JISC Access Management Team

moving towards federated access management

I’m Either Famous, or Dumb…

Posted by nicole on January 21st, 2010

According to recent reports, nicole is the 11th most likely password in a survey of one million (hacked) user accounts.

This leads me to the following conclusions:

  1. My impact on the access management world is so significant, I have become a standard password….OR
  2. People called Nicole are generally so dumb they are the most likely to use their own name as their password.

I’ll leave it to you to decide ;-)

Posted in Authorisation, Authentication, Identity Management | 4 Comments »

Where’s the AIM in future funding?

Posted by nicole on January 14th, 2010

Given the current economic issues for HEFCE and the education sector as a whole, I read with interest the HEFCE Grant letter for 2010 / 11. The figures are reasonably unintelligible unless you are significantly involved in grant allocations, but the interesting part of these letters is always the wording around the objectives expected of HEFCE. Can we learn anything from this that relates to access and identity management?

The key focus seems to be on greater flexibility, more part-time courses, more modular courses, more partnership courses etc. etc. This does present new challenges, particularly for identity and access management.

Current models of identity management tend to assume that the student’s primary affiliated institution will provide the student with an identity / identities - predominantly an e-mail address and credentials. A more flexible model may make it increasingly difficult to manage such a process, and also raise questions about the importance of such an approach in delivering a service to the student.

The complexity of licensing and assigning authorised rights associated with a license also becomes much more complex. If I am effectively attending four institutions, at what point in time am I authorised to access which resources in which institutions and how will you assign me these rights? Four sets of credentials? We obviously need to do much more work to look at managing multiple affiliations from an access management perspective, and also perhaps the model of institutional licensing for cross-collaboration courses. The upcoming multiple affiliations study final report from LSE and funded by Eduserv will be an interesting read, as will linking services such as the Shintau model.

The overarching model in all of this is ensuring the trust model in federated access. As we look to combine accounts and add authorisations to identities not managed by specific affiliations, how can we assure that these are well managed, revoked at the right point in time, and correctly asserted so we maintain trust? An interesting challenge for all of us I feel!

Now, how are we going to pay for it?!

Posted in Authorisation, Authentication, Identity Management | 1 Comment »

Planning Easter downtime?

Posted by markwilliams on January 6th, 2010

You’ve probably seen the notice from JANET concerning shib 1.3-2.0 migration.

“We strongly recommend that sites currently running Shibboleth 1.3 in production plan to upgrade to the current version of Shibboleth well in advance of the announced EOL date. This will protect against the possibility of a forced but unplanned migration from 1.3 should a security issue or incompatibility be discovered after the EOL date has been reached.”

Well, the time factor here is June, which, given that it falls within the teaching calendar, means that for many institutions the next appropriate downtime when they can schedule such a transition is Easter. I know of a number of institutions who are already planning what they will do IT infrastructure wise during Easter, so if you are a 1.3 institution get it onto the agenda! In some cases where the library has been pushing the Shib agenda, and the IT dept has been doing the actual work - it might mean flagging the issue again to the IT team. I would be interested to hear any migration experiences….?

Some advice here.

Posted in Authentication, Joining the UK Federation | No Comments »

Access Management New Years resolutions

Posted by markwilliams on January 4th, 2010

if I were an Institution with shib 1.3;
I’d migrate to shib 2
if I were a Publisher who has implemented access management with shib;
I’d migrate to shib 2
if I were a publisher who has not implemented access management but said they would in 2010;
I’d go ahead and deploy shib or other SAML compatible product
if I were a member of JISC access management team;
I’d federate everything I use so it wouldn’t matter that I come back after xmas holidays and can’t remember a million passwords…..

Posted in Authorisation, Authentication, Identity Management | 1 Comment »

Persona-lity?

Posted by nicole on December 14th, 2009

So it has been a while since I wrote a blog piece that wasn’t more representative of the mush my mind is in at this time of year than a thoughtful piece on access management. So this is me attempting to tip the balance. Bear with me if it comes out as dribble!

