be formed ad hoc, when individuals need to collaborate and use shared resources. Identifying the groups that a person belongs to can be essential to defining which resources a person can access. In many cases, the group memberships are used by the campus portal to identify the services a person should be able to access. Identifying the groups to create requires consultation with business process owners and is often driven by the services being provided. When setting up groups, an institution should begin by reading a description of the eduPerson schema. The eduPerson schema has an affiliation attribute and lists some standard affiliations that have been identified to date. The permissible values include the following: faculty, student, staff, alum, member, affiliate, employee, and library-walk-in.[6]

The red box, Manage Privileges, is a key box to consider. Presently, many services (or applications) manage privileges within the specific logic of the application. With the advent of web services, the model of applications managing all aspects of the application security is beginning to prove unworkable. The emerging model of web services, also known as service-oriented architecture (SOA), utilizes functionality from outside the application to perform business processes and is requiring industry groups to rethink their approach to application-level security. At present, the World Wide Web Consortium (W3C, http://www.w3.org/) is developing standards for this. On another level, Web 2.0 collaboration tools such as wikis and blogs require that access management be dynamic and not require the central IT organization to intervene. One interesting pilot project is COmanage (http://middleware.internet2.edu/co/), a tool that can use the identity management system to allow users to set up collaboration spaces. These collaboration spaces work across institutions by leveraging federated identity management (discussed below).

Finally, the bottom lavender box on the right, Federated Partners, refers to externally hosted services or interinstitutional services being shared. The idea is to have a standard method, as part of the identity management system, for supporting these services. As a new external service is identified, use of this method would quickly set up a mechanism to provide access to that service. An example of such a method being used today is InCommon. As noted earlier, InCommon works to link identity providers with service providers. Participants include more than 116 higher education institutions, 41 sponsored partners (commercial service providers), and six federal agencies and nonprofit groups.
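The identity management model walked through above (Figure 1: source systems feeding one identity store, affiliations and groups derived from it, time-limited guest accounts, and changes propagated to downstream services) can be made concrete. What follows is an added example, not code from the article, from Internet2, or from any campus system. It joins constructed HR, student-system and conference-guest extracts into one record per person, derives eduPersonAffiliation values from the schema's permitted list, builds affiliation groups, lists identities that should be disabled because no active source still vouches for them, and computes the change events to push downstream between two runs. The record layouts and the names hr_records, sis_records, guest_records, join_identities, derive_groups, deprovision_list and propagate are this example's own.

```python
"""Toy identity-management join: source systems -> person records -> groups.

Added example (not the article's, Internet2's or any campus's code). All
records below are constructed sample data; field names are assumptions.
"""
from collections import defaultdict
from datetime import date

# Constructed extracts from three systems of record.
hr_records = [
    {"id": "p001", "status": "active", "role": "faculty"},
    {"id": "p002", "status": "active", "role": "staff"},
    {"id": "p003", "status": "terminated", "role": "staff"},  # left last week
]
sis_records = [
    {"id": "p004", "enrolled": True},
    {"id": "p001", "enrolled": True},   # a faculty member also taking a course
]
guest_records = [   # added by the conference office, with an automatic end date
    {"id": "g100", "sponsor": "conferences", "expires": date(2009, 8, 1)},
    {"id": "g101", "sponsor": "conferences", "expires": date(2009, 12, 31)},
]


def join_identities(hr, sis, guests, today):
    """Reflect & Join: one record per person, eduPersonAffiliation values
    derived from the sources.  Returns {id: {"affiliations": set, "active": bool}}.

    A person who appears in a source but no longer qualifies (terminated,
    or a guest past the expiry date) still gets a record, with no affiliations;
    that is how termination and expiry propagate to downstream services."""
    people = defaultdict(lambda: {"affiliations": set()})
    for rec in hr:
        aff = people[rec["id"]]["affiliations"]
        if rec["status"] == "active":
            aff.update({"employee", rec["role"], "member"})
    for rec in sis:
        if rec["enrolled"]:
            people[rec["id"]]["affiliations"].update({"student", "member"})
    for rec in guests:
        aff = people[rec["id"]]["affiliations"]
        if rec["expires"] >= today:      # access turns off without IT intervention
            aff.add("affiliate")
    for rec in people.values():
        rec["active"] = bool(rec["affiliations"])
    return dict(people)


def derive_groups(people):
    """Manage Groups: affiliation-driven groups a portal or service can consult."""
    groups = defaultdict(set)
    for pid, rec in people.items():
        for aff in rec["affiliations"]:
            groups[f"affiliation:{aff}"].add(pid)
    return dict(groups)


def deprovision_list(people):
    """Identities no active source vouches for: disable their accounts."""
    return sorted(pid for pid, rec in people.items() if not rec["active"])


def propagate(previous, current):
    """Change events to push to systems and services since the last run:
    (id, 'enable' | 'disable' | 'update'), sorted by id."""
    empty = {"affiliations": set(), "active": False}
    events = []
    for pid in sorted(set(previous) | set(current)):
        old, new = previous.get(pid, empty), current.get(pid, empty)
        if old["active"] != new["active"]:
            events.append((pid, "enable" if new["active"] else "disable"))
        elif old["affiliations"] != new["affiliations"]:
            events.append((pid, "update"))
    return events


if __name__ == "__main__":
    july = join_identities(hr_records, sis_records, guest_records, date(2009, 7, 15))
    october = join_identities(hr_records, sis_records, guest_records, date(2009, 10, 1))
    print("disable now:", deprovision_list(october))
    print("groups:", derive_groups(october))
    print("events since July:", propagate(july, october))
```

Run with today set to 1 October 2009, the terminated staff member p003 and the guest g100, whose access ended in August, are the only identities to disable, and the faculty member enrolled in a course (p001) carries faculty, employee, member and student affiliations at once. Whatever the update cadence, it is the output of propagate, not the raw source extract, that downstream services should act on; the termination event in the text's example is the one worth moving onto a faster path than the daily run.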
InCommon coordinates common definitions and guidelines for security and privacy and for data interchange, and it validates that both parties are who they claim to be and are acting in good faith. This information is then encapsulated in federation metadata, which carries the certificates that allow the identity provider and the service provider to verify each other's signed messages. InCommon supports the sharing of information in real time using standards such as SAML, developed by the Organization for the Advancement of Structured Information Standards (OASIS, http://www.oasis-open.org/who/) with substantial input from Internet2 and the higher education community, and through web-based community-source tools such as Shibboleth. One of the important aspects of this technology is that it was designed to support the academic value of privacy by encouraging service providers to request the minimal amount of information necessary to support a transaction. An example of how this works is accessing an electronic database that includes content licensed for faculty and student access. When someone tries to access this content, the system will validate whether the person is an authorized faculty member or student and will share just that high-level information with the content provider, not the person's name or e-mail address.

These three elements, InCommon, SAML, and Shibboleth, are changing the way institutions manage their relationships with externally hosted solutions. Many campuses now encourage or require externally hosted service providers to become members of InCommon or to agree to join InCommon as part of their procurement requirements. In addition, these three elements facilitate the process so that external providers can become service providers to additional institutions. For example, in 2006, the University of California Office of the President implemented UCTrust (http://www.ucop.edu/irc/itlc/uctrust/).
By having the individual institutions of the University of California system join InCommon, the University of California system office could deploy, across the entire system, an application that provided employees with access to retirement information. Also in 2006, the Virtual Library of Virginia (VIVA) licensed content from the Public Broadcasting Service (PBS) and used these three elements to support distribution to close to 400,000 students.[7]

Identity Management and Information Security

Initially, identity management was thought of separately from information security and was focused on directory services. The identity management infrastructure was developed and designed for provisioning services, especially centralized authentication. Using the Lightweight Directory Access Protocol (LDAP), institutions of higher education focused on developing a comprehensive directory service of all members in the community, pulling data from a variety of source systems. Using LDAP's bind operation as an authentication service, institutions were able to create a single authentication system for the institution. The single authentication system led to the development of web single sign-on tools that facilitated automatic sign-on across distinct web applications.

The relationship between identity management and information security is focused on three distinct areas: authentication, access management, and compliance. Authentication, the process of ensuring that users are who they say they are, is central to security. A major benefit of linking identity management with information security programs is the process of validating identity. This process, often called identity proofing, requires that users establish their identity by providing evidence that confirms they are who they say they are before credentials are issued. This identity proofing is done as part of the policies and procedures for the identity management system and may be overseen by the information security officer for the institution.
Alternatively, the information security officer may work closely with other offices, such as user services, to make certain this is done according to policy.

Access management is focused on provisioning services based on group membership or specific attributes that qualify one for access to an application or service. For example, based on their role, faculty members may automatically be provisioned to have access to certain administrative functions, such as advising. Maintaining application security is an area that many institutions struggle with because it requires inter-office communication regarding the ebb and flow of people assuming different roles throughout the institution. Leveraging identity management to automatically provision, and just as important to automatically revoke, application security is a major benefit.

Compliance, especially in support of legal mandates and auditing requirements, is a critical component of an information security program. A centralized identity management infrastructure that controls authentication and application security provides a single point for security compliance logging and auditing. Often, these audit reports and security logs are reviewed by the information security officer. As institutions seek to follow information security standards, such as ISO 27002, they will find that identity and access management is one of the core components of their information security program.

Strategic and Practical Steps

If your campus does not have an identity management system in place, you should leverage the resources of the EDUCAUSE Identity Management Working Group (http://www.educause.edu/idmworkinggroup) to build a successful business case and a project plan for implementing one. In particular you should focus on the following three tasks:

1. Establish a data governance process to oversee identity management. If your institution does not have an IT governance or data governance process, you should convene senior leaders and critical stakeholders to ensure that the strategic needs are well understood and that the necessary resources are available.

2. Conduct a risk assessment, including an inventory of applications or services. It is sometimes difficult to make the case for a comprehensive identity management system or to assign resources until you know the extent of the institutional risk. A risk assessment will help the institution to engage business process owners and to inventory existing systems and may lead to the discovery of redundant efforts for authenticating access to services.

3. Plan for the establishment of an enterprise identity management system. The risk assessment is likely to surface findings that will require remediation and the allocation of resources. A plan that identifies necessary steps, priorities, resources, and timelines will help you keep the building of the identity management system on track. As part of this plan, campuses should implement the requirements associated with the eduPerson attribute definition.

Once the identity management system is in place or the project has begun, the campus should consider taking the following two steps:

1. Join InCommon. InCommon provides a standards-based method for connecting identity providers and service providers. By joining InCommon, members of the higher education community can demonstrate to service providers that this is a preferred method for service providers to adopt.

2. Require, in procurement RFPs, that service providers support InCommon. By selecting vendors based on their support for InCommon, colleges and universities will use their collective buying power to build a marketplace for federated trust services.

Federated Identity Management and InCommon

Federated identity management is the practice of using identifying credentials in one domain or organization to access assets in a different domain or organization. Individual organizations identify employees, partners, customers, and so on, and they build internal processes around those identities and the degree of assurance to which they can attest the individual is who he or she purports to be. With federated identity management, various organizations agree on how they will trust other organizations' practices for identifying and assuring individuals. A simplistic example of a federation at work is an interstate highway system. If someone is issued a driver's license in one state in the United States, all other states have agreed to recognize both the person's certification and his or her knowledge of driving laws, enabling the driver to access all state highways and interstate highways.

Organizations must have robust, trustworthy identity management practices in place before they can develop and design services and partnerships that leverage federation. With such practices in place, an organization is in a position to consider both asserting its identities into other realms and accepting other organizations' identities into its own. A trust federation like InCommon plays at least two important roles in an online trust environment. InCommon acts as a scaling factor in relationships, enabling organizations to manage their trust relationships in a scalable manner. If all federating organizations had to manage their trust relationships on a one-by-one basis, there would be tremendous duplication of effort. By becoming a member of a trust federation such as InCommon, organizations and institutions leverage the network effect of a community of trust. And this leads to a second role of InCommon: the establishment of standards for identity management practices among participating institutions.

More technically, federated identity management is focused on managing the exchange of attributes between identity providers and service providers, governed by federation metadata. The metadata describes each party (its endpoints and the certificates it signs with), what attributes will be shared, and what level of assurance must be in place for a connection to be allowed.
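The exchange that this metadata governs, in miniature, as an added example (not code from the article, from Shibboleth, or from InCommon): both parties consult the same constructed federation metadata; the identity provider authenticates the user locally, releases only the attributes the requesting service provider's metadata entry asks for, and signs the assertion; the service provider verifies the signature against the key the metadata publishes for that issuer and rejects replayed, expired, mis-addressed or under-assured assertions. SAML XML and XML-Signature are stood in for by Python dicts and an HMAC (the HMAC key plays the part of the signing certificate in metadata); the entity IDs, assurance profile names, users and attribute values are constructed, and the class and function names are this example's own.

```python
"""Federated web login in miniature: identity provider (IdP) and service
provider (SP) sides of the exchange that federation metadata governs.

Added example; not code from the article, Shibboleth or InCommon.
Dicts stand in for SAML XML, an HMAC stands in for XML-Signature, and all
metadata, keys and users are constructed samples.
"""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta

ASSURANCE_RANK = {"bronze": 1, "silver": 2}   # assumed profile names, ranked

# Constructed federation metadata: who each party is, the IdP's signing key
# (a certificate in real metadata), what each SP may request and requires.
METADATA = {
    "https://idp.example.edu/idp": {"role": "idp", "signing_key": b"constructed-idp-key"},
    "https://library.example.com/sp": {"role": "sp",
                                       "requested_attributes": ["eduPersonAffiliation"],
                                       "required_assurance": "bronze"},
    "https://grants.example.gov/sp": {"role": "sp",
                                      "requested_attributes": ["eduPersonPrincipalName"],
                                      "required_assurance": "silver"},
}

# Constructed campus user store: what the IdP knows and the SP never sees.
USERS = {
    "alice": {"eduPersonPrincipalName": "alice@example.edu",
              "eduPersonAffiliation": ["faculty", "member"],
              "mail": "alice@example.edu", "assurance": "silver"},
    "bob": {"eduPersonPrincipalName": "bob@example.edu",
            "eduPersonAffiliation": ["student", "member"],
            "mail": "bob@example.edu", "assurance": "bronze"},
}


def _sign(key, assertion):
    """Stand-in for XML-DSig: HMAC-SHA256 over the canonical assertion."""
    blob = json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, entity_id, signing_key, metadata, users):
        self.entity_id, self.key = entity_id, signing_key
        self.metadata, self.users = metadata, users

    def respond(self, request, username, password_ok, now):
        """Authenticate locally, then release only what the SP's metadata asks for.
        password_ok stands in for the check against the campus credential store."""
        sp = self.metadata.get(request["issuer"])
        if not password_ok or username not in self.users or not sp or sp["role"] != "sp":
            return None
        user = self.users[username]
        released = {k: user[k] for k in sp["requested_attributes"] if k in user}
        assertion = {
            "issuer": self.entity_id,
            "audience": request["issuer"],          # only this SP may consume it
            "in_response_to": request["id"],
            "not_before": now.isoformat(),
            "not_on_or_after": (now + timedelta(minutes=5)).isoformat(),
            "assurance": user["assurance"],
            "attributes": released,
        }
        return {"assertion": assertion, "signature": _sign(self.key, assertion)}


class ServiceProvider:
    def __init__(self, entity_id, metadata):
        self.entity_id, self.metadata = entity_id, metadata
        self.pending = set()    # request IDs awaiting a response (replay defence)

    def authn_request(self, idp_entity_id):
        req = {"id": "_" + secrets.token_hex(16), "issuer": self.entity_id,
               "destination": idp_entity_id}
        self.pending.add(req["id"])
        return req

    def consume(self, response, now):
        """Return (attributes, 'ok'), or (None, reason) when the response is rejected."""
        a = response["assertion"]
        idp = self.metadata.get(a["issuer"])
        if not idp or idp["role"] != "idp":
            return None, "issuer not in federation metadata"
        if not hmac.compare_digest(_sign(idp["signing_key"], a), response["signature"]):
            return None, "bad signature"
        if a["in_response_to"] not in self.pending:
            return None, "unsolicited or replayed response"
        if a["audience"] != self.entity_id:
            return None, "assertion addressed to another SP"
        if not (datetime.fromisoformat(a["not_before"]) <= now
                < datetime.fromisoformat(a["not_on_or_after"])):
            return None, "outside validity window"
        need = self.metadata[self.entity_id]["required_assurance"]
        if ASSURANCE_RANK[a["assurance"]] < ASSURANCE_RANK[need]:
            return None, "assurance level too low"
        self.pending.discard(a["in_response_to"])   # each request answered once
        return a["attributes"], "ok"
```

The library SP, which asks only for eduPersonAffiliation, never sees alice's e-mail address even though the IdP holds it; that is the minimal-release principle described earlier, enforced by the IdP from metadata rather than left to the SP's good behaviour. The grants SP, whose metadata demands the higher assurance profile, is refused bob, who was proofed only to the lower one, and a second presentation of the same assertion, or an assertion with altered attributes, is rejected before any attribute is trusted.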
The attribute exchange leverages Shibboleth to share messages using SAML. Through a handshaking process, the service provider and the identity provider exchange information to validate that the person requesting this service is eligible. InCommon functions as the lead in negotiating a common set of requirements between identity and service providers. The basic InCommon requirement for identity providers assumes that institutions have made some effort to validate identity but may not have done a formal review against a government-issued ID. InCommon is working with the National Science Foundation (NSF) and the National Institutes of Health (NIH) to support a higher level of assurance, called InCommon Silver, that will require validation of a government-issued ID. InCommon also organizes workgroups to determine the metadata that will be shared and works to distribute the appropriate certificates necessary for this information exchange to occur. Without a central service such as InCommon, each institution would be left on its own to negotiate with service providers, and the process would not scale.

The Challenges

As higher education institutions begin to fundamentally rethink the way they provide services, they face a number of new challenges, mostly around identity and access management. The first and perhaps most arduous challenge is how to encourage pervasive adoption of best practices in identity management among campuses and institutions. A successful identity infrastructure requires stepping outside of the departmental and divisional silos used for applications and thinking holistically about identities and the interdependencies that exist. It requires thinking about service provisioning and the end-user experience in the broadest sense and looking at transactions differently, taking into consideration the various interdependencies among groups providing services and developing processes, infrastructures, and policies that break down silos and sustain the new environment.

Another challenge is building support for the benefits of federation without a national mandate. In the United Kingdom and Switzerland, the national government has supported and mandated the use of federation. In the United States, this is not the case. The United States needs enlightened institutional leaders to embrace the federation, just as they have embraced the Internet. With these enlightened institutional leaders will come the service, transaction, and information providers.

Higher education is well positioned to be a leader in creating this marketplace and in establishing a set of best practices that support the expansion of federation-based trust services. At the same time, if the higher education community fails to collectively embrace and adopt these trust services, the resulting systems will undoubtedly focus on commercial transactions, at the expense of supporting research and academic needs.

The Opportunities

The higher education community has been a pioneer in promoting the development of campus networks and in leveraging the Internet to support the academic mission. Those of us in the higher education community take great pride in our early role in shaping the Internet into what it is today and in continuing to push to advance the state of the art. InCommon represents the community coming together to solve one of the most vexing issues faced today: how do we establish and manage trust services on the Internet? Increasingly, our work is less about just passing data and more about building value. InCommon represents a way for the community to build shared services that we can leverage. There is no debate about the explosive innovation that has occurred as a result of building the Internet. If the promise of federated identity can be realized, a similar explosion in innovation will occur. The Internet Society (ISOC) has determined that the issue of trust is both important and crucial for the long-term growth and success of the Internet.[8] Just as the higher education community's adoption of the Internet in the 1980s helped to demonstrate the potential of the Internet, the community's adoption of federated trust services is needed now to demonstrate and unlock the potential of trust services. With budgets under pressure as they are today, leveraging new ways of providing services is essential to success. Ubiquitous adoption of standardized trust-based approaches to federating identities will unlock the opportunities to be found in connecting people to people, and people to information. By joining InCommon and adopting federated trust services, colleges and universities will be able to shape this endeavor to meet their needs: gaining vendor support for providing new standards- and cloud-based applications that can be leveraged, allowing researchers to use trust-based services to easily traverse network defenses that now block their research, and providing new ways of sharing content across institutional boundaries for teaching and learning. Through the higher education community's collective support, information and people will be able to discover each other with trust, and new collaborative business models based on federating identities will emerge to meet the community's needs.

Notes

1. "The Gathering Cloud: Is This the End of the Middle?" in Richard N. Katz, ed., The Tower and the Cloud: Higher Education in the Age of Cloud Computing (Boulder, Colo.: EDUCAUSE, 2008), pp. 22-23, http://www.educause.edu/thetowerandthecloud.

2. Mark C. Sheehan and Judith A. Pirani, Spreading the Word: Messaging and Communications in Higher Education, EDUCAUSE Center for Applied Research (ECAR) Research Study, vol. 2, no. 9 (2009), Key Findings: http://net.educause.edu/ir/library/pdf/ekf/ekf0902.pdf.

3. Data from the Quilt CIS (http://www.thequilt.net/proj-cis/) annual survey show that the cost per megabit fell by more than a factor of four from 2003 to 2008.

4. For example, see Brian L. Hawkins, "What Higher Ed Leaders Need to Know about IdM," EDUCAUSE Review, vol. 42, no. 5 (September/October 2007), pp. 84-85, http://www.educause.edu/library/ERM07510, and see Norma B. Holland, Ann West, and Steve Worona, "A Report on the [EDUCAUSE] Identity Management Summit, November 2-3, 2006," http://www.educause.edu/resources/AReportontheIdentityManagement/154436.

5. Prateek Mishra, ed., "Differences between OASIS Security Assertion Markup Language (SAML) V1.1 and V1.0," OASIS draft, May 21, 2003, http://www.oasis-open.org/committees/download.php/3412/sstc-saml-diff-1.1-draft-01.pdf.

6. Internet2 Middleware Architecture Committee for Education, Directory Working Group, "eduPerson Object Class Specification," June 30, 2008, http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200806.html#eduPersonAffiliation.

7. See "VIVA Virginia!" InCommon case study, April 8, 2008, http://www.incommonfederation.org/docs/eng/inc_casestudy_viva_2008.pdf.

8. The Internet Society, "Trust and the Future of the Internet," August 2008, http://www.isoc.org/isoc/mission/initiative/docs/trust-report-2008.pdf.