£2.80 a pint
Got to love Manchester

Presented by Alan Robiette from JISC

Presentation as pdf

We’ll get on to exactly what Shibboleth is later, but lets just start by saying it is a method for authentication/authorisation.

Currently the closest we have to a nationwide authentication/authorisation system is Athens. This has been developed and recently seen Single Sign On and Devolved Authentication. Also done proof of concept on alternative ways of authentication/authorisation – e.g. digital certificates.

However, now facing new challenges. Need to look at not just institutions to publisher authentication, but also cross-institutional working, ‘virtual organisations’ with complex authorisation needs (driven by growth in e-research, GRID etc.)

Also external developments – emergence of new standards e.g. SAML

So – next generation AAA infrastrucutre must support scenarios such as:

Internal (intra-institutional) applications
Management of access to 3rd party digital library-type resources
Inter-institutional use – e.g. shared e-learning scenarios
Inter-institutional use – ad hoc sharing of resources

We are now seeing Virtual Organisations emerging – where people distributed across the world want to work together and share resources.

There is also a link-up with UKERNA location-independent networking project – authenticated guest access to a network. Being called ‘eduroam’ – implications of running a RADIUS infrastructure on participating campuses.

Finally, there is work going on with Internet2 and the NMI-EDIT programme – this is run by the US National Science Foundation, and is looking at development of middleware, and is taking a joint approach with JISC with some of the work in this area.

Some Principles:
Authentication is the responsibility of the user’s home site
Authorisation is the responsibility of the resource owner

So – what is Shibboleth?
An architecture developed by the Internet2 middleware community.
It is NOT an authentication scheme – expects the home institution to do this
It is NOT an authorisation scheme – expects this to be done by the resource owners
It is an architecture, and open source implementation

How does it work? Need a diagram for this, and still isn’t incredibly clear, but some key points:
WAYF – Where Are You From? This is a key part of the architecture – it is only by this that you can tell where they are going to authenticate (home institution).
ARP – attribute release policy – only gives out the information needed at any point for authorisation – for example, don’t need to give out your name if all the resource needs to know that you come from a specific campus.

Shibboleth is getting good international acceptance (US, Australia, Finland, Switzerland, France – and UK of course)
Basic software now well tested – around 30 US universities working with it seriously, plus several content vendors – Swiss national HE system deployment
Satisfies the main requirements ‘out of the box’ – digital library, shared e-learning and internal use scenarios – doesn’t yet do the VO stuff very well.

However – still not very user friendly, lacks management tools, demanding to installa nd run, might require outsourced or packaged service for smaller institutions. Also still a relatively unsophisticated authorisation model – single attribute authority (who manage the ARP mentioned above), decision engine not very sophisticated – this is currently being addresses in JISC development projects.

So – what needs to be done?
Implement Shibboleth on JISC services – provide critical mass of shibboleth-enabled resources
Gain experience on campuses – in a variety of institutions
Build the national components – which are relatively few
‘Charm offensive’ with publishers

JISC is providing an ‘assisted take-up service’ – contract announcement is imminent, and expected to be available this month (March 2005). This should provide documentation, tools and support.

Some projects are being funded to get institutions to trial Shibboleth on their campuses. JISC are looking for outcomes by Summer 2006 – this coincides with a break in the Eduserve/Athens service contract.

In the short-term, Athens and Shibboleth will coexist – no current plan to remove Athens. In fact Athens is being developed to work in a Shibboleth environment. A two way gateway is being developed so that Athens campuses can reach Shibboleth resources and vice versa.

Campuses will need to review strategy – Shibboleth, Athens DA and EduRoam all pose similar questions. Need to have robust Identity Management solution which sits at the heart of any of these technologies.