Inspired by some tweets by @m1ke_ellis, I got to thinking about how much a system needs to know about me to make that system effective. The case in discussion was a Virtual Learning Environment - does this need to know that I am a mother, JISCite, author, bad karaoke singer (to plagiarise @m1ke_ellis!) to be able to engage with me effectively?

I have always had a problem with the term VLE as I think very few can be regarded as real learning environments in the pedagogical sense. I think the US term Learning Management System (LMS) is probably more accurate - something that performs a role as the administrative interface to my learning. Thus I need to feed it information that it needs to administrate (address, e-mail, course, preferences) not information about who I am and how I learn. That is the context of this environment.

So, to Carrie Bradshaw the moment, is this all about persona - or personality?

I have often used the term persona on this blog to represent what is often called having ‘multiple identities’. We all have multiple personas to help us interact online in different contexts. I chose to present myself differently within these contexts, so some may include a link to my work blog, others details about my musical preferences etc. etc.

Personality is something slightly different and more elusive, but is the thing that makes me who I am. In a pedagogical environment, this might traditionally be described as my learner type and many systems have attempted to frame themselves differently to recognise the importance of learner type. However, as our identity interactions online become more sophisticated, we need to look at a more specific way of framing this nuance.

A lot of how we are represented and interact online is about what is gleaned from conversations we are having online, and how we are linked to groups and other individuals. Someone is likely to decide to follow me on Twitter based on:

  • Keywords from my conversations / statements.
  • People I follow.
  • People who follow me.

So if attributes about me define my persona, what defines my personality? I think it is a mix of:

  • Attributes / Persona.
  • Environment Context.
  • Relationships.

There has obviously been some development in all of these fields, but a formalised approach to the relationships part of personality is still to emerge. Friend of a Friend is an interesting but minimal impact approach, and there have been other tools such as PeopleAggregator and many different ways of ranking and rating the outputs of individuals.

It may not be possible to create a tool to capture this difficult area of our online identity, and of course communities tend to be very self selecting and resistant to categorisation. However I still think it is an interesting part of our personalities in online interactions that is to be further explored.

Posted in Identity Management | No Comments »

Last Christmas…

Posted by nicole on December 2nd, 2009

Have decided to create a record of the JISC London office Christmas parties for posterity. This only goes back to 2003, so if you have any further information, please do let me know.

2003 - Boulevard Brasserie. Highlight was Leona and Liam dancing on tables in the Corner Store and the infamous baby photos quiz.

2004 - Now closed Italian restaurant in Soho. Highlight for me was being rung repeatedly between 11 - 1 am with people wishing me merry Christmas. I was very nine months pregnant and curled up at home!

2005 - Tas and the White Hart. A very tame year, although Paul Gambaccini put in an appearance to help us with the Christmas Music Quiz :-)

2006 - Bond Themed Party at the City Inn in Westminster. Warning, the bar is very expensive. Freddie’s wig and Sarah’s Bond villainess hat were to be appreciated. Much memory loss all round.

2007 - Selfridges Hotel, Oxford Street. There were other people there so we had to behave ourselves. Highlights were my hair looking decent for once thanks to hours in the hairdressers and Mel and Al dancing to Valerie. First introduction of the fiendishly difficult Whetstone Quiz.

2008 - La Clique, London. A suitably camp venue for jiscites! Keith wins the Whetstone Quiz. Again.

2009 - 1940’s, Film Noir and The Queens Arms. ????

Posted in events | No Comments »

The ‘other’ federation

Posted by Melissa Saunders on November 26th, 2009

Post our FAM09 event, feeling a little bit like a child post the Xmas excitement, where all the stockings have been emptied, all the presents have been opened up and played with and specifically in my case the entire turkey has been devoured.

So to alleviate that feeling Nicole has asked me to write a blog (my first one) about the organisation of this event.

