In Depth

Identity Management at Harvard and MIT

Harvard and MIT have similar identity management challenges but very different solutions. Comparing the two is a good exercise for any CSO looking at ID management.

By Simson Garfinkel

April 01, 2006 — CSO —

Cambridge, Mass., is home to two of the world's great universities, MIT and Harvard. Both have massive enterprise networks with every imaginable kind of off-the-shelf and custom device. Both schools have diverse user populations with tens of thousands of highly mobile members. And both schools have a need for strong network security—these universities are under constant attack, from both the outside and from within.

MIT and Harvard have been on the Internet since the early 1970s, and they had fully deployed campus networks before most people in the United States even had a dial-up connection. Thus, it's not surprising that both schools have built their own custom identity management systems. What is surprising, though, is that the under­lying design and implementation of the two identity management systems are radically different, yet in many ways they offer similar functionality and have similar problems.

Identity management systems provide for a centralized directory of the organization's members. They give members a way to authenticate themselves, and they may even track each person's level of authority and authorization. The best identity management systems can be easily integrated with a wide variety of legacy systems. For example, they could interoperate with a Microsoft Active Directory server and provide the possibility of "federation," that is, allowing organizations to certify the identity of a member to other organizations. Such a system could be used by a company like Ford to enable the employees of its suppliers to directly interoperate with the Ford website using their existing user names and passwords, rather than forcing them to get new user names and passwords that would only be used at the Ford website.

Comparing the strengths and weaknesses of MIT's system and Harvard's is illuminating for any CSO whose organization is considering deploying or expanding an identity management system of its own.

Kerberos: Good Watchdog, Surly Pet

Researchers at MIT developed one of the world's first identity management systems back in the 1980s. Called Kerberos, the system was designed to allow users of distributed Unix workstations to identify and authenticate themselves to services running on other computers.

Kerberos had only a few design goals. MIT's network designers realized that there would be no way to prevent students from running their own packet sniffers, so the primary goal was to give everyone on the MIT campus the ability to use any network-based service without sending their passwords over the local area network. This goal was realized with a complex system running on users' computers that obtains encrypted "tickets" from a central Kerberos server.

• Email
• Print
• Comments
• Digg This
• SlashDot