“There is always a backdoor”

There has been talk on a few discussion boards about websites giving out login details for some university libraries (home and abroad), to provide non-entitled users (if they are illegal – do you still call them users?) with access to e-resources. I’m, for obvious reasons, not going to post a link here, but the pattern seems to be logins providing access to an institution’s proxy server, and through that to any e-resources accessed and authenticated via the proxy route.

Dangers such as this are one reason why, when talking about access management, we don’t recommend a proxy solution as necessarily being robust enough for all libraries.
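One thing a library running a proxy can do about the pattern above is watch its own proxy logs for a single account being used from several unrelated networks in a short time. The following is an added example, not code from the original post: it runs a simple sliding-window check over constructed EZproxy-style access log lines (the log format, the one-hour window and the threshold of two distinct /24 networks are all assumptions).

```python
# Added example (not from the original post): flag proxy accounts used from
# more than max_nets distinct /24 networks within any one-hour window.
# Log line format, window and threshold are assumptions.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: "alice" logs in from three different networks within an
# hour (two of her addresses share a /24); "bob" only ever uses one network.
SAMPLE_LOG = """\
203.0.113.5 - alice [10/Mar/2010:09:00:01 +0000] "GET /login?url=http://journal.example/ HTTP/1.1" 302
198.51.100.7 - alice [10/Mar/2010:09:12:44 +0000] "GET /login?url=http://journal.example/ HTTP/1.1" 302
192.0.2.33 - alice [10/Mar/2010:09:20:10 +0000] "GET /login?url=http://db.example/ HTTP/1.1" 302
203.0.113.77 - alice [10/Mar/2010:09:45:02 +0000] "GET /login?url=http://db.example/ HTTP/1.1" 302
203.0.113.5 - bob [10/Mar/2010:09:30:00 +0000] "GET /login?url=http://journal.example/ HTTP/1.1" 302
203.0.113.5 - bob [10/Mar/2010:11:30:00 +0000] "GET /login?url=http://journal.example/ HTTP/1.1" 302
"""

def parse_log(text):
    """Yield (user, /24 network, timestamp) for each line matching the assumed format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            net = str(ipaddress.ip_network(f"{m['ip']}/24", strict=False))
            yield m["user"], net, datetime.strptime(m["ts"], TS_FMT)

def shared_accounts(text, window=timedelta(hours=1), max_nets=2):
    """Return {user: set_of_networks} for accounts seen from more than max_nets
    distinct /24 networks inside any window of the given length."""
    by_user = defaultdict(list)
    for user, net, ts in parse_log(text):
        by_user[user].append((ts, net))
    flagged = {}
    for user, events in by_user.items():
        events.sort()  # oldest first, so each event can start a window
        for i, (start, _) in enumerate(events):
            nets = {net for ts, net in events[i:] if ts - start <= window}
            if len(nets) > max_nets:
                flagged[user] = nets
                break
    return flagged

if __name__ == "__main__":
    for user, nets in shared_accounts(SAMPLE_LOG).items():
        print(f"possible shared credential: {user} from {sorted(nets)}")
```

A hit is a prompt to contact the account holder and reset the password, not proof of sharing on its own; campus NAT and mobile networks can also move one genuine user across addresses.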

Of course there are a number of things happening here, and obviously enhancing both authentication and authorisation with the help of what is arguably the most robust form of federated access (Shibboleth) is one way to mitigate the risk. But it is also clear that there is a human element at work: individuals are most probably giving away their access details, and if you follow the LSE FLAME study, it is not taking a Jack Bauer-style interrogation to get them; the promise of a Mars bar may well be doing the trick.

It may well not be bribery at all. The key here is to educate users not to share their login details, and to have systems in place that encourage them not to share them (i.e. identities that the individual actually values).

A number of the sites also seem to have a significant chinese-language presence (with a small c), so there could be some cultural factors at play: are the university identities that we give students equally valued across national boundaries and nationalities? Perhaps, but it might be interesting to see some work testing that argument in any kind of FLAME follow-up.

A final thought on security: in movies, when the hero is trying to break into a computer system, there is always “a back door”. If there is one, the trick is not leaving it open – and on some of the sites I’ve looked at (not necessarily UK ones), with pages giving instructions such as “your username is your staff number and your password is your surname”, that door is well and truly off its hinges.