Basing my organisation of the FAM09 event around the fundamental principles of my ‘other’ favourite federation which are “the values of universal liberty, equality, justice, peace, and cooperation”. (cheeky quote from Wikipedia, I was never allowed to do this in my studies : ) Wikipedia not being an authoritative source, albeit its usefulness for Star Trek facts)

Universal Liberty
We decided very early on in the organization of this event that we would throw off the feudal shackles of a heavily paper based event by creating a ‘green event’ as we all need to ‘go green’. I believe it sets a good example as our primary importance within our community is online resources. We received extremely positive feedback on this. I think aided by the fact our delegates received a pretty 2GB USB stick upon registration.

Equality
It was important for us to make sure that all delegates’ needs were met, ‘techie’ and ‘librarian’ alike. We intentionally organized our main and parallel sessions so people received information that they found useful but equally didn’t exclude or pigeon hole the delegates into feeling they had to attend a particular session.

Justice
Using a combination of our website, Google site and the #FAM09 tag for the tweeting of our event gave all our delegates fora to contribute through giving opinion and feedback in an environment they felt comfortable with.

Peace
Keeping all our delegates happy and relatively ‘peaceful’ I think is crucial to a successful event and this was achieved at this event through wine, food and most importantly a good wireless connection.

Cooperation
It is our hope that sharing the delegate list and enabling all of you to network in a relaxed environment, has potentially created a more open, transparent and cooperative environment which will further your interest and participation in the Access Management Federation.

One of the highlights of this event for me was seeing the excitement on the faces of our delegates when they walked into a room full of Wii and other assorted games and started playing them all immediately, and knowing that this was without question the perfect after dinner entertainment for this group.

Important things I learnt:
• Never underestimate the importance of wireless and wine at an access management event
• Never call someone a geek until they self proclaim it
• There is more than one kind of zombie

The enjoyment in organising this event was only surpassed by attending it and meeting the community who work so hard in contributing to my other favourite federation.
Live long and shibbolise!

Posted in Authentication | No Comments »

The Great Google Experiment

Posted by nicole on November 26th, 2009

Well, OK, not that great but I like alliteration :-)

For #FAM09, we decided to make use of the Google Sites facility to manage all of our information flow around the event. We did mount information formally on the JISC website, but there is much richer information on the JISC FAM09 Google Site. This was really part of an experiment on my part as I wanted to know how efficiently Google could support our information requirements, as information is their business!

We were already using Google Docs to manage most of our information. Normally, I would then use the JISC website for the programme+BOS Surveys for the registration+slideshare for slides (copied to the JISC website)+a.n.other for audio / video+this blog+possibly something like Ning for delegates to talk about the event. Given that the JAM team is not overly resourced, I wanted to make life a lot easier for myself, so decided to see if Google could duplicate most of this functionality with a reasonable amount of ease.

My observations?

  • Ease of Use: Google Sites is pretty easy to use, and has some nice built in tools like the ability to create different types of pages such as html pages, announcement pages, document pages, and widget pages. None of the team had used Google Sites before and we all picked it up pretty quickly.
  • Look and feel: Google Sites has a number of templates that you can choose from, and there are a variety of tools available for editing the templates. I managed to get ours looking a bit JISC-y. It would be nice to be able to create a formal JISC template, but I couldn’t see a way of uploading your own template. The urls for pages are fairly sensible, and you can choose to have word or number strings for pages.
  • Forms: the forms function was very helpful and the outputs automagically created an Excel spreadsheet in our Google Docs. This was so much better and easier to manage than our normal form system so was a really big win.
  • Upload: it is fairly easy to embed a document from your Google Docs into a Google Site. Making sure that all of the permissions are set so that people can download or embed in other sites (particularly presentations) was more complex and I had to revisit permission in both Google Docs and Google Sites several times before I got this right - leading to some requests for documents to be shared with delegates (sorry all). It was better than previously as Google does now let you set share permission across a whole folder of documents, but still annoying. The biggest grumble was the document page template on the Google Site. This doesn’t link to Google Docs at all and you have to physically upload files on to the Sites area - an unnecessary and annoying duplication. The presentation facilities aren’t as advanced or pretty as slide share, but the convenience of not having to upload on yet another site was helpful.
  • Access Management: this was one of the most disappointing features of the site. To even be able to leave a comment, you needed to be logged in, and the only way to log in was with a Google ID. This was despite the fact that the site was fully open. Given this was a federated access event, this was a big fail for me.
  • User Profiles: this really links in to the point above, but it was not possible to create a proper user profile on the site. This really cut down on some of the interaction features that I would expect from a site like Ning. However, at events I have attended in the past where Ning has been used, actual meaningful use of the functions has been low. Is this really in demand as a facility?

