Single Sign-on

The importance of getting identity management correct!

Hitting the news today (Tuesday 6th November 2012) was a sobering article highlighting just how important it is to get identity management correct!

Over a three year period from March 2007, the Prudential UK managed to mix up two of their customers’ pension accounts and pay substantial funds into the wrong account.  The mistake, which has cost Prudential £50,000 in fines, boiled down to the two customers having the same forename, surname and date of birth.

For the full story check out http://www.bbc.co.uk/news/business-20221648.

5 reasons why you should take Single Sign-on seriously

A recent report by the credit-checking company Experian warned that the average online consumer had 26 separate online logins but just 5 different passwords.

Two thirds of people have accounts they no longer use but have not closed down, leaving them vulnerable, the research found.  Every week we learn about new and major hacks leading to the compromising of our usernames and passwords.

In July 2012 we have already heard about the ‘loss’ of 450,000 Yahoo identities, over 1 Million Android forum IDs, 20% of all Microsoft account credentials – where they had been reused on other websites – and LinkedIn hacked twice in as many months.

It is all too easy to reuse the same ID – typically your email address together with your favourite password – when registering with different websites online.  The problem – and the very real threat – is that it only takes one of these websites to fail in keeping that ID and password safe and suddenly your online information and access across many different websites is in jeopardy.  What’s more, you may not even realise until you go to apply for a credit card, loan, mobile phone, or mortgage and are refused.  Perhaps worse still, the debt collectors come knocking upon your door!  Even if you do discover that a website you use has been compromised, can you really remember all of the websites that you signed up to using the same ID and password so that you can sign in and change your login credentials?

Standards-based Single Sign-on is one killer tool in your defence arsenal!  The following 5 reasons pretty much cover the benefits of using the Single Sign-on technologies OAuth, for your social online world, and Shibboleth, if you are in the classroom.

Popular OAuth Identity Providers include Twitter, Facebook and Google.  For more about the prevailing Shibboleth standard in education, simply search this website.

Now for those 5 reasons:

1) When you connect to a new website, application, or service provider using OAuth or Shibboleth, your username and password are not shared with, or stored in, that provider’s system.  If that provider is hacked, your ID and password stay safe.

2) It is good practice, alongside having a complex password, to change that password often.  In the Shibboleth and OAuth Single Sign-on model, you do this just once, in one place, and the change applies to all of your other online presences.

3) If you suspect that your password has been compromised, as with (2), you change it once and in one place.  No need to try to remember what you’ve signed up for and how to get there!

4) A single username and password for everything leaves space in your memory for other things; like remembering to pick up some milk, or the kids, on your way home from work.  Oh, and less reason to write it down too!

5) There are SO many great online resources out there asking you to sign up.  Can you really trust the honesty and security of them all?  With true Single Sign-on you can register with the peace of mind that they haven’t got hold of your username and password – often they shouldn’t even need to ‘know’ other personal details such as your name.
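To make reasons 1 to 3 concrete, here is an added toy model of the federated Single Sign-on flow (constructed for this page; it is not Shibboleth or OAuth code). A hypothetical Identity Provider keeps the only copy of the password and hands each Service Provider a signed, audience-bound, short-lived assertion; an HMAC over a shared key stands in for the IdP's signing certificate, and the user, site and password values are made up.

```python
import hashlib, hmac, json, secrets, time

def _kdf(password, salt):                      # slow salted hash, IdP-side only
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class IdentityProvider:                        # toy IdP: the only place the password lives
    def __init__(self):
        self.users, self.sp_keys = {}, {}       # user -> (salt, hash); sp_id -> key
    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, _kdf(password, salt))
    def check(self, user, password):
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, _kdf(password, salt))
    def change_password(self, user, old, new):
        if not self.check(user, old):
            raise PermissionError("old password rejected")
        self.register(user, new)                # reason 2/3: one change, one place
    def enrol_sp(self, sp_id):
        self.sp_keys[sp_id] = secrets.token_bytes(32)
        return self.sp_keys[sp_id]              # stands in for the IdP's signing cert
    def login(self, user, password, sp_id, ttl=300):
        if not self.check(user, password):
            raise PermissionError("bad credentials")
        claims = {"sub": user, "aud": sp_id, "exp": time.time() + ttl}
        body = json.dumps(claims, sort_keys=True)
        return body, hmac.new(self.sp_keys[sp_id], body.encode(), "sha256").hexdigest()

class ServiceProvider:                         # toy SP: verifies assertions, stores no password
    def __init__(self, sp_id, idp_key):
        self.sp_id, self.idp_key = sp_id, idp_key
    def consume(self, body, sig):
        expected = hmac.new(self.idp_key, body.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None                         # forged or tampered assertion
        claims = json.loads(body)
        if claims["aud"] != self.sp_id or claims["exp"] < time.time():
            return None                         # meant for another SP, or expired
        return claims["sub"]                    # reason 1: SP learns an identity, not a password

def demo():
    idp = IdentityProvider(); idp.register("alice", "correct horse")   # constructed values
    forum = ServiceProvider("forum", idp.enrol_sp("forum"))
    vle = ServiceProvider("vle", idp.enrol_sp("vle"))
    body, sig = idp.login("alice", "correct horse", "forum")
    out = {"forum": forum.consume(body, sig), "wrong_aud": vle.consume(body, sig),
           "tampered": forum.consume(body.replace("alice", "bob"), sig)}
    idp.change_password("alice", "correct horse", "battery staple")
    out["old_pw"] = idp.check("alice", "correct horse")                # False after the change
    body, sig = idp.login("alice", "battery staple", "vle")
    out["vle_after_change"] = vle.consume(body, sig)                   # SPs needed no update
    return out
```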

So there you have it.  Single Sign-on together with a ‘strong’ and frequently changed password will keep things simpler and more secure for your online adventures.

The Server-less School

With an open standards integration Platform as a Service (iPaaS) available, could we see the dawn of a server-less school?  What’s needed?

– An Identity Management (IdM) service with automated Systems Interoperability Framework (SIF) integration with a school’s Management Information System (MIS);

– A Shibboleth federated Single Sign-on (SSO) Identity Provider (IdP) service;

– A Zone Integration Server (ZIS) service.

The extent of ‘Cloud’ application services compatible with the iPaaS summarised above could negate the need for Local Area Network (LAN) hosted directory, file and application servers?  If we can show that proxy and caching servers are also redundant, then we are well on the way to a server-less school.  What does this mean?  In short, less infrastructure and its related hardware, software and management cost overhead, together with fewer things to go wrong when relying upon Internet access for teaching & learning.  This approach also lends itself to a device-agnostic Bring Your Own Device (BYOD) strategy.  The following image visualises this idea…


Future School

What is Shibboleth and the UK Access Management Federation (UKAMF)?

Shibboleth is an open-source, standards-based software package for web Single Sign-on (SSO). It allows software services and applications to make informed authorisation decisions for individual access to online resources in a privacy-preserving manner.

http://shibboleth.internet2.edu/about.html

In the United Kingdom, the UK Access Management Federation (UKAMF) provides a single solution to accessing online resources and services for education and research using the Shibboleth software.  Identity Providers (IdP) and Service Providers (SP) can register with the UKAMF by following a set of procedures and implementing agreed to policies.

http://www.ukfederation.org.uk/

The best explanation I have found so far about how Shibboleth and the UKAMF works is in the following video…

UK Government seeks a common infrastructure built on open standards

The UK Government’s Cabinet Office has announced a strategy to deliver real financial savings and efficiency gains through the agile implementation of an ICT infrastructure that will enable the reuse and sharing of our ICT assets.

In a move that is believed to reduce the high level of risk associated with large-scale ICT projects, the infrastructure will build upon the successes of smaller projects that have transformed services through the use of common and open standards.  By encouraging and in some cases mandating the use of open standards, joining up all of these pockets of smaller projects to form a supportive, comfortable and long-lasting king-size infrastructure mattress will be simpler.

Some key points to note:

The Government will push ahead with its agenda for data centre, network, software and asset consolidation and the shift towards cloud computing.

The standardised cloud platform will also allow developers, especially SMEs, to generate innovative solutions.

A common infrastructure based on open standards will allow for greater flexibility of policies and services delivered at lower cost and within a shorter timeframe.

The use of common standards can make ICT solutions fully interoperable to allow for reuse, sharing and scalability across organisational boundaries into local delivery chains.

The adoption of compulsory open standards will help government to avoid lengthy vendor lock-in, allowing the transfer of services or suppliers without excessive transition costs, loss of data or significant functionality.

Modern, knowledge-based service delivery underpinned by effective information architecture and open standards will support government to build more transparent, trusted and efficient information exchange processes.

Read more at http://www.cabinetoffice.gov.uk/content/government-ict-strategy

Influence UK Government technology standards now!

UK Government Open Standards Survey

I’m not sure how well publicised this Cabinet Office survey has been..? I stumbled across it whilst searching for something quite different.  The closing date is 20th May 2011 – so complete it today!

http://www.surveymonkey.com/s/UKGovOpenStandards

The results from this survey will be reviewed by the Chief Technology Officers Council and their conclusions will be published on the Cabinet Office website in the Autumn.

Here’s the background…

Government must be better connected to the people it serves and the partners who can work with it – especially small businesses, voluntary and community organisations.  Government ICT must play a fundamental role in making life easier.

One of our first goals is to organise Government data and systems using an agreed set of standards that make our ICT more open, cheaper and better connected.  To do this, we need to know which standards are most important to you.

The survey ends on 20 May 2011.  We’ve included free-text fields in the survey, so you can tell us what we have missed or which alternative standards you believe may be better.  The results from this survey will be reviewed by the Chief Technology Officers Council and their conclusions will be published on the Cabinet Office website in the Autumn.  Bear with us whilst we work through your suggestions and please understand that we’ll have to prioritise our responses.


SIF Association UK 2011 Annual Meeting

Day one of the SIF Association UK 2011 Annual Meeting has come to a close. Highlights were from Warwickshire County Council’s Emma Gelfs on using SIF to facilitate efficiency gains and an improved customer experience with free school meals data. And the South West Grid for Learning’s (SWGfL) Ian White on Merlin and in particular the lessons learnt so far!

I presented an overview of how SIF and Shibboleth are in place to deliver a “pluggable” infrastructure in Norfolk with key outcomes to:

  • Enable choice
  • Make switching simple
  • Improve data accuracy
  • Advance security
  • Leverage efficiency gains
  • Save £money
  • Put the learner at the centre

Some helpful insights for those starting on the SIF path are:

  • Have every Management Information System (MIS) publish all SIF data and let the Zone Integration Server(s) (ZIS) handle what services and applications have access to what data.
  • Try to stick to one Zone per school.
  • Let the application drive and not the SIF Agent.
  • Get your data agreements bottomed out and in place.

How well does SIF fit with this Coalition Government’s priorities?

  • It is tailor-made for localism and local improvements – choice!
  • SIF can reduce burdens such as the school census.
  • Parental choice and engagement are ripe for SIF facilitation.
  • There are great efficiency gains to be had.

I’m excited about day two – particularly an update from the Department of Education’s Chief Information Officer, Tim Wright, discussing SIF in the context of Government strategy…

Virtualising SIF

Well… It’s been a mad few weeks, hence being a bit quiet on the blog!

We’re migrating our SIF, Identity Management and Shibboleth Single Sign-on infrastructure to a ‘virtual data centre’ – a kind of private cloud.  This will give us loads of confidence in terms of scalability, high availability, sustainability and total cost of ownership, as well as alleviating the strain of managing the hardware, OS and networky side of things.

It has meant that there is much interest in what we are doing resulting in case studies, media coverage and a spell for me in front of the camera, lights and action – oh and having make-up applied in front of the team :-S

Still, I’ve learnt a few things…  It doesn’t matter how well you know your subject, ask about it in front of the camera and even a thoroughbred Babel Fish will struggle to translate your ramblings.  And, should I ever acknowledge that the Johnny Depp Pirates of the Caribbean look does have its advantages, then I now have some make-up application training 😉

If the film team are magicians and able to cut and slice the vid into something that is not too career limiting – and if I am able to post it – it will be here at some point.

How much ICT infrastructure does a school really need to manage?

Let’s just start with servers…

A quick tally of the number and types of servers a typical secondary school might have sitting in a dedicated, no doubt air-conditioned, room resulted in this visual…

School Server Infrastructure Today


And a few of the disadvantages of this approach might be:

  • Some poor soul has to keep all of these running and somehow manage to stay an up-to-date expert across a wide-ranging set of server services.
  • Each server is most likely running 24/7/365 at an average of around 200 watts – roughly £2.5k per annum in electricity bills alone, and that’s quite a smelly carbon footprint to boot.

Provider: Scottish Power (Tariff: Premier Plus online, London)
Rate: 11.252 pence per kilowatt-hour
Rate last checked: 10th Sept 2009

And that’s without going into the whole maintenance and replacement, licensing and support costs, nor factoring in stuff like resilience and security…

What if today looked something like this..?

School Infrastructure Today?


A few of the advantages might be:

  • High availability resulting in high teacher confidence in the ‘invisible’ ICT.
  • Much lower total cost of ownership – subscription based access to services that you need and when you need them.
  • Flexible – add new and remove unwanted services with ease.
  • More space – no more dedicated server room.
  • Sweeter smelling carbon footprint.
  • Access from anywhere and at any time 🙂

Yeah right… But how do people login to the network?

They don’t. Ideally they single sign-on (online) into the services that they have privileges to access. Look at how you can link-up your accounts on many of the popular web based apps like Google, Flickr, Twitter, Facebook and so on and on and on… In education terms this would most likely look like using the UK Access Management Federation and Shibboleth for single sign-on.

But the web isn’t advanced enough yet to support all of the teaching, learning and management tools, apps and services that we need!

Sure it is! Just check out my Delicious bookmarks for a sample… Also check out Johannes Ahrenfelt’s blog for even more ideas!

Okay… But how on earth do I keep all of these disparate apps updated with the relevant info about students and staff?

How do you right now? A combination of many different and often bespoke or proprietary methods methinks? The Systems Interoperability Framework (SIF) is a promising option for education services. Get involved!

Yeah but what if our connection to the internet goes down?

Get some resilience. A fail-over connection maybe? Let’s face it, with all of those servers a potential weak point, the chances are that your internet connection is far more reliable than you might think!

What do you really think? Some good debate around this is very welcome 🙂

PS Would we still need a proxy server if, as is likely, most of the web traffic is encrypted across Secure Sockets Layer (SSL) (port 443 / https)?

Novell Identity Management and SIF

Doing some research on industry Identity Management (IdM) solutions, I stumbled upon Novell’s Identity Manager (3.5.1), which has a SIF Agent plug-in.  The following case study may be of interest…

Alvarado Independent School District used Novell Identity Manager to automate user provisioning, and reduced administration time by 45 percent using Novell ZENworks @ http://www.novell.com/success/alvarado.html