Macquarie University Library

•       

  FAQs

•                      

  SITE SEARCH

•               

  SITE MAP

•                                 

  ASK A LIBRARIAN    

•                      

  BORROWING

  Borrowing Conditions

  Borrowing Information

  Other Borrowing Services

  Returning Material

•                

  ABOUT US

  Classification Scheme

  Collections

  Exhibitions

  The Lachlan Macquarie Room

  Mollie Thomson Room

  Library Friends

  Our History

  Our Publications and Policies

  Survey

•                      

  CONTACT US

  Liaison Librarian

  Senior Staff

  Feedback

  University Staff Directory

•       

  HELP

  IT Help

  Just Ask

  Find your username and password

•       

  NEW LIBRARY 2010

  You are here: Macquarie University Library >> About the Library >> Conferences >> Matching People and Information Resources

Local Navigation

• LIBRARY HOME
• CATALOGUE
• DATABASES
• E-RESERVE
• JOURNAL FINDER
• SERVICES
• TRAINING

Matching People and Information Resources:
Authentication, Authorisation and Access Management

by
Neil McLean
Macquarie University, Sydney
Email: mclean@library.mq.edu.au

---

Introduction
New horizons are beginning to emerge in terms of matching people and information resources in a networked service environment. Librarians, publishers, subscription agents, database hosts and information service aggregators are now actively engaged in rethinking information landscapes, in harnessing Internet technologies, and in finding ways to link institutional legacy systems to the Web technologies in a manner that will appear transparent to the user. The present information service environment can be likened to a jigsaw puzzle. There are lots of bits, some of which form readily identifiable patterns and others which appear "grey" and shapeless. There is, as yet, no coherent view of the new service models but the various parts of the jigsaw already in place provide some clues as to the way forward.

The challenges inherent in solving the puzzle are considerable and this paper attempts to foreshadow a conceptual framework on which to build sustainable service models and technical infrastructure. In doing so, particular attention will be paid to the key issues of authentication, authorisation and access management which are basic building blocks for the creation of a secure and efficient networked information service environment.

Library Systems
Integrated library systems (which are now regarded as legacy systems in the Internet-dominated networked service environment) have a relatively long and proud history of development. These systems provide excellent control mechanisms for accessing print resources held in a vast number of libraries around the world. Their success has been based on adherence to a bibliographic description standard (MARC); a modular systems approach for dealing with the various control functions; the ability to import and maintain a strong user file within the system; the capacity to "bolt-on" Web front ends with various degrees of functionality; and the ability for systems to interrogate each other through a common industry standard (Z39.50).

The principal weakness of integrated library systems has been their inability to deal with the complicated processes associated with interlibrary loans. This is understandable because the dynamics underlying the array of transactions within, and between, libraries in terms of completing successful interlending operations are of a different magnitude of complexity to that of other library control functions. The system requirements of interlibrary loans are, in fact, much more akin to the problems now emerging in terms of conducting commerce in the Internet environment. A closer analysis of this proposition will be undertaken later in the paper.

In spite of the fact that systems vendors were unable to develop interlibrary loans modules, a standard ILL protocol has emerged over the past decade which is now being used in a limited number of instances within new resource sharing applications. This protocol provides another important building block in the "grey" area between library legacy systems and the Internet protocols.

The other potential weakness of the library legacy system has occurred, ironically, because of the notable success of the interoperability protocol Z39.50. After a slow beginning, most systems vendors have embraced Z39.50 as a standard to allow searching across library systems by the user. This has expanded the information landscape in a quite remarkable way and it is the principal connection between the huge number of library legacy systems. But, like most successful interoperability protocols, it is now being required to perform functions which it was not originally designed to do and, as a result, it is in danger of becoming too complex to implement and it runs into the danger of losing its effectiveness as a simple searching tool. The functionality of Z39.50 is also under question because of a factor which has nothing to do with the protocol itself, namely, the inconsistency of holdings descriptions in libraries. In other words, the search protocol retrieves an enormous amount of "noise" when searching across library catalogues which makes the result set unreliable, particularly in unmediated service environments.

The other potentially useful de facto standard to emerge from the development of library systems has been the 3M proprietary protocol which links systems such as self-chargers to patron and circulation data. As with all successful proprietary standards, it is now evolving towards a more open industry standard which opens up possibilities for using the library system patron database as a means of authenticating users of external information services.

Library systems, however, have probably reached their apex as legacy systems and the challenge now is to find ways of drawing on their rich functionality in a networked service environment, where the centre of gravity in terms of providing information services to users has moved elsewhere.

Commercial Information Providers
There are now many commercial information providers offering electronic networked bibliographic information and electronic full text services. There is intense competition amongst providers to "bundle" appropriate ranges of services to fit institutional profiles. In broad terms, there are three principal categories of providers, namely, publishers, subscription agents and aggregators. These different categories of providers deserve some brief analysis because all of them will have to be incorporated into the emerging distributed service infrastructure.