So overall, it was a helpful, if not completely professional approach to managing all the information for the event. I still have to finalise some details - I want to pull in some RSS feeds and look at embedding some other tools but it worked pretty well. I will really need to consider the access management, document management and template issues before using again. I’m also slightly worried now the Developer Happiness Days have gone all website posh on me…must keep up with the Jones’!

Posted in Authentication, Identity Management, events | 2 Comments »

Legal Challenges

Posted by nicole on November 10th, 2009

One of the most impressive presentations at Educause2009 was given by Lawrence Lessig. Not surprising really, given his track record for being brilliant, but it really was a very refreshing view of the world we live in. Lessig of course played a critical role in the establishment of Creative Commons and still argues strongly and favourably for the ethos of Commons. The core points being:

  • Copyright law was established in a world that was not impacted by the capabilities of the Internet. UK Copyright Law for example was established in 1710, and the latest version is the Copyright, Designs and Patents Act of 1988. That’s 21 years without any significant changes.
  • Copyright law has a time and place to protect the rights of individuals. Lessig does not believe that educators and scientists should try and enforce copyright in the same way that performing artists do - it is inappropriate to our field.

It struck me immediately that there were many similarities between his arguments regarding Copyright Law, and the arguments being had in the FAM community at the moment around Data Protection. The Data Protection Act in the UK is somewhat newer than copyright laws, having been established in 1998. I don’t think that the basic concepts and key principles of data protection are wrong - you can read up on them on Wikipedia if you are interested in a crash course. It is important that our personal information is protected. However, in a world where people will give away all their personal information to Facebook without a bat of an eyelid, is our current law - or the typical interpretation of our current law in some areas - forcing our institutions to offer a service to its users that can’t compete with the Web 2.0 world?

There are two things that worry me:

  1. The definition of what personal data actually constitutes. It is often argued that an IP address - with no other data attached to it - is still personal data, or personally identifiable information (PII) to use the lingo. This seems bewildering and I wonder if a bunch of lawyers merely saw the name ‘address’ and decided it was the same as my postcode?
  2. Issues around consent. The crux of the DPA is that if you want to pass PII, then you must have explicit consent from the end user. Again, it is argued that educational institutions cannot pass PII because they simply cannot prove that they have consent, or provide tools that will allow users to effectively remove consent. This is a real bind for organisations wanting to make good use of the personalisation possibilities of federated access. The commercial world operates very well with simple tick boxes at the end of forms - we seem to be making this much more difficult for educational institutions than we need to.

Lessig’s excellent presentation is available on the Educause website (it starts a good half hour in so fast forward!) and if you would like to know more about consent management please do come along to the session at #FAM09!

Posted in Authentication | No Comments »

and the Catalyst Award for

Posted by markwilliams on November 6th, 2009

being a Federation catalyst goes to Nicole Harris (and I2 and SWITCH).

The award really shows how far access management has come, with parts of the UK experience considered so embedded that they have become informative history, as Norman Wiseman’s excellent presentation at Educause demonstrates.

Posted in Authentication | No Comments »