Are You Who You Say You Are?

  • Published on
    11-Feb-2017


  • This article was downloaded by: [ECU Libraries]
    On: 10 October 2014, At: 04:57
    Publisher: Routledge
    Informa Ltd Registered in England and Wales Registered Number: 1072954
    Registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK

    Journal of Access Services
    Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/wjas20

    Are You Who You Say You Are?
    Nancy Hunt-Coffey a b c
    a University of California at Los Angeles, USA
    b Glendale Public Library
    c Glendale Community College, Glendale, CA, USA
    Published online: 20 Oct 2008.

    To cite this article: Nancy Hunt-Coffey (2002) Are You Who You Say You Are?, Journal of Access Services, 1:1, 119-150, DOI: 10.1300/J204v01n01_06

    To link to this article: http://dx.doi.org/10.1300/J204v01n01_06


  • Are You Who You Say You Are? Network Access Management in Community College Libraries

    Nancy Hunt-Coffey

    ABSTRACT. A growing yet unresolved problem in access services today is controlling user access to resources in a networked environment. This paper describes the history of network authentication, explores the issues involved in selecting an authentication method, discusses the benefits and drawbacks of the various methods, identifies efforts by some integrated library services vendors and academic institutions to address this problem, and makes recommendations for selecting an authentication scheme for a college library. The discussions are based in part upon the results of a survey conducted with California community college libraries, various integrated library system vendors, and online resource companies. Technical terms are defined in a glossary. [Article copies available for a fee from The Haworth Document Delivery Service: 1-800-HAWORTH. E-mail address:

    Website:

    2002 by The Haworth Press, Inc. All rights reserved.]

    KEYWORDS. Networked information, Internet, authentication

    Nancy Hunt-Coffey is a PhD student, University of California at Los Angeles, Executive Analyst/Automation Services Coordinator, Glendale Public Library, and Technology Consultant, Glendale Community College, Glendale, CA (E-mail: nhunt-coffey@u.glendale.ca.us).

    Journal of Access Services, Vol. 1(1) 2002
    http://www.haworthpressinc.com/store/product.asp?sku=J204

    BACKGROUND AND METHODOLOGY

    Introduction

    Regulating user access to networked resources is a rapidly evolving but unresolved access services problem for libraries today. In the recent past, libraries have had manageable methods of controlling access to certain resources in a networked environment, such as the library catalog or in-house resources. For example, different logons provide different views of the catalog data, which allow different levels of interactivity for the public, librarians, circulation staff and catalogers. However, with the advent of Internet-based online products that can exist anywhere in the world, these system-centric mechanisms no longer suffice. Libraries have addressed this problem by developing homegrown solutions or implementing software filters; however, no industry standards have been set.

    Homegrown solutions may not take into account the many questions that should be considered when selecting a comprehensive access management system. What type of burden is placed on the user trying to access a networked resource? How difficult is it for staff to implement and maintain the chosen technology as the user base grows? How does the library gather statistics on resource usage while still protecting user privacy? How can the library track down a user who has hacked a network resource? What are the ethical implications for libraries that implement such technical barriers to information? It seems appropriate in this inaugural issue of the Journal of Access Services that the current state of access to networked resources should be considered.

    Project Background

    The experiences of Glendale Community College Library provide a fairly typical example of how many libraries have addressed access issues. The library began providing access to its first online reference resources in August 1996. The library employs IP filtering to control on campus access to these resources. Some can also be accessed via the Web by home users and distance learners. To access these resources, students must complete a paper or Web-based application form and submit it to a library staff member. Staff then verify that the student is currently registered and enter the student information into a secure name database. The student is then issued a userid and password to access the online resources.

    While this access methodology has worked well for the past two years, there are some major drawbacks, especially with the remote access component. Even minimal safeguards entail some degree of inconvenience. Students who have automatic access to in-house library services are not granted the same ease of access to remote online resources. They must first know these products are available to them, which may not always be the case with off-site users. They must take the time to complete and submit the access form, then wait a few days before it is processed for access to be enabled. With the advent of the Internet, online users have come to expect immediate and unencumbered access to information. The time factor is important because many students balance full time work and school schedules, and a delay of even a few days can seriously affect their research effectiveness. Some argue that it is fundamentally inappropriate for libraries to erect such barriers to information. Furthermore, as distance education evolves, local proximity to a physical campus will be less vital, and students will be able to choose the community college that best meets their educational goals regardless of location. Easy, quick access to networked research resources may be a deciding factor for students when choosing which community college to attend.

