Click here to receive your FREE subscription to Campus Technology
Opinion
The Case for Identity Management
7/20/2006
More complex metrics have been proposed. A recent national security publication proposed a “value protection” metric based upon an algebraic formula. Upon closer inspection, however, the methodology is circular. The user is asked to specify a desired “value protection level” based upon a poorly defined and fuzzy explanation of the metric. The formula is then used to generate the cost of meeting the metric. Unfortunately, the resulting investment cost is derived directly from the formula—independently of what it may actually cost to provide the service in the real world. This particular metric can work (sometimes) because senior executives do not always fully understand statistics, what they mean, how they are derived, and what assumptions were made in their preparation. The metric is still balderdash, and if exposed, will undermine the credibility of the IT organization using it.
IdM RESOURCES YOU SHOULD KNOW
- The Internet2 Middleware Initiative promotes standardization and interoperability of software and services that provide identification, authentication, authorization, directories, and security. The site includes links to initiatives by other higher education organizations, such as the Educause eduPerson/eduOrg LDAP Schema, the InQueue Federation, and InCommon.
- Educause sponsors a number of IdM activities, including the Identity Management Working Group and the Campus Architectural Middleware Planning (CAMP) Workshops.
- A number of commercial companies are developing products and capabilities designed to assist higher ed institutions that lack the internal technical resources to implement federated IdM initiatives such as Shibboleth. One example is 9Star Research, which is offering support for Shibboleth through ProtectNetwork.
- The Computer Crime and Security Survey is conducted annually by the Computer Security Institute (CSI), with the participation of the San Francisco Federal Bureau of Investigation’s Computer Intrusion Squad. This survey provides authoritative data about how often crime occurs on computer networks and how expensive these crimes can be. This data may be useful in building a case for IdM initiatives
A Workable Strategy
What I suggest to clients is an honest assessment of the probability and costs associated with various security risks, solid research on the costs to mitigate those risks, and a common-sense decision-making process. The goal should be adequate security—much like Ralph’s Pretty Good Grocery in Garrison Keillor’s Lake Wobegon, where you can get what you need but not necessarily everything you want. Most people routinely make decisions in their everyday lives based upon this common sense process. Years ago, as a rock climber and new father, I took out a large life insurance policy because the risk was high and the cost of mitigating the risk relatively low (at the time, insurance companies didn’t yet include rock climbing on their list of dangerous activities). I didn’t base that decision on a formula or a spreadsheet, but rather on a clear, common-sense measurement of the risks, and the costs associated with mitigating those risks. The same process is key to assessing security risks and their potential costs to your institution.
Recommended Reading
- CT Industry
- CT Solutions
- Cut to the Core
- DAM-ing the Digital Flood
- Get The Word Out
The market’s teeming with products to help you alert your campus community on any number of fronts. Now you just have to pick the right ones and get everyone signed up.
- Thwarting the Copycats
New tools are helping colleges and universities counter burgeoning paper mill sites, pervasive internet content, and persistent student ingenuity.