In the longer term – currently speculate that:
Some institutions (perhaps especially smaller ones) may want to stay with Athens. As may small publishers.
OR – if Shibboleth becomes pervasive, support or tailoring for particular situations may be the answer
JISC will need to keep national service requirements under review
No question of forcing institutions to migrate on any specific timescale

Presented by Alan Robiette from JISC

Presentation as pdf

We’ll get on to exactly what Shibboleth is later, but lets just start by saying it is a method for authentication/authorisation.

Currently the closest we have to a nationwide authentication/authorisation system is Athens. This has been developed and recently seen Single Sign On and Devolved Authentication. Also done proof of concept on alternative ways of authentication/authorisation – e.g. digital certificates.

However, now facing new challenges. Need to look at not just institutions to publisher authentication, but also cross-institutional working, ‘virtual organisations’ with complex authorisation needs (driven by growth in e-research, GRID etc.)

Also external developments – emergence of new standards e.g. SAML

So – next generation AAA infrastrucutre must support scenarios such as:

Internal (intra-institutional) applications
Management of access to 3rd party digital library-type resources
Inter-institutional use – e.g. shared e-learning scenarios
Inter-institutional use – ad hoc sharing of resources

We are now seeing Virtual Organisations emerging – where people distributed across the world want to work together and share resources.

There is also a link-up with UKERNA location-independent networking project – authenticated guest access to a network. Being called ‘eduroam’ – implications of running a RADIUS infrastructure on participating campuses.

Finally, there is work going on with Internet2 and the NMI-EDIT programme – this is run by the US National Science Foundation, and is looking at development of middleware, and is taking a joint approach with JISC with some of the work in this area.

Some Principles:
Authentication is the responsibility of the user’s home site
Authorisation is the responsibility of the resource owner

So – what is Shibboleth?
An architecture developed by the Internet2 middleware community.
It is NOT an authentication scheme – expects the home institution to do this
It is NOT an authorisation scheme – expects this to be done by the resource owners
It is an architecture, and open source implementation

How does it work? Need a diagram for this, and still isn’t incredibly clear, but some key points:
WAYF – Where Are You From? This is a key part of the architecture – it is only by this that you can tell where they are going to authenticate (home institution).
ARP – attribute release policy – only gives out the information needed at any point for authorisation – for example, don’t need to give out your name if all the resource needs to know that you come from a specific campus.

Shibboleth is getting good international acceptance (US, Australia, Finland, Switzerland, France – and UK of course)
Basic software now well tested – around 30 US universities working with it seriously, plus several content vendors – Swiss national HE system deployment
Satisfies the main requirements ‘out of the box’ – digital library, shared e-learning and internal use scenarios – doesn’t yet do the VO stuff very well.

However – still not very user friendly, lacks management tools, demanding to installa nd run, might require outsourced or packaged service for smaller institutions. Also still a relatively unsophisticated authorisation model – single attribute authority (who manage the ARP mentioned above), decision engine not very sophisticated – this is currently being addresses in JISC development projects.

So – what needs to be done?
Implement Shibboleth on JISC services – provide critical mass of shibboleth-enabled resources
Gain experience on campuses – in a variety of institutions
Build the national components – which are relatively few
‘Charm offensive’ with publishers

JISC is providing an ‘assisted take-up service’ – contract announcement is imminent, and expected to be available this month (March 2005). This should provide documentation, tools and support.

Some projects are being funded to get institutions to trial Shibboleth on their campuses. JISC are looking for outcomes by Summer 2006 – this coincides with a break in the Eduserve/Athens service contract.

In the short-term, Athens and Shibboleth will coexist – no current plan to remove Athens. In fact Athens is being developed to work in a Shibboleth environment. A two way gateway is being developed so that Athens campuses can reach Shibboleth resources and vice versa.

Campuses will need to review strategy – Shibboleth, Athens DA and EduRoam all pose similar questions. Need to have robust Identity Management solution which sits at the heart of any of these technologies.

