
New Developments in Access Management: Setting the Scene


Presentation Transcript


  1. New Developments in Access Management: Setting the Scene
     Alan Robiette, JISC Development Group
     JISC-CNI Conference, June 2002

  2. Outline
     • Overview and terminology
     • Authentication – problems and progress
     • Authorisation – problems and progress
     • Summary and conclusions
     JISC-CNI Conference, Edinburgh

  3. The High-Level Problem
     • We need national-scale services for
       • Authentication (linking people to electronic IDs)
       • Authorisation (linking IDs to privileges)
       • Profiling (linking IDs to personal preferences)
       • Accounting (in the sense of tracking and recording usage, whether or not for actual billing)
     • All in an interoperable framework which can be realistically implemented by our institutions
     • Not to mention all our third-party suppliers …

  4. Authentication
     • On a local scale, largely a solved problem
       • Various solutions exist, some with single sign-on (Internet2 promoting WebISO for web resources)
     • Digital certificates are on the increase
       • All serious Grid middleware requires them
       • But the management problems get no easier
     • Public-key technology will itself evolve
       • XML-based schemes may become a real factor
         • E.g. XKMS, Web Services Security

  5. Authentication Issues on a National Scale
     • Naming and name-space management
       • How is uniqueness assured nationally?
       • What happens in the case of multiple affiliations?
     • Should real IDs be generally visible to off-campus providers?
       • Trade-offs between privacy, convenience and accountability

  6. Authorisation Issues
     • Determining an individual’s privileges
       • What attributes (roles) is it useful to consider?
       • Which are generic and which application-specific?
       • How many could be defined sector-wide?
     • Location of the access control decision
       • At the resource itself (greatest provider control)?
       • At the institution (i.e. devolution of trust)?
       • At some intermediate point (e.g. as in the present case in the UK, at the Athens server)?

  7. Where Should Control Be Applied?
     • Logically at the resource itself
       • The resource owner logically should determine who gets access and who does not; but this may require more user information to be disclosed
       • For electronic information, this is often delegated (e.g. on the basis of a contract)
     • A better model for a bibliographic database than for a supercomputer? Or even a telescope?

  8. Where is the Complexity Felt?
     • Do we best achieve interoperability by having the same software interface at
       • All service providers’ servers?
       • All campuses?
       • All users’ local environments (wherever they are)?
       • More than one of these?
     • And where the complexity ends up, so do most of the costs …

  9. Other Concerns
     • The single sign-on question
       • How important is “seamlessness”?
     • The portal problem
       • To address this properly is quite hard
     • Standards and interoperability
       • There aren’t many, especially for authorisation
     • The international scene
       • A system for JISC services is all very well, but what about integrating resources from the wider world?

  10. Current UK Developments
     • EduServ’s development plan for Athens
       • Single sign-on introduced Spring 2002
       • White paper and proposed trial of distributed authentication Summer 2002
     • JISC call for projects issued Summer 2002
       • With the objective of exploring a range of emerging technologies, particularly for authorisation
     • JISC is actively working with Internet2-MACE in the US and TERENA in Europe

  11. Developments Elsewhere (1)
     • Shibboleth (Internet2)
       • Devolves authentication and attribute assertion to campuses
       • Resource owner requests attributes from campus and makes decisions based on the response
       • Model allows both campus and user control over attribute release (strong emphasis on privacy)
       • Open source reference implementation due to be released Autumn 2002
       • Publishers getting involved in trial programme

  12. Developments Elsewhere (2)
     • PAPI (Spanish national network)
       • Distributed architecture: authentication and authorisation both carried out at campus (i.e. campuses have to be trusted by resource owners)
       • Multi-tier architecture – easy to interface to existing publishers’ services
       • Open source and in use in a number of sites/consortia in Spain, including some publisher involvement
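The two placements of the access control decision contrasted in slides 6, 7, 11 and 12 (decision at the resource on campus-released attributes, versus decision at the campus with only a yes/no returned) can be modelled in a few lines. This is an added illustration, not Shibboleth or PAPI code; the user record, provider name, campus release policy and access rule are all constructed for the example.

```python
"""Toy model of where the authorisation decision sits (illustration only,
not Shibboleth or PAPI code; all names and values below are constructed)."""

# Constructed campus directory record for one user.
USER = {
    "eduPersonPrincipalName": "jsmith@example.ac.uk",
    "eduPersonAffiliation": "staff",
    "department": "chemistry",
    "dateOfBirth": "1970-01-01",
}
# Campus-side release policy: attributes the institution will ever assert
# to the hypothetical provider "journals.example.org".
CAMPUS_RELEASE = {"journals.example.org": {"eduPersonAffiliation", "department"}}
# User-side preference: attributes this user withholds from that provider.
USER_WITHHOLD = {"journals.example.org": {"department"}}


def release_attributes(user, provider, requested):
    """Attributes a campus asserts to a provider: those requested, permitted
    by campus policy, and not withheld by the user (two layers of control)."""
    allowed = CAMPUS_RELEASE.get(provider, set()) - USER_WITHHOLD.get(provider, set())
    return {k: user[k] for k in requested if k in allowed and k in user}


def decide_at_resource(user, provider, rule):
    """Decision at the resource: it asks the campus for the attributes named
    in `rule` (attribute -> acceptable values) and evaluates them itself.
    Returns (granted, set of attribute names disclosed to the resource)."""
    attrs = release_attributes(user, provider, rule.keys())
    granted = all(attrs.get(a) in vals for a, vals in rule.items())
    return granted, set(attrs)


def decide_at_campus(user, provider, rule):
    """Decision at the campus: the provider's rule is evaluated against the
    campus directory and only a yes/no leaves the campus, so nothing is
    disclosed; the resource owner must instead trust the campus."""
    granted = all(user.get(a) in vals for a, vals in rule.items())
    return granted, set()


if __name__ == "__main__":
    rule = {"eduPersonAffiliation": {"staff", "student"}, "department": {"chemistry"}}
    print(decide_at_resource(USER, "journals.example.org", rule))  # withheld attr -> denied
    print(decide_at_campus(USER, "journals.example.org", rule))    # granted, nothing disclosed
```

Running it shows the trade-off the slides describe: the resource-side decision is denied once the user withholds `department`, while the campus-side decision grants access without disclosing any attribute.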

  13. Is a Common View Emerging?
     • What is clearly needed is a single, widely accepted vendor-independent scheme
     • At first sight the different projects (PAPI, Shibboleth, Athens+) look very distinct
     • However they share many components and a common architecture appears feasible

  14. And What About the Grid?
     • Currently the Grid community’s problems appear more complex
     • Grid middleware relies heavily on X.509 identity certificates, which are far from universal otherwise
     • Even in the longer term, it may not be possible to standardise on one single Grid authorisation solution
     • But there may be analogies with other relatively complex problems, e.g. medical middleware

  15. Conclusions
     • Authorisation in particular remains a tough problem
     • But some of the emerging solutions look promising, for quite large sets of commonly encountered applications
     • International co-operation in this area is looking very promising
