Oren’s Weblog

Asbed’s memorable quote (regarding students): You gotta reach ‘em to teach ‘em.

Mobility at MIT – Michael Gettes
MIT Mobile Framework
m.mit.edu – went live summer 2008. went open source spring 2009. v2.0 went live fall 2009
also have an SMS service which covers earlier phones like RAZRs.
- want to deliver to multiple platforms – all smartphones, feature phones, and PDAs.
Applications
Purely web based – native apps strategy TBD.

Web apps built with community participation. CIO funded up to $250k per initiative – total funding around $750k.

A bunch of universities are using their platform (27+).

Architecture (top down)
- browser detection (WURFL) – abstracts a lot of the UI issues across devices. (wurfl.sourceforge.net)
- SMS is parallel to that – both talk to Content Generator api layer.

Lots of work in rethinking apps to work in the smaller form factor.

Students building lots of apps – there’s a course (6.087) in building mobile applications.
Allocate about 25% of Andrew Yu’s time to work with faculty and courses. “one person can make a big difference.”

MIT Research on mobile – near field communication trial; Center for future banking; Open transaction network; Organic indoor location discovery.

1.5 FTE dedicated to mobile platform, plus contractors (including students).

iMobileU – vision: create a collaborative framework for higher ed institutions to jointly develop and enhance mobile solutions as open source projects. Kicked off Summer 2009. https://spaces.internet2.edu/display/imobileu/

60% of accesses are iphone (and ipod touch).

Candy Borland – Mobile at USC – http://mobile.usc.edu
What we did with no money (aside from what they have to do central web sites).
75% iPhones (including iPod Touch), 11% Android, 7% Blackberry, 5% other – major USC web site mobile use.
Done purely web-based apps, targeting webkit browsers. You can do most of what you need with the web – can’t talk to the sensors on the phone (accelerometer, compass, etc). Thinking about native apps, but haven’t gone there yet. Bus schedule is one of the most popular.
Doing an aggregated RSS feed reader (with some personalization) – reader.usc.edu

Design point – Need to have a thumbable UI.
Question – will Apple (and others) make sensors accessible from the web interface?
Another question – is the back-end ready for the mobile world?

Tim Flood – iStanford – A Mobile STudent Interface
Challenges and opportunities
- Approaching as an administrative user interface for their Peoplesoft system, about which people ask: “can’t you do better than this?”
(implemented Peoplesoft in 2000-2001, already regard it as a legacy system).
- Highly motivated students, capable campus partners. Worked with two teams of students so far: CourseRank – a web 2.0 interface to courses; TerriblyClever.
- want to encourage multiple interfaces to admin systems.
- Decided to develop for iPhone – didn’t want to wait for standards to evolve. Thought over time they could migrate to other platforms. To date have had no requests for iStanford to run on other devices.
- Anthropology research at Stanford – 9% of respondents pet their iPhones, 3% have names for them, 21% of grad students and 15% of undergrads describe iPhone as “appendage”

iStanford today – now have authentication working. Doing simple course adds and drops. Can view grades and study lists. Using Web Services and RSS feeds.

Klara – Duke has added student financial transactions and status to their iPhone app.

Planning for tomorrow – View the mobile platform as the successor to the Stanford ID card. Financial transactions, Access and privilege control, Student ID. Also want an app they can use during emergencies – be able to locate people and have them report where they are; view student bills (being worked on now, hopefully for release in February); announcements and advertisements platform that uses GPS; Places (dining, etc) with locations on map (modeled on Duke’s); Library search, map, stack maps, hours; Class textbook information; Dining app (like Chipotle or Starbucks apps); AskJane (knowledge base for student services); iTunes U and authenticated class video.

Pleasant surprises – 65k downloads of iStanford, where population is ~20k people.
Let your clients design your UI (the TerriblyClever guys) – don’t need to include all the functionality you can.

Student can be unpredictable (and the can be bought out overnight). This can impact your strategy.
Testing is a learning experience, and so is submitting to the App Store.