In the longer term – currently speculate that:
Some institutions (perhaps especially smaller ones) may want to stay with Athens. As may small publishers.
OR – if Shibboleth becomes pervasive, support or tailoring for particular situations may be the answer
JISC will need to keep national service requirements under review
No question of forcing institutions to migrate on any specific timescale

Just been talking to Matthew about capturing stuff from the conference, and saying that some of the most valuable stuff comes out of discussion after the talks – so I thought we could try and get some of this down as we fly home…

Should also say that the presentations are online

Collaboration and Competition in HE

Are we competing in a collaborative environment or collaborating in a competitive environment?

HE is moving from the former to the latter – Roger McClure from the Scottish funding body made the distinction, and it seems as if Scottish HE has grasped this much more readily than English HE – also think about the success of the IU that David Farquhar talked about.

Also, in England at least, the aim seems unclear from a government level – are they really aiming for a open market, or will they bail out anyone who looks like going under. We had quite a good chat about this, comparing it to other similar commercial environments – e.g. Post Office – they are supposed to compete, but can’t increase the cost of postage. Is HE headed the same way.

How we become competetive as HE providers also came up a few times – should we specialise? Are we clear how we (as organisations) make our money, and where we should concentrate effort. The last talk also touched on this, with examples of how airlines collaborate to survive, but are also in competition – sometimes your closest competitor has the most in common with you.

I was struck by a comment from Howard Newby that at the moment it was theoretically possible for students to easily transfer credit between institutions, and take courses in different places – but the institutional processes get in the way. Look at the Gas and Electricity market where people come to your door to get you to change suppliers, you sign, and they do it all for you – why aren’t we providing this kind of service? Should we be more aggressive in recruiting continuously (i.e. not just a single UG intake in a year, but ‘why not swap to RHUL’ – thousands of customers are returning to BT every month etc.)

Howard Newby also emphasised that universities have to capitalise on their strengths – can they continue to offer a broad range of courses across disciplines at an appropriate standard? Are we going to see more specialist institutions? Should RHUL become more specialist? And what will it mean to be a university in that environment?

Technology is changing faster than you think

Several times I’ve been struck by how quickly things are changing. Why are our students worrying about storage on our network, when they can pick up a 120Gb drive that fits in a rucksack for less than £100? Why aren’t we exploiting this more?

The younger students coming through our doors now are immersed in this – they don’t even think that it might not be there – they’ve never known a world without mobiles, PCs, the Internet.

Reflecting on what has changed in the last 20-30 years and thinking what the implications of that rate of change continuing (or even increasing) for the remainder of my working life. But also, as we were reminded this morning, we cope with this incredibly well in general – although I’ve only owned a mobile phone for that last 5 years, I haven’t found it in anyway difficult to adapt – when technology works, you don’t even think about it.

Leadership and Vision

This probably relates to the first point of competition, and where we go as an organisation – but we need both leadership and vision. We need to know where we are going, and what we are trying to acheive.

If we can’t continue to do everything, we need to decide what we stop doing, and what the consequences of this will be.

Something that came up several times was that we are ‘risk averse’ both as a profession, but also (I think) as organisations. This coincided nicely with the presentation on Risk Assessment – so perhaps we need to be less risk averse, but at the same time understand the risks we are taking.

OK – that’s it for now, perhaps some more later.

Just been talking to Matthew about capturing stuff from the conference, and saying that some of the most valuable stuff comes out of discussion after the talks – so I thought we could try and get some of this down as we fly home…

Should also say that the presentations are online

Collaboration and Competition in HE

Are we competing in a collaborative environment or collaborating in a competitive environment?

HE is moving from the former to the latter – Roger McClure from the Scottish funding body made the distinction, and it seems as if Scottish HE has grasped this much more readily than English HE – also think about the success of the IU that David Farquhar talked about.

Also, in England at least, the aim seems unclear from a government level – are they really aiming for a open market, or will they bail out anyone who looks like going under. We had quite a good chat about this, comparing it to other similar commercial environments – e.g. Post Office – they are supposed to compete, but can’t increase the cost of postage. Is HE headed the same way.

