Institutions of higher learning impose unique challenges for chief information officers. On the one hand, resources must be open to embrace academic freedom and interactive learning environments. At the same time, openness makes universities targets for cyber break-ins and other unauthorized activities.
The most important IT issue affecting colleges and universities over the next two to three years is “network and data” security, according to the 2005 Campus Computing Survey. Slightly more than half (50.7 percent) of the schools participating in the survey experienced hacks or attacks on their campus networks in the past academic year; 41.2 percent suffered major spyware infestations; 35.2 percent experienced major viruses; and 19.6 percent reported security incidents involving identity management.
“The data confirm that network and data security are major concerns for campus IT officials across all sectors of American higher education,” says Kenneth C. Green, founding director of The Campus Computing Project, which conducts the annual Campus Computing Survey. “The 2005 data also document a major shift in campus IT priorities from instructional integration to security and enterprise resource planning (ERP)/infrastructure issues.”
A holistic approach
With data and physical security a priority, schools are seeking more holistic approaches to campus identity and access management (IAM). Howard University in Washington, D.C., deployed such an approach, integrating a package of security-management solutions that includes the latest identity and access-management systems, as well as physical control and monitoring technologies.
According to a Datamonitor survey of 53 organizations, substantial cost savings result not only from the protection of resources and data, but also from such factors as reduced time spent on sign-on procedures, better management of Public Key Infrastructure (PKI) certificates, consolidation of access privileges onto multifunctional smart cards, easier card provisioning and reduced numbers of password-related queries made to IT departments.
This same logic can be applied to universities and colleges, whereby IAM comprises the creation, maintenance and administration of identities, as well as the permissions and policies that determine who gets access to what and under what circumstances. The process of digital-identity management combines authentication, in which users must prove that they are who they say they are, with authorization, in which an individual or group identity is matched with a set of access rights to various systems and files.
Directories play a crucial role in the security architecture of colleges and universities. The problem: there are too many of them.
Such directories contain redundant sets of user IDs and data. And they are managed separately, with different tools and commands. Administrators struggle to maintain consistency between entries and must keep track of user access rights across multiple systems and accounts.
Such synchronization of data among directories is a time-consuming, often manual, job. In addition to wasting many hours on repetitive tasks, IT administrators are hampered in their ability to identify and plug security holes as well as provision and de-provision user access rights in a timely fashion.
As a result, education institutions are increasingly using meta-directories as the basis for campuswide IAM infrastructure. From a manageability standpoint, meta-directory platforms provide the umbrella infrastructure to synchronize and tie together disparate directories and allow IT managers to centrally administer identity and access management throughout all applications and security systems — all from a single console. Meta-directories are vital for storing, maintaining and updating identities and related information. The information they house can be used for reference, user authentication and access control.
Meta-directories help strengthen an academic institution's defenses against security threats. Here's how:
- Centralized management
Administrators can monitor and control user access across all IT systems from a single console. This allows for quick response to potential security breaches.
- Rapid provisioning and de-provisioning
Schools can provide access rights for incoming students, faculty and visitors as soon as they arrive on campus. Schools can remove access rights the moment a user leaves. The meta-directory's dynamic links to all relevant directories and security systems ensure that no resources will be overlooked. This minimizes the likelihood that a departing user will retain — and possibly abuse — access rights to campus systems data.
- Granular, policy-based control
Meta-directory IAM platforms use preset policies to determine who gets access to what on an increasingly granular level. This is crucial to institutions of higher learning. Administrators need to grant access privileges according to the various student, professor and visitor roles.
- Control of both logical and physical resources
More and more campus environments are working toward a “single sign-on” or single-password approach for both logical IT resources and physical facilities. This is done by connecting meta-directories to smart-card systems to control access to residence halls, computer rooms, laboratories, libraries and other restricted campus areas.
Choosing the right meta-directory
For colleges and universities, meta-directories are critical components of effective IAM solutions — providing openness and security to myriad types of users. Here are characteristics to look for when choosing a meta-directory solution:
High performance. As a central clearinghouse for identity information, a meta-directory must respond to multiple, simultaneous queries, authentication requests and user information updates in a timely fashion, even during peak usage.
A scalable, flexible architecture that can be configured to meet specific needs. In addition to campus users, many colleges provide information resources, in a secured fashion, to telecommuting students, alumni, other schools and the public. Furthermore, an organization might have millions of ID entries or a few hundred; a couple of workgroup directories, or one huge global active directory; or a hundred different directory-enabled applications.
High availability and reliability. Given the critical role it plays in an organization's IAM infrastructure, a meta-directory platform should be equipped with business-continuance features such as automatic backup and restore, redundancy, and a centralized console for performance monitoring and troubleshooting.
Standards support enables a meta-directory to communicate with other standards-based systems without the need to write special links or scripts. Most directory-enabled applications, for example, use Lightweight Directory Access Protocol (LDAP), a standard that enables clients to interact with a directory (or directories and a meta-directory to interact), for authentication and profile retrieval.
Proprietary support. Not all systems and applications support LDAP, so a meta-directory needs to support a full range of vendor-specific application programming interfaces (APIs). Windows server-management applications, for example, often use Microsoft's NT Sequential Access Method or Active Directory Services Interface APIs. Even if a directory supports LDAP, proprietary APIs tend to support richer functionality than generic LDAP-enabled applications.
Interoperability. A meta-directory should be able to run on top of all the popular operating systems — Microsoft Windows, Linux and various Unix platforms. This allows IT staffs to deploy the meta-directory on a familiar operating system for which a support structure already exists in the organization.
Modular, yet integrated. A meta-directory platform works best as a suite of integrated, functional modules. Start with a basic platform and add modules as needed. A typical initial deployment would consist of a meta-directory engine, a data store and a hub that ties everything together. Subsequent additions might include automated workflow and additional agents that link to proprietary, directory-enabled applications.
Norlin is the national higher-education business development manager at Siemens Communications Inc., Boca Raton, Fla. Siemens is responsible for the Cornell University project (see sidebar, p. ss45)
LANs with IAM
Home to more than 20,000 students and 10,000 faculty and staff, Cornell University in Ithaca, N.Y., has a network infrastructure that supports wireless laptops, PDAs, tablet PCs and other mobile devices in 45 buildings as well as locations across campus where users assemble. The Cornell wireless LAN is an example of a wireless, location-based authentication coupled with a meta-directory's granular access control.
Wireless LANs are running at more than 75 percent of campuses, according to a recent survey by Gartner Inc. The leading wireless LAN platforms use directories to authenticate users when mobile laptops and devices are connected to an access point.
Wireless LANs should comply with industry standards so they can be integrated with standards-based meta-directory suites, which gives administrators the ability to control access to wireless LAN resources throughout the meta-directory infrastructure.
The solution addresses a security issue that is fairly common for an academic institution: the need to grant user access to certain resources based on where the user is situated at a given time. For example, students in an American history class can be granted access to certain files on a library server, but be blocked from web surfing or using e-mail.