Identity Management
Created by Theresa Rowe (Oakland University) on December 18, 2006
Identity Management assembles several streams of activity around identifying members of the university community and provisioning services for those community members. Universities need methods for discovering new members of the community and making sure those members have access to the services that the individual members need. Identity management can be used to create a single-authentication environment, moving to a single sign-on environment, and then sharing that authentication among several universities in a federation. When used for service provisioning, access to private or limited resources can be controlled through identity management strategies.

A growing aspect of Identity Management is the creation of access and traffic logs. These logs let us distinguish the activities of authorized community members from unauthorized activity, particularly activity originating from outside the community. We can trace and answer “what happened.” Compliance requirements (e-evidence or HIPAA, for example) may require retention of logs for extended periods of time.

I like to think that university networks and systems operate within a set of ethical principles. Our networks are open highways where communities are free to travel. There may be limited entrance and exit ramps, particularly to special services (like interstate highways). Cars are licensed to travel wherever the driver chooses, but travel is not monitored or permanently recorded in a log. Some destinations are not easily accessible or have limited access; there are locked gates and perimeter walls. If a law is broken, evidence is gathered and an investigation is pursued. The investigation is undertaken carefully by specific individuals authorized to handle such an endeavor. These individuals are knowledgeable in the laws that apply to gathering evidence, sharing details, and protection of the innocent.
Evidence about an individual is not gathered or tracked in advance of an investigation, suspected criminal activity, or an actual crime. If our networks are the highway and our systems are the destinations, many institutions want to promote free and easy entrance ramps. Once on the highway, you are now free to move around the Internet! It can sound so good up front to say “We’ll have logs of your Internet travels.” Then, if something goes wrong, we’ll be able to IDENTIFY who did this deed. But the risks to personal privacy and electronic freedom are huge.

I will admit to having traveled through some pretty dark alleys in my Internet voyages. If someone was looking at my track record alone, they may be startled at the places I’ve been. What is missing is the “why.” Why did I go to that porn site (investigating a complaint of harassment from Student Affairs)? Why did I go to that racially-biased hate site that spoke of bombing (to prepare for the Public Administration class I sometimes teach)? The “whys” behind my activities are nowhere documented. The presence of my identity in a log is not evidence or proof of wrong-doing on my part. And I will only be able to defend my actions once someone has reviewed the log of my travels and tells me that they have questions. How will I know when the log of my personal activities is being reviewed? Will a notification to me be required? Who will have the right to review the log? Who will make the decision? Under what circumstances are logs released? To whom?

Perhaps we should build our identity environments modeled on credit reporting agencies. Retained logs need to be available and viewable to those whose identities appear in the logs. Should the owner of the identity be notified when a log containing their identity is released? If the log is retained, can I, as the owner of the identity, add my own annotations?
Our internal IT organization has maintained that we use logs to trend and not police, unless we have an official legal request, authorized by the university General Counsel, to gather evidence. We do not retain personally identifiable information in logs for an extended period (not longer than 30 days). Our log retention decisions are simplified by not needing to comply with HIPAA.

Is “knowing what someone is doing or has done” a component of identity management? As an IT professional, I am uncomfortable with the idea of tracking everyone’s activity on our networks. I am fully comfortable with protecting destinations, our systems and data, from unauthorized travelers (keeping the keys to the gate). I find the environment similar to surveillance cameras. We have a reasonable expectation of privacy as we travel the Internet. I would be a big fan of posted signs: “Surveillance monitoring present on this network.”

The network director at Oakland University, Brian Paige, reminds me that we need to consider the changing landscape of social perception and laws. What is legal or socially acceptable now may not be legal or socially acceptable in the future (or vice versa). Logs can be kept for long periods of time. What is the purpose of evaluating old logs? Have we fully identified justifiable reasons for retaining old logs and applying new standards to the old data?

The word “trust” is often used in the building of an Identity Management environment. We are trying to give access to those we trust, and as a result, build trusted communities who use trusted resources and trusted networks. That works in reverse, too; we need to build Identity Management structures that are trusted infrastructures. Key to building trust is to announce what data we are gathering, state publicly how data are used, and then use that data only in accordance with that public statement. That trusted environment includes logging, monitoring and other tracking activities.
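As an added illustration of the retention practice described above (use logs to trend rather than police, and keep no personally identifiable information beyond 30 days) together with the earlier suggestion that people be able to see the log entries that name them, here is a small Python example. It is not Oakland University's code: the log format, the field names treated as identifying (user and source IP), and the sample records are all constructed for this example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 30                 # the post's stated limit for personally identifiable information
PII_FIELDS = ("user", "src_ip")     # assumed identity-bearing fields in this constructed log format

# Constructed sample access records (not real data); one dict per event.
SAMPLE_LOG = [
    {"ts": "2006-11-01T09:15:00Z", "user": "jdoe",   "src_ip": "10.0.0.12", "resource": "/library/proxy"},
    {"ts": "2006-12-10T13:40:00Z", "user": "asmith", "src_ip": "10.0.0.33", "resource": "/webmail"},
    {"ts": "2006-12-17T08:05:00Z", "user": "jdoe",   "src_ip": "10.0.0.12", "resource": "/webmail"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def apply_retention(records, now, retention_days=RETENTION_DAYS):
    """Enforce a 'trend, don't police' retention rule.

    Returns (kept, trends):
      kept   - every record, but with the PII fields removed from those older
               than retention_days, so identities age out while the event survives
      trends - per-resource event counts over all records: the aggregate view
               that stays useful for trending after identities are gone
    """
    cutoff = parse_ts(now) - timedelta(days=retention_days)
    kept, trends = [], Counter()
    for rec in records:
        trends[rec["resource"]] += 1
        if parse_ts(rec["ts"]) < cutoff:
            kept.append({k: v for k, v in rec.items() if k not in PII_FIELDS})
        else:
            kept.append(dict(rec))
    return kept, dict(trends)


def has_pii(record):
    """True if any identity-bearing field is still present in the record."""
    return any(field in record for field in PII_FIELDS)


def records_about(records, user):
    """Subject-access view: the retained records that still name a given
    identity, so the owner of that identity can see what is held about them."""
    return [rec for rec in records if rec.get("user") == user]


if __name__ == "__main__":
    kept, trends = apply_retention(SAMPLE_LOG, "2006-12-18T00:00:00Z")
    for rec in kept:
        print("PII" if has_pii(rec) else "anonymized", rec)
    print("trends:", trends)
    print("held about jdoe:", records_about(kept, "jdoe"))
```

Run against the sample records with "now" set to the date of the post, the November event loses its user and source address while still counting toward the per-resource trend, the two December events stay intact, and a subject-access request for "jdoe" returns only the one recent record that still names that identity. Keeping the aggregate counts separate from the identity-bearing records is what lets the retention clock run on the identities alone.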
(Acknowledgement to Brian Paige for his contributions and willingness to engage in this discussion.)