Early on committed to using the power of the tools at hand – if there’s a way to enhance the experience using the properties of the device itself they’ll develop for it and figure out how to accomodate those that don’t have the device.

Brett Pollak – UC San Diego Mobile
Campus web manager and product manager for campus-wide CMS.
Many of the same problems with mobile usability that we had with web design in the 90s – small resolution, low bandwidth, connectivity problems, lack of flash/javascript support, etc.

Did a survey to prospective students about mobile browsing behavior.
40 respondents: 70% had smartphones, 40% had iPhones. 20% visited ucsd.edu from mobile device. They wanted: maps, student directory, courses, calendar, news.

The decided to provide student functionality – maps, news, directory, courses, shuttles. All audiences benefit from these. Decided to use TerriblyClever. App launched in June ’09. Around 10k active users to date. Just launched Blackberry app. Shuttle schedule is the most popular, then courses, directory, maps, athletics, photos, news then YouTube.

They’ve contracted with mir3 for opt-in emergency notifications. Klara notes that at Duke parents in particular love that functionality. Would be nice if it were more integrated with the web for notifications too.

Podcasting and videocasting of courses at discretion of professor. 27 locations across campus, including all of the 24 large lecture halls. 95 courses podcast this quarter, 6 with video. http://podcast.ucsd.edu

Where they’re going – integrate WEb content managed by CMS with app functionality from Terribly Clever. Keep apps and m.ucsd.edu in sync. Support broader group of smartphones. Integrate “add-ons” such as Worldcat Mobile (library catalog search).

Feedback is that people really like the “one-stop shop” of the iphone app.

Elazar notes (in response to a question) that they’re not necessarily wed to this vendor forever – now that they’ve done the hard work of getting the data interfaces in order they could migrate to another platform.

Michael asks the question of where we want to take all this – the vendor route or go our own route. It’s not just about the iPhone – what about the upcoming tablets? Shel notes that it’s not just about the vendor options, but the size of the investments. ERP wave is over, so it’s a matter of being nimble – making targeted investments where we don’t have embedded incentives to keep them beyond their reasonable life. Not the kind of time scales we previously dealt with. Go into investments with smaller amortization periods – like 30 months. Bill Clebsch – it’s about unbundling of sets of services – moving from being service providers to service brokers. Rate of market change is accelerating. Landscape, particularly in mobile, is undergoing tremendous change. Need to start looking at all our businesses that way – the way of ERPs is gone. The ill effects of ERP live on – we’ll spend the next decade trying to take that apart. Klara – what’s giving the value add? It’s not the infrastructure – if there’s a framework we can put our information in without developing.

Tim points out that there’s a lot of work to be done with our existing systems on integration – that’s the logjam. The key is web services. Takes a minimum 9 month cycle to get something changed in Peoplesoft – that’s unacceptable. Can the web services in the ERP be developed to allow more agility. Elazar – the iPhone app gave tremendous value which can’t be measured – students and alum are extremely proud. All about timing – a year from now that wouldn’t have value. Serge – it’s a giant carrot we can use to get people to do all sorts of good things with back end systems.

Question about authenticated access to mobile apps. Michael – personal certs on iPhone for access to web apps, as well as shibboleth access. Bruce – iPhone OS doesn’t handle kerberos. Worked with TerriblyClever to integrate security. Not perfect, but didn’t let that stop them from moving forward. Not a true single sign-on across apps. Ken – precipitates the deeper question about Shib for non-web apps. Lots of work going on in that space, but so far seem to be one-off solutions until we understand the pattern.

Elazar asks about other uses. Shel says that their field stations have an iPhone app using the camera for data collection. They want to have higher resolution and want to tie it into the sensor nets for real-time connections. Serge – is anybody looking at developing student response systems? Apple has one available. Tim – students ask for a more seamless experience across the student system and Sakai. Someone notes that there’s a radiology measuring tool on the iphone.

Tim – there have been some discussions between TerriblyClever and CollegeNet about doing iphone access to 25Live (successor to Resource25) for event scheduling, via 25Live’s web services.

