
Access Management for Digital Libraries in a well-connected World


Presentation Transcript


  1. Access Management for Digital Libraries in a well-connected World
     John Paschoud, SECURe Project, London School of Economics Library
     ICDL 2004, New Delhi

  2. Introduction
     • InfoSystems Engineer at the LSE Library - The British Library of Political & Economic Science (“the World’s largest library dedicated to the social sciences”)
     • …responsible for applied research projects, with external funding (JISC, EC, SURF, NSF…)
     • I am not a “Dr.”, but an “Eng.”(ineer)
     • …so I have no competence to decide what should be in the digital library
     • …but I do know how to build the shelves!

  3. Summary
     • Access Management – key to DL security
     • Principles of Access Management
     • What the UK has now: Athens, GRID PKI
     • What the UK is moving towards
     • Distributed technology: Shibboleth & SAML
     • Demands on libraries & universities

  4. Why is Access Management so important?
     • Library users (and where they want to study from) are more diverse
     • Library resources (and where they are physically and legally held) are more diverse
     • Resource owners want to maximise $$$
     • Users (researchers) need to maximise the currency of their knowledge
     • Libraries have limited $$$!

  5. Principles of Access Management
     • 4 processes: Registration, AutheNtication, AuthoriZation, Accounting
     • Membership institutions (university, library, etc.) must control Reg and AuthN
     • Resource hosts must control AuthZ
     • Users must control their own privacy (of attributes, identity)
     • Security must be appropriate (for the value of the resources protected)
     • Scalability must be cross-domain, global
     (mostly) after Clifford Lynch, Coalition for Networked Information

  6. UK Current Assets
     • Athens: username/password based service for unifying access to digital library resources
       • Mainly licensed via JISC consortium deals
       • Over 2 million current usernames
       • Username/password database; maintenance devolved to institutions
       • Around 500 HE and FE institutions use the Athens service
       • Around 200 licensed resources are controlled via Athens
       • A high proportion of the major academic publishers have now implemented Athens
     • UK e-Science CA: service for issuing digital certificates for access to Grid-type resources
       • Based on OpenCA software (with local modifications)
       • Verification of user identities carried out by trusted RAs around the community
       • Current scale of operation: a few hundred certificates per year

  7. UK current challenges
     • Athens uses a single centralised database of users, and its own proprietary protocols
     • Little international take-up as yet
     • Design lacks the flexibility and scalability of more recent approaches
     • e-Science CA is similarly centrally administered, and hard to scale up

  8. UK current actions
     • AAA Programme (2002-2004)
       • Experiments with newer AM technologies and architectural models
       • (SECURe Project was the main vehicle to test and liaise with Shibboleth development)
     • Foundation studies (2004):
       • Digital Rights Management
       • Institutional Profiling
       • Single sign-on technologies
       • Feasibility of a national certificate issuing service
       • Policy management with PERMIS
       • Assessment of eduPerson & similar schemas
     • Core Middleware Programme (2004-2006)
       • Invites larger-scale experiments, tackling problems like “virtual organisations” of users, and secure resource access via university or library portals
     • New Shibboleth-based service infrastructure (2004-2006)

  9. What is Shibboleth? (ancient)
     • A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce “sh”, called the word sibboleth. See: Judges xii (Jewish or Christian Bible)
     • Hence, the criterion, test, or watchword of a party; a party cry or pet phrase. Webster's Revised Unabridged Dictionary (1913)
     after Michael Gettes, Duke University & Shibboleth Project Team

  10. What is Shibboleth? (modern)
      • An initiative to develop an architecture and policy framework supporting the sharing - between domains - of secured web resources and services
      • A project delivering an open source implementation of the architecture and framework
      • Deliverables:
        • Software for Origins (campuses)
        • Software for Targets (vendors)
        • Operational Federations (scalable trust)
      after Michael Gettes, Duke University & Shibboleth Project Team

  11. Shibboleth Goals
      • Use federated administration as the lever; have the enterprise broker most services (authentication, authorization, resource discovery, etc.) in inter-realm interactions
      • Provide security while not degrading privacy
      • Attribute-based Access Control
      • Foster inter-realm trust fabrics: federations and virtual organizations
      • Leverage campus expertise and build rough consensus
      • Influence the marketplace; develop where necessary
      • Support for heterogeneity and open standards (SAML++)
      after Michael Gettes, Duke University & Shibboleth Project Team

  12. Attribute-based Authorization
      • Identity-based approach
        • The identity of a prospective user is passed to the controlled resource and is used to determine (perhaps with requests for additional attributes about the user) whether to permit access.
        • This approach requires the user to trust the target to protect privacy.
      • Attribute-based approach
        • Attributes are exchanged about a prospective user until the controlled resource has sufficient information to make a decision.
        • This approach does not degrade privacy.
      after Michael Gettes, Duke University & Shibboleth Project Team
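The four processes of slide 5 and the attribute-based exchange of slide 12 can be made concrete with a small simulation. The following Python is an added example and is not code from the presentation, the SECURe project or the Shibboleth software; it stands in for the SAML exchange with plain function calls. The institution ("origin") owns Registration and AuthN and applies an attribute release policy so that only the attributes the target needs leave the campus; the resource host ("target") decides AuthZ from those attributes alone and keeps an Accounting record keyed by an opaque handle, so it never learns who the user is. All usernames, passwords, hostnames, attribute values and the federation membership list are constructed for the example.

```python
"""Simulated Shibboleth-style attribute-based access management (constructed example)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set, Tuple

# --- Origin side: Registration output (a campus directory) ---------------
_SALT = b"constructed-static-salt-for-demo"   # a real deployment salts per user


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


DIRECTORY: Dict[str, dict] = {                 # constructed records
    "jdoe": {
        "pw": _hash_password("correct horse"),
        "attributes": {
            "eduPersonAffiliation": "staff",
            "eduPersonScopedAffiliation": "staff@example.ac.uk",
            "displayName": "Jane Doe",
            "mail": "j.doe@example.ac.uk",
        },
    },
    "guest42": {
        "pw": _hash_password("hunter2"),
        "attributes": {
            "eduPersonAffiliation": "affiliate",
            "eduPersonScopedAffiliation": "affiliate@example.ac.uk",
            "displayName": "Guest Forty-Two",
            "mail": "guest42@example.ac.uk",
        },
    },
}

# Attribute release policy: per target, the attributes the origin (and the
# user's privacy choices) permit. Identity attributes are withheld.
RELEASE_POLICY: Dict[str, Set[str]] = {
    "journals.example.com": {"eduPersonAffiliation", "eduPersonScopedAffiliation"},
}
SESSIONS: Dict[str, str] = {}                  # opaque handle -> username


def origin_authenticate(username: str, password: str) -> Optional[str]:
    """AuthN at the home institution; returns an opaque handle or None."""
    record = DIRECTORY.get(username)
    if record is None:
        _hash_password(password)               # equalise timing for unknown users
        return None
    if not hmac.compare_digest(_hash_password(password), record["pw"]):
        return None
    handle = secrets.token_hex(8)              # reveals nothing about identity
    SESSIONS[handle] = username
    return handle


def origin_release_attributes(handle: str, target: str, requested: List[str]) -> Dict[str, str]:
    """Answer a target's attribute query with only what policy allows."""
    username = SESSIONS.get(handle)
    if username is None:
        return {}
    allowed = RELEASE_POLICY.get(target, set())
    attrs = DIRECTORY[username]["attributes"]
    return {n: attrs[n] for n in requested if n in allowed and n in attrs}


# --- Target side: AuthZ and Accounting -----------------------------------
FEDERATION_ORIGINS = {"example.ac.uk"}        # scopes the federation vouches for
RESOURCE_POLICY: Dict[str, Set[str]] = {
    "journals.example.com/econ-review": {"member", "staff", "student", "faculty"},
}
ACCOUNTING_LOG: List[dict] = []


def target_authorize(handle: str, resource: str, attrs: Dict[str, str]) -> bool:
    """Decide from attributes only; the scope must come from a federation member."""
    scoped = attrs.get("eduPersonScopedAffiliation", "")
    scope = scoped.rsplit("@", 1)[-1] if "@" in scoped else ""
    granted = (scope in FEDERATION_ORIGINS
               and attrs.get("eduPersonAffiliation") in RESOURCE_POLICY.get(resource, set()))
    ACCOUNTING_LOG.append({"handle": handle, "resource": resource, "granted": granted})
    return granted


def access_resource(username: str, password: str, target: str, resource: str) -> Tuple[bool, Dict[str, str]]:
    """Run the whole exchange; returns (granted, attributes the target saw)."""
    handle = origin_authenticate(username, password)
    if handle is None:
        return False, {}
    wanted = ["eduPersonAffiliation", "eduPersonScopedAffiliation", "displayName", "mail"]
    released = origin_release_attributes(handle, target, wanted)   # target asks for more than it gets
    return target_authorize(handle, resource, released), released


if __name__ == "__main__":
    print(access_resource("jdoe", "correct horse", "journals.example.com", "journals.example.com/econ-review"))
    print(access_resource("guest42", "hunter2", "journals.example.com", "journals.example.com/econ-review"))
    print(ACCOUNTING_LOG)
```

The point of the split is visible in the return values: the target asks for four attributes, is given two, and can still make its decision, while its accounting log contains only handles and never the username, display name or mail address. An identity-based design would have passed the username across in the first message and left privacy to the target's goodwill.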

  13. How does it work?
      Hmmmm…. It’s magic. (or: You can ask me later)
      after Michael Gettes, Duke University & Shibboleth Project Team

  14. How does it work?
      (diagram slide; image not included in the transcript)
      after SWITCH, Switzerland

  15. Who else is interested?
      • US NSF (they have paid for most of it)
      • JISC, UK
      • SWITCH, Switzerland (they have a whole-country Shibboleth Federation already)
      • SURF, Netherlands
      • Many resource owners (they need to follow what their market is doing)
      • Many software suppliers (WebCT, Blackboard, uPortal)

  16. Challenges for Libraries
      • Reliable Access Management will be a requirement
      • “Installing Shibboleth” is easy, but…
      • To do Access Management, a university or library also needs:
        • Identity Management: directories of users and attributes (and all the technical infrastructure)
        • Policies on user privacy and vendor licences
        • To collaborate, forming national or international federations for access to resources
      • Middleware is invisible (when it works!) – so justifying costs to management is not easy

  17. Questions?
      Project info: www.angel.ac.uk/SECURe
      Contact: j.paschoud@lse.ac.uk