
Tuesday, 25 October 2011

Identity and Access Management Blogs etc.

I thought: I could put together a quick blog post linking to some of the blogs which I follow, and spend a little time trying to fill gaps in the list. But while doing a little searching I found the Planet Identity blogroll (which I'd not seen before) and 360tek's list of blogs. Nothing I could post would be anything like as comprehensive. There's still scope for a post, though...

Planet Identity aggregates over 170 blogs, with about 30 on 360tek's list (most of which are also on the Planet Identity list). I presume the former is no longer updated (it's on an old Sun server, not moved to Oracle). Blogs tend to be evanescent, and it's no surprise that some of the links in the blogroll are dead, or that others have not been updated in over two years. Many of the corporate bloggers have been amalgamated into a single company blog, which suggests to me some developing maturity in the identity market - these companies are making themselves more "corporate", which unfortunately often makes the blogs less interesting. A few of the blogs listed are inaccessible to me as someone pretty much restricted to English language writing, to my shame. My interests are also pretty much UK centred, and I'm not particularly into the latest marketing release from commercial vendors - mainly because getting identity management right is at least as much about good business processes as it is about technology. I'll just list some of the best of those which seem to be live (and which I didn't already know - or did know, but had just been too lazy to pick up and follow).

Where the blog author (if a single person) is also on twitter, I have listed their twitter ID as well as the blog URL.

Identity Networks: The blog of Ingrid Melve, Federation Manager for Feide - a FAM slant, and well worth reading (one of the blogs I really should have been following already)
Identity Woman: Although recent posts are taken up with the naming policies of Google+ (the spate of discussion over pseudonyms on the network being sparked off because Google would not allow an account in the name of Identity Woman), there is a lot of interesting material on this blog about user-centric identity.
Identity Happens: A great blog which is more technical than most of the others in this list. Not updated all that frequently.
Racingsnake: Robin Wilton's personal blog, focusing mainly on public policy relating to security and IAM. He also blogs at Gartner.
Ian Yip's Security and Identity Thought Stream: Good stuff here, too; Ian Yip is interested in why technical security problems arise in the first place.

I use Akregator to read most of the blogs I follow, and I have a fair number of Identity and Security blogs in there. A lot of security bloggers talk about identity - it has become massively important in IT security now that people have started to realise just how insecure most systems become if identity management is compromised.

eFoundations: Not all IAM, but always interesting blog from Pete Johnston and Andy Powell at Eduserv.
UK Access Management Focus (formerly JISC Access Management Team blog): Essential reading if you want to know what's happening in IAM in UK higher education. Maintained by Nicole Harris, a former LSE colleague of mine.
Kim Cameron's Identity Blog: thoughtful posting about identity (from, unsurprisingly, Kim Cameron), most recently (at the time of writing) about how disintermediation might affect identity.
Light Blue Touchpaper: The blog of the security research group at Cambridge University; they often have something interesting, or even controversial, to say (particularly if you believe in bank security). Posters here include Steven Murdoch.
Talking Identity, from Nishant Kaushik: He works for Identropy, so some content is cross posted from their corporate blog. Sensible and pretty authoritative stuff here (and, indeed, there).
Stephan's Ramblings: Another former colleague, who blogs about security generally.
Schneier on Security: Bruce Schneier, security guru (author of one of the best technical books on cryptography), describes himself as "head curmudgeon at the table". Fascinating comment, and a weekly squid-related post.
Naked Security, the Sophos blog on IT security, has timely posts on most current security stories. Perhaps less identity content than the ones above, but helps to keep up to date.

Not all essential reading comes in blog form, even in 2011, though these web sites also provide feeds.

The security tag at Slashdot: Any Slashdot story tagged as "security" can be seen here, which includes just about any IAM related discussion on the place to go for computer geekery.
Security coverage at The Register: Some may not like the jokey tone of "El Reg" (as it calls itself), but they cover a lot of interesting stories in an idiosyncratic way. The Identity stories have a subject feed here.
Electronic Frontier Foundation: Fighting for rights in the digital world, many of which have some connection to identity.

I follow some other relevant people on twitter:

Robert Garskamp, of IDentity.Next
Christopher Brown, of JISC - eResearch Programme Manager responsible for the Access & Identity Management programme
Rhys Smith, of Cardiff University and JANET, who worked on the Identity Project and the Identity Toolkit with me
John Chapman, also at JANET
RL "Bob" Morgan, University of Washington and Shibboleth (most people involved in Shibboleth seem not to tweet or blog)

I hope this list is useful - but I've probably missed some obvious and interesting blogs...

Saturday, 1 October 2011

Identity and Access Management and the Technology Outlook for UK Tertiary Education 2011-2016 (Part Three)

Recently, the NMC Horizon project published its report, Technology Outlook for UK Tertiary Education 2011-2016: An NMC Horizon Report Regional Analysis, produced in collaboration with CETIS and UKOLN. The last ten years have seen massive changes in the ways in which UK tertiary education institutions handle authentication, identity, and access controls, and I would like to take a look at each of the technologies it mentions and discuss whether their adoption will force or encourage further change.

The report groups technologies into three groups of four, the first group being those which are imminent (time to adoption one year or less), then those which are likely to be adopted in two to three years, and finally those which the contributors to the report expect to be adopted in four to five years. I will devote a single post to each group of four. This is post three of the three; go to post one, post two.

Augmented Reality


This particular technology has no interesting identity component that I can see - it's just going to be the usual issues of data ownership and, possibly, privacy. However, the nature of augmented reality is such that it is likely to lead to all sorts of new applications which may have privacy issues - in particular, those which allow visitors to tag the online information, adding comments or even graffiti to the augmented presence.

Collective Intelligence


In the educational context, the key point (clear in the example project links given in the report, though strangely not actually mentioned in the main text) is curation of the collected information, as learners and researchers have a need for accuracy. This in turn necessitates some form of identity management, otherwise the curation itself will need curating. This should already be well understood, as it is crucial to much open data already available, so there will be no excuse for not managing it sensibly by 2015.

Smart Objects


This is the use of unique identifiers embedded with an object which can be used (for example) to provide a linkage to a point on the Web. The current technologies for doing this are mainly RFID tags and QR codes. The sample uses discussed in the report don't seem to me to be of huge relevance for most forms of tertiary education specifically, though they will be useful for such tasks as keeping track of sample materials in labs, or the location of medical cameras and sensors in patients. Again, there seems to be nothing much new here in terms of identity.

Telepresence


The future of video conferencing is telepresence, which has had some high profile demonstrations; the name suggests the point, which is to make it appear to each participant that the others are present at a shared conference space (which may of course be a purely virtual location). As with smart objects, I have some difficulty thinking of applications for this technology specific to the education sector (surely it isn't going to enhance remote learning all that much?). I also experienced the nightmare which was UK higher education videoconferencing about a decade ago - too little bandwidth even in the dedicated video suite needed made it unusable, less good than Skype video calls are now. And I know how difficult the Open University found it when they first made it a requirement for some of their courses for students to have access to a fairly basic standard of computer equipment. So my feeling is that the date suggested for this is rather optimistic, as institutions will be conservative about the widespread adoption of something which has high bandwidth and processing requirements without extremely clear benefits for students and researchers. Small scale adoption where it's useful to research, possibly - the final use suggested for the technology is for the exploration of locations difficult or impossible for human beings to access. Generally, though, my feeling is that the report is being optimistic over the timescale needed for the hardware and bandwidth requirements to be sufficiently easy to meet.

This is a technology with clear identity elements - the participants in a conference will be identified to be able to take part (in the main), and will be releasing large quantities of information about themselves to the other participants. That said, it seems unlikely that most uses will provide any new or even particularly unusual use cases for IAM.

General Conclusions


Overall, it seems to me that there is little which is likely to provide new challenges for IAM in the adoption of any of these technologies. However, there is ample scope for developers to get the IAM components wrong for components of both the tools needed to deliver the technology and of applications which are built to make use of them for education and research. This is especially important as many of those involved in delivering the applications and tools will not be experts in IAM themselves. We often see elementary errors in security particularly: while I was typing this, I was alerted to a blog post linking to a paper about insecurities in Chrome browser extensions - exactly the kind of problem which a software developer can create through lack of thinking through the implications of what they're doing, or by trying to re-invent the wheel because they don't know that others have done it before them.

The potential problems are compounded because the hardware being used by students and staff is going to be more and more their own rather than under the control of the institution, with all the potential for poor security as self-support becomes the norm. The multiplicity of devices and the fragmentation of the software market that it entails will make it much harder to make fixes; the days when an institution can have a "standard build" on every PC with a single supported web browser which can be updated at need from central servers are numbered. As the report concludes, "The computer is smaller, lighter, and better connected than ever before, without the need for wires or bulky peripherals. In many cases, smart phones and other mobile devices are sufficient for basic computing needs, and only specialized tasks require a keyboard, large monitor, and a mouse. Mobiles are connected to an ecosystem of applications supported by cloud computing technologies that can be downloaded and used instantly, for pennies. As the capabilities and interfaces of small computing devices improve, our ideas about when — or whether — a traditional computer is necessary are changing as well."

It is also possible that some applications built for education using these technologies could present some challenges for IAM. It seems likely that no one will now be able to predict the uses to which these technologies can be put, and I'd suspect that the most interesting uses will be ones that no one has yet invented. There may well be other technologies which will prove more revolutionary in tertiary education in the UK than any of the twelve listed here, but which we don't know about.

A common thread to many of the technologies is linking individuals or information - and sharing is obviously a potential source of privacy issues. Indeed, the tone of the report seems to suggest that within the next few years, privacy will be an outmoded idea; we will all be willing to share just about everything online. Is this true, or even likely? While naive users continue to share everything that occurs to them without caring about or understanding security settings (e.g. on Facebook), there is at least some evidence that many users are now thinking more about what they post and what it might mean for them later on, when read by a prospective employer, for example. The recent "nym wars" (usefully summarised here with discussion relevant to how privacy should be seen in the future) show that many people put a high value on privacy and the possibility of keeping a real world identity secret in particular. To the list of challenges summarised at the end of the report, I would add the investigation of the developing attitudes to privacy and how they should affect implementation and use of the technologies from this report in tertiary education.

Tuesday, 27 September 2011

Identity and Access Management and the Technology Outlook for UK Tertiary Education 2011-2016 (Part Two)


Recently, the NMC Horizon project published its report, Technology Outlook for UK Tertiary Education 2011-2016: An NMC Horizon Report Regional Analysis, produced in collaboration with CETIS and UKOLN. The last ten years have seen massive changes in the ways in which UK tertiary education institutions handle authentication, identity, and access controls, and I would like to take a look at each of the technologies it mentions and discuss whether their adoption will force or encourage further change.


The report groups technologies into three groups of four, the first group being those which are imminent (time to adoption one year or less), then those which are likely to be adopted in two to three years, and finally those which the contributors to the report expect to be adopted in four to five years. I will devote a single post to each group of four. This is post two of the three; go to post one, post three.


Game Based Learning


This is the first of the second set of technologies, due for adoption in two or three years. As far as access is concerned, there are two points to make. First, since in the tertiary education context, games used for learning will presumably be connected to courses, the access policies will basically match those for existing VLE services. Indeed, it is likely that if adoption is widespread, many institutions will wish to embed games in their VLE, if they use one. So there should be existing processes which determine who has access to a game (at several levels: to play, to access scoring and other records, and to manage it), and there should be existing procedures to implement whatever is required for access for those people who should be permitted it - adding identifiers to an access control list from a student information system database, for example.
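The process described above, deriving a game's access list at the three levels (play, scoring records, manage) from a student information system extract, as an added illustration that is not part of the original post or of any real VLE or SIS. The record layout, the role names and the role-to-permission mapping are assumptions; the point it shows beyond the paragraph is that rebuilding the list from the SIS on every synchronisation gives you revocation for free, whereas only ever adding identifiers leaves stale access behind.

```python
"""Derive a learning game's access control list from a student
information system (SIS) extract.  Added example; the Enrolment layout,
role names and ROLE_PERMISSIONS mapping are assumptions, not any
institution's real data model."""
from collections import namedtuple

# One row of an (assumed) SIS extract: who is on which module, in what role
Enrolment = namedtuple("Enrolment", "user module role")

# Assumed mapping from SIS role to the three access levels the post names
ROLE_PERMISSIONS = {
    "student": {"play"},
    "tutor": {"play", "scores"},
    "module_leader": {"play", "scores", "manage"},
}


def build_acl(enrolments, module):
    """Rebuild the ACL for one module's game from scratch.

    Because the list is recomputed from the current extract rather than
    appended to, anyone who has left the module simply disappears from it,
    which is the de-provisioning step that incremental 'add identifier'
    procedures tend to forget."""
    acl = {}
    for e in enrolments:
        if e.module != module:
            continue
        perms = ROLE_PERMISSIONS.get(e.role)
        if perms is None:
            continue  # unknown role: grant nothing rather than guess
        acl.setdefault(e.user, set()).update(perms)
    return acl


def acl_changes(old, new):
    """Permissions revoked and granted between two rebuilds; the thing an
    administrator should review after each SIS synchronisation."""
    revoked = {u: old[u] - new.get(u, set())
               for u in old if old[u] - new.get(u, set())}
    granted = {u: new[u] - old.get(u, set())
               for u in new if new[u] - old.get(u, set())}
    return revoked, granted


def can(acl, user, action):
    """Default deny: a user absent from the ACL may do nothing."""
    return action in acl.get(user, set())


# Constructed extracts: week 1 of term, then week 5 after one student has
# withdrawn, a tutor has been added, and an unmapped 'visitor' role appears.
EXTRACT_WEEK1 = [
    Enrolment("s100", "CS101", "student"),
    Enrolment("s101", "CS101", "student"),
    Enrolment("t200", "CS101", "module_leader"),
    Enrolment("s100", "HI202", "student"),   # other module, ignored for CS101
]
EXTRACT_WEEK5 = [
    Enrolment("s100", "CS101", "student"),
    Enrolment("t200", "CS101", "module_leader"),
    Enrolment("t201", "CS101", "tutor"),
    Enrolment("x999", "CS101", "visitor"),   # no mapping: gets no access
]

if __name__ == "__main__":
    week1 = build_acl(EXTRACT_WEEK1, "CS101")
    week5 = build_acl(EXTRACT_WEEK5, "CS101")
    revoked, granted = acl_changes(week1, week5)
    print("revoked:", revoked)
    print("granted:", granted)
```

The review step matters most where a role changes rather than vanishes: a student who becomes a demonstrator should gain `scores` but not `manage`, and the diff makes such transitions visible instead of silently accumulating rights.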

The second point is that how access controls are enforced will depend on the game environment and its implementation. The links given in the report are not explicit about how their games are implemented, though one of them is clearly using Flash, and another is embedded into social networking and will presumably also use Flash. Other candidates for game development will include HTML5. It seems likely to me that most of these games will be browser and/or app based, and so will have authentication methods which are of these types, which could utilise existing methods such as Web SSO technology for authentication.

As with the technologies in the first part of the report, there will be privacy requirements which will need to be insisted on in the development of games. In many online games, users are interested in league tables for players; will these be shareable? If games have a collaborative element, how will the information sharing required for this work - and how will it affect assessment? What about the sharing of hints and tips - another activity common in gaming communities?

Learning Analytics


Essentially, this describes the analysis of the large quantities of data generated by student activity on the Internet - including activity not necessarily considered to be part of a course, such as social network activity. Stated like this, as it is in the report, it is immediately clear that there are implications for student privacy in this work. Employees already complain about similar activities (on a smaller scale) by their employer, such as the monitoring of Facebook use (one of the issues on the US-based Privacy Rights Clearinghouse Workplace Privacy worksheet, to pick just one example of a discussion of this practice; one particular service offering to do this for employers is discussed on ReadWriteWeb).

There are other issues, too. As one of the links from the report says, "Both data mining and the use of analytics applications introduce a number of legal and ethical considerations, including privacy, security, and ownership". It then goes on to suggest that these concerns will decrease over time, due to the introduction of new tools and "as institutions are forced to cope with greater financial constraints that will make the careful targeting of available resources increasingly important". I am not sure I agree, particularly outside the US - privacy has long been much more important to legislators in Europe. It will be interesting to see how this develops in the UK, and how students over the next few years feel about it. And learning is not the only field in which analytics of this type could be used: how about research assessment in 2016? Or your annual appraisal in 2015?

New Scholarship


This topic is really about the use of non-traditional means of publishing for research (blogging, podcasting, etc.) basically, rather than (or, more usefully, alongside) peer reviewed academic journals. This is really an extension of traditional methods of exchanging ideas within the academic community (but consuming less coffee). It is actually a change which has been going on for quite a while: when I was a graduate student in the early 1990s, worldwide communication by email for special interest groups was just beginning to be embraced by members of the department.

The interest for IAM is not in the authentication side of things; shared access blogs, authenticated comments, and so on are all commonplace. There are two issues that immediately come to mind. Firstly, the question of how controlled such new media are, and how an institution can protect its reputation. The LSE, where I worked until recently, was embroiled in controversy over just this issue earlier in 2011. Of course, universities have been embarrassed by the utterances of their staff for many years; people don't need a blog in order to say controversial things. But it is becoming harder to even keep track of the places where an institution needs to check to find out what those who are affiliated to it are saying in public. After all, a director doesn't want to discover a budding problem only when a tabloid reporter contacts them.

The second issue is one of authenticity. How is it possible to be sure that a blogger is really the person you think he or she is? Linking published journal articles to individuals is hard enough, without having to manage every staff member's personal blog or blogs - hence the ongoing Names project. This is an issue which is only going to become more difficult.

Semantic Applications


This technology is about the intelligent use of material from online sources, usually the open Internet but possibly including protected content, to make connections between items of data automatically, without intervention from human researchers. (This is also, and perhaps better, known as Linked Data.) This may not seem to have any identity component whatsoever, but in fact there are two issues: data provenance (ownership and authenticity), as discussed above, and allowing access for the intelligent applications to closed content. The second of these is a technical issue, and should be readily soluble in the timescale suggested for the adoption of semantic technology, two or three years.

It's fairly clear that many of the promoters of Linked Data are not keen on the use of closed content, but there is no particular reason why (parts of) the data processed need to be accessible to everybody on the Internet; obviously the ability to use it for widespread use will be compromised, but that may well be considered a small price to pay (see also the entry on the topic in the Structured Dynamics Linked Data FAQ).

Thursday, 22 September 2011

Identity and Access Management and the Technology Outlook for UK Tertiary Education 2011-2016 (Part One)

Last week, the NMC Horizon project published its report, Technology Outlook for UK Tertiary Education 2011-2016: An NMC Horizon Report Regional Analysis, produced in collaboration with CETIS and UKOLN. The last ten years have seen massive changes in the ways in which UK tertiary education institutions handle authentication, identity, and access controls, and I would like to take a look at each of the technologies it mentions and discuss whether their adoption will force or encourage further change.

The report groups technologies into three groups of four, the first group being those which are imminent (time to adoption one year or less), then those which are likely to be adopted in two to three years, and finally those which the contributors to the report expect to be adopted in four to five years. I will devote a single post to each group of four. This is post one of the three; go to post two, post three.

Cloud Computing


The report describes this as an almost ubiquitous technology. The main access challenges must therefore have been solved, surely?

However, a quick glance at the project links given in the section to relevant initiatives in the sector shows that access to cloud resources is not as simple as it might be. The Bloomsbury Media Cloud requires an email to request the setting up of an account, and considers access to be sufficiently difficult to have created a video in its user guide section to show how to access content (and the video itself is hard to access, giving me a 404 not found error when I tried it). "Investigating and applying authentication methods" is one of the objectives of the project, but I would suggest that more work is needed. But that is better than the second link, to Oxford's Flexible Services for the Support of Research, which does not exist at all. They really should have employed a more persistent URL: it has moved from a "current research" directory to a "research" directory, here. This is a far less glossy project, more technical in content, as can be seen from the Installation documentation, which describes access control in the following terms:


"Security Groups: users can define groups with access rules indicating what port can be
accessed from which source IP(s). Multiple Virtual Machines (VMs) can then be instantiated and associated to a defined group. In this way, a security group works analogously to a firewall put in front of one or more VM. Crucially, such a 'firewall' is managed directly by the owner of the VM(s)".

Flexible, but a bit of a challenge for those with little knowledge of virtual machine firewall configuration. The final project link is to HEFCE's funding announcement of shared cloud services for higher education institutions.
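To make the quoted security-group model concrete for the VM owner who is left managing it, here is an added example (not code from the Oxford project or from any cloud platform) of how such rules are evaluated and of the check worth running over them. It assumes rules of the form "port reachable from CIDR range", default deny for anything unlisted, and treats exposing an administrative port to `0.0.0.0/0` as the weak setting; the campus address range is a constructed placeholder from the RFC 5737 documentation block.

```python
"""Model of 'security group' rules as described in the quoted installation
notes: each rule opens one port to one source range, several VMs share a
group, and anything not explicitly allowed is dropped.  Added example; the
Rule layout, ADMIN_PORTS and the sample groups are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    port: int      # destination TCP port the rule opens
    source: str    # CIDR range permitted to reach that port


# Ports that a group should not normally open to the whole Internet
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}


def is_allowed(rules, port, src_ip):
    """Default deny: a connection is admitted only if some rule names its
    destination port AND its source address lies inside the rule's range.
    A mismatched address family (IPv6 source, IPv4 rule) never matches."""
    src = ip_address(src_ip)
    return any(r.port == port and src in ip_network(r.source, strict=False)
               for r in rules)


def overly_permissive(rules):
    """Rules that expose an administrative port to every source address
    (a /0 prefix): the mistake an owner with little firewall experience
    is most likely to make, and the first thing to look for in a group."""
    return [r for r in rules
            if r.port in ADMIN_PORTS
            and ip_network(r.source, strict=False).prefixlen == 0]


# Constructed groups: the weak setting, then the corrected one in which
# SSH is reachable only from an (assumed) campus range.
CAMPUS_NET = "192.0.2.0/24"                      # RFC 5737 documentation block
WEAK_GROUP = [Rule(80, "0.0.0.0/0"), Rule(22, "0.0.0.0/0")]
FIXED_GROUP = [Rule(80, "0.0.0.0/0"), Rule(22, CAMPUS_NET)]


def audit(name, rules):
    """Human-readable findings for one group (empty list means clean)."""
    return [f"{name}: port {r.port} ({ADMIN_PORTS[r.port]}) open to {r.source}"
            for r in overly_permissive(rules)]


if __name__ == "__main__":
    for name, group in (("weak", WEAK_GROUP), ("fixed", FIXED_GROUP)):
        for finding in audit(name, group) or [f"{name}: no findings"]:
            print(finding)
        print(name, "ssh from outside:", is_allowed(group, 22, "198.51.100.7"))
```

The evaluation is deliberately per-port and per-range with no implicit "allow all" fallback, which is what makes the quoted comparison to a firewall hold; the audit function is the cheap check an institution can run over every owner-managed group before the VMs behind it are exposed.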

So there is still work to be done, in terms of the user experience mainly. Clearly this aspect is of importance to commercial providers of cloud-based services, such as Google docs, and this is inspiring the frequent occurrence of questions on the relevant user mailing lists about the integration of Shibboleth, as a single sign on product used in many tertiary education contexts, with the authentication regimes imposed by these providers.

Mobiles


Again, mobile technology is being adopted rapidly by many institutions. The main IAM related issue is how to ensure security, and it is something which is quite well understood - but that hasn't prevented implementations of other systems having embarrassing security holes which should have been avoided. With mobiles, the issue is more about making sure that known issues are dealt with rather than extensive research to work out what should be done. An introduction to the issues can be found here (among many other places). Since most of the resources being discussed are web based, issues of integration and single sign on are not likely to be important, as they will have been solved for traditional web clients (e.g. by using a standards based SSO solution).

Open Content


In the past, I promoted the idea that even when repositories have open access, there is still a need for authentication and authorisation, unless the repository really allows anyone to anonymously store any item, with no audit trail: a situation which is not likely to happen in the academic community. Similar remarks also hold for open content. The holders of the content will want to retain at least some control over much of the content being posted. In fact, deposit is likely to be quite restricted, in order to retain a degree of academic respectability and to keep control of intellectual property rights. This is true in the example project links which are given in the report, except for one: P2PU. There, all that is needed to post content, either comments on existing teaching material or a course of your own, is a login. This can be an OpenID identity, or one which is derived from the completion of a registration form.

As is the case with mobile use, there is little new here; developers of open content repositories just need to be sure to apply known security principles correctly to safeguard the holdings that will fill them.

Tablet Computing


Here, the main point is the potential for the use of apps for educational and/or research purposes. This means that the use of apps is the main issue for IAM in this context: how an app (and associated remote data stores if any) handles identity, privacy, security and so on will be the major concern. As with the previous two technologies, it seems that the principal focus for IAM work here will be on developer/deployer education rather than finding something new. Heterogeneity is a potentially more serious issue for tablets than for less advanced mobiles, because apps can take non-standard approaches to IAM and services provided by institutions will need to be flexible in order to cope: but this should not be at the expense of security and privacy.

Overall, there is an excellent discussion (Part One, Part Two) of what Frank Villavicencio calls the "consumerization of IAM" - the consequences for Identity and Access Management of the explosion in the use of different devices and methods for accessing systems. Although it deals with the commercial market, much of what he says is going to be at least as applicable to FHEIs. With all these new devices and methods for accessing services, a user's multiple roles (as student or employee, as a private individual, as a consumer, etc.) become immensely important, whether they want to merge them or keep them separate. As with much of Identity, the issue is the precise way to manage the trade off between privacy and convenience. The main recommendation of the Identropy discussion is that organisations need to embrace this change, rather than trying to bury their heads in the sand; this is something which applies even more to FHEIs if they want to meet the expectations of their students, who will expect them to live in this decade not the last.