2. The Need for Change
• Regulatory Legislation
• Public Pressure
• New User Communities
• Distributed Non-ERP Services
• Service Management and User Experience
• The Federal E-Authentication Initiative
Today, additional internal and external factors have created new requirements that are forcing broader campus involvement in discussions of authentication-related policies and procedures.
- Regulatory Legislation - In recent years, press coverage of identity theft problems has prompted the U.S. Congress and state legislatures to tighten operating requirements for organizations whose computing systems hold personal information. This growing body of legislation and regulation has created increased audit and compliance requirements for many campuses, particularly in the area of security management; for example, California's SB 1386 requires the reporting of security breaches involving certain personal information. (Refer to the EDUCAUSE Federal Policy page for an overview of existing and pending legislation.) The regulatory landscape has also evolved substantially in the areas of financial management practices and management of health-related data. Because of all these increased compliance requirements, campus technologies and business processes related to identity management, credential distribution, authentication, and management of access control policies are now becoming subjects for auditors, and current processes may not be adequate to meet the new audit criteria.
- Public Pressure - The increasing publicity of incidents where personal information has been stolen from commercial entities, or where these entities have "lost" data, has served to heighten public awareness of the risks posed when databases are used to hold large amounts of personal information. Some of these publicized incidents have occurred on higher-education campuses and have generated significant negative publicity for the institution involved. Often these incidents of unauthorized access are associated with data stored on non-centrally-managed systems on campus, or even on desktop or portable computers. Such incidents are now portrayed in the press as "privacy spills": an incident where personal information that the institution was ostensibly safeguarding was viewed and retained by one or more unauthorized individuals. For many institutions, even if no laws were broken, the negative publicity may be a significant concern, as the institution may be portrayed as insensitive to personal privacy concerns. Check the Identity Theft Resource Center for information on the 2005 Disclosures of U.S. Data Incidents. Education institutions contributed 73 disclosures, or 48% of the total 152 reported incidents. For an excellent discussion of institutional liabilities in this area, see Shakespeare On Cyberliability by Beth Cate, Associate University Counsel for Indiana University.
- New User Communities - Campuses are now routinely providing login credentials to non-traditional groups of users, such as student applicants, alumni, contractors, and friends of the library. Because many of these users are not required to receive their credentials in person, it may not always be clear who is actually receiving and using these credentials or when to revoke them. For many applications (such as accessing an events calendar), weak identification may not be an issue, but there are central and departmental applications (such as donating money or accessing a site with sensitive research data) where this is a significant concern.
- Distributed Non-ERP Services - Over the past several years, the risk level has also been increased by the growth of business departments managing distributed, independent data centers to support applications beyond Enterprise Resource Planning (ERP) systems. These applications have authentication and authorization security requirements ranging from very low to moderately high, and although they don't operate at the enterprise (or campus-wide) level, many of them contain data that require strong safeguards or that interface with enterprise systems. Ensuring a consistent level of assurance across all these applications may become a problem.
- Service Management and User Experience - Similar to the distributed services above, more and more processes and services are being automated or moved to an electronic self-service model, so the end-user interaction is now online twenty-four hours a day instead of face-to-face during office hours. How can we manage access to all these applications separately in a reliable fashion? How can the end user manage all the credentials involved? Scalability, reliability, and the end-user experience are important considerations from strategic, cost-effectiveness, and "customer" service points of view.
- The Federal E-Authentication Initiative - This initiative promises a common infrastructure for electronically authenticating the identity of users of E-Government services offered by a broad range of Federal agencies. This infrastructure links institutions as identity suppliers (termed Credential Service Providers or CSPs) and government agencies as identity consumers (termed Agency Applications or AAs). Applications as diverse as NSF's grant submission tool FastLane and the Department of Education's Free Application for Federal Student Aid (FAFSA) will be available through this infrastructure, thus ensuring that all segments of the institutional community will have a strong motivation to participate in the E-Authentication Initiative. However, before campus users can access these applications, the Federal government will require participating institutions to meet minimum operational, process, and policy requirements. As more applications become supported by this initiative, IT shops will receive more and more pressure to ensure access for their campus communities.
These sample drivers for change are pushing institutions as a whole to re-examine what they are doing with respect to authentication and its related identity management processes.
