This is the first of a two-part series introducing the Identity and Access Management (IAM)project at the University of Illinois. Read part 2, Access Management. More information can be found on the IAM project website.
Authentication
When someone tells you who they are, do you believe them? If it’s a casual introduction, “Hi, my name is Jason,” then probably you do believe them every time. If it’s during a transaction, like checking out a book from the Library, you probably ask for some proof (like showing a library card). If the person is trying to access their bank account online, they are asked for a password.
The process of determining whether someone is who they claim to be is called authentication. There are certain levels of trust associated with authentication, which are appropriate for different types of interaction. When I introduce myself to someone on the bus, there’s no logical reason to complicate things by making me prove who I am. When I access my credit card accounts, though, I want some pretty strong safeguards in place so I can be reasonably sure no one else is getting into my financial transactions.
The University currently has several methods for authentication, which are very loosely coupled, and that don’t rely on the same basic requirements. There have been reports of people using, for example, a guest library card to convince someone at Campus Rec to also issue a day pass for the ARC.
The IAM project aims to address this situation by creating one source for information, a central identity store, which includes information on how trusted each identity is. When a student applies for undergraduate admission, they may be entered into the identity store with a low trust level – we only know their email address, but that’s good enough for now. The applicant then submits some paperwork, which may be checked against other sources (the Social Security Administration, credit bureaus, the high school the applicant attended, etc). This adds increased trust, because it’s much more difficult to fake those records than it is to fake an email address.
One Person, One Identity
Currently, each U of I campus maintains its own identity store. Different units may also have their own systems – the Library uses a database to differentiate between different patron types, for example. Effectively, this means that a person could have several different identities with different levels of trust. In order for that person to function on campus, all of these systems need to communicate with each other, and people who grant access to services need to be familiar with each of these other systems.
IAM will greatly reduce the complexity of identity management by ensuring that each and every person has one, and only one, identity. The central identity store will be queried in various ways, depending on the level of trust required for the service being requested.
Identity and the Library
Creating and maintaining this store has several implications for the Library. We currently gather patron information from ICard, CITES, and Active Directory. Each feed has some delay associated with it, which creates a delay in updating the current information. In the coming years, the IAM project will allow us to change how we query patron information, which should greatly simplify the current process and improve accuracy and timeliness of data.
But there are other issues that bring up problems. As a public library, we do not require that patrons be affiliated with the University in order to use some services. Will we need to expand the identity management store to include anyone who might be a patron? Will we need to run a separate identity store for people who are not in the central one? Will our service models change to allow a basic level of service for people without a U of I identity, which doesn’t require any identity proofing at all? These are just a few of the questions we will have to address as the project moves forward.
Continue with part 2, Access Management