Publishers have emerged as late, but important, players in terms of networked information provision. The large commercial publishers, such as Elsevier and Academic Press have made sufficient investment in information technology to change both their production and distribution methods. They have seized the opportunity to market their high quality content direct to institutions and/or end users and they now have plans to become mini-aggregators in their own right through value-added links to other electronic bibliographic services. All have their own proprietary systems which, even at this early stage, are in danger of becoming tomorrows legacy systems.

The second category consists principally of four global subscription agents which handle a significant proportion of print subscriptions as an intermediary service between publishers and institutions. In the earlier part of this decade, they saw a potential risk to their core business and invested heavily in electronic infrastructure in order to become aggregators in their own right through building on the subscription business already established with libraries. These big four agents (now reduced to three because of the recent merger of Blackwell and Swets) are all more or less at the same stage of technological development and they see themselves as well placed to lead libraries into an "e-commerce" information services environment.

The third category, which can be broadly termed aggregators, consists of companies which have come into being as part of the electronic services environment to offer libraries a range of bibliographic and full text services through a common search interface. Libraries have placed great faith in aggregators such as Ovid Technologies, because of their proven ability to package and present services in a reasonably transparent fashion to end users. Their prominent role, however, has been challenged over the past couple of years by the large commercial publishers who, for the time being, deny the aggregators access to valuable information content.

There are, however, significant opportunities for content providers and aggregators to make strategic alliances, where both parties can benefit without eroding each others market. From the customer viewpoint such strategic alliances are highly desirable. The interfaces and access which aggregators provide to libraries cover a range of bibliographic and abstracting services which are highly valued by customers. The value-added component from the publisher viewpoint is that the customer would be directed in a transparent way to the Elsevier-type content service whenever a citation to a journal in that content service is picked up through the bibliographic search on the aggregator platform. Such "arms-length" arrangements are likely to be a strong feature of the next stage in the evolution of the market place. The further advantage to all parties is the opportunity to engage in pre-competitive development of authentication, authorisation and access management infrastructure. The development of such infrastructure is the key to enlarging the size of the information services market through offering cost effective and secure information access.

Existing Approaches to Authentication
Libraries now find the provision of access to networked information services a major part of their core business. Managing this access is proving to be increasingly difficult as the number of services and products grows and the demands from users become more sophisticated. The deficiencies of present methods have been described and analysed in a series of papers by Clifford Lynch (1) on behalf of the Coalition for Networked Information (CNI). Based on his analysis the present situation can be summarised as follows:

• users are facing the prospect of having to remember and manage a large number of different user IDs and passwords issued by different publishers and service providers
• libraries could issue the user with a single ID and password for all licensed external network resources and then transmit them to each service provider but at very high administrative cost and with considerable risk of security breaches
• the most commonly used method at present is the users source IP network address which serves as a substitute for demonstrating proof of community membership
• the IP solution is proving to be most inadequate because it is a "one-for-all" solution which allows for no granularity in terms of service provision and fails to deal with user populations which are increasingly relying on commercial Internet service providers to remotely access information resources provided by the institution
• various local authentication, authorisation and access management systems are used to control access to the proxy
• the local authentication system, therefore, validates the user and the service authenticates the proxy
• the primary advantage of the proxy approach is that the external service providers can rely on an internal institutional mechanism for validation
• the main disadvantage of IP based authentication and mechanical proxying is the inability to provide the degree of granularity required by libraries for particular customer groups and the inability to manage complex user profiles and access management requirements
• can access management application is desirable as a means of managing a set of mechanical and application proxies
• for the time being IP based proxy solutions will be preferred, because they appear to the information service provider as extensions of the existing IP source network authentication systems
• a credential-based approach is emerging for local authentication based on the issue of digital certificates which act effectively as an analogue of the institutional ID card
• there are still major problems with such an approach in terms of resolving technical issues such as standards and software integration, as well as matters relating to the establishment of trust and value relationships.
• Any number of short term solutions are likely to emerge, mostly based on improving the efficiency of IP based proxying.

In the Australian context, the outcomes of the Australian Research Council (ARC), Research Infrastructure Equipment and Facilities Scheme (RIEF), sponsored Authentication Project (led by Marian Bate at the University of New South Wales) are awaited with considerable interest in terms of providing a more streamlined approach to the current IP based proxying environment.

Summary of Present Position

It is evident from the analysis so far that libraries are faced with formidable challenges in terms of offering access to external information providers. The fundamental weaknesses of the present approaches to authentication and access management can be summarised in the following form:

• high operational costs difficulties in dealing with scale, as the demand for new services increases multiple security and logon regimes sub-optimal use of organisational assets inability to provide consistent on-line access to authenticated users and to business partners.

From an institutional perspective, there are a range of issues which remain unanswered at present, including:

• the degree of investment to be maintained in traditional integrated library systems
• the level of interdependence to be attained between the library legacy system and Web-based services
• the extent to which information architectures have to be rethought to integrate the closed library system environment with the more ubiquitous Internet environment and with commercial information suppliers
• the scope and nature of the deployment of Web technology within institutional information infrastructures the degree to which users can be self-reliant in accessing information resources
• the number of external information services that can be sustained, both financially and technically as part of the virtual information resource
• the selection of partners for the collaborative development of services
• the level of technical convergence to be sustained
• the level of customisation to be developed for the particular user groups
• the level of end-user payment and accountability
• the amount of training to be provided in assisting clients to adapt to new services
• the level of self-reliance to be attained by the library within institutional environments where the various components are highly competitive in seeking IT resources.

