In Depth

Identity Management at Harvard and MIT

Harvard and MIT have similar identity management challenges but very different solutions. Comparing the two is a good exercise for any CSO looking at ID management.

By Simson Garfinkel

Page 3

Another problem with MIT's enterprise authentication is that it doesn't work outside the Institute. MIT's libraries subscribe to hundreds of online information services. These organizations refuse to accept either Kerberos tickets or MIT Certificates. Instead, they want to authenticate members of the MIT community by their IP address. That's no problem for MIT users who are on campus. Professors and students who are off campus can either run the MIT Virtual Private Network client (which authenticates users with their Kerberos password) or else go through one of the special proxy servers that the MIT libraries have set up (which authenticate users with their MIT Certificate). Both of these systems create a tunnel between the user's computer and MIT so that the third-party information providers think the user is actually on campus and using an MIT IP address.

One Person, One PIN

A few miles up the Charles River, Harvard has taken a dramatically different approach. Harvard has created a unified identification and authentication system called the Harvard PIN. Like the MIT Kerberos system, the Harvard PIN is also based on a simple user name and password. But that's where the similarity ends.

Whereas the user name employed by the MIT Kerberos system is the MIT student's or employee's e-mail address, the user name for the Harvard PIN system is the person's eight-digit Harvard ID number. Because this number is not widely available, it's much harder for an attacker to figure out. Harvard passwords are also more secure: Whereas MIT lets people use pretty much whatever they wish as a password, Harvard has a "strong" password policy: PINs must be at least eight characters long, have at least one number or symbol, contain both uppercase and lowercase letters, and have at least five different characters. It actually took me 15 minutes to come up with a Harvard PIN that I could remember but that was strong enough to meet Harvard's requirements.

When a student or staff member at Harvard needs to do something official online (such as accessing grades), the online service redirects the user's Web browser to the Harvard PIN Server, a centralized system that requests the user's ID and PIN and then returns the user to the online service that was requesting authentication.


One nice aspect of the Harvard system is that users enter their PIN only on this single page. It always has the same look, feel and URL, and the page is SSL-encrypted. Each of these measures reduces the chances that a Harvard PIN will be stolen through a phishing attack.

Because the Harvard PIN is used to authenticate both high-value and low-value transactions, the system allows different applications to have different "re-identification" policies. For example, the Harvard library website uses the Harvard PIN to approve access to electronic journals, but it requires that users authenticate only once. After that, it stores a cookie on the user's computer that's good for a day or so. In contrast, Harvard's enterprise financial applications that can issue checks for hundreds of thousands of dollars can require that the PIN be provided for each check—and even then, they can be further restricted to accept the PIN only from particular workstations in particular locations on campus.
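The two re-identification policies described above (a day-long library cookie versus per-check authentication restricted to particular workstations), modelled as a decision the PIN Server makes before handing the user back to an application. This is an added example, not Harvard's implementation; the subnet, the 24-hour window and the deny/prompt/allow outcomes are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class ReidentificationPolicy:
    name: str
    # Seconds a prior PIN entry remains valid; None means every transaction needs a fresh PIN
    max_age_seconds: Optional[int]
    # Client networks allowed to use the application; empty means any address
    allowed_networks: Tuple = ()


# Library e-journal access: authenticate once, cookie good for about a day (assumed 24 h)
LIBRARY = ReidentificationPolicy("e-journals", max_age_seconds=24 * 3600)

# Financial application issuing checks: PIN for every check, only from listed workstations.
# 10.20.30.0/24 is a hypothetical campus subnet, not a real Harvard network.
FINANCE = ReidentificationPolicy(
    "check issuance", max_age_seconds=None,
    allowed_networks=(ip_network("10.20.30.0/24"),),
)


def request_allowed(policy: ReidentificationPolicy, client_ip: str) -> bool:
    """Location restriction: is this client address permitted at all?"""
    if not policy.allowed_networks:
        return True
    addr = ip_address(client_ip)
    return any(addr in net for net in policy.allowed_networks)


def must_reauthenticate(policy: ReidentificationPolicy,
                        last_auth_time: Optional[int], now: int) -> bool:
    """Re-identification rule: has the prior PIN entry expired for this application?"""
    if policy.max_age_seconds is None or last_auth_time is None:
        return True
    return now - last_auth_time > policy.max_age_seconds


def authorize(policy: ReidentificationPolicy, last_auth_time: Optional[int],
              now: int, client_ip: str) -> str:
    """Return 'deny' (wrong location), 'prompt' (ask for the PIN again) or 'allow'."""
    if not request_allowed(policy, client_ip):
        return "deny"
    if must_reauthenticate(policy, last_auth_time, now):
        return "prompt"
    return "allow"
```

Times are plain epoch seconds so the decision can be exercised without a clock; the location check runs first so a request from an unapproved workstation is refused before any PIN prompt.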

These days, with Microsoft, Oracle, Sun and many other enterprise software vendors offering their own identity management systems, it's instructive to see how some of academia's best networking wizards have solved the problem for themselves. Both systems work without a hiccup day after day and let users authenticate to a large number of enterprise systems; neither ever compromises security by sending a password over the network without encryption; and both will be relatively straightforward to upgrade to high-security systems such as PKI-based security tokens. Corporate America should be so fortunate.

Simson Garfinkel, CISSP, is the author of numerous computer security books, including Security and Usability: Designing Secure Systems that People Can Use.
