Posted by nicole on 29th November 2007
I have had several in-depth conversations with Service Providers over the last couple of days regarding concerns that institutions are not taking their obligations seriously enough in terms of identity management and in relation to devolved authentication processes. I thought it would be worth capturing some of the discussions here.
My first point is that Service Providers to institutional libraries have always been reliant on the institution to provide accurate information about valid end users for their services. This is not a new concept within a devolved approach, but the very nature of devolved authentication often means that errors (such as bad revocation or credential re-use policies) are more easily uncovered than with service provider or centralised access management systems. So, we should to some extent be pleased if more errors are being uncovered - it means the process is working.
Institutions are often simply not aware enough of the obligations that are put on them in terms of good identity management processes when they sign up to a licensed resource. More work needs to be done to get the license terms and conditions out of a dusty filing cabinet and into the general consciousness of institutions.
The discussions have reinforced my faith in the policy approach of the UK federation, and its importance in addition to traditional licenses such as the JISC Model License. It also reinforces the importance of ‘section 6’ of the UK Access Management Federation Rules of Membership and I would urge all institutions to seriously consider signing up to it, and all service providers to review whether it should be a requirement of access. It is this section that truly places an obligation on institutions to demonstrate best practice in identity management.
Service Providers cannot expect institutions to demonstrate best practice unless there is a clear requirement - either in the license for the resource or within a policy document such as the UK Access Management Federation Rules of Membership.
Any devolved authentication system should have robust documentation in place to ensure that it is clear whether or not institutions using that system are following good practice in terms of identity management, and what accountability and traceability Service Providers can expect.
Overall, it is important that both institutions and Service Providers are taking identity management processes seriously, and it does worry me that Identity Management only makes number 10 on the UCISA Top Concerns list. To quote Lemony Snicket, We Are Very Concerned.
Posted by nicole on 21st November 2007
There is very little I can say about the very public example of identity mismanagement that hasn’t already been said, but it is worth noting the various reports detailing the loss of 25 million personal records relating to child benefit, such as that in the Guardian and, rather cheekily, on eBay.
Pertinent points have to be the fact that the data was not encrypted, the dangers of storing all data in a central location and the fact that security is only ever as good as your lowest common denominator (read junior employee!).
Posted by markwilliams on 5th November 2007
Mark writes:
Second part of our Institutional Support process, for Universities and Colleges seeking support to help set them up as IdPs, went out today. We know it’s not going to be a magic bullet to cure all issues that Institutions are having but like the best DNA treatments these days, it is tightly targeted. Traditionally, we (JISC) have been very good at getting historically early adopter institutions to, and you’ve guessed it - “early adopt”. The support model we are trying here goes beyond that. I sense (and please contact me if I’m wrong) that a lot of FE institutions are fence sitting regards Access Management. Hopefully the institutions that get help through JIAMSP will really highlight the fact that Federated Access Management is both obtainable and desirable for all - and worth coming down off the fence for. We also know how small the window of opportunity is to get large scale IT projects done within the College academic calendar, so another part of the support is an attempt to target by time - Institutions can choose slots as to when they would like to move forward, if they are applying for support. Questions (and with this kind of support model, there really should be some) please.
Posted by Jane Charlton on 2nd November 2007
Jane writes:

In this podcast interview, Mark Williams from the JISC Access Management Outreach Team talks to Philip Pothen about the importance of federated access management and how this will enable better collaboration and sharing of common resources between institutions. Mark talks about the choices and challenges for institutions but also the opportunities federated access management can bring in the way of access to online resources and collaborative projects. He also highlights the support available to institutions through case studies, the business case toolkit and other materials on the JISC and UK federation websites, Netskills upskilling workshops and support available through 3rd party providers.
To listen to the full podcast interview please visit:
www.jisc.ac.uk/news/stories/2007/10/podcast15markwilliams