Opinion

The Case for Identity Management

7/20/2006

Fortunately, there are mature and well-defined standards, even cookbooks, for directory services. Yet not all of them fully address higher ed’s unique needs. For example, the international X.500 standard relies on a hierarchy of information access, reflecting the organizational structure of an institution. This creates substantial overhead in colleges and universities, where people frequently enter, leave, and have multiple affiliations. If you pigeonhole people and they change roles, there is a cost associated with updating the directory. To address this problem and others (such as the fact that X.500 is too complex to support on desktop PCs), the Lightweight Directory Access Protocol (LDAP) was developed at the University of Michigan. LDAP is essentially a simple version of X.500 that has been widely and successfully adopted in higher education. (More information on LDAP and other directory technologies is available here.)

Selling IdM

Often, it’s the all-too-common security scares in daily news reports that first call attention to the need for comprehensive IdM systems:

Such scares may feel compelling in the short term, but in the long run the most successful arguments for IdM are based on a value proposition: What’s the real risk and how much will it cost to mitigate? What should be the scope of the IdM system and what is the appropriate level of financial commitment? These questions need to be answered not just by the CIO, but also from the perspective of the chief financial officer (who is concerned with containing the growth of campus expenses), as well as the chief academic officer (who is concerned about diverting scarce resources from instruction and research).

Quantitative Metrics

Complex formulas do not necessarily add up to good IdM decisions. You’ll be better served by a common sense assessment of security risks and their potential costs.

As a physicist by training, I’ve always been attracted to the use of quantitative models and metrics to evaluate and compare IT initiatives. It turns out that I’m not the only one so enamored. The most recent Computer Crime and Security Survey conducted by the Computer Security Institute (CSI) and the Federal Bureau of Investigation found that a significant number of organizations conduct some form of economic evaluation of their security expenditures. (The full text of the survey can be found here.)

The most popular metric is a percent of revenue. For example, the CSI/FBI survey found that 48 percent of responding organizations devoted between 1 and 5 percent of the total IT budget to security. Other common metrics are expenditure per employee or per user. The advantage of these metrics is that they are relatively simple to explain to management; the problem is that averages can be misleading and can mask wild variations in the samples. As someone who has used IT expenditures as a percent of institutional budget as a rationale for increasing the IT budget, I have reluctantly concluded that these simple metrics have limited effectiveness and should be used with caution, if at all.