Web Magazine for Information Professionals

Don't You Know Who I Am?

John Paschoud looks into identity and access management in the pre-digital and digital age, and describes how the JISC Identity Management Toolkit can help us manage identities better.

Way back in prehistory, when libraries were buildings with books in, identity management was a pretty simple challenge for them. A library was either truly 'public', in which case you did not care who came in (the more people, the more popular you were, which was 'a good thing'). Otherwise, you had to be a member, and the security officer on the door knew your face, or you could show him (it was usually a 'him', then) a card or something to prove you were a member.

For a library to trust you to take some of its books away with you (without hiding them under your coat), you usually did have to be a member, and becoming a member entailed some sort of registration process in which you might have to prove who you were with some official-looking document. The details of each member could be recorded in some sort of register, and a card issued. Effectively taking someone's membership away again, for whatever reason, was a bit more difficult - unless there was an opportunity to wrest the precious library card from them physically!

Admissions Rules

A few years ago now our Projects Team at the London School of Economics (LSE) Library [1] was involved in documenting and analysing the admissions rules of academic libraries in London. This was before our own library agreed to provide full access to 'the general public' (in return for Heritage Lottery grants towards a £20m building project), but I was intrigued to find that our own admissions rules included all sorts of bipartite agreements with institutions such as King's College London (proximity, I guess) and the School of Oriental and African Studies (a lot of common-interest post-colonial subject material in each of our collections).

The most interesting 'right of access' I found in our admissions rules was 'accredited diplomatic staff of a recognised foreign country, attached to an embassy, consulate or diplomatic mission in London'. I never actually observed anyone trying to exercise this particular right (I am excused counter duties at the library because I do not know enough about books), but I was aware that my colleagues who did serve on the Admissions Desk rota were a wonderfully diverse lot, with collectively far more knowledge of international and political affairs than this duty required. I imagined the possible scene of an intending visitor from some small state (in some dispute with the United Nations, perhaps) being rebuffed by one of our Library Assistants because he was not accredited by a recognised foreign country. I am sure all our LAs are much too diplomatic themselves for anything like that to actually happen now; but it did get me thinking.

What we also discovered in the course of the same investigation was the great number of other academic libraries to which I was allowed admission, on the strength of my status as a staff member at LSE. We decided to test this out with a small 'mystery shopper' exercise. Having retrieved a copy of the access rules for South Bank University Library (with, listed somewhere on page 2, the clause allowing LSE staff members reciprocal access) I duly set off on the 171 bus, armed with the plastic card that identified me as such (with the usual un-fetching photo and the magnetic strip that magically opened the turnstile at the LSE Library when I came into the office every morning). There were two serious flaws in this plan. The first was due to the fact that single-sided photocopying was clearly the norm at South Bank, and the otherwise very polite security officer at the Perry Library was only in possession of page 1 of their admissions rules, and so he couldn't see a reason to let me in. I would like to believe that the second flaw was a result of my personal fame in the library world; but it was really because quite a lot of librarians tend to circulate around jobs in London universities, and a former LSE Library colleague was currently managing the counters there, recognised me and told the officer to let me in. The project team decided that I would need some serious disguises before being allowed out to do any more mystery shopping!

Identity Management

Partly as a result of the recognition we helped to generate - that reciprocal library access was a valuable resource for students and researchers, but that administration of such rules was difficult - a number of schemes have been established that make it simpler. One such is SCONUL Access [2], a collaboration between 159 United Kingdom and Ireland university and college libraries. Several mutual schemes are based on geography, such as the M25 Consortium [3], which also provides access to staff and researchers based at non-university member institutions like museums. The InforM25 'Visit a Library' tool [4] helps to identify rights of access and is linked with a facility to cross-search the online catalogues of most member libraries.

However, with the switch to e-resources, which carry more complex licensed access conditions than books, there is still considerable pressure on a library, or the institution of which it is a part, to identify each one of its individual users. If a library needs to do this, and keep records of each identified user (probably with other personal information about the user attached), then it is taking on the responsibilities of Identity Management. Most academic libraries have an 'obvious' membership constituency of the staff and students affiliated with the institution of which they are a part, and for these people their membership of the university or college will normally be handled by their human resources or academic registrar departments. However, many academic libraries, including the Library at LSE (or the British Library of Political & Economic Science, as it is properly named), have formal remits to provide services to (and register members from) many other groups too. Many of the identity management headaches in academic institutions stem from the rights of access of these 'miscellaneous' (i.e. not just staff or students) individuals. Moreover, the Library is an important first point of contact for many of these individuals with our institution and its identity management processes.

JISC Activity

Identity management has been recognised as an important issue by (amongst others) university and college IT directors in Britain via their association UCISA (Universities and Colleges Information Systems Association [5]), which highlighted identity and personal data management as one of the top ten key issues for member organisations. One outcome of this concern was a call for research from the JISC [6] e-infrastructure programme [7] in 2006 which funded two projects: ES-LoA [8] which investigated security levels of assurance, and The Identity Project [9]. The latter conducted a national survey of Further & Higher Education institutions to establish the broad state of play, and highly detailed audits of identity management policies and practices in ten particular institutions that were involved in the project. A strong recommendation from the concluding reports of The Identity Project was that UK academic institutions (even larger universities with relatively large staff establishments to manage IT infrastructure) were in need of tools, guidance and standards on what they needed to do.

The Identity Management Toolkit

The response to this recommendation was a further call in 2008 for the production of an institutional toolkit to provide such comprehensive support. From this, JISC funded a partnership between LSE, University of Bristol, Cardiff University and Kidderminster College (all with considerable previous experience in this field) to put together what was ordered. The project to produce the Identity Management Toolkit [10] has involved UCISA, RUGIT (IT heads of 'Russell Group' universities [11]), ISAF (the UK Information Security Awareness Forum [12]) and other national bodies in governance and oversight, and has 'road-tested' draft materials in live institutional projects to implement identity management systems and practices.

The project used a collaborative process of writing and editing on a wiki (TWiki being the chosen platform), with fine-grained access control (federated access using Shibboleth - naturally!). This allowed the published pages or topics of the Toolkit, with embedded graphics and attached template document files, to sit alongside pre-publication material and other non-public pages used for management of the project and the institutional trials. They could be read or edited as required by members of the project team and the governance board from all partner institutions with little or no administrative overhead, because all partners had well-established identity-provider services registered with the UK Access Management Federation [13]. The wiki platform for the published Toolkit, launched at the 2010 annual conferences of both UCISA [5] and JISC [6], made it very easy for the team to produce a set of highly linked documents for online use, with the option for users to generate a monolithic PDF document comprising all 138 pages of the content - or just PDF documents of any of the main sections or appendices.

Realigning Responsibility within Institutions

In most universities and colleges much of the concern surrounding identity management policy and practice, and the responsibility to improve them, currently rests with the managers and maintainers of the IT network infrastructure. However, the Toolkit advice on formulating and governing organisational policy urges an organisation to shift these responsibilities wherever possible, and as fully as possible, onto the administrative departments that actually own the business processes involved. The situation of an enrolled student or a newly-recruited staff member having to wait days for the activation of their network and email accounts is all too common; and all too commonly blamed on 'the IT service' - when in fact the people (or automated systems) in IT are merely following procedure by refusing to create a network account until they can 'see' a valid personnel or registry record for the user.

In the case of individuals whose principal or main relationship with a university or college is via the library, as one of the 'odd' categories of library user, it should be the library that takes this responsibility for registration and future maintenance of a new identity-managed individual. If this function of the library is forgotten when institutional procedures are reviewed or designed, and the simple assumption is made that 'everyone is a staff member or a student' (and, probably, that nobody has both these roles at the same time), then things are likely to stay messy.

The Identity Management Toolkit includes comprehensive guides on the drafting and review of governance and policies (which have so often evolved over time, but not been written down or clearly owned by an identified individual or committee), the technology, processes and jargon (see Figure 1 below), and the functionalities and standards to look for when assessing the increasing number of 'solutions' from IT vendors (which may cause more problems than they solve, if both supplier and customer do not really understand the existing requirements of the institution properly in the first place). It also contains the methodology and templates compiled by The Identity Project for carrying out a complete institutional audit to discover where, by whom and how identity management (often duplicated or worse) is happening in an institution already; and it covers the 'social factors' of user education on network security with a methodology for measuring this amongst students (or: how much chocolate will buy their personal passwords?).

Figure 1: Core Identity Management components

Wi-fi Access

One facility that visitors to an academic library (or any other sort of library) have come to expect these days is omnipresent wi-fi access. Ignoring for the moment the additional challenges posed by the newly minted Digital Economy Act 2010 [14] - mainly because that deserves extensive discussion of its own - this poses some specific problems for academic libraries that depend on JANET for Internet access, but which admit non-academic visitors. The Toolkit contains a specific section of guidance on what access a library can allow, to what types of visitor, and options for how this can be regulated and managed by an institution.

The Role of the CIO

A minority of UK universities (based on a quick straw-poll I took at a conference of appropriate senior academic IT people recently) have so far established the post of Chief Information Officer (CIO). In an academic institution (and certainly, in the larger number of US academic institutions that have a CIO) this is likely to mean something rather different from the same title in a commercial enterprise of a similar scale. But then, universities and academic libraries are enterprises that deal largely in information. In some, the role of CIO has been built upon that of 'Director of Library and Information Services' or a similar post. The Toolkit (and many of the sources from which the Toolkit has drawn) recommend that primary institutional ownership of the policies that govern identity management should rest clearly with a single senior post, and that this should be the CIO or equivalent. As 'public bodies' (as most academic institutions have declared themselves for the purposes of Freedom of Information), and with news media keen to pounce on stories of personal data losses or misuse, particularly in the public sector, this brings additional pressure to any person in such a role, to 'get identity management right'.

Federated Access for Libraries

Over the past three years, since the establishment of the UK Access Management Federation for Education and Research [13] in November 2006, we have seen major advances in the technical capability of the UK academic community to offer federated access to an increasing variety of online resources. This means that, for example, the manager of a resource held by Columbia University in New York can allow access by students of a particular course based at LSE in London, identifying themselves with the network credentials issued by LSE (this was in fact one of the earliest examples of international and inter-institutional use of the Shibboleth protocol, implemented in January 2005 [15]). Less exotic or newsworthy examples of similar exploitations of the technology of federated access management are likely to be springing up apace, largely undocumented.

Where a current member of one university is admitted as a 'guest' to another academic library, this is on the basis that they are already 'identity-managed' by their home institution (i.e. their 'identity-provider'). But such guest access often requires that the user must undergo a further, redundant process of registration with either the host library or perhaps with the consortium organisation (such as InforM25) that has been established to facilitate the reciprocal arrangement. In effect, the host library is also taking on the burden of identity-managing the same individual. There are additional technical challenges to extending federated access (as it now works in the purely online domain) to the physical barriers that typically protect the physical contents and physical space of a library; and many of the systems that control access to library gates or turnstiles, using magnetic strip or RFID tokens to identify users, are proprietary and not well integrated in standards-compliant ways with other networked resources (if they are networked at all).
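As an added illustration (not code from the article or the Toolkit) of how a host library could admit a visiting federated user on the strength of the affiliation asserted by their home identity provider, rather than re-registering them locally: the attribute format follows eduPersonScopedAffiliation as carried by Shibboleth (e.g. "staff@lse.ac.uk"), while the federation member list, scheme memberships and host rules are constructed sample data.

```python
from dataclasses import dataclass

# Constructed: IdPs the host trusts (a real Shibboleth SP takes this from signed federation metadata).
FEDERATION_IDPS = {"lse.ac.uk", "kcl.ac.uk", "soas.ac.uk", "lsbu.ac.uk"}
# Constructed: which institutions belong to which reciprocal access scheme.
SCHEMES = {
    "SCONUL Access": {"lse.ac.uk", "kcl.ac.uk", "soas.ac.uk", "lsbu.ac.uk"},
    "M25": {"lse.ac.uk", "kcl.ac.uk", "soas.ac.uk"},
}
# Constructed: the host library's own admissions rules, written down in one place.
HOST_RULES = [
    {"scheme": "SCONUL Access", "affiliations": {"staff", "student"}, "grant": "reference"},
    {"scheme": "M25", "affiliations": {"staff"}, "grant": "borrow"},
]
GRANT_RANK = {"none": 0, "reference": 1, "borrow": 2, "member": 3}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    grant: str
    reason: str

def parse_scoped_affiliation(value):
    """Split "staff@lse.ac.uk" into ("staff", "lse.ac.uk"); None if malformed."""
    affiliation, sep, scope = value.strip().lower().partition("@")
    if not sep or not affiliation or not scope or "@" in scope:
        return None
    return affiliation, scope

def admit(host_scope, issuer, scoped_affiliations):
    """Decide what a visitor may do, given the IdP that issued the assertion
    and the eduPersonScopedAffiliation values it carried."""
    if issuer not in FEDERATION_IDPS:
        return Decision(False, "none", "issuer is not a federation identity provider")
    best = Decision(False, "none", "no affiliation matches an admissions rule")
    for value in scoped_affiliations:
        parsed = parse_scoped_affiliation(value)
        if parsed is None:
            continue
        affiliation, scope = parsed
        # Scope filtering: an IdP may only vouch for affiliations in its own scope,
        # so a value such as "staff@lse.ac.uk" issued by any other IdP is ignored.
        if scope != issuer:
            continue
        if scope == host_scope:
            return Decision(True, "member", "home-institution user, not a guest")
        for rule in HOST_RULES:
            members = SCHEMES[rule["scheme"]]
            if host_scope in members and scope in members and affiliation in rule["affiliations"]:
                if GRANT_RANK[rule["grant"]] > GRANT_RANK[best.grant]:
                    best = Decision(True, rule["grant"], f"{affiliation}@{scope} via {rule['scheme']}")
    return best
```

The host never stores a local record of the visitor; the decision is recomputed from the home institution's assertion on each visit, so a revoked home account stops working at the gate as well.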

Conclusion

Physical library spaces and printed resources for learning and research seem set to be with us for some time yet, and so the possibilities for providing access to them on a par with e-resources, and eliminating all that duplicated administration for users and library staff, are attractive. Would it not be better if I could use my LSE staff ID card to pass effortlessly through the turnstiles of King's College Library or University College London (they both have much better collections of books on 'hard' IT subjects) - without a challenge from the security officer and that suppressed desire to exclaim, 'Don't you know who I am?'

References

  1. London School of Economics Library (also known as the British Library of Political & Economic Science) http://library.lse.ac.uk
  2. SCONUL Access http://www.access.sconul.ac.uk/
  3. The M25 Consortium of Academic Libraries http://www.m25lib.ac.uk/
  4. InforM25 'Visit a Library' http://www.inform25.ac.uk/AET/
  5. Universities and Colleges Information Systems Association (UCISA) http://www.ucisa.ac.uk/
  6. JISC http://www.jisc.ac.uk/
  7. JISC e-Infrastructure Programme http://www.jisc.ac.uk/whatwedo/programmes/einfrastructure
  8. e-Infrastructure Security Levels of Assurance (ES-LoA) http://www.jisc.ac.uk/whatwedo/programmes/einfrastructure/esloa
  9. JISC: The Identity Project http://www.jisc.ac.uk/whatwedo/programmes/einfrastructure/identity
  10. The JISC Identity Management Toolkit Project http://www.identity-project.org
  11. The Russell Universities Group of IT Directors (RUGIT) http://www.rugit.ac.uk/
  12. Information Security Awareness Forum (ISAF) http://www.theisaf.org/kzscripts/default.asp
  13. UK Access Management Federation for Education and Research http://www.ukfederation.org.uk/
  14. Digital Economy Act 2010 http://www.opsi.gov.uk/acts/acts2010/ukpga_20100024_en_1
  15. "Institutions collaborate to allow secure access across continents", London School of Economics and Political Science (LSE), News Archive, 2005 http://www2.lse.ac.uk/newsAndMedia/news/archives/2005/Shibboleh_LibraryPR.aspx

Author Details

John Paschoud
Information Systems Engineer
LSE Library

Email: j.paschoud@lse.ac.uk
Web site: http://www.angel.ac.uk