3. • Extension college of Christ Church 1892
• Royal Charter awarded 1926
• 13,000 undergrads; 5,000 postgrads
• 3,000 staff (700 researchers)
• 87 % of research is of International Standing
• Turnover £200M; Research income £30M
4. IT Services - Responsibilities
• Data networks
– 4 x switched Gb Ethernet campus networks
– 2 x 1Gb connections to JANET via TVN MAN
– 5000 room ResNet
• Voice networks
• Infrastructure services
– Infoblox DNS/DHCP
– MS Active Directory
– 2 x 50TB NetApp Filers
• Classroom technology
• Corporate systems
– MS Exchange email (staff)
– MS IIS/CMS webhosting
– Agresso Finance
– Trent HR
– SITS SR
– Blackboard VLE
• Research support
– Infrastructure
– Hardware
– Software
– Help and advice
5. IT Services – Partnerships
• Communications – PTS Consulting
• Networks – Data Integration
• Windows – Microsoft Educational Support Centre
• Virtualisation – VMware
• Disaster Recovery – Sungard
• Offsite backup – Recall
• Student Email – T.B.A.
• Identity Management – Oxford Computing Group
• Access Management – Eduserv
6. IT Services - Culture
• Services more important than IT
• We work for them - ‘Can-do’, ‘Here to Help’
• Good value for money - £270/fte user/yr
• Standards and working practices
– Service desk & workflow - ITIL
– Change management - ITIL
– Project management - PRINCE-lite
– Information security management - BS7799/ISO27002
• Pragmatism – ‘Utility not ideology’
• Risk management – proportionality
9. Identity Management - background
• Mainframes and UNIX minis from 1970s
• Distributed UNIX workstations + NFS filestore - 1988
– TCP/IP, PC-NFS for PCs, CAP etc for Macs
– Yellow Pages/NIS directory services
• Common University Username (= email LHS for students)
• Active Directory synched with NIS from 2001
Example legacy username (attributes encoded in the name): s p u 0 3 c h 3
– s – Science Faculty
– p – Physics Dept
– u – Undergraduate
– 03 – Registration Year
– ch3 – Initials + serial
10. Identity Management - update
• New format usernames for accounts from Oct 2008
– 2 random letters followed by 6 digits
– New format email addresses for students
a.n.other@student.reading.ac.uk
• Microsoft Identity Lifecycle Manager service summer 2009
– ADAM (Active Directory Application Mode) to replace NIS
– Parallel running from launch
• Remote authentication and authorisation
– OpenAthens subscription for 3 years from 1/8/08
– Eduroam for visitors and working away
– Digital Certificates for accessing research computing resources
11. So, is IdM Utopia Builded Here?
[Diagram: ILM provisioning architecture. Only the component labels survive extraction; grouping below follows the speaker's description of sources, ILM metaverse and downstream targets.]
Authoritative sources:
– HR: Midland Trent (SQL) – Employee/Xternal XMA, Trent Users XMA
– Student Record: RISIS (SQL) – Students XMA, Students at Registration File
– Tutors Delimited File
ILM (metaverse) management agents and processing:
– Employee/Xternal Active Directory MA, Student Active Directory MA
– Employee/Xternal ADAM MA, Student ADAM MA
– Actions Logging, Group Populator, Delayed Post Action Processing, SQL Post Processing
Targets:
– Active Directory & Exchange 2003
– ADAM
– NIS Export, Unix Mail
– Home Drive/File Storage (Drive Creation), Message Delivery
– Remedy, Communications, Directory Interface (user-facing)
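The two username formats on slides 9 and 10, and the metaverse join described for slide 11, are easier to see in working code. The following is an added example written for this page, not code from the talk or from the University of Reading's ILM deployment. It assumes: the legacy field layout inferred from the single worked example "spu03ch3" (one letter each for faculty, department and status, two digits for registration year, then initials plus serial); toy code tables holding only the values the slide shows; a shared person_id join key between HR and Student Record extracts; and a "latest source wins" rule for the department attribute. All sample records are constructed.

```python
"""Added example: legacy attribute-encoding usernames vs. opaque new-format
usernames, and a toy ILM-style metaverse that joins HR and Student Record
sources and mints a username once per person.

Field layout, code tables, join key and conflict rule are assumptions for the
example, not the University of Reading's actual specification."""
import re
import secrets
import string
from dataclasses import dataclass, field

# Assumed code tables: the slide only shows s=Science, p=Physics, u=Undergraduate.
FACULTY = {"s": "Science"}
DEPARTMENT = {"p": "Physics"}
STATUS = {"u": "Undergraduate"}

# Assumed legacy layout inferred from "spu03ch3": fac, dept, status, YY, initials+serial.
LEGACY_RE = re.compile(
    r"^(?P<fac>[a-z])(?P<dept>[a-z])(?P<status>[a-z])(?P<year>\d{2})(?P<serial>[a-z]+\d*)$"
)
# New format from Oct 2008: 2 random letters followed by 6 digits.
NEW_RE = re.compile(r"^[a-z]{2}\d{6}$")


def decode_legacy(username):
    """Return the attributes a legacy username leaks, or None if it does not match."""
    m = LEGACY_RE.match(username)
    if not m:
        return None
    return {
        "faculty": FACULTY.get(m["fac"], m["fac"]),
        "department": DEPARTMENT.get(m["dept"], m["dept"]),
        "status": STATUS.get(m["status"], m["status"]),
        "registration_year": m["year"],  # kept as the 2-digit string the scheme used
        "initials_serial": m["serial"],
    }


def new_username(existing, rng=secrets):
    """Mint an opaque new-format username, retrying on collision with existing names."""
    while True:
        name = "".join(rng.choice(string.ascii_lowercase) for _ in range(2)) + \
               "".join(rng.choice(string.digits) for _ in range(6))
        if name not in existing:
            return name


@dataclass
class Person:
    person_id: str          # assumed join key shared by HR and SR extracts
    given: str
    surname: str
    roles: set = field(default_factory=set)
    department: str = ""
    username: str = ""


class Metaverse:
    """Toy ILM-style metaverse: join authoritative sources, mint attributes, export subsets."""

    def __init__(self):
        self.people = {}
        self.usernames = set()

    def import_source(self, role, records):
        for r in records:
            p = self.people.setdefault(
                r["person_id"], Person(r["person_id"], r["given"], r["surname"]))
            p.roles.add(role)
            p.department = r.get("department", p.department)  # assumed: latest source wins
            if not p.username:            # minted once; attribute changes never rename
                p.username = new_username(self.usernames)
                self.usernames.add(p.username)

    def export(self, role):
        """Subset of users with selected attributes for a downstream system."""
        return sorted((p.username, p.given + " " + p.surname, p.department)
                      for p in self.people.values() if role in p.roles)


def demo():
    # Constructed sample records, not real people.
    hr = [{"person_id": "1001", "given": "Ann", "surname": "Other", "department": "Physics"}]
    sr = [{"person_id": "1001", "given": "Ann", "surname": "Other", "department": "Meteorology"},
          {"person_id": "2002", "given": "Bob", "surname": "Smith", "department": "Biology"}]
    mv = Metaverse()
    mv.import_source("staff", hr)
    before = mv.people["1001"].username
    mv.import_source("student", sr)      # Ann is also a student and changes department
    after = mv.people["1001"].username
    return {
        "legacy": decode_legacy("spu03ch3"),
        "username_stable": before == after,
        "student_export": mv.export("student"),
        "all_new_format": all(NEW_RE.match(u) for u in mv.usernames),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the code makes is the one the speaker draws on slide 10: a legacy name such as spu03ch3 is itself a record of faculty, department, status and year, so any of those changing forces a rename across every system that shares the identity, whereas the opaque name survives the department change in the demo unchanged and carries nothing worth decoding.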
12. UCISA Top Concerns 2008
Rank Concern
1 Funding and sustainable resourcing of IT
2= IT strategy and planning
2= Organisational change and process improvement
4 Business systems to support the institution
5 "Environmentally friendly" computing / energy efficiency
6= IT/IS service quality
6= Service availability and resilience
8 Governance of IT
9 E-learning
10= The development of an architected, enterprise-wide IT Infrastructure
10= Data centres
12 Mobile computing, anytime, anywhere computing, home working
13 Identity & access management
13. Transatlantic Top Concerns
Issue                                           EDUCAUSE  UCISA
Security                                        1         >13
Administrative / ERP Information Systems        2         4
Funding IT                                      3         1
Infrastructure                                  4         10
Identity / Access management                    5         13
Disaster recovery / Business Continuity         6         >13
Governance, organisation and leadership         7         8
Change management                               8         2
E-learning / Distributed teaching and learning  9         9
Staffing / HR management / Training             10        -
http://www.ucisa.ac.uk/members/surveys/tc
14. Challenges to IdAM in HEIs
• Porous boundaries and fluid structures
– Open campuses, open libraries, open access
– Open resources – research & T&L outputs
– Re-organisations, mergers, spin-offs, closures
– Nomadic academic careers
• Individual behaviours - PBSK
– Serendipitous discovery ignores boundaries
– Research collaborators identified and trusted by personal
estimation not external validation
– Web2.0 take-up - *FREE* of cost/authority/bureaucracy
– Sharing and trading identities
15. Project FLAME – London School of Economics
• Technical Strand – investigated systems supporting:
– Delegated Authority Management (DAM)
– Attribute Release Policy (ARP)
– Virtual Organisation Management (VOM)
• Social study - large scale studies of typical user
attitudes, exploring:
– the extent to which users (students and staff) value and
manage their personal data
– their understanding of what data is held by service providers
– the extent to which this data is exchanged
16. Project FLAME – Social Study Experiment
• What is your LSE username? 91 %
• What is your LSE library number? 63 %
• What is your Facebook password? 40 %
• What is your LSE logon password? 14 %
• What is your term-time address? 90 %
• What is your date of birth? 73 %
• What is your mobile number? 67 %
• What is your credit card number? 30 %
17. Risk, Identity and Access Management
• Vital to mitigate risks:
– Resource misallocation
– Breaches of contractual obligations
– Breaches of confidentiality, integrity and availability
– Quality assurance failures …
• Mitigation must always be proportional to risk:
– Big risks need strong controls
– Small risks less so …
Else
– Excessive costs
– Inflexible processes
– Missed opportunities …
Good Afternoon. My name is Mike Roch and I am Director of IT Services at the University of Reading. When Andy Powell asked me to speak at this event, he described the intersection of identity management, access management and Research, and where a University IT director fits into that. Reflecting on this, the IMAGE which popped into my mind wasn’t a Venn Diagram, but this: VIDEO
20s – Ok, the university IT Director as a Traffic Cop.
25s – So, how deeply can I mine this metaphor?
30s – Well, my first impression is that for all the arm waving, no-one appears to be taking much notice …
35s – However, if we take a broader view then it’s clearer that something CRUCIAL is going on …
40s – Here we have a complex, potentially chaotic, high entropy environment …
45s – We can’t simply let White Van Man muscle his way through.
50s – Someone has to manage and prioritise for the general good, and reliably identifying and distinguishing who’s who is central to this.
55s – Not that we know who’s who amongst the Twitterati …
Ok, let me describe my context, and then I’ll focus in on the topic at hand. University of Reading is a research intensive, medium sized university. Its 4 campuses are green and luscious; our boundary has a fence, but no barbed wire. CLICK The University’s origins go back more than a century. Its culture and values are traditional and collegial. The 2008 Research Assessment Exercise confirmed that we are an archipelago of research excellence and we also score highly in the National Student Survey and other measures of the Student Experience.
My department has a fairly typical spread of responsibilities. Our electronic infrastructure is of high quality; it’s resilient and highly available.
This range of responsibilities is too broad for us to cover to the appropriate depth with our own people, and so we make extensive use of commercial partnerships.
Services are much more important to me than the IT itself. We work for them – ‘Can-do’, ‘Here to Help’. We represent good value for money – all of us. We don’t just wing it – we adopt common standards and professional working practices: service desk & workflow – ITIL; change management – ITIL; project management – PRINCE-lite; information security management – BS7799/ISO27002. We exercise pragmatism – ‘Utility not ideology’. Risk management informs all our decisions, allowing us to apply proportionality in decision making.
How do we decide ANYTHING? Not by exhaustive analysis, but not by intuition either. We manage risks by assessing their probability and their impact. HIGH and LOW categories give us plenty of granularity; more categories give us more permutations and make decisions harder.
Prevention – Either stop the threat from occurring or prevent it having any impact on the project or business.
Reduce Impact – Take action to control or limit the impact on the project to acceptable levels.
Accept – Tolerate the risk, perhaps because nothing can be done at a reasonable cost to mitigate it, or the likelihood and impact of the risk occurring are at an acceptable level.
Plan – These are actions planned and organised to come into force as and when the risk occurs.
Ok, so that’s IT Services in general. How do we relate to University research? For many years it was Reading’s policy that ITS should provide a standard IT environment for all and that research groups should sort out their own specialised needs. That has changed over the past few years as the eSCIENCE/eRESEARCH agenda emerged and NEW LOCAL NEEDS emerged, for example in BIOINFORMATICS where new potential users were not COMPUTATIONALLY SELF SUFFICIENT in the way that (say) our METEOROLOGISTS and PURE SCIENTISTS always were. We responded by appointing an eScience Development Officer who surveyed and mapped out unmet needs across the University and guided the development of provision. Once again, we have sought out and participated in PARTNERSHIPS in order to allow us to PUNCH ABOVE OUR WEIGHT. Mian Zhu is using GABOR features in facial recognition – 30,240 different Gabor features are compared in pairs to eliminate those which have mutual information; 457 million comparisons take 105 days on a workstation but 20 hours on the Campus Grid.
We’ve had UNIX systems at Reading since the late 70s and in the 1980s Reading was the first UK university to spend its COMPUTER BOARD mainframe grant on a UNIX based distributed computing system, and the TCP/IP/NFS environment has stood us in good stead for 20 years. We never dabbled with Novell; never fell for Appletalk. Nor Token Ring. Nor ATM. CLICK Our UNIX-compliant University-wide Usernames were ingeniously crafted and encoded a great deal of identity information. CLICK This USERNAME FORMAT lasted us 30 years and the PASSWORD FILE and later, the NIS MAP, was our IdM DATABASE.
So, why change? Well, whereas the University in 1978, or 1988, or even 1998 was relatively static, by 2008 it was inescapable that some or all of the attributes encoded in the University Username were likely to change during the user’s identity lifecycle with the University. We – IT Services as IDENTITY PROVIDER – needed to keep up to date values for these attributes, but changing the USERNAME was problematic for the user and for the multitude of systems which shared that Identity. So … new format usernames and a single central system for managing identities, Microsoft Identity Lifecycle Manager – ILM.
Well, if I’m to be the traffic cop, I need a DVLC! Here we have a simplified picture of what is going on. ILM at the centre harvests user information from authoritative sources – the STUDENT RECORD and HUMAN RESOURCES systems – and builds a master table (a METAVERSE) of users and their SIGNIFICANT ATTRIBUTES. ILM can generate its own attributes, eg USERNAMES or HOME DIRECTORIES, which can be passed on to other systems, including back to the SR and HR systems. Subsets of users with selected attributes are then supplied to secondary information systems, such as the LIBRARY MANAGEMENT SYSTEM, ATHENS DA, the Blackboard VLE, MAILERS, etc. Handover for acceptance testing is set for 30th MAY 2009. We are the new REGISTRARS!
So, to what extent is Reading typical of UK university IT departments? Well, my list would be subtly different from that collated from across the membership of the UNIVERSITIES AND COLLEGES INFORMATION SYSTEMS ASSOCIATION recently. IdAM is not a great concern this year – it’s under control at Reading and (APPARENTLY) elsewhere in the UK.
It’s interesting to compare UCISA’s rankings with those of EDUCAUSE. A commentary can be found at the URL given, but a legal requirement in the US to report and publicise incidents in which PRIVACY INFORMATION (SENSITIVE PERSONAL DATA) may have been compromised seems to me to be particularly significant. RISK AVERSION may be the spirit of our age but we never seem to be worrying in advance about the thing that actually hurts us next …
So, to draw things to a conclusion, some personal reflections on where Identity and Access Management fit into universities, and on where that fit chafes … The BIG CHALLENGE is that we work for HIGH ENTROPY ORGANISATIONS and the OLDEST, the STRONGEST, the MOST SUCCESSFUL institutions are often the MOST ANARCHIC. SLIDE BULLETS
So, how valuable, how precious are our electronic identities? I’ll pause to highlight a JISC funded project that has looked into this. John Paschoud of LSE is here today and can tell all about the project, but I’d like to focus on the latter part, the study of user attitudes. The project carried out an experiment, involving hundreds of students, in order to highlight the limits of institutions’ influence over users’ independent actions. RE-ENACTMENT!
They carried out an experiment, involving 327 freshers. In return for answering these questions, they received sweets. These young adults consciously traded identity elements for chocolate. Other surveys asked about actual practice in sharing accounts, access cards, library cards, etc. Busy, sensible but pragmatic researchers collaborate with people they know and trust. They will share accounts across research groups and these may be geographically and organisationally dispersed. They will continue to use the accounts of departees. They will read journals others have subscribed to. So long as they feel that their systems and data are secure, their tolerance for our bureaucracy, our procedures, will be very limited.
So from where I stand, at the intersection of identity management, access management, research and a host of other fast-moving objects, I worry that we may build IdAM solutions which are finer grained, more rigorous, more rigid than the institutions we work for. If this happens, then the tail will WAG THE DOG, we will GET IN THE WAY, we WILL IMPEDE THE TRAFFIC. And IT’S MY JOB to keep the traffic moving. Thank you very much for your attention.