Identity Management


Through a roundabout way, I’ve just been looking at TripIt, currently a US application that basically provides a convenient overview of your trip itinerary (and wraps all sorts of services around it like advertising, user recommendations, sharing with friends etc). All you have to do is e-mail your booking confirmations / itineraries from any travel company to TripIt and they build your itinerary at TripIt. For people like me who are hopelessly unorganised it is simple, elegant and quick and works across different companies through aggregation.

Hang on a minute. E-mail TripIt your booking confirmation? With all of your travel details, personal details, payment details on it? How valuable is that information? How personal is that information? How much do I trust TripIt with that sort of data?

Now to be fair, TripIt have a clear privacy policy and user agreement prominently on their website:

TripIt Privacy Policy.

However, this agreement is fairly open and allows for a lot of sharing and reuse of personal data, and open publication of travel dates (burglars – over here!).

Users love this site. They love the functionality and organisation features and all of the enhancements it gives to your user experience…and they don’t seem that worried about sharing this data. As organisations struggling under the burdens of the Data Protection Act in the UK, how do we get the balance right between protecting users and warning them of the dangers, but developing services that can exploit personal(ly) (identifiable) information (PII) to meet user demands? It’s an interesting quandary but I’m keen that it is properly explored as a subject area and not shut down by overly risk-averse approaches.

Last week, I spoke at the eema European e-Identity Management Conference. Although intended for “those in business, public sector and government who are involved in the policy, security, systems and processes surrounding identity management”, the high price tag of the conference meant it was very business oriented. This led to an interesting focus on mobile identity – an area that we haven’t touched on in much detail within JISC – but also to many concepts that we have been exploring in the JISC arena for some years such as federated identity, identity in the cloud etc. etc.

It was of course very satisfying for me to hear Kim Cameron of Microsoft talking about identity federation, interoperability with SAML, and the Cloud Identity Federation Gateway which is part of recent work at Microsoft, including the Identity Software and Services Roadmap. Cameron described identity in terms of claims-based access, with a claim as an assertion that is in doubt. He sees it as the business of identity management to validate that claim. The importance of this in the changing environment is that enterprise systems used to be closed, but are now permeable with many interactions outside of the traditional firewall. These are exactly the issues which the education community has been grappling with through its adoption of SAML.

Kim finished by warning people ‘not to be the only person out there with a fax machine’. Given the focus on SAML at the conference, the adoption of the standard seems a sensible way of not being that person.

Overall, it seems as if the commercial world is in agreement with the education sector on its approaches to access and identity management, and in fact the education sector seems to be ahead in many respects in the route it has chosen. The hot topic of the conference was ‘identity in the cloud’ – my immediate reaction to this is that a fully distributed federated identity system does much of this already. We are in the right place.

(Oh, and in case you’re interested, my slides on the Tao of Attributes are here, with much thanks to Ken Klingenstein for all the input!).

I’ve come to realise that we are very keen on Services in the education sector, particularly within the UK. By this I mean capital S Services, big monolithic ‘things’ with the sense of tangibility: websites, service levels, staff, physical homes, known server locations – that sort of thing.

I think this is why there is so much focus in the work I currently do on the UK federation itself, rather than the thing that we are actually trying to implement – the SAML standard. OK, I know, standards are dull and boring things for techies and Services are things that real people use. I just wonder how this focus will bear out in the long-term vision of where we are going with access and identity management in a world of web2 and cloud computing?

I’ve always seen the federation structure as a practical delivery model that will change over time. As seen in the slide below and in presentations I have recently given on assurance – federations are a means to an end. They are a convenient, pragmatic, usable way of embedding the SAML standard within the UK education community.

It is important that we don’t get too obsessed with the construct of the federation and remember that it is the standard that is the important thing. I think it is very likely that the structure and central role of the federation will significantly change over the years as metadata aggregation takes on a more distributed model as I have previously discussed. Federated access management has the potential to offer a lot as a distributed service model within the cloud – which is why I disagree somewhat with some of the developments of federations in Europe that are placing a lot of functionality within the federation itself.

Focusing on the standard rather than technologies and applications helps remind us of what has been achieved in the federated access management space – a significant number of countries all converging on SAML. This means that whatever service structures we put in place to help support adoption of the standard in our countries, we should always have the potential to talk to each other. This is a huge achievement, and one that I think goes a little unrecognised in the nitpicking about service delivery. It also means that we have the flexibility to move forward and adapt – SAML allows you to work with new technologies such as OpenID and InfoCard implementations, but also with new platforms such as Google Wave. Standards are the key to moving forward, and that is why we have moved our community towards its adoption, whatever the technological implementation.

This is why I was pleased to see the official announcement of the Kantara Initiative yesterday. Kantara aims to be a global talking shop for all things access and identity management – but based around open source, open standards and open participation. The announcement states that:

“A commitment to open standards means the Kantara Initiative Community will collaborate on projects that make use of all of the identity frameworks, protocols and specifications in the marketplace today. This means solutions could be built based on one or a combination of several IAF, ID-WSF, IGF, Information Card, OAuth, OpenID, SAML 2.0, WS-*, XACML and XDI standards.”

I think that is exactly the right attitude to have, and would encourage you to go and look at the Kantara website. You can also follow ‘Kantarainitiative’ on Flickr, SlideShare and YouTube, and KantaraNews on Twitter.

I’m not going to comment on the rights and wrongs of the election but this does seem almost a test of the power of web 2.0 vs traditional state apparatus. The BBC, now with reporting restrictions, have started providing links to all sorts of citizen journalism. Very useful, but the only problem is that if I see John Simpson (an accredited BBC journalist) doing a report, there is a degree of assurance as to his identity (I say degree because even the New York Times hasn’t been immune from made-up reports). Some of the stuff I’ve seen on YouTube is authentic but then some I have my doubts about. Even if I have an assurance about the origin (i.e. student at Tehran ac uk or the equivalent) it probably wouldn’t help me in this case, as my understanding of Iranian affairs is too poor to make a qualitative assessment of that info. But imagine it was transposed here… video footage or a tweet of an incident… would it help to know it was from a UK Media student? UK Academic? Academic in a Politics faculty?

Those of you deeply embroiled in the finer details of federation constructions (no, it’s not just me!) cannot have avoided being in a conversation recently about the need to separate the role of Federations as registrars of metadata and the role of metadata aggregation and distribution.

Simply put, Federations add useful assurance and trust qualities to metadata through registration processes. This is particularly important at the moment in the UK federation, which has been focusing in on commercial content provision via the federated model. However, there are use cases where the geo-centric nature of Federations is not helpful.

We looked at such a case within the REFEDS meeting on Sunday at #tnc2009. All those involved in the REFEDS group need to be able to use federated access to use the REFEDS wiki space and the Kantara wiki space (Kantara is the new Liberty Alliance, watch that space!). It does not make any sense for organisations like Kantara and TERENA to attempt to join all of the Federations involved in REFEDS – even the most lightweight agreements still involve a contract signature process that is difficult to obtain in such organisations.

The solution? A metadata aggregation of all of the entities involved in REFEDS. In this sense, we are talking about a real virtual organisation in operation. John Paschoud rightly queried me on how trust will be maintained within such an arrangement without a Federation. There are various ways of adding trust and assurance to this aggregation. Firstly, the metadata aggregator will come from within the REFEDS group and will only aggregate the metadata of members of the group. In this sense, the virtual organisation itself provides the trust assurances through its operation.

The more interesting point is controlling the way in which Service Providers use the aggregated metadata. Well, in the case of TERENA and Kantara I think we can have a reasonable amount of trust through the status and position of the organisations themselves. For other service providers, the simple approach is to provide ‘terms of use’ for the metadata – akin to an open source software license. Leif has described this approach on several occasions, and it seems very likely now that this will be taken forward. It is the driver behind the new focus of eduGAIN.

The long term impact of this approach will be interesting. In the short-term, I think it will only be used for lightweight applications (such as blogs and wikis) in virtual organisations – in short, the role of the geographically organised federation will not be impacted. In the longer-term, this could put an end to the need for Service Providers to join Federations. Service Provider use of the metadata will be controlled by the metadata ‘terms of use’, negating the need for the providers to join up to membership – they can consume the metadata as long as they follow the terms. It could also affect the concerns that some people have regarding the need for Federations to have strict legal liability cover – I feel that this concern has hindered the progress of interfederation agreements, and of course such a focus will always make Federations more static…and more expensive!

This is a fundamental change to the way that federations might operate in the future. I’ve tried to capture some of this thinking in a presentation…more to follow!
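The aggregation model described above (a membership-scoped aggregate of member entities, published under ‘terms of use’ rather than a federation contract) can be sketched in code. The following is an added example, not code from the blog, REFEDS or eduGAIN. It assumes a hardcoded member roster, two constructed sample metadata feeds, a placeholder terms-of-use URL, and it expresses the usage policy with the mdrpi extension (the later OASIS SAML V2.0 Metadata Extensions for Registration and Publication Information), which is the standard way to carry a publisher’s usage policy in metadata. Signature verification of the upstream feeds and signing of the output, which a production aggregator needs, are deliberately left out.

```python
"""Added example: build a membership-scoped SAML metadata aggregate with a usage policy.

Assumptions (not from the original post): the member roster, the sample feeds and the
terms-of-use URL are all constructed placeholders; the mdrpi extension is the later
OASIS standard for publication/usage-policy information in SAML metadata.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDRPI = "urn:oasis:names:tc:SAML:metadata:rpi"  # Registration and Publication Information extension
XML_NS = "http://www.w3.org/XML/1998/namespace"
ET.register_namespace("md", MD)
ET.register_namespace("mdrpi", MDRPI)
NS = {"md": MD, "mdrpi": MDRPI}


def entity_descriptor(entity_id: str) -> str:
    """Constructed minimal EntityDescriptor standing in for real registered metadata."""
    return (f'<md:EntityDescriptor entityID="{entity_id}">'
            '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
            '</md:EntityDescriptor>')


# Constructed sample feeds: what the aggregator would fetch from two member federations.
# One member (idp.alpha) is registered in both federations, and each feed also carries
# entities that are not part of the virtual organisation.
FEEDS = [
    f'<md:EntitiesDescriptor xmlns:md="{MD}" Name="fed-a">'
    + entity_descriptor("https://idp.alpha.example/idp")
    + entity_descriptor("https://idp.outsider.example/idp")
    + "</md:EntitiesDescriptor>",
    f'<md:EntitiesDescriptor xmlns:md="{MD}" Name="fed-b">'
    + entity_descriptor("https://idp.alpha.example/idp")
    + entity_descriptor("https://idp.beta.example/idp")
    + entity_descriptor("https://sp.wiki.example/shibboleth")
    + "</md:EntitiesDescriptor>",
]

# Hypothetical membership roster of the virtual organisation (not a real REFEDS list).
MEMBERS = {
    "https://idp.alpha.example/idp",
    "https://idp.beta.example/idp",
    "https://sp.wiki.example/shibboleth",
}


def aggregate(feeds, members, publisher, usage_policy_url):
    """Return an md:EntitiesDescriptor holding only member entities, each at most once,
    with an mdrpi:PublicationInfo/UsagePolicy carrying the terms of use for consumers.

    A production aggregator must first verify the XML signature of each upstream feed
    and sign the result; that needs an XML-DSig library and is omitted here.
    """
    root = ET.Element(f"{{{MD}}}EntitiesDescriptor", {"Name": publisher})
    ext = ET.SubElement(root, f"{{{MD}}}Extensions")
    pub = ET.SubElement(ext, f"{{{MDRPI}}}PublicationInfo", {"publisher": publisher})
    policy = ET.SubElement(pub, f"{{{MDRPI}}}UsagePolicy", {f"{{{XML_NS}}}lang": "en"})
    policy.text = usage_policy_url

    seen = set()
    for feed in feeds:
        for ed in ET.fromstring(feed).findall("md:EntityDescriptor", NS):
            entity_id = ed.get("entityID")
            if entity_id not in members or entity_id in seen:
                continue  # not a member of the VO, or already taken from an earlier feed
            seen.add(entity_id)
            root.append(ed)
    return root


def entity_ids(aggregate_root):
    """entityIDs in the aggregate, in the order they were accepted."""
    return [ed.get("entityID") for ed in aggregate_root.findall("md:EntityDescriptor", NS)]


def usage_policy(aggregate_root):
    """The terms-of-use URL published with the aggregate, or None if absent."""
    node = aggregate_root.find("md:Extensions/mdrpi:PublicationInfo/mdrpi:UsagePolicy", NS)
    return None if node is None else node.text


if __name__ == "__main__":
    agg = aggregate(FEEDS, MEMBERS, "refeds-vo-example",
                    "https://example.org/metadata-terms-of-use")
    print(ET.tostring(agg, encoding="unicode"))
```

Run as a script it prints the aggregate: three member entities, the outsider dropped, the doubly-registered IdP included once, and the usage policy URL in the Extensions block. A consuming service provider is expected to honour that policy rather than sign a membership agreement, which is the point of the approach.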

Plenary session starts at TNC2009 with a focus on the importance of communities of practice within science infrastructures. This echoes back to the discussions we had in the REFEDS meeting yesterday on the importance of allowing communities to define their identity assurance profiles – I’ve been arguing for some time that this is not something that federations should be in the business of creating as they do not represent a community of practice.

After the usual dry Geant3 stuff, we get on to the session that might explain why I am currently holding 3D glasses in my hands. Jorge Cortell from Kanteron Systems is here to talk about augmented reality – specifically in healthcare. Augmented Reality is being used in the operating room to project very specific scans onto the patient’s body. This means that a doctor knows exactly where they need to operate – saving important time when, for example, removing a difficult-to-locate tumour. Anchoring points are used to ensure the image is located in the correct location on the patient’s body. This is patient specific – we all have specific anatomical abnormalities. The benefits are less pain, less medication, lower risk, and lower costs.

The day seemed to start well, when we discovered that all the local bus stops in Malaga were advertising the TERENA conference – a marvellous piece of comms work!

[Image: terena-bus]

Things started to go less well when we realised there was a local bicycle race on that meant our bus was redirected – and we didn’t know where! In the end, flagging down a local taxi was the only option.

The return back to the hotel was slightly more successful, particularly when it was revealed that eduroam was available on the bus!

[Image: eduroam-bus]

A lesson for us in the UK – we are struggling to get eduroam live in the JISC London Office…maybe we can hire Malaga Bus Authorities to do the job for us?

There has been talk on a few discussion boards about websites giving login details for some University libraries (home and abroad), to provide non-entitled users (if they are illegal – do you still call them users?) access to e-resources. I’m, for obvious reasons, not going to post a link here but the pattern seems to be logins providing access to a proxy server of an institution and, through that, any e-resources accessed and authenticated via the proxy route.

Dangers such as this are a reason why, when talking about access management we don’t recommend a proxy solution as necessarily being robust enough for all libraries.

Of course there are a number of things happening here, and obviously enhancing both Authentication and Authorisation with the help of what is arguably the most robust form of federated access (Shibboleth) is a way to mitigate risk. But it is also clear that there is a human element at work here as well: individuals are most probably giving away access details and, if you follow the LSE FLAME study, it’s not taking a Jack Bauer style interrogation to get them, but the promise of a Mars bar may well be doing the trick.

It may well not be bribery at all, and the key here is to have education of users, to not share information, and to have systems in place that encourage them not to share that same information (i.e. having identities that the individual values).

A number of the sites also seem to have a significant chinese language presence (with a small C) so there could be some cultural factors at play – are the university identities that we do give students equally valued across national boundaries and nationalities? Perhaps, but it might be interesting to see some work disproving that argument on any kind of FLAME follow-up.

A final thought on security: in movies, when the hero is trying to break into a computer system there is always “a back door”. If there is one, the trick is not leaving it open – and from some of the sites I’ve looked at (not necessarily UK) with pages detailing an instructions policy such as “your username is your staff number and your password is your surname”, that door is well and truly off its hinges.

Fan or not, you have to agree that Apple’s position and marketing of its ‘i’ products has been a huge success and has spawned many copy-cat ideas. In a world where everyone was defining product through delivery mechanism (e-content, e-books, e-resources, e-paper) Apple put the individual first. itunes is after all my tunes…and this has continued with the high levels of personalisation available on the i-phone.

I think JISC has a lesson to learn here. We are very good at worrying about the platform and the medium, but the ‘i’ is often missing. As has been noted, I was disappointed by the lack of attention to identity issues in the recent Web 2.0 report, and also by the lack of questions on users and identity in the libraries of the future campaign, which became somewhat embroiled in the Open Access debate. I’m also disappointed that identity issues aren’t on the agenda at the upcoming Digital Content Conference.

I think this is also true in the areas of JISC that are looking at ‘e-content’ or ‘digital content’. We do lots of great stuff with content in JISC – JISC Collections provides huge savings to the community through its negotiations, the digitisation programmes are making lots of content available online that we might not see otherwise surfaced and the OER programme is looking at alternatives to traditional teaching and learning resources. However, most of these programmes are still taking a very conservative approach to resources – these are things where IPR is understood and resolutely managed (if often badly), where licenses can be sought and expressed, where reuse policies are made and enforced and where formal review processes can be applied.

But what about the real user-generated content? What about the i-content? This is not something that can be easily wrapped up into a ‘learning object’ to be stored and managed in something like Jorum, but it does have a very real place to play in the world of teaching and learning. One of the really impressive things about the recent Open Habitat report is the extent to which they have integrated student-developed content into the curriculum.

Most of the i-content I develop on a daily basis does not conform to any of the traditional methods of content management and preservation. Although some people do have Creative Commons style licenses on their blogs, most people I know expect that by putting the content ‘out there’ – on blogs, on twitter, through comments and contributions to fora – that it will be reused and repurposed in a way that could not be managed by any licensing approach. For most people working in this way, I think it simply wouldn’t matter.

i-content is both ephemeral (my tweets disappear after a month) and non-ephemeral (lots of people have probably recorded my tweets in many different ways). It is up-to-date and immediate and out-of-date (such as this description of a presentation I gave in 2004). It is formal (this is a JISC blog) and informal (this is just my thought flow, not an article). When taking all of those issues into consideration, how can we best capture, preserve and use i-content to support teaching, learning and research?

i-content is being used as part of the learning and teaching process. Many scientists and lecturers currently write blogs and are ‘peer-reviewed’ on these blogs by the comments left by others working in the same field. Others are contributing their thoughts to ensure that Wikipedia definitions are up-to-date and accurate. A lot of collaborative research is happening on random collaboration platforms both supported by institutions and openly available on the Internet. If we are only capturing a single output from all of this work in the form of the published article, it seems to me we are doing something wrong. Perhaps it is time to stop worrying about whether Open Access will take off, and start worrying about preserving and using the i-content of all of the authors and researchers we respect within the community. If we can truly make these offerings useful and relevant in the educational sector, and can appreciate the power of peer-review through comments and reputation services…maybe the reliance on the published article will diminish…and maybe the academic libraries will be able to cancel those must-have ‘big deal’ journal packages after all.

We are starting to see the first signs of federated access being used as a core decision point in business planning. In this uncertain market, publishers and institutions are having to make decisions about the best possible way to maximise their markets and maximise their spending power.

We’ve recently been helping institutions review their resource lists against federation compliant publishers, and several have mentioned that they are willing to cancel subscriptions to non-compliant publishers. Regrettably, this is often the smaller publishers who perhaps have not had the chance to be able to fully exploit the new technology. I know it is difficult for librarians to even consider cancelling subscriptions to the larger publishers…but there are two major publishers whose names may start with W and I and a major aggregator whose name may also start with I who are still dragging their feet about meeting the customer requirement for federated access. It would be interesting to see what their reaction might be if faced with cancellations because of lack of compliance.

On the aggregator front, we are starting to see signs of the smaller publishers moving away from aggregators because of non-compliance with federated access. I think this is a sensible reaction – don’t let your platform provider dictate your requirements in a market where you might lose custom based on slow uptake of technologies.

Federated access is definitely the new black and a must-have in your technical wardrobe if you want to be taken seriously at the scholarly publishing party.
