RESOURCE ACCESS IN THE 21ST CENTURY

SAT MANDRI
SERVICE MANAGER – TUAKIRI
7TH SEPTEMBER 2017

Resource Access in the 21st Century, TICT Conference 2017

AGENDA

• Welcome & Introduction
• Facts
• 1990’s System
• Problem Statement
• RA21 – What is it, Goal and Explanation
• Technology Considerations
• Direction of travel
• Compliance
• Key Message

INTRODUCTION

Technology is changing how users access content in a world increasingly on the move, yet delivery of the content acquired by institutions and their libraries is optimised for the user who is physically on campus.

• What about the students and researchers who live, study, travel and work off campus?
• What percentage of the customer base do they make up?
• What content service delivery failures develop as a result, and how much are these failures costing IT services, libraries and publishers?

These are significant problems for our research and education community, and their size and scale are growing.

FACTS

IT Services, Publishers and Librarians need to acknowledge that when it comes to serving electronic resources to users, for a variety of reasons, you are somewhat failing to deliver.

A system that functioned well at the outset of electronic content delivery is showing its age, because the user community and the technology have advanced.

“Much like a crumbling bridge or a broken water main, the solution and processes you built so many years ago to provide access are starting to fail, and your customers are having to find their way around those systems to get access to the content.”

It is time!

1990’S SYSTEM

In the 1990s many publishers saw the potential of the internet and started to move their content online. This consolidated the need for a shift in their business models from a focus on individuals to IP-mediated institutional access.

IT Services were procuring more computers and Libraries were purchasing institution-wide subscriptions, with access facilitated through fixed computers in libraries and in student learning and collaboration areas on campus.

Over time, publishers added other institutional authentication mechanisms – trusted referrer URLs, library cards, EZProxy support, and so on – but you never addressed the poor user experience associated with off-campus access.

Now, with the rise of BYOD, tablets and smart devices and increasing flexibility in work spaces, access control is failing.

PROBLEM STATEMENT

In the two decades since electronic journals started replacing print journals as the primary access route to teaching and learning content, the uncertainty of how to ensure proper access to electronic publications that are licensed and paid for by the library has been with us.

Termed the “off campus problem”, it has led Libraries and IT Services to employ numerous techniques and technologies to enable access for authorised users when they are not on campus.

Access from on campus is easy – the publisher's system recognises the network address of the computer requesting access and allows the access to happen. Requests from network addresses that are not recognised are met with “access denied” messages.

To get around this problem, Libraries and IT Services have deployed web proxy servers and virtual private network (VPN) gateways to enable users “off campus” to access content. These techniques and technologies are not perfect for the current generation of remote, digitally savvy learners.
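The following is an added illustration of the IP-mediated model this slide describes; it is not code from the talk or from any publisher's system. The publisher keeps a table of licensed address ranges and decides purely on the requesting address; the proxy workaround then makes every off-campus request look on-campus, which also shows why the model gives the publisher no per-user information at all. The institution name, address ranges, proxy address and sample requests are constructed (192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 are documentation ranges).

```python
"""IP-mediated authorisation: the publisher grants access purely on the
requesting network address.

Added example, not from the talk or any publisher's system. The institution
name, address ranges, proxy address and sample requests are all constructed.
"""
import ipaddress

# Constructed: the address ranges a publisher has on file for one licensed
# institution. This table is the entire "identity" the IP model knows about.
INSTITUTION_RANGES = {
    "Example University": [
        ipaddress.ip_network("192.0.2.0/24"),
        ipaddress.ip_network("2001:db8:100::/48"),
    ],
}

# Constructed: address of the library's rewriting proxy (EZProxy-style). It
# lives inside the campus range, so everything it forwards appears on-campus.
LIBRARY_PROXY = ipaddress.ip_address("192.0.2.10")


def institution_for(client_ip: str):
    """Return the institution whose licensed range contains client_ip, or None.
    ipaddress handles the v4/v6 mismatch: a v4 address is never 'in' a v6 net."""
    addr = ipaddress.ip_address(client_ip)
    for name, ranges in INSTITUTION_RANGES.items():
        if any(addr in net for net in ranges):
            return name
    return None


def authorize(client_ip: str) -> str:
    """The publisher's whole access decision under the IP model."""
    inst = institution_for(client_ip)
    return f"access granted ({inst})" if inst else "access denied"


def authorize_via_proxy(real_client_ip: str) -> str:
    """The off-campus workaround: the browser talks to the library proxy and
    the publisher only ever sees the proxy's on-campus address. The real
    client address is unused here by design, because the publisher never
    learns it; whoever can reach the proxy inherits the institution's
    licence, and the publisher cannot report per user type or personalise."""
    return authorize(str(LIBRARY_PROXY))


if __name__ == "__main__":
    for ip in ("192.0.2.55", "2001:db8:100::1", "198.51.100.7"):
        print(f"{ip:>20} direct     -> {authorize(ip)}")
    print(f"{'198.51.100.7':>20} via proxy  -> {authorize_via_proxy('198.51.100.7')}")
```

Running it shows the off-campus client denied when it connects directly and granted when it goes through the proxy. The same property that makes the proxy convenient makes it a single choke point: the proxy's own login is now the real access control, and the publisher has no way to verify it happened.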

STRIKE THE BALANCE

“Make use of innovative technologies”

RA21 – WHAT IS IT?

The RA21 initiative is brought to you by the International Association of Scientific, Technical, and Medical Publishers (STM) and the National Information Standards Organization (NISO). NISO is where content publishers, libraries, and software developers turn for information industry standards that allow them to work together.

Acknowledgement and references:
https://ra21.org
http://www.stm-assoc.org/
http://www.niso.org
www.wiki.shibboleth.net
https://refeds.org (Voice of the Research & Education Federations)
https://www.geant.org/Services/Trust_identity_and_security/eduGAIN

RA21 GOAL

Ensuring that members of the research and education community have access to the right services, at the right time, with the right protections and privacy considerations, while supporting easy collaboration.

RA21 EXPLAINED

The initiative is aimed at optimising protocols across key stakeholder groups and research and education communities, with the goal of facilitating a seamless user experience for consumers of scientific communication and teaching and learning resources. This comprehensive initiative is working to solve long-standing, complex, and broadly distributed challenges in the areas of licensing, information security and user privacy.

Engagement and consultation are currently underway in order to explore potential alternatives to IP authentication and to build momentum toward testing alternatives among researcher, customer, vendor, and publisher partners.

So, what’s driving this effort?
1) In part, the ease of resource access within IP ranges is what makes off-campus access so difficult; and
2) In part, the difficulty of resource access outside IP ranges encourages legitimate users to resort to illegitimate means of resource access.

TECHNOLOGY CONSIDERATIONS

The RA21 group is leveraging two technologies, SAML and Shibboleth, to accomplish the project's goals.

Notable advancements in these two technologies:
1) Consent based: the user's ability to give consent to attribute release (IdP v3);
2) Privacy aware: the publisher trusts that the institution's identity system properly authorises users, while the system still provides functionality for the publisher to offer a personalised user experience; and
3) Enhanced reporting: the institution can send general tags/flags/exceptions (user type, department/project affiliation, etc.) to the publisher, which can be turned into reporting categories in reports back to the institution.
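As an added example (not RA21's, Shibboleth's or Tuakiri's code) of the three advancements listed above: the IdP side releases only the attributes that are both permitted by its per-publisher policy and consented to by the user, and derives a per-publisher pseudonymous identifier so that publishers cannot correlate one user across sites; the publisher side authorises on scoped affiliation and entitlement alone and takes its reporting category from the asserted affiliation. The attribute names are from the eduPerson schema and the common-lib-terms value is the widely used library-licence entitlement; the entity IDs, release policy, user record, IdP secret and licensed-scope list are constructed.

```python
"""Consent-based, privacy-aware attribute release from an IdP to a publisher SP,
and a publisher authorising on affiliation and entitlement only.

Added example, not RA21's, Shibboleth's or Tuakiri's code. Attribute names are
from the eduPerson schema; everything else below is constructed.
"""
import hashlib
import hmac

# Constructed: entity IDs of two publishers in the federation.
SP_PUBLISHER = "https://publisher.example.com/sp"
SP_OTHER = "https://other-publisher.example.org/sp"

# Constructed: secret the IdP keeps to derive per-publisher pseudonyms.
IDP_PAIRWISE_SECRET = b"constructed-idp-secret-rotate-in-production"

# Constructed: directory record for one user at the institution.
USER = {
    "uid": "jsmith",
    "mail": "j.smith@example.ac.nz",
    "displayName": "J. Smith",
    "eduPersonScopedAffiliation": "staff@example.ac.nz",
    "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
}

# Constructed: what the institution is willing to release to each publisher.
# Only attributes listed here are even offered to the user for consent.
RELEASE_POLICY = {
    SP_PUBLISHER: {"eduPersonScopedAffiliation", "eduPersonEntitlement"},
    SP_OTHER: {"eduPersonScopedAffiliation"},
}

# Constructed: scopes the publisher has licensed, i.e. the institutions whose
# affiliation assertions it trusts. An unknown scope is refused, much as an
# unknown IP range was, but the decision is now tied to an authenticated user.
LICENSED_SCOPES = {"example.ac.nz"}
LIBRARY_ENTITLEMENT = "urn:mace:dir:entitlement:common-lib-terms"


def pairwise_id(uid: str, sp_entity_id: str) -> str:
    """Identifier that is stable for one (user, publisher) pair but differs
    between publishers, so they cannot correlate the user with each other.
    Keyed with the IdP secret so the uid cannot be recovered or guessed."""
    mac = hmac.new(IDP_PAIRWISE_SECRET, f"{uid}!{sp_entity_id}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def release_attributes(user: dict, sp_entity_id: str, consented: set) -> dict:
    """IdP side: intersect policy with the user's consent, then add the pseudonym.
    Attributes the user consented to but policy does not allow are still withheld."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    released = {name: user[name] for name in allowed & consented if name in user}
    released["pairwiseId"] = pairwise_id(user["uid"], sp_entity_id)
    return released


def publisher_authorize(attrs: dict) -> dict:
    """SP side: decide on affiliation and entitlement only. No name or email is
    needed; the reporting category comes from the role part of the affiliation."""
    affiliation = attrs.get("eduPersonScopedAffiliation")
    if not affiliation or "@" not in affiliation:
        return {"decision": "denied", "reason": "no affiliation released"}
    role, scope = affiliation.split("@", 1)
    if scope not in LICENSED_SCOPES:
        return {"decision": "denied", "reason": f"scope {scope} not licensed"}
    if LIBRARY_ENTITLEMENT not in attrs.get("eduPersonEntitlement", []):
        return {"decision": "denied", "reason": "no library entitlement"}
    return {
        "decision": "granted",
        "report_category": role,           # e.g. staff / student, for usage reports
        "session_key": attrs.get("pairwiseId"),  # personalisation without identity
    }


if __name__ == "__main__":
    consent = {"eduPersonScopedAffiliation", "eduPersonEntitlement", "mail"}
    for sp in (SP_PUBLISHER, SP_OTHER):
        attrs = release_attributes(USER, sp, consent)
        print(sp, "<-", attrs)
        print("   decision:", publisher_authorize(attrs))
```

Note that `mail` is consented to but never leaves the IdP, because policy for that publisher does not list it, and that the second publisher receives a different pseudonym and no entitlement, so it is refused even though the user is the same. Withdrawing consent entirely leaves only the pseudonym in the assertion, which the publisher correctly treats as unauthorised.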

DIRECTION OF TRAVEL

The focus of the RA21 effort is to lower the barrier and provide the right balance to that common problem of user authentication – on campus and off campus.

Some key considerations are:
• Discovery (the “Where Are You From” problem) – how to make the leap from the publisher's site to the institution's sign-on portal as seamless as possible. If the user’s trust is established, the publisher can link directly to the portal.
• Clue-less geo-location – can this be used to establish a user’s affiliation to their institution?
• Advanced browser functionality – the publisher having the ability to learn about a user’s affiliation to an institution without prompting them for any information.
• User experience design and usability testing for authentication screens – publishers agreeing on a common page layout and login.

COMPLIANCE

Protection of User Privacy
Improving access needn’t mean that other values are set aside. And while more secure authentication and access provision does rely on greater user awareness, it is entirely possible, using a SAML-based authentication protocol, to provide security and privacy simultaneously.

Many research and education federations globally (similar to REANNZ Tuakiri) and their member organisations are already providing content access via SAML-based technologies such as Shibboleth, so there is global experience in balancing these concerns.

Data Privacy
Data privacy, also called information privacy, is the aspect of information technology that deals with the ability of an organisation or individual to determine what data in a computer system can be shared with third parties.

Regulatory Compliance
Regulatory compliance is an organisation's adherence to the laws, regulations, guidelines and specifications relevant to its business (policy). Violations of these regulations often result in breaches and legal implications.

KEY MESSAGE

1) Publishers, libraries, and the research and education community have all come to the understanding that authorising access to content based on IP address no longer works in today’s distributed world.

2) The RA21 project hopes to resolve some of the fundamental issues that create barriers to moving to federated identity in place of IP address authentication, by looking at some of the products and services available in the identity discovery space today and determining best practice for future implementations.

3) It is time that your IT Services, Librarians and the Publishers consider using SAML-based authentication services like REANNZ Tuakiri to address this problem here in NZ. Visit our Service Catalogue.

Contact: [email protected] or [email protected]

TERMINOLOGY

Shibboleth
An open-source project that provides single sign-on capabilities and allows sites to make informed authorisation decisions for individual access to protected online resources in a privacy-preserving manner.

eduPerson and eduOrg (auEduPerson Schema)
eduPerson and eduOrg are LDAP schemas designed to include widely used person and organisational attributes in higher education.

REANNZ Tuakiri
REANNZ Tuakiri operates the identity trust federation for New Zealand research and education, providing a secure and privacy-preserving trust fabric that enables the sharing of protected resources and offers users single sign-on convenience.

eduroam
The eduroam service provides instant, authenticated and encrypted network access to the users of all participating institutions.

A LITTLE BIT OF JARGON

Identity
• Individuals and organisations have sets of attributes
• Identities may have multiple identifiers
• Identities may have multiple entitlements

Access
• Based on attributes called ‘authentication identifiers’ or ‘credentials’
• A user submits their credential to enter a site
• This process is authentication: establishing the user’s identity

Entitlement
• Based on attributes like subscriptions and licences
• After authentication, extra information about the user’s rights is passed to the site (consent process)
• This process is authorisation: establishing the user’s entitlement

It is important to familiarise yourself with the critical terms that are commonly used. These include Identity, Authentication and Authorisation, the latter two often abbreviated to ‘Auth & Authz’. The term ‘IAMS’ is an acronym for ‘Identity and Access Management System’, and FIM refers to ‘Federated Identity Management’.