Can You Trust Me Now? RL “Bob” Morgan (U Washington)

Grade submission as an example – worked as a paper process, using bubble sheets which got scanned. The paper is the artifact – it’s about who’s holding it. Eventually gets back to the registrar’s office, then processed by people who are supposed to do something with the signatures but don’t really have a way to verify.

Online submission process- Instructors enticed by gradebook app in LMS, users sign on to LMS with NetID. Instructor of record inserts grades, reviews, and submits.

Old process relied on physical practices and personal relationships. New process relies on integrity of LMS and its connection to student system, accuracy of authorization, reliability of NetID system in all its parts.

What assurance do we have it’s the right person submitting the grades? Not comparable to the old process which was not about the person as much as the piece of paper.

Should we use two-factor authentication? What are instructors’ practices in protecting workstations and data? Data protection policy said that if you’re dealing with personal data then 2 factor should apply. But decided not to, based on the level of data you have access to. What are peers doing, are there standards?

That’s the assurance problem statement.

Basics of identity assurance

What are the risks to applications – they need to provide services to the world, protect their stuff, not be hacked. There are other kinds of risks – bad programming, database security, etc. What is identity? From the app point of view, anything about a requesting party that can be used to make an access control or resource allocation decision. Maybe just a userid, maybe much more. Traditionally much of the data is stored within an app, which implies practices that have to be justified to whoever oversees it. Now we like to externalize services. Motivates need for formal description – what is the app trusting, how do you talk about it?

One size doesn’t fit all – apps come in different sizes and shapes. Even if we thought there was one true identity everyone should use (popular a few years ago), evidence shows you can’t do that all the time. There are things that users just won’t do – if I have to provide a whole bunch of info about myself to use an app, I might not be willing to provide it. High assurance by its nature requires more work and information from the user. We need a range of practices. Need good ways to describe them.

Elements of IdM practice – about which apps migh want assurance. Registration and identity proofing – how does the notion of the existence of a person with an address and a relationship to the institution get into the identity system in the first place? How do we know it’s true? Relies on other information coming in from the world – photo ID, who’s doing the checking. How do we create a credential for that person? (typically userID and password). How do we know the credential is in the hands of the right person. Those processes can be expensive and rely on staff to support. Authentication services – has to work well all the time. What about managing additional user info (email address, e.g.)

End up with different practices for different kinds of people. We might present a huge matrix of possibilities to apps.

Elements about IdM operators – Organizational maturity – documented procedures, leadership consistency, authority of population/orgs in question. Operations change management, security, user support, logging, privacy.

Levels of assurance – in SAML there’s an elaborate spec about how in a authentication response you can put a megabyte of data about how assurance and identity proofing was done. Most reasonable people think that needs to be simplified.

US Government leads the way – OMB 04-04 (Dec. 2003) promotes e-authentication for e-government, using external identity providers. Characterizes risks into four levels. Support those levels with standards saying what the practices for each level should be. E-Auth esablished program to evaluate IdPs. They’ve been working on revisions ever since. Hoping to issue it this year. A set of universities were evaluated five years ago.

The four levels 1 – little or no; 2 some; 3 high; 4 very high
l1 – typical internet account – no tie to real-world identity. Use email address. Do you know that it’s a person? Is the billg account on LinkedIn really Bill Gates? You get assurance that the person coming back is the same person.

l2 – standard business practice. Identify person, know who they are, refer back to real-world docs. Don’t get it right all the time, but mostly we do. Usernames and passwords

l3 exta-secure business practice – use two factor authn

l4 – if you have to ask you can’t afford it.

The government moves on…
E-auth has some problems. Funding not stable, not serving needs of agencies. Shut down March 2009.
Working with NIH to work directly with InCommon and universities. using practices consistent with CAF/800-63.
Maybe this should be the way it works – agencies working with their constituencies (doh!) GSA now has an ICAM office endorsing that approach.
InCommon fills the vacuum – InCommon IDentity Assurance. To give us enough formality to work with the agencies we want to work with. InCommon would be certifying that an entity had met the requirements – InCommon Silver.