How we become competetive as HE providers also came up a few times – should we specialise? Are we clear how we (as organisations) make our money, and where we should concentrate effort. The last talk also touched on this, with examples of how airlines collaborate to survive, but are also in competition – sometimes your closest competitor has the most in common with you.

I was struck by a comment from Howard Newby that at the moment it was theoretically possible for students to easily transfer credit between institutions, and take courses in different places – but the institutional processes get in the way. Look at the Gas and Electricity market where people come to your door to get you to change suppliers, you sign, and they do it all for you – why aren’t we providing this kind of service? Should we be more aggressive in recruiting continuously (i.e. not just a single UG intake in a year, but ‘why not swap to RHUL’ – thousands of customers are returning to BT every month etc.)

Howard Newby also emphasised that universities have to capitalise on their strengths – can they continue to offer a broad range of courses across disciplines at an appropriate standard? Are we going to see more specialist institutions? Should RHUL become more specialist? And what will it mean to be a university in that environment?

Technology is changing faster than you think

Several times I’ve been struck by how quickly things are changing. Why are our students worrying about storage on our network, when they can pick up a 120Gb drive that fits in a rucksack for less than £100? Why aren’t we exploiting this more?

The younger students coming through our doors now are immersed in this – they don’t even think that it might not be there – they’ve never known a world without mobiles, PCs, the Internet.

Reflecting on what has changed in the last 20-30 years and thinking what the implications of that rate of change continuing (or even increasing) for the remainder of my working life. But also, as we were reminded this morning, we cope with this incredibly well in general – although I’ve only owned a mobile phone for that last 5 years, I haven’t found it in anyway difficult to adapt – when technology works, you don’t even think about it.

Leadership and Vision

This probably relates to the first point of competition, and where we go as an organisation – but we need both leadership and vision. We need to know where we are going, and what we are trying to acheive.

If we can’t continue to do everything, we need to decide what we stop doing, and what the consequences of this will be.

Something that came up several times was that we are ‘risk averse’ both as a profession, but also (I think) as organisations. This coincided nicely with the presentation on Risk Assessment – so perhaps we need to be less risk averse, but at the same time understand the risks we are taking.

OK – that’s it for now, perhaps some more later.

Presentation by Rene Carayol

Presentation in zip file (58.6Mb)

I really can’t summarise this – very motivational speaker I can’t really get this over in writing. Check out the slides at http://www.carayol.com/clients/ucisa/ from 12th March.

Presentation by Rene Carayol

Presentation in zip file (58.6Mb)

I really can’t summarise this – very motivational speaker I can’t really get this over in writing. Check out the slides at http://www.carayol.com/clients/ucisa/ from 12th March.

Something that JISC has been developing – this being presented by Christine Cooper from LSE.

Presentation in pdf

Apparently BS7799 is the key standard in the area of Information Security. There are questions about how appropriate it is to the HE sector. When JISC first looked at this, they felt that the content of the standard was good, but that it may not be worth going for formal certification.

The toolkit https://www.ucisa.ac.uk/acuk/infosecurity is a translation of BS7799 for HE with best practice for the sector.

The toolkit is a structure/framework containing generic information security elements and specimen policies, which you can incorporate into local policies. It can be used as a template which you simply adapt for local use, or as a guide which you use to create your own policy.

Obviously creating the policy is only one part of this – you have to actually apply the policy for it it to be worthwhile!

Now just going over the detail of using the toolkit – all looks pretty straightforward – fit the procedures or policies that you already have into the framework outlined in the toolkit and also identify gaps, and start looking at how you fill these.

Need to remember – Information Security doesn’t just mean Information Technology – but all Information in the organisation. Also remember that not all Information Technology is provided by a central service – there will be local things happening in departments etc. Needs to be a pervasive attitude in the organisation.