Roll Call

To many, identity management is about protecting the network. But to Jim Hirsch, assistant superintendent for technology at the Plano Independent School District (PISD) in Texas, it's about assigning 53,000 students customized user profiles that allow each to access course assignments, supplemental materials and personal information from inside and outside the classroom.

And for Charlie Hofmann, manager of database-application development in the Information Technology Unit at Virginia's George Mason University, identity management is about figuring out how to get the nearly 5,000 employees that span three campuses to add and remove students, faculty and staff via the school's universal application suite so that information can match in all systems campuswide--from libraries and student residences to food service and e-mail.

In other words, identity management in education is as much about collaboration as it is about security.

"In education, you can't use the same type of 'by-default, everything-is-locked-down' solution that you can sometimes use in industry," says Steve Worona, director of policy and networking programs at Educause, a nonprofit association dedicated to promoting IT in higher education.


"That doesn't mean things are wide open; it just means the protections are at a lower level of granularity. That's also the reason identity management is more complex."

K-12: Customized Education

For example, a second-grader who's advanced in reading may log into a user profile for that subject and have access to fourth-grade materials. Another student may be struggling with math and can turn to software to catch up.

Such scenarios are, of course, cutting-edge. For now, the challenge is integrating the data housed on a multitude of legacy systems to lay the groundwork for that level of customization.

"There are all of these disparate systems that, up until a couple of years ago, didn't really need to be separated out," says Colleen Beale, engineering manager of storage, portals and security at Hunt Valley, Md.-based Data Networks. "But now districts want to harness the technology to make good decisions for the students, teachers, parents and community."

To enable that, a central repository is often incorporated for different directories--e-mail, food service, transport and so on--to talk to each other. "Once all of the information is in a central location, you can start creating policies, pulling reports and making the efficiencies and interactions easier between systems," Beale says. "Set up a profile once, and based on policies, you can set it up in all other systems automatically."

That's exactly what Fairfax County Public Schools (FCPS) in Virginia hopes to accomplish. Right now, an in-house provisioning system automates the creation, transfer and termination of about 30,000 Active Directory accounts.

In a current RFP, the district seeks to integrate enterprise directories, provide reduced Web sign-on, audit security privileges and automate user-account lifecycle workflow. The initial identity-management project will focus on directory integration and provisioning, with the aim of tying together data from a human-resources system and Active Directory, says Nitin Pradhan, director and chief information-technology architect at the district's Office of Technology Planning and Assessment.

Ideally, centralized provisioning and password management will reduce the cost and complexity of managing user accounts; centralized log-ins and auditing will ensure that the district knows who has access to what; consolidated sign-on will reduce the number of authentication events required when accessing various Web systems; and access modeling will help prevent unauthorized access to FCPS' applications and information services.

"FCPS has identified the need to define access at a more granular level," Pradhan says. "Dynamic group membership can be calculated in real-time based on attributes that are maintained in a user profile stored in an enterprise directory, while the use of role-based authorization can provide an additional layer for modeling consistent access rights across all systems." The authoritative sources of those attributes will be the student information and HR systems, Pradhan says.
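The pattern Pradhan describes, with the student-information and HR systems as the authoritative source, group membership computed from profile attributes, and a provisioning run that creates, modifies or disables accounts in a target system, can be sketched as an added example. The code below is not FCPS code or any vendor's; the `Identity` record, the `GROUP_RULES` table, the school and group names, and the target system (a plain dictionary of account to groups) are all constructed for illustration.

```python
"""Attribute-driven group membership and provisioning reconciliation.

Added example (not FCPS code). The student-information and HR systems are
treated as authoritative for a user's attributes, group membership is
derived from those attributes by rules, and a provisioning run computes the
create/modify/disable actions that bring a target system (here a dict)
into line with the source. All identities, schools and group names are
constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Identity:
    uid: str
    affiliation: str                  # "student" or "staff"
    school: str
    grade: Optional[int] = None       # students only
    department: Optional[str] = None  # staff only
    active: bool = True               # False once SIS/HR records the person as left


# Dynamic group rules: group name -> predicate over profile attributes.
# Entitlements (e.g. who may edit the gradebook) are attached to these
# groups rather than granted to individual accounts.
GROUP_RULES = {
    "all-students": lambda i: i.affiliation == "student",
    "all-staff": lambda i: i.affiliation == "staff",
    "gradebook-editors": lambda i: i.affiliation == "staff"
    and i.department == "teaching",
}


def dynamic_groups(identity: Identity) -> Set[str]:
    """Compute the groups an identity should hold from its attributes alone."""
    groups = {name for name, rule in GROUP_RULES.items() if rule(identity)}
    groups.add(f"school-{identity.school}")
    if identity.grade is not None:
        groups.add(f"grade-{identity.grade}")
    return groups


def reconcile(authoritative: Dict[str, Identity],
              target: Dict[str, Set[str]]):
    """Return the ordered list of (action, uid, detail) that brings the
    target system in line with the authoritative source.

    Accounts are disabled rather than deleted so the audit trail of who
    had access survives."""
    actions = []
    for ident in authoritative.values():
        current = target.get(ident.uid)
        if not ident.active:                        # leaver
            if current is not None:
                actions.append(("disable", ident.uid, None))
            continue
        desired = dynamic_groups(ident)
        if current is None:                         # joiner
            actions.append(("create", ident.uid, desired))
            continue
        add, remove = desired - current, current - desired
        if add or remove:                           # mover
            actions.append(("modify", ident.uid,
                            {"add": add, "remove": remove}))
    for uid in target:                              # account with no source record
        if uid not in authoritative:
            actions.append(("disable", uid, None))
    return actions


def sample_run():
    """Constructed data: a student promoted to fourth grade, a new teacher,
    a terminated staff member, and an orphaned account with no source record."""
    authoritative = {
        "s1001": Identity("s1001", "student", "elm", grade=4),
        "t2001": Identity("t2001", "staff", "elm", department="teaching"),
        "t2002": Identity("t2002", "staff", "elm", department="facilities",
                          active=False),
    }
    target = {
        "s1001": {"all-students", "school-elm", "grade-3"},
        "t2002": {"all-staff", "school-elm"},
        "x9999": {"all-staff"},
    }
    return reconcile(authoritative, target)


if __name__ == "__main__":
    for action in sample_run():
        print(action)
```

The orphaned account (`x9999`) is the case worth noticing: an account that exists in the target but has no authoritative record is disabled on the next run, which is how centralized provisioning keeps the "who has access to what" picture honest without anyone having to remember to remove it by hand.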

Similarly, PISD in Texas implemented an identity-management solution that uses Novell's eDirectory for authentication to network and local resources. Student profiles are maintained in the user group of the local Windows machine, while staff members belong to the power user group, allowing them to perform almost any task. A mypisd.net portal expanded the borders of the system, enabling students to reach it from outside the network through a Citrix terminal service that provides an encrypted connection to a remote KVM solution.

"To talk about security from end to end, you have to talk about the applications and how they're configured to run," Hirsch says. The district has more than a thousand fat-client applications that are authenticated through eDirectory and often include their own added security to prevent intrusion. The network is protected by a firewall and an intrusion-detection system. Multiple antivirus/antispam checkers, local scanners and patch-management solutions protect desktops and servers.

"We also have some two-factor authentication by design and require a different name and password for teachers to get into the gradebook system," Hirsch adds. "The bottom line: Every network needs to [include] directory services for every user--whether student or staff."

Higher Education: Global Information Exchange

So how does that compare to the identity-management requirements that exist in higher education? While universities still face issues relating to disparate systems and authentication, many have moved on to the next level in terms of technology and scope.

Federated identity management is a growing trend at the larger universities, allowing one institution to access resources from another's network with credentials that are validated before the user gets through the door, so to speak. This enables universities to collaborate with each other, and with business or research institutes. Organizations such as the InCommon Federation and Internet2 support a unified framework for shared access to online resources and help create IT standards that can link institutions across countries.

Of course, that information-sharing paradigm makes secure identity-management solutions all the more crucial.

"Because of the amount of collaboration happening in the higher-education environment, it's more critical than ever to have single-sign-on solutions to access all applications, incorporating an LDAP [Lightweight Directory Access Protocol] and, in a lot of cases, token technology with two-factor authentication," says John Roman, executive vice president at Brite Computers. The Victor, N.Y.-based solution provider has worked with a number of institutions on identity-management solutions, including the Rochester Institute of Technology and Monroe Community College. "In a lot of cases, they want to know what's out there. It's still ambiguous enough that if [industry] isn't talking about it, they're not thinking about it."

George Mason University, for one, is in the process of implementing the Sun Identity Manager, which will tie campus systems together, reduce log-ins and ease both provisioning and deprovisioning of users from the network. The solution will start with the expansion of an enterprise LDAP and the phasing in of six mission-critical systems.

Fortunately, most front-end applications allow authentication to be handed off to an LDAP directory, with the user returned to the application for access once the directory has verified the credentials. The authoritative source will be the Sungard Banner administrative suite--an application that competed with Oracle's PeopleSoft and is specifically designed for the higher-education market. That means the IT administrator at George Mason will be able to write triggers, programs and procedures that export information from the database to an interface table that the identity manager reads for provisioning. This way, business logic can be separated from the identity-management solution and maintained in-house. Sun partner Aegis performed the initial implementation.
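The interface-table arrangement described above, where database triggers on the administrative system publish changes into a table that the identity manager polls, is shown here as an added example. It is not George Mason's code, Banner's schema or Sun Identity Manager's connector; the `employee` and `idm_interface` tables, the status codes and the sample rows are constructed, and SQLite stands in for the administrative database.

```python
"""Trigger-fed interface table for an identity manager to read.

Added example (not George Mason's or Banner's code). The administrative
system keeps its own tables; triggers copy just the attributes the
identity manager needs, plus an action, into an interface table. The
identity manager polls that table and never touches the source tables,
so the mapping from HR status to provisioning action stays in-house.
Table names, columns and status codes are constructed for illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE employee (
    pidm       INTEGER PRIMARY KEY,          -- person identifier
    username   TEXT NOT NULL,
    department TEXT,
    status     TEXT NOT NULL CHECK (status IN ('A', 'T'))  -- Active / Terminated
);

-- What the identity manager reads. Only the attributes it needs, an action
-- decided by in-house business logic, and a processed marker.
CREATE TABLE idm_interface (
    seq        INTEGER PRIMARY KEY AUTOINCREMENT,
    pidm       INTEGER NOT NULL,
    username   TEXT NOT NULL,
    department TEXT,
    action     TEXT NOT NULL,                -- PROVISION | MODIFY | DEPROVISION
    processed  INTEGER NOT NULL DEFAULT 0
);

CREATE TRIGGER employee_ins AFTER INSERT ON employee BEGIN
    INSERT INTO idm_interface (pidm, username, department, action)
    VALUES (NEW.pidm, NEW.username, NEW.department, 'PROVISION');
END;

CREATE TRIGGER employee_upd AFTER UPDATE ON employee BEGIN
    INSERT INTO idm_interface (pidm, username, department, action)
    VALUES (NEW.pidm, NEW.username, NEW.department,
            CASE WHEN NEW.status = 'T' THEN 'DEPROVISION' ELSE 'MODIFY' END);
END;
"""


def open_db():
    """In-memory stand-in for the administrative database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def read_pending(conn):
    """The identity manager's poll: unprocessed rows, oldest first."""
    return conn.execute(
        "SELECT seq, pidm, username, department, action FROM idm_interface "
        "WHERE processed = 0 ORDER BY seq").fetchall()


def mark_processed(conn, seqs):
    """Acknowledge rows the identity manager has acted on."""
    conn.executemany("UPDATE idm_interface SET processed = 1 WHERE seq = ?",
                     [(s,) for s in seqs])
    conn.commit()


def demo():
    """Constructed lifecycle: hire, department move, termination.
    Returns the actions the identity manager saw and how many remain."""
    conn = open_db()
    conn.execute("INSERT INTO employee VALUES (1001, 'jdoe', 'Library', 'A')")
    conn.execute("UPDATE employee SET department = 'Registrar' WHERE pidm = 1001")
    conn.execute("UPDATE employee SET status = 'T' WHERE pidm = 1001")
    conn.commit()
    pending = read_pending(conn)
    actions = [row[4] for row in pending]
    mark_processed(conn, [row[0] for row in pending])
    return actions, len(read_pending(conn))


if __name__ == "__main__":
    print(demo())
```

In a real deployment the identity manager's database account would be granted only SELECT and UPDATE on `idm_interface`, never on the source tables, which is what makes the separation of business logic from the identity-management product a security boundary as well as a maintenance convenience.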

Of course, as any advanced solution is implemented, areas of frustration arise. As far as George Mason's Hofmann is concerned, improvements could be made in how exceptions from the LDAP are handled.

"If I'm logging in to an application, and my password has expired, I can't get the correct message on my screen or a redirect to the password page," he says. "Instead, I just get a note saying 'incorrect login and password.' That's one example of awareness on the vendor's part that we need some intelligence in the product to interpret the return codes and then have the ability to redirect."
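The kind of interpretation Hofmann is asking for, in which an application reads the directory's return code after a failed bind and decides whether to show a message or redirect to the password page, can be written in a few dozen lines. This is an added example, not George Mason's code or any vendor's product logic. It assumes the application has already performed the bind and passes in three things: the LDAP result code, the server's diagnostic message, and, where the server attached one, the error value from the password-policy response control (draft-behera-ldap-password-policy). Active Directory reports the reason for a failed bind as a "data NNN" sub-code inside the diagnostic message, so both forms are handled; the message texts and redirect paths are constructed.

```python
"""Turn LDAP bind results into the message and redirect a user should see.

Added example (not George Mason's code). Handles two real reporting styles:
the password-policy response control's error value, and Active Directory's
"data NNN" sub-code in the bind diagnostic message. Message texts and
redirect paths are constructed for illustration.
"""
import re

INVALID_CREDENTIALS = 49  # LDAP resultCode for a failed simple bind

# Password-policy control error values that matter during login
PPOLICY_ERRORS = {
    0: "password_expired",
    1: "account_locked",
    2: "must_change_password",   # changeAfterReset
}

# Active Directory "data" sub-codes found in the bind diagnostic message
AD_DATA_CODES = {
    "525": "invalid_credentials",  # user not found: deliberately not distinguished
    "52e": "invalid_credentials",  # wrong password
    "530": "logon_hours",
    "532": "password_expired",     # password was correct but has expired
    "533": "account_disabled",
    "701": "account_expired",
    "773": "must_change_password",
    "775": "account_locked",
}

_AD_DATA = re.compile(r"\bdata ([0-9a-f]{3})\b", re.IGNORECASE)


def classify_bind(result_code, diagnostic="", ppolicy_error=None):
    """Map a bind outcome to a small set of application-level reasons."""
    if result_code == 0:
        return "success"
    if ppolicy_error in PPOLICY_ERRORS:
        return PPOLICY_ERRORS[ppolicy_error]
    if result_code == INVALID_CREDENTIALS:
        match = _AD_DATA.search(diagnostic or "")
        if match:
            return AD_DATA_CODES.get(match.group(1).lower(), "invalid_credentials")
        return "invalid_credentials"
    return "directory_error"


# Unknown user and wrong password share one message so the login form does
# not confirm which usernames exist. A redirect to the password page is only
# offered for states the directory reports after the password was accepted.
RESPONSES = {
    "success": ("Signed in.", None),
    "password_expired": ("Your password has expired.", "/password/change"),
    "must_change_password": ("You must set a new password.", "/password/change"),
    "account_locked": ("This account is temporarily locked.", "/help/locked-account"),
    "account_disabled": ("This account is not active.", "/help/contact"),
    "account_expired": ("This account has expired.", "/help/contact"),
    "logon_hours": ("Sign-in is not permitted at this time.", None),
    "invalid_credentials": ("Incorrect username or password.", None),
    "directory_error": ("Sign-in is unavailable; please try again later.", None),
}


def login_response(result_code, diagnostic="", ppolicy_error=None):
    """Return (message, redirect_path_or_None) for a bind result."""
    reason = classify_bind(result_code, diagnostic, ppolicy_error)
    return RESPONSES.get(reason, RESPONSES["invalid_credentials"])


if __name__ == "__main__":
    # Constructed diagnostic text in the shape AD returns for an expired password
    print(login_response(49, "AcceptSecurityContext error, data 532, v1db1"))
```

Whether to tell an unauthenticated caller that an account is locked is a policy choice: it is helpful to the legitimate user but also confirms the account exists, and some sites fold that case into the generic message as well.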

At the same time, with user information stored in the LDAP for role-based provisioning, Hofmann would like to see systems do a better job of extracting data from that repository, rather than having to be fed extracts on a nightly basis.

"The information is out there in the LDAP, and yet we're still having to feed the data into databases," he says. "These systems should be able to pull the data easily--either in real-time or in batch mode."

Getting Everyone Talking

"The major challenges with any project are the nontechnical ones--understanding the process you're trying to automate, and the human elements," FCPS' Pradhan says. "Some human issues that are heightened in identity-management projects involve working through data-ownership issues. On the technical side, complexity, consolidation of the market and maturity of the available solutions are common challenges."

Most enterprise applications enable interoperability by being "hot-pluggable," as Oracle calls it. Products integrate with major directories, application servers, portals, business applications, databases and so on, based on standards.

Where institutions sometimes face challenges, however, is with the smaller instructional applications that are typically hosted externally. Often, those apps require an agent on a hosted server and, therefore, conflict with reduced sign-on solutions.

With education from the channel, though, even the vendors behind those specialized applications are coming around--tweaking the design of their offerings so that they can be integrated with other solutions.

"In the past, everyone was on his own island," Beale says. "That was fine when technology wasn't as sophisticated as it is today. Now, vendors need to understand the need to interoperate. It's not like they have to give up a piece of technology; they just have to develop to the industry standard and leave the interoperability to whoever is doing the integration."

Of course, in order for any solution to truly have an impact, detailed processes that enable gradual implementation have to be in place.

For FCPS, the discovery and documentation processes involved consultants right from the start. They documented the school district's identity-management environment and process, delivering a series of technical workshops for senior management and key project stakeholders. From that process stemmed the current request for proposals.

Meanwhile, channel players can continue to help school districts and universities roll out and fine-tune their identity-management systems. One caveat: Don't make promises you can't keep.

"Don't fake it by preaching that you have one complete solution that will solve all of the [customer's] problems," Educause's Worona says. "The people on campus are more technically savvy than any of the technically savvy people you'll deal with elsewhere; they'll see right through it."