    From the practical side of library workload, the need to manually assign passwords to each student and faculty member is labor intensive. As the user community grows, maintenance of this type of system becomes unwieldy. Furthermore, it is very difficult to manage the accounts once they have been established. For example, to faithfully carry out the terms of many online product licensing agreements, student accounts should be deleted or disabled whenever students graduate, leave the school, or take off a term. This level of account management would require a real-time interaction between the secure name server and the student enrollment database. Security and technical difficulties make this type of connection problematic.

    In late 1999 the Glendale Community College Library team competed for and was awarded California Community Colleges Technology Model Applications Pilot funds to study and explore alternate means of authenticating users to online resources. This paper summarizes the findings from that research within the context of global trends and how libraries in general are dealing with them.

    The team conducted a literature review of academic and trade journals on the subject of network and remote authentication. Multiple surveys were developed for use with different groups, and in some cases follow-up interviewing was conducted to gather additional data. Of the 106 California Community College libraries that were sent a two page survey, 54 responded (51%). The goal of this survey was to determine the state of technology deployment at each library, the level and type of technical support available, and the type of authentication schemes (in-house and remote) that are currently in use. Additionally, 28 online product vendors were surveyed, and 16 responded (57%). The goal of this survey was to determine the type of authentication methodology recommended or accepted by these vendors, and whether the online products could interface with an integrated library system (determined by use of Z39.50 protocol). Finally, 13 integrated library system (ILS) vendors were surveyed, and six responded (46%). The goal of this survey was to determine integratability of the library catalog with online resources based on usage of Z39.50 protocol, and whether the ILS would handle the authentication of users to online products automatically, i.e., no further authentication methodologies would be needed.

    History

    Traditionally, the problem of controlling access to networked resources has focused on the physical location of a facility or institution. With the rise of the mainframe in the 1960s, the need to regulate access to files and services led to the problem of user authentication. Due to the expense of mainframe systems, time-sharing became common, and institutions had to pay for the amount of time used on the machine. Tracking user access to resources on the mainframe became very important because it was the basis of billing and revenue generation.1

    In the 1970s and 1980s, companies like CompuServe began charging for online access time. As Clifford Lynch points out, the focus of these public networks was still internal; for the most part, they were closed communities. Once users got online with CompuServe, access management systems determined what services or files users could access on the internal company servers. In the 1980s distributed computing models emerged in universities and research labs, through experiments like Athena at MIT.2 These projects explored logistical problems, such as having servers scattered geographically across a large campus and the need to recognize the same set of users and their associated attributes on each of these machines. While these experiments were cross-departmental, they were still focused on resources within an institution.

    With the emergence of the Web, users and resources can be located anywhere in the world. Colleges and universities must now provide a means of authenticating remote users who access campus resources, many of which run on the same network as sensitive faculty/student information. Therefore, they must make certain resources available securely outside of the campus network. Institution-centered access methodologies no longer suffice.

    Cryptography is generally considered the best and most broadly supported solution for network security. Initial work was done on public-key encryption in the mid-1970s by Diffie-Hellman and was later converted into an architecture by Rivest, Shamir and Adleman (RSA).3 Work on digital certificates dates to the mid-1980s, when this technology was used to support secure e-mail transactions.4 It was not until the 1990s that the use of cryptography and digital certificates became more widespread. In addition to its impact upon higher education, the explosive growth of the Internet and e-commerce has fueled the development of more mature methods of securing online transactions and authenticating users.

    The fundamental problem with controlling user access to network resources lies with the architecture of TCP/IP itself. TCP/IP was designed to allow robust communication among diverse platforms. To a certain degree security was an afterthought. While the Open System Interconnection (OSI) model . . . designed a layer between the application and network that could manage secure handshakes, TCP/IP left everything above the communication layer to the application.5 As a result, individual application developers were required to implement security solutions for each program. Rather than building a generic, reusable security mechanism, applications relied on proprietary or embedded techniques for shuffling account information across the network to the platform or application for validation.6 Although some efforts have been made with technologies like Secure Socket Layer (SSL), it has taken a long time for security standards to be established. Even within individual industries, security standards have not been established. For example, some ILS vendors are implementing their security measures using different and perhaps incompatible methodologies and standards. These divergent methodologies may present significant standards problems in the future.

    ISSUES

    Defining Our Terms

    There are a number of issues involved in choosing the right user access methodology for a college library. Much of the decision is based on the needs of the library, its users, and the requirements of the technologists and product vendors.

    As Clifford Lynch adeptly points out in his White Paper on Authentication and Access Management Issues in Cross-Organizational Use of Networked Information Resources, the problem of user access to network resources has two parts: (1) authentication, and (2) authorization.7 Authentication is the process where users supply some kind of secret information (ex., a password) to establish themselves as being permitted to use a...
