EDUCAUSE Review Online

Electronic Identity: The Foundation for the Connected Age


Policy Matters

Ann West (awest@internet2.edu) is Assistant Director for InCommon Assurance and Community, Internet2. Mary Dunker (dunker@vt.edu) is Director of Secure Enterprise Technology Initiatives at Virginia Tech. Christopher W. Holmes (Christopher_Holmes@baylor.edu) is Associate General Counsel at Baylor University.

Individuals in the higher education community, by their very nature, connect to each other and share information and resources. Faculty members connect to and share research with other faculty. Students desire to access institutional computing resources in order to share information with their faculty and other students. Librarians share resource materials with other librarians. This interaction with others and sharing of information presents higher education institutions with a number of responsibilities. Who is authorized to contribute information to be shared? Who is authorized to access such information and for how long? How do the individuals or institutions involved in the sharing transaction know that those who are authorized to engage in the sharing transaction are actually the ones doing so? Further, what methods are available to individuals and institutions to perform these authorizations and authentications in a manner that maximizes the privacy of the individuals involved in the sharing transaction?

In addition to the responsibilities enumerated above, higher education institutions find themselves in an environment in which the definition of who is considered a member of an institution's community is becoming broader (e.g., related entities, alumni). Further, the information and resources expected to be provided by the institution are continuously expanded (e.g., cloud storage, financial aid services). Finally, institutions are often pressured by campus users, vendors, or other entities who want the institution to use—or facilitate the use of—external authentication systems established by the users individually (e.g., OpenID, login with Google or Facebook) when accessing institutional resources.

Trusted Identities

Many higher education institutions are utilizing the InCommon Federation (https://incommon.org/), a federated-identity and trust system operated by Internet2, as a means of addressing these challenges. This trust system establishes an agreement between the Identity Provider (the institution representing the user who is initiating the sharing relationship) and the Relying Party (the institution managing the service and granting access to the information or resource). InCommon participants—institutions representing higher education, government, research, and the commercial sector—agree to a set of standards for ensuring the electronic identities of their constituents, securing the privacy of their information, and performing private and secure online transactions. In the same way that individuals use ATM cards issued by their local banks to conduct transactions in other cities at other banks, a faculty member can use his/her home institution login credentials to access online and protected course content hosted by a vendor or a colleague at another institution. This federated authentication model, with its common set of standards and technologies, eliminates the need for the Relying Party to create and store credentials for each of its users and enables a high degree of collaboration and information sharing among members.

Authorization and Privacy

A service that is enabled for federated authentication may request certain information about the authenticating person. The information or attributes can be personally identifying (e.g., name and address) or may be more opaque (e.g., a student, faculty, or staff affiliation). The service may use these attributes to determine whether or not the person is authorized for a particular type of access. In most cases, minimal information is shared with the service, in order to maximize the privacy of the individual involved in the transaction. In some implementations, the individual attempting to access a service has the option to approve the release of his/her information to the service. This information release is decided on ahead of time and is coded into the software that manages the transaction.
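To make the federated exchange described in the last two sections concrete, here is an added illustration that is not part of the original article and not code from InCommon or any InCommon participant. It models the Identity Provider releasing only the attributes its per-Relying-Party policy allows, signing the assertion, and the Relying Party verifying the signature and audience before deciding authorization from the affiliation attribute. The attribute names are standard eduPerson names (an assumption; the article does not name a schema), the release table and directory record are constructed sample data, the service URLs are placeholders, and an HMAC over a JSON payload stands in for the XML signature a real SAML deployment would use.

```python
import hashlib
import hmac
import json

# Constructed signing key shared by the IdP and RP for this demo. In a real
# federation the RP would instead validate an XML signature against the IdP's
# certificate published in federation metadata.
IDP_SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Constructed per-Relying-Party release policy: each service gets only the
# attributes it needs (assumption: the IdP maintains such a table).
RELEASE_POLICY = {
    "https://courseware.example.edu": ["eduPersonScopedAffiliation"],
    "https://grants.example.gov": ["eduPersonPrincipalName", "displayName", "mail"],
}

# Constructed directory record; the address is never released by either policy.
DIRECTORY = {
    "jdoe": {
        "eduPersonPrincipalName": "jdoe@example.edu",
        "displayName": "Jane Doe",
        "mail": "jdoe@example.edu",
        "eduPersonScopedAffiliation": "faculty@example.edu",
        "homePostalAddress": "123 Campus Drive",
    }
}


def idp_issue_assertion(user_id, relying_party):
    """Identity Provider side: filter attributes by policy, then sign the result."""
    allowed = RELEASE_POLICY.get(relying_party, [])
    record = DIRECTORY[user_id]
    attrs = {name: record[name] for name in allowed if name in record}
    payload = json.dumps({"audience": relying_party, "attributes": attrs}, sort_keys=True)
    signature = hmac.new(IDP_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


def rp_verify(assertion, expected_audience, key=IDP_SIGNING_KEY):
    """Relying Party side: reject tampered assertions or ones meant for another service."""
    expected = hmac.new(key, assertion["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return None  # signature mismatch: payload was altered or key is wrong
    data = json.loads(assertion["payload"])
    if data["audience"] != expected_audience:
        return None  # assertion replayed from a different Relying Party
    return data["attributes"]


def rp_authorize(attrs, allowed_affiliations, scope):
    """Grant access when the scoped affiliation matches an allowed role at the expected scope."""
    if attrs is None:
        return False
    scoped = attrs.get("eduPersonScopedAffiliation", "")
    if "@" not in scoped:
        return False
    affiliation, aff_scope = scoped.rsplit("@", 1)
    return aff_scope == scope and affiliation in allowed_affiliations


def course_access(user_id, service="https://courseware.example.edu"):
    """End-to-end flow for protected course content: only faculty or students at example.edu."""
    assertion = idp_issue_assertion(user_id, service)
    attrs = rp_verify(assertion, service)
    return rp_authorize(attrs, {"faculty", "student"}, "example.edu")


if __name__ == "__main__":
    print("courseware access for jdoe:", course_access("jdoe"))
    print("attributes released to courseware:",
          rp_verify(idp_issue_assertion("jdoe", "https://courseware.example.edu"),
                    "https://courseware.example.edu"))
```

The courseware service never sees the name, mail address, or postal address, which is the minimal-disclosure behaviour the section describes; the grants service receives identifying attributes because its policy entry asks for them. The audience check matters as much as the signature check: an assertion issued for one service must not be accepted by another.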

Identity Assurance

Those Relying Parties, like the U.S. Department of Education's Federal Student Aid services, that are "relying" on another organization to authenticate individuals accessing their service want to be very certain that the people are who they say they are. To ensure this, the federal government specified security requirements for the electronic credentials of individuals who will be accessing online government services. The InCommon Assurance Program (https://www.incommon.org/assurance/) provides such a framework of practices and a related compliance program tailored for higher education and approved by the federal government to access federal agency services. Many institutions are also finding that implementing these practices enhances their internal security and may contribute to their case for due diligence if they have a data breach.

Collaborating in the Cloud

The explosion of cloud services has opened up a broad range of information-sharing offerings at affordable prices, and faculty, staff, and students are already familiar with a wide array of cloud services available to the general public. E-mail, calendaring, and collaborative solutions are being outsourced, allowing educational institutions to devote their IT resources to other on-premise services. But what kinds of identities should be used to access cloud services? How can a faculty member be sure that "John.Doe@Google.com" is the same John Doe who is helping with his/her research project? For some services, formal identity confirmation may not be necessary. But in most cases, it is still important for faculty (or staff) to know which student or employee they are collaborating with. Fortunately, most cloud vendors' authentication solutions can be integrated with the campus Identity Provider, allowing individuals to authenticate using the institution's local credentials. Some cloud vendors are members of InCommon, which further helps to standardize authentication protocols, credential issuance, and identity management.

Identities for Online Learning

Whether hosted locally or in the cloud, online course offerings can provide large financial benefits to an institution by reducing the need to expand physical facilities. More students can enroll in an online course, whereas the same on-premise course might have a waiting list due to constraints of physical space. Courseware implementers have several options for online identities, depending on how important it is to know that the person who enrolled in the course is the same person who is submitting coursework and/or taking exams. For some courses, the institution's credentials are the only ones that will be recognized, with the student agreeing not to share the credentials. Other courses may be designed to accept the credentials of another higher education institution. Some implementations of Massive Open Online Courses (MOOCs) are utilizing keystroke biometrics, photo IDs, and webcams to identify their users. Exams may need to be proctored at testing centers, where identities can be verified in person. Online courses may also be not-for-credit and may accept third-party credentials such as an OpenID supplied by Google, Yahoo, AOL, or MySpace.

Policy Matters

Institutions need to provide guidance to service implementers regarding the types of credentials that should be used to authenticate and authorize users of the service. During the early stages of development or procurement, each proposed service should undergo a risk assessment that includes determining the impact of authentication error (i.e., what happens if the wrong person gains access to the service or its data?). How important is it to know that the people accessing a set of information are who they say they are? Is the audience for the service primarily located elsewhere, and is the service-compromise risk low? If so, Google or Facebook logins may be acceptable to ease adoption. Some institutional information is highly sensitive; careful consideration of how to identify who has access to information will help ensure the security of the information and the privacy of the individuals who are sharing it.

What's in Our (Near) Future?

As we have seen, there is much significance behind the notions of connections and electronic sharing, especially when the collaboration occurs outside and among our institutions and in the cloud. Intrinsic in these ideas is the further interdependence of the organizations that host not only a service but also the individuals who use the service.

Those of us in higher education have long depended on each other for good behavior in technology: think of the physical network that interconnects our campuses. Now we are connecting on another plane: shared service delivery. We feel the tug toward using more valuable, off-campus services—such as those that enable our faculty to use their campus electronic credentials to submit grant proposals to federal agencies. But for trust to happen in a federated identity context, the Relying Party must understand that the Identity Provider has adequate security, and the Identity Provider must be satisfied with the Relying Party's policies and practices regarding the storage and use of the identity data sent during the transaction. This interdependence will ultimately drive identity practice standardization across higher education.

This situation will be felt most acutely in our academic medical centers: the higher education institutions that offer medical-related programs and degrees and that manage, or have a relationship with, a teaching hospital. Under the Patient Protection and Affordable Care Act, health information exchange points are being developed to reduce costs and increase the security and transportability of personal health care records. In keeping with federal requirements, policy governing these exchange points will require physicians to have highly secure, third-party (non-government) online credentials for viewing and updating a person's record. Other staff with less sensitive access will need credentials that are less rigorous. Our institutions could be certified through InCommon to issue these credentials to medical staff, making it easier for staff to go about their work. Alternatively, institutions will have to purchase the credentials from companies such as Symantec or Verizon, putting the burden on the medical researchers and faculty to manage even more electronic credentials.

Higher education is again building a global network, just as we did in the 1980s and 1990s when we worked with partners to develop what eventually became the Internet. This time it's an identity network designed to address challenges relating to electronic identities, but once again, higher education, through InCommon, is leading the way for other sectors.

Ann West

Ann West manages the InCommon Identity Assurance Program and works with the US Research and Education community and its corporate partners on collaborative projects and services.

Previously Ann held a joint appointment with Internet2 and EDUCAUSE beginning in 2001 to lead the outreach and education effort for their shared NSF awards on identity management. Prior to that time, she served as the Director of Distributed Computing Services at Michigan Technological University and was responsible for the institution's Internet and network-related services and enterprise identity management implementation.


Mary B. Dunker

Mary Dunker is Director of Secure Enterprise Technology Initiatives (SETI) at Virginia Tech. She began working at Virginia Tech in 1978, providing operating systems support and leadership until 2003, when she became involved in strategic efforts to secure the university’s information technology infrastructure as director of SETI. Units within SETI have developed and implemented an Enterprise Directory, Public Key Infrastructure, university portal framework and Microsoft Active Directory services. Mary has served as co-chair of the Higher Education Information Security Council's Effective Practices working group and the Information Security Guide Editorial Board. She currently chairs the InCommon Identity Assurance Advisory Committee. Mary is a graduate of Hollins University and has earned the SANS GIAC Security Essentials Certification.


Christopher W. Holmes

Christopher Holmes is Assistant General Counsel for Baylor University, and practices in a variety of areas, with emphases on privacy, security and legal issues relating to the use of information technologies. Before joining the University in 2002, Chris served as General Counsel for Dallas Baptist University; in-house counsel for a technology communications company; and practiced with the law firm of Cowles & Thompson in Dallas, Texas, focusing on civil litigation in the area of professional malpractice. Chris holds a B.A. in Political Science from Baylor University and a J.D. (with honors) from the University of Texas at Austin. He is a member of EDUCAUSE, NACUBO, and the National Association of College and University Attorneys (NACUA). Chris also serves as a member of the InCommon Steering Committee and is a member of InCommon's Assurance Advisory Committee.