InCommon Assurance documents
Identity Assurance Assessment Framework – describes overall approach, processes, role of IT organization and auditors.
Bronze/Silver Profiles – details of compliance elements, much taken verbatim from E-Auth CAF, also in “auditor-friendly” checklist form
Published November 2008 – a number of campuses working on it, nobody yet saying they comply.

Gov 2.0
Obama administration seeks to transform government transparency, delivery via web
A lot of effort people coming to Washington, sharing info. A lot driven by social networking like we were discussing this morning – citizen engagement. OpenID is a big thing for citizens authenticating to government – informed the GSA to make it happen.

A big tent for protocols, trust providers – ICAM creates more modular structures – not just SAML and PKI, but a process for blessing other protocols – Identity Scheme Adoption Process – hold up protocol against 800-63. “Comparability” is the principle. There’s also a Trust Framework Provider Adoption process. Documents published summer 2009. Profiles fro OpenID (level 1 only), Information Card protocols.

Who ya gonna trust? Kantara Initiative – successor to Liberty Alliance, working in many identity areas. Has industry-oriented group working on its own Assurance Framework, also parallel to CAF. Set up operational Assurance Certification process similar to InCommon. One of the big auditing houses, for example, might offer that certification as a service. Has applied to GSA to be TrustFramework Provider. InCommon could end up being a certifier in the Kantara framework. Kantara is more of the model of big business using “auditors in white coats”. InCommon is helping to shape how the rest of the world is being created.

OpenID Foundation and Information Card Foundation – newly empowered by government interest. joined together in opposition to Kantara to develop the Open Identity Framework model – allows for self-certification. Really promoted for “open government.” Used InCommon docs as starting point. Google and Yahoo are at the table.

InCommon applying to be a TFT at some point.

Assurance and Privacy

Trust framework – new section came in about privacy principles – Adquate notice about using federated authn; users must auth in; only required info is sent.

Dealing with ICAM privacy reqs – InCommon developing privacy addendum to its assurance program. Notion is that existing university policies cover, so we don’t need to adopt the technical means mentioned.

New FERPA rules 2009 – suggest that student data protection requires “good” authentication practice, but how good is good? Working to get InCommon Silver blessed for this.
National Student Clearinghouse – student-self-service access – want to impose standards on campuses. Working to get Silver blessed for this.

What’s a campus to do? Work to comply? Some schools are doing. Doing the practice is different than complying with regs. Define its own levels/profiles? Do the four levels really meet our needs?

What means compliance? To meet silver do all users have to be Silver? No. It is fine for one IdM system to have user entries at many different levels. One user might be at different levels depending on hwo they signed on. But system as a whole must meet Silver system criteria.

Can we rely on existing proesses – if we can’t, can this work?

Who does the audit? – Hoping internal university audit.

Password issues – interpreting password-protection requirements is hardest technical part of compliance.

Klara Jelnikova (Duke -> Chicago) Duke’s Identity Assurance Journey

Identity Managment joint across Duke University, Duke Medicine and Duke Health System. Card Office technology part of the identity management space. Card system shared too.

Identity Assurance – Round 1
NIH InCommon pilot as a start of a structured discussion. Research faculty cahmpions InCommon bronze compliance. Held tech expo this fall – room was packed with research faculty for id management session. Other faculty viewed some aspects (like password expiration) as “Orwellian”.

Chasm? Using IdM to manage different assurance levels within a single IdM. Business needs drive higher levels. Aligned with InCommon categories. Model has been expanded for unified DU, DM, DHS, account management.

Health System Challenges – People have legitimate need for high level assurance apps but fall otuside Duke HR – contract or temp nurses or affiliated physicians. Adding Helath System credentialing system as a system of record. Non traditional apps such as shared clinical workstations. Need for PIN tracked in core IdM (with appropriate card coding. Speed of authentication (swipe and PIN versus username and password). Highly specialized apps and equipment – tough integration.

Lessons learned – having a clear busines caseis key. Incremental approach. Working on documentation towards InCommon levels. Hard to work on documentation. Health System can be a great ally as long as you can manage the complexity.