Posted by Randy Jones, Senior Director, Technology Innovation
Trust is an interesting concept we rarely think about. Yet it underpins our personal relationships and is the glue holding communities together. Trust is understood to be the belief in the reliability of a person, organization, or thing.
Trust is hard to quantify but it is easy to know when it doesn’t exist. It can be qualitatively described as the degree of one’s confidence or faith in something. Trust is earned over relatively long periods of time by behaving in a consistent, predictable manner and in alignment with expectations. Conversely, trust can be lost quickly by a single event.
As in our personal lives, trust is critical to the security controls used in Identity Management (IM, also written IAM for Identity and Access Management) solutions. Many Research and Education (R&E) institutions are looking closely at IM options as a critical piece of digital infrastructure with which to accelerate the adoption of external services such as research collaboration sites and commercial Software as a Service (SaaS).
Over recent years, cloud service providers have earned our trust and our business. As applications migrate to the cloud, our trust relationship with vendors changes, in part because authentication traffic must now cross public networks and the enterprise firewall. Opening additional inbound firewall ports so that external services can reach the institutional directory directly (for example, exposing its LDAP interface to the internet) is rarely acceptable because it introduces additional security risks: every exposed port is new attack surface on the very system that holds everyone's credentials.
What’s needed to deploy trustworthy IAM solutions for the Research and Education (R&E) community when “on premise” applications transition to the cloud?
What’s needed is a means of integrating multiple, unrelated external services with institutional directory services (e.g. Active Directory) without opening additional firewall ports. Options for IAM solutions in the cloud include:
- The ‘We Give Up’ option: A separate user account is created in each external service. Each user ends up with multiple credentials to remember, which in practice means passwords reused across services. This is not a great option because it takes a lot of effort to maintain, accounts are rarely removed promptly when people leave, and hackers love it because of the abundance of accounts to attack: a breach at any one service exposes credentials that are likely to work elsewhere.
- Bilateral arrangement created between each external service and the home organization Identity Provider (IdP): This option is good because users only have a single set of credentials to remember, and because the exchange rides over HTTPS through the user's browser, no additional inbound firewall ports need to be opened. However, validating the authenticity of messages amongst a mesh of unrelated parties requires a separate bilateral digital trust relationship (e.g. signing certificates and endpoint details exchanged out of band) to be provisioned between the home organization IdP and each service, and kept current whenever either side rotates a certificate. Trust is the missing ingredient in these activities because there are rarely pre-existing agreements on how integrations are to work between two parties. Scaling this solution to many services requires a fair bit of co-ordination, since the number of relationships grows with every new IdP and every new service, resulting in delays in lighting up new services.
- Federated Identity Management: In this option, each participant registers its metadata (entity identifier, endpoints and signing certificates) once with the federation operator, who publishes it to all participants as a signed aggregate. A participant needs to verify only the operator's signature on that aggregate to trust the certificates of every other participant, so a service never has to exchange certificates with each IdP individually. This reduces the effort needed to light up each service, particularly if a service provider is already part of the federation and only a reduced-scope security assessment is required. Authentication again transits the enterprise firewall over HTTPS, so no new ports are opened. This option also simplifies the user experience by providing users a single set of credentials to remember. The Canadian Access Federation (CAF) provides a Federated IM service to the R&E community in Canada.
How does trust work in an R&E IM federation?
Trust in an IM federation is not unlike that in a closed residential community. Imagine a group of neighbours who travel frequently and wish to have their property looked after in a reciprocal arrangement. One trustworthy neighbor that we’ll call ‘Bob,’ who values living in a secure, happy community, maintains and distributes a single list of contact and property access information amongst all participants. Trust amongst this group is established through a common need, with the knowledge that none of them could travel with ‘peace of mind’ if they couldn’t count upon one another’s assistance and discretion.
In Canada, CAF provides a Federated IM service that acts much like ‘Bob,’ specifically for the R&E community. Trust in this community is based upon a common and specific interest in R&E and a need for researchers and students to share and collaborate through digital infrastructure. CAF mandates the use of standard protocols for information exchange and security mechanisms to validate the authenticity of messages. Additionally, CAF sets and enforces the minimum requirements for participation, and distributes metadata so all participants can be assured that their interactions are trusted to conform to federation standards. Trust is earned amongst participants by consistently conforming to the policies of the federation, and by using secure protocol mechanisms to ensure authenticity of all IM message exchanges.
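Stripped down to its trust mechanics, the federation model described in the options above and in CAF's role as ‘Bob’ looks like the following Go program. It is an added example written for this article, not CAF's code or any federation software; a JSON map and ECDSA keys stand in for the signed SAML metadata aggregate and X.509 certificates a real federation publishes, and the entity identifiers and user names in it are hypothetical. The service provider pins exactly one key, the operator's, and learns every IdP's signing key from the aggregate that key verifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"fmt"
)

// Aggregate stands in for a signed SAML metadata aggregate: entityID -> PKIX DER public key.
// Constructed simplification; real metadata carries X.509 certificates and endpoints.
type Aggregate map[string][]byte

// Assertion is a constructed, minimal stand-in for a SAML assertion.
type Assertion struct{ Issuer, Subject string }

type Signed struct{ Payload, Signature []byte }

// sign produces an ECDSA signature over SHA-256(payload).
func sign(key *ecdsa.PrivateKey, payload []byte) Signed {
	h := sha256.Sum256(payload)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, h[:])
	return Signed{payload, sig}
}

func verify(pub *ecdsa.PublicKey, s Signed) bool {
	h := sha256.Sum256(s.Payload)
	return ecdsa.VerifyASN1(pub, h[:], s.Signature)
}

// Federation is the service provider's view: one pinned operator key, plus the IdP keys
// learned from the last aggregate that verified under it.
type Federation struct {
	OperatorKey *ecdsa.PublicKey
	idps        map[string]*ecdsa.PublicKey
}

// LoadAggregate refuses any aggregate the operator did not sign, so a rogue or tampered
// metadata feed can never introduce a trusted IdP.
func (f *Federation) LoadAggregate(s Signed) error {
	if !verify(f.OperatorKey, s) {
		return fmt.Errorf("metadata aggregate: operator signature invalid")
	}
	var agg Aggregate
	if err := json.Unmarshal(s.Payload, &agg); err != nil {
		return err
	}
	f.idps = map[string]*ecdsa.PublicKey{}
	for id, der := range agg {
		pub, err := x509.ParsePKIXPublicKey(der)
		ec, ok := pub.(*ecdsa.PublicKey)
		if err != nil || !ok {
			return fmt.Errorf("%s: unusable signing key", id)
		}
		f.idps[id] = ec
	}
	return nil
}

// VerifyAssertion accepts an assertion only if its issuer is registered in the metadata
// and the signature verifies under that issuer's registered key.
func (f *Federation) VerifyAssertion(s Signed) (Assertion, error) {
	var a Assertion
	if err := json.Unmarshal(s.Payload, &a); err != nil {
		return a, err
	}
	pub, ok := f.idps[a.Issuer]
	if !ok || !verify(pub, s) {
		return a, fmt.Errorf("assertion from %q rejected: unregistered issuer or bad signature", a.Issuer)
	}
	return a, nil
}

type Result struct{ Accepted, UnknownIdPRejected, BadAggregateRejected bool }

// RunScenario: the operator publishes metadata listing one IdP, the SP loads it under its
// pinned operator key, then judges one good assertion and two failure cases.
func RunScenario() (r Result) {
	operator, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	idp, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogue, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // never registered
	const idpID = "https://idp.example.ca/idp"                  // hypothetical entityID
	der, _ := x509.MarshalPKIXPublicKey(&idp.PublicKey)
	meta, _ := json.Marshal(Aggregate{idpID: der})
	sp := &Federation{OperatorKey: &operator.PublicKey}
	r.BadAggregateRejected = sp.LoadAggregate(sign(rogue, meta)) != nil // same content, wrong signer
	if err := sp.LoadAggregate(sign(operator, meta)); err != nil {
		panic(err)
	}
	good, _ := json.Marshal(Assertion{idpID, "alice@example.ca"})
	_, err := sp.VerifyAssertion(sign(idp, good))
	r.Accepted = err == nil
	unknown, _ := json.Marshal(Assertion{"https://rogue.example/idp", "alice@example.ca"})
	_, err = sp.VerifyAssertion(sign(rogue, unknown)) // valid signature, but issuer not in metadata
	r.UnknownIdPRejected = err != nil
	return r
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

The bilateral option from the list above corresponds to pinning every IdP key in the service provider by hand; the federated option replaces that with one pinned operator key and a signed aggregate that can be refreshed on a schedule. Two caveats a real deployment adds: the aggregate carries a validity period, so a stale copy must be refused rather than used indefinitely, and the assertion itself carries an audience and an expiry that the service provider must also check.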
The Canadian R&E community is increasingly dependent upon international collaboration to accelerate its work. Fortunately, many developed countries have their own IM federation based on the same standards as CAF Federated IAM and the interfederation service known as eduGAIN allows global sharing of trust information amongst federations. Enabled by eduGAIN, researchers can access federated services globally using a single set of credentials maintained at their home institution.
The larger a federation, the more value it can provide to its participants. Joining CAF is simple and is available to any organization which supports or enables the R&E community in Canada. To learn more please visit canarie.ca/identity.