Thursday, 24 June 2010

Is identity management that difficult, accreditation and telepresence

RUGIT meeting today in London, and some interesting stuff discussed. First up was a presentation from the NCC (National Computer Centre) about an accreditation service they have started running for IT departments. It's been piloted in about 15 different departments from different sectors and now they're looking to roll it out. Basically it consists of some prior work being done by the department in completing a workbook explaining how they fulfil certain standards and giving evidence. This is followed by a whole day visit from the assessor who determines if you have met the standard to attain accreditation. The aim is to reward capability and best practice, to provide IT departments with a structured business improvement plan, and to enable IT services to benchmark themselves against others both in and out of their sector. Normally I'm a bit sceptical about such things, but this came recommended by a fellow IT Director who'd been one of the pilots, and it was relatively inexpensive and fairly low risk. Might be worth following up, and it might give us some useful benchmarking data.

We then had a very interesting presentation from JANET UK about video conferencing and telepresence. V/C is becoming more popular now, especially with the need to reduce travel, use our time more efficiently and reduce our carbon emissions. We discussed the relative benefits and disadvantages of the rather heavyweight and complex offering of the JANET video conferencing service (JVCS), and the desktop clients that many of us use such as Skype. One is room to room, the other person to person. Room to desktop/person is still not particularly easy. Lots of potential for new developments - I liked the concept of telepresence, which I've not really looked at before. Warwick University are beginning to use it - looks a lot better than standard VC - I imagine you would feel a lot more connected and as if you were in the same room.

Finally we talked about the Identity Management Toolkit which has recently been produced. Funded by JISC and supported by organisations such as UCISA, it's a very useful set of tools and covers governance and policies, systems, institutional requirements, gap analysis, project and supplier management. Looks like something we should be looking at and seeing if we can make use of it. The group had a long, complicated, and at times full and frank discussion about identity management. I can't decide whether we're doing it right, or I've missed the point altogether, as I just can't see what the problem is or why it seems so difficult to everyone else!


Owen said...

I think the comment about Identity Management is an interesting one. My experience and impression is that it is a difficult topic - I think the fact that so many institutions struggle with it is evidence of this, and for me this is backed up by personal experience.

I think it would be very interesting to explore more why you don't see it as a problem. A couple of thoughts from me:

Scope creep is endemic in Identity Management projects in Universities: the problem of Identity Management taken as a whole is (I think) intrinsically difficult. Take it far enough and you get to philosophical questions about identity and what it means. It is easy to get dragged into larger problems as you consider IDM projects - so I'm guessing that those places that have implemented IDM 'successfully' have been very clear about what they are setting out to achieve, and been very clear on their success criteria.

Secondly the technical challenges of identity management are not the difficult bits. It is almost always politics/bureaucracy/personalities which cause problems. Questions of who owns what data, who can change what data, how much individuals can manage their own data, who is involved in the project, who is responsible for inaccurate data, etc. etc. - these are the issues that get in the way. How all of these issues play out is down to organisational politics and culture - and so different institutions have very different experiences.

Final thought - leadership and investment. Without strong leadership from the top, and investment in IDM, my feeling is that the political issues are never resolved, and the technical infrastructure is not built to the quality required.

So - to throw out a theory - if you work in an organisation where IDM is a strategic goal, taken on by a senior member of staff who is able to get stakeholders to work together, IDM is relatively simple. Where this doesn't happen, IDM starts to get very difficult. What do you think?

Deborahf said...

I agree with Owen: delays are less to do with the technology and more to do with process, ownership and unique sources of data.

However, shouldn't Universities be looking even more long term and investing in their systems and amending their processes to work with external identities? Many students arrive with their own identities ranging from OpenID to Facebook and GMail. Shouldn't Universities be following the rest of the industry to support these or even replace internal IDM systems with them completely? That would surely be cost effective in the long term and sits the ownership of identity firmly with the individual.

Anthony Leonard said...

Identity Management is hard in devolved environments. At York we have a strong centre which actually manages identity information very well by tying together people registered in our student records system, HR system and our "miscellaneous" associates system into a single People database. Nevertheless we have strong outlier departments that have traditionally handled their own identity management and provisioning. Computing Science, Psychology, Electronics and others use separate departmental email addresses for their staff and manage accounts themselves. These accounts are used daily to login to systems using passwords that are not centrally managed. This means that tying together the lifecycle of a person's data at the centre to provisioning at the edge is a real integration problem involving adapters between lots of different systems and workflows.

The ultimate extension of the "devolved" problem comes with a research group that wants to open up a collaborative system to another external research group. The externals would prefer to be identified by the IDs and user profiles that are accredited or otherwise recognisable. If the collaborative tool is public (such as a blog like this) then currently people can be recognised by logging in using their Google profile, or by referencing their Twitter or Facebook ID etc, but these are commercial silos which are not for everyone. After all, why should we give all our information to big corporates, and more importantly, can we seriously ask our staff to? Open ID is a better federated solution, but the ID itself is a URL which is hard to recognise or empathise with. This is why I'm pretty excited about Webfinger. This is pretty new, but it could allow everyone to start logging into blogs like these, or international universities' VLEs or research systems, or even the systems of commercial partners, using your email address as your public ID. If Webfinger were to take off I would be known around the web for work things as "". Any contributions made using this ID on web systems could show my same photo/avatar and link back to the same profile hosted by the domain referenced by my Webfinger ID. That is, my photo and profile are hosted at my home institution where this information ought to be. I reckon that that's identity management done right. I've written a longer blog post about Webfinger here.

We live in a devolved but networked world. The systems we use everyday need to cope with that.
