Thursday, 22 September 2011

Identity and Access Management and the Technology Outlook for UK Tertiary Education 2011-2016 (Part One)

Last week, the NMC Horizon project published its report, Technology Outlook for UK Tertiary Education 2011-2016: An NMC Horizon Report Regional Analysis, produced in collaboration with CETIS and UKOLN. The last ten years have seen massive changes in the ways in which UK tertiary education institutions handle authentication, identity, and access controls, and I would like to take a look at each of the technologies it mentions and discuss whether their adoption will force or encourage further change.

The report groups technologies into three groups of four, the first group being those which are imminent (time to adoption one year or less), then those which are likely to be adopted in two to three years, and finally those which the contributors to the report expect to be adopted in four to five years. I will devote a single post to each group of four. This is post one of the three; go to post two, post three.

Cloud Computing


The report describes this as an almost ubiquitous technology. The main access challenges must therefore have been solved, surely?

However, a quick glance at the project links given in the section to relevant initiatives in the sector shows that access to cloud resources is not as simple as it might be. The Bloomsbury Media Cloud requires an email to request the setting up an account, and considers access to be sufficiently difficult to have created a video in its user guide section to show how to access content (and the video itself is hard to access, giving me a 404 not found error when I tried it). "Investigating and applying authentication methods" is one of the objectives of the project, but I would suggest that more work is needed. But that is better than the second link, to Oxford's Flexible Services for the Support of Research which does not exist at all. They really should have employed a more persistent URL: it has moved from a "current research" directory to a "research" directory, here. This is a far less glossy project, more technical in content, as can be seen from the Installation documentation, which describes access control in the following terms:


"Security Groups: users can define groups with access rules indicating what port can be
accessed from which source IP(s). Multiple Virtual Machines (VMs) can then be instantiated and associated to a defined group. In this way, a security group works analogously to a firewall put in front of one or more VM. Crucially, such a 'firewall' is managed directly by the owner of the VM(s)".

Flexible, but a bit of a challenge for those with little knowledge of virtual machine firewall configuration. The final project link is to HEFCE's funding announcement of shared cloud services for higher education institutions.

So there is still work to be done, in terms of the user experience mainly. Clearly this aspect is of importance to commercial providers of cloud-based services, such as Google docs, and this is inspiring the frequent occurrence of questions on the relevant user mailing lists about the integration of Shibboleth, as a single sign on product used in many tertiary education contexts, with the authentication regimes imposed by these providers.

Mobiles


Again, mobile technology is being adopted rapidly by many institutions. The main IAM related issue is how to ensure security, and it is something which is quite well understood - but that hasn't prevented implementations of other systems having embarrassing security holes which should have been avoided. With mobiles, the issue is more about making sure that known issues are dealt with rather than extensive research to work out what should be done. An introduction to the issues can be found here (among many other places). Since most of the resources being discussed are web based, issues of integration and single sign on are not likely to be important, as they will have been solved for traditional web clients (e.g. by using a standards based SSO solution).

Open Content


In the past, I promoted the idea that even when repositories have open access, there is still a need for authentication and authorisation, unless the repository really allows anyone to anonymously store any item, with no audit trail: a situation which is not likely to happen in the academic community. Similar remarks also hold for open content. The holders of the content will want to retain at least some control over the much of the content being posted. In fact, deposit is likely to be quite restricted, in order to retain a degree of academic respectability and to keep control of intellectual property rights. This is true in the example project links which are given in the report, except for one: P2PU. There, all that is needed to post content, either comments on existing teaching material or a course of your own, is a login. This can be an OpenID identity, or one which is derived from the completion of a registration form.

As is the case with mobile use, there is little new here; developers of open content repositories just need to be sure to apply known security principles correctly to safeguard the holdings that will fill them.

Tablet Computing


Here, the main point is the potential for the use of apps for educational and/or research purposes. This means that the use of apps is the main issue for IAM in this context: how an app (and associated remote data stores if any) handles identity, privacy, security and so on will be the major concern. As with the previous two technologies, it seems that the principal focus for IAM work here will be on developer/deployer education rather than finding something new. Heterogeneity is a potentially serious issue for tablets than less advanced mobiles, because apps can take non-standard approaches to IAM and services provided by institutions will need to be flexible in order to cope: but this should not be at the expense of security and privacy.

Overall, there is an excellent discussion (Part One, Part Two) of what Frank Villavicencio calls the "consumerization of IAM" - the consequences for Identity and Access Management of the explosion in the use of different devices and methods for accessing systems. Although it deals with the commercial market, much of what he says is going to be at least as applicable to FHEIs. With all these new devices and methods for accessing services, a user's multiple roles (as student or employee, as a private individual, as a consumer, etc.) become immensely important, whether they want to merge them or keep them separate. As with much of Identity, the issue is the precise way to manage the trade off between privacy and convenience. The main recommendation of the Identropy discussion is that organisations need to embrace this change, rather than trying to bury their heads in the sand; this is something which applies even more to FHEIs if they want to meet the expectations of their students, who will expect them to live in this decade not the last.

No comments:

Post a Comment