WASHINGTON, D.C. — Jenny is a graduate student and a teaching assistant at the University of Wisconsin-Madison. She also collaborates on a research project with the California Institute of Technology, where she ultimately decides to go for her doctorate program. When she changes campuses, she still needs to collaborate on the research project with colleagues on both campuses.
She doesn't fit neatly into one role that gives her access to specific university resources, explained Kevin Morooney, vice president of trust and identity services for Internet2, which operates the nation's largest and fastest research and education network and serves universities, state and regional networks, governments and corporations around the world. On top of that, she needs to analyze research data from two different institutions.
Is it possible to safely identify Jenny, and can these universities trust her enough to give her access to their research data and high-speed network? "People in societies have developed the capability to advance themselves in agriculture, trade and commerce through the building of trust for millennia," Morooney said. The difference now is location. "How would you create trust asynchronously on two different places on the globe with someone you've never met before?" And where can identity fit together with privacy and security protections?
These are the questions that research universities today have to answer. And they're working together in the research and education community of Internet2 to find the answers.
At the Internet2 Global Summit April 23-26, identity played a prominent role, with a keynote on the topic for the first time and a number of sessions focused on it. Beyond the acronyms and technical terms, identity, at its core, is all about establishing trust between people who are working on research projects all over the world.
Across continents, these researchers need to access large volumes of sensitive data quickly as they tackle complex research questions. High-speed networks through Internet2 and others give them the technical capabilities to do this. But they also need a way to know which researchers in which institutions should be able to access the data on these networks.
While cybersecurity and privacy have taken up most of the air time in the IT world, identity is the third leg of the stool that IT initiatives rest on, according to Ian Glazer, a senior director for identity at Salesforce and a recognized expert on the issue.
But identity isn't considered as important as cybersecurity and privacy, which Glazer argued should be treated equally. Also, people who work in the identity field don't have a professional organization to help them learn their trade. And identity systems can be weaponized to hurt others, leaving universities and the people they store data about vulnerable if they don't take important steps to de-weaponize them.
"We're trustees of information about them, and with that and our desire to give great service to them, it means we have to deliver great protection for them," Glazer said.
To get everyone to pay more attention to identity, it's important to show how it's connected to security and privacy. Glazer described it this way: "Identity is the human interface for security." And it's also the operational arm of privacy. By tying identity to security and privacy, higher ed IT leaders can elevate its importance and get buy-in from their universities to invest in better identity practices and processes.
For example, attackers try to trick people by changing the name of the email sender to someone that the recipient trusts. If an email looks like it's coming from the president of a university, the chief financial officer is much more likely to do whatever that email requests, Morooney from Internet2 explained. That may involve sharing private payroll data inadvertently with someone who plans to attack the people connected to the data, affecting both privacy and security.
In his keynote, Glazer laid out a plan to prevent attackers from hurting others through their use of identity systems. While identity systems are neutral, in the wrong hands, they can be used to hurt others instead of protecting them. That's why it's important to put safeguards in place to help prevent these systems from being used as weapons.
Ultimately, the goals of the maturity model Glazer presented are to beat all the attackers, be productive while protecting the institution, achieve greater transparency and promote data provenance, a historical record of where data came from.
Glazer's maturity model for de-weaponizing identity systems so they can be used for good, not harm:
0. Baseline - This is where universities are now with their identity systems.
1. This step allows universities to put some basic administrative guidelines in place for the people who work on identity systems. Over the next six months, Glazer challenged leaders to take some fairly easy steps, including following the General Data Protection Regulation (GDPR) passed by the European Union, requiring two-factor authentication for all system administrators and encrypting data in transit. He also suggested not giving developers or program leads access to production data, along with not allowing insecure data transfers or data staging.
2. Defend against your successors/ourselves - In this stretch 12-month goal, universities will go into defense mode to protect themselves from internal users like top administrators who access the system and people who take over someone else's job. These users can unwittingly give away data and access to attackers who pose as people they trust, so it's important to have protections in place that mitigate these attacks. Universities should prevent rogue and compromised administrator attacks, protect data at rest, and establish boundaries with adjacent services. Also, it's important to selectively encrypt data, use tools to help segregate user duties and provide access control between systems.
3. Defend against bulk attacks - Bulk attacks aim to gather as much data as they can about a specific demographic group. That's why universities need to understand who is accessing what data, implement a two-person approval rule for any data extracts from a system and set up guardrails on what data can be queried.
4. Defend against single-row attackers - This is the hardest attacker to defeat because attackers are targeting a specific individual and have a lot of data on them, Glazer said. That's why it's important not to authenticate users by asking them a knowledge-based question when the answer to that question lies in the data they're trying to access. It's also wise to use machine learning to recognize when someone is running a data query that falls outside of the normal pattern of a particular user so it can be flagged for analysis.
5. Transparent - This step improves visibility into data access by trying to make public at some level who is accessing what data.
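The controls in steps 3 and 4 can be made concrete in code. The following Python module is an added illustration, not code from Glazer, Salesforce or Internet2: it enforces a two-person approval rule on bulk extracts, a guardrail on which fields may be queried, refuses a knowledge-based question whose answer lives in the dataset being accessed, and flags a query whose result size falls far outside a user's own history. The field names, thresholds and sample history are constructed for the example, and a simple z-score stands in for the machine-learning detection the text mentions.

```python
"""Policy checks for data extracts, KBA questions and query anomalies.

Added example illustrating steps 3 and 4 of the maturity model; not code
from Glazer, Salesforce or Internet2. All names, thresholds and sample
values are constructed for the illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class ExtractRequest:
    requester: str
    approvers: tuple   # people who signed off on the extract
    fields: tuple      # columns the extract would return
    row_count: int     # rows the query would return


@dataclass
class ExtractPolicy:
    allowed_fields: frozenset      # guardrail: what may be queried at all
    max_rows_without_review: int   # above this, the two-person rule applies
    approvers_required: int = 2


def check_extract(req: ExtractRequest, policy: ExtractPolicy) -> list:
    """Return the list of policy violations; an empty list means the extract may run."""
    violations = []
    disallowed = sorted(set(req.fields) - policy.allowed_fields)
    if disallowed:
        violations.append(f"fields outside guardrail: {disallowed}")
    if req.row_count > policy.max_rows_without_review:
        # The requester can never count as one of their own approvers.
        distinct = set(req.approvers) - {req.requester}
        if len(distinct) < policy.approvers_required:
            violations.append(
                f"bulk extract of {req.row_count} rows needs "
                f"{policy.approvers_required} distinct approvers, have {len(distinct)}")
    return violations


def kba_question_allowed(answer_field: str, dataset_fields) -> bool:
    """A knowledge-based question is unusable if its answer is stored in the
    very data the user is trying to reach: whoever already holds that data
    can answer it."""
    return answer_field not in set(dataset_fields)


def query_outside_normal(history, current, z_threshold=3.0) -> bool:
    """Flag a query whose result size is far from this user's own history.
    With too little history there is no baseline, so nothing is flagged here
    and the two-person rule above is relied on for bulk pulls."""
    if len(history) < 5:
        return False
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return current != mu
    return abs(current - mu) / sigma > z_threshold


def demo():
    """Run the checks on constructed requests; returns the two violation lists."""
    policy = ExtractPolicy(allowed_fields=frozenset({"student_id", "email", "major"}),
                           max_rows_without_review=1000)
    # Two approvers other than the requester, only permitted fields: passes.
    ok = ExtractRequest("alice", ("bob", "carol"), ("student_id", "major"), 50_000)
    # Requester approving herself plus a field outside the guardrail: two violations.
    bad = ExtractRequest("alice", ("alice", "bob"), ("student_id", "ssn"), 50_000)
    return check_extract(ok, policy), check_extract(bad, policy)


if __name__ == "__main__":
    for result in demo():
        print(result or "extract permitted")
    print(kba_question_allowed("mothers_maiden_name", ("student_id", "mothers_maiden_name")))
    print(query_outside_normal([100, 120, 90, 110, 105, 95], 5000))
```

Rejecting a request does not by itself tell you who tried it; pair these checks with the access logging that step 3 calls for so that refused extracts are recorded as well as permitted ones.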
In conversations with CIOs, Morooney from Internet2 said some of them walked away from the keynote thinking that they could realistically accomplish the first two steps in the maturity model over the next year. Janemarie Duh, identity management systems architect at Lafayette College in Easton, Penn., said the model "will definitely help institutions mature and institute better practices and policies."
Better practices and policies could also come out of a new professional association for identity professionals called IDPro, which Glazer and the Kantara Initiative have been working on for nearly a year. While it's not ready to launch yet, more than 400 people have expressed interest in joining, and those who are interested can keep an eye on what's next via an email chain and Twitter.
As universities ponder this new maturity model and potential professional organization, they're continuing to handle identity as part of a group effort with Internet2. Going back to Jenny's example, the two universities she needs to access data from have established that this fictitious person can be trusted in her multi-faceted role as a student, staff member and researcher with the help of Internet2's InCommon identity management federation, which requires institutions to follow certain policies in order for their people to be trusted. More than 600 universities participate in this federation in the U.S. Last year, InCommon joined eduGAIN, a loosely connected consortium of more than 40 research and education networks worldwide.
What this means for Jenny is that she can do international research projects with peers from the University of Wisconsin-Madison, the California Institute of Technology and the University of Cape Town in South Africa. What this means for the research and education networks is that they have to do everything in a similar way, because a change in one of their networks will affect how the other networks can exchange identity information and data.
As Morooney puts it, "Internationalization and having to be aligned with the world is simultaneously exciting and makes the running of the InCommon trust federation that much more difficult." It's also something that each of these research and education networks has committed to doing so that people like Jenny can participate in important research collaborations worldwide.