From a broader perspective, there are a number of challenges facing any global collaborative initiatives in terms of building appropriate access management infrastructure. These can be summarised briefly as follows:

• the continuing gulf between conceptual and technical developments in the US and in Europe
• the ubiquitous nature of the Internet and Web development which militates against collaborative infrastructure development
• the linking of the vast repositories of knowledge locked in library legacy systems to the "free-wheeling" Web environment
• the lack of private sector investment in library-type information infrastructure
• the uncertainty about how authentication frameworks will evolve and the extent to which they will be local, national or global in nature
• the consequent linking of information infrastructure to viable e-commerce models
• the durability and extendability of library industry standards, such as Z39.50 and the International Organisation for Standardization (ISO) ILL protocols
• the ability of information services infrastructure to extend into the prevailing lifelong learning service paradigms
• the degree to which all stakeholders in the scholarly information industry will adhere to open systems standards as a means of creating a global distributed information services environment
• the capacity to mount collaborative development across national boundaries.

Given all these unresolved issues and the severe constraints of existing approaches to authentication and access management, there is a need to rethink the nature of the problem and to build new conceptual models as a basis for creating more sustainable and effective solutions. The remainder of this paper explores some particular approaches to this task, based principally on Macquarie Universitys participation in current international research and development initiatives.

Strategic Planning Goals
At the highest level of strategic planning there is a need to develop an information resource sharing infrastructure with the capacity to:

• deal with print and electronic information resources within the one integrated service model
• match resource discovery with resource recovery in a manner that is seamless from the user viewpoint offer automatically mediated service, wherever possible.

With regard to the systems planning environment the following strategic assumptions are important:

• all planning should assume a distributed services environment
• systems must be flexible and based on open systems architectures
• clearly articulated service models are essential
• strong functional and technical models are required
• scaleability and sustainability are essential criteria for all research and development initiatives.

Distributed Service Environments

Much of the thinking in this part of the paper has been derived from the involvement of Macquarie University Library in a large scale European project called PRIDE (People and Resources Identification for Distributed Environments).(2)

The purpose of the PRIDE Project is to develop a broker service to support the identification and delivery of information services through the global information infrastructure and to develop directory services which will provide support for authentication, authorisation, registration, cost recovery and integration with other interfaces to library services.

Such services are essential in networked service scenarios where:

• the information and support services may be inside and outside the library domain
• the users may go anywhere for their service requirements
• the service providers may seek patrons anywhere.

The aim of PRIDE is to enable the user to gain unified access to a global range of information, resources and services in a more efficient, scaleable and functional manner by facilitating:

• unified source of both library-based and networked service descriptions
• identification of suitable resources and services as a prelude to searching
• declaration of personal profiles accessible to disclosure agents (e.g. Selective Dissemination of Information(SDI) services)
• authentication, authorisation and access control for services valid to individual users
• integration of credential based electronic payment services
• one-stop declaration of personal information, rather than multiple service registrations.

The PRIDE application aims to act as a broker for an independent user accessing multiple services; it will attempt to improve the interface between distributed library services and the wider world of e-commerce and information supply.

As with all research projects, PRIDE is unlikely to achieve all of its declared objectives, but it is proving to be an important learning experience in terms of mapping new service scenarios and in identifying the various levels of authentication, authorisation and access management required to sustain different service environments.

The complexity of the emerging service models has been highlighted in a recent attempt by the UK Joint Information System Committee (JISC) community to define the service requirements of a Distributed National Electronic Resource (DNER).(3) At the highest level it has been depicted as requiring:

• integration of access to existing services, through a variety of entry points tailored to appropriate communities rather than to the data owners, data suppliers or even data types
• integration through enabled cross-searching (breadth versus depth searching)
• integration through linking to value-added services such as ILL, document acquisition transactions, etc, especially in a "joined-up" way where information is carried across appropriately and does not have to be re-keyed
• integration across domains, eg searching across different media types, curatorial traditions, etc.
• access to a wide range of sources through non-traditional interfaces.

Faced with these service complexities, it has been clear for some time that the emerging Internet technologies will not be sufficient in themselves to provide the multitude of interfaces required to link library legacy systems to commercial information providers proprietary systems.

The exposure, therefore, through the PRIDE project to the deployment of X-500-based directory services has been an invaluable learning experience for all project participants and the remainder of the paper describes a potential directory-enabled approach to many of the problems already identified in this paper.

Directory Services

Much of the content in this section of the paper has been derived from papers written by Alan Lloyd, (4) who is the technical consultant for Open Directory, now part of the global company Computer Associates Pty Ltd. Open Directory is an Australian-based company with a suite of X-500 based services and products which have been widely applied in large scale implementations including banks, airlines and national defence systems.

Open Directory is a primary sponsor of the PRIDE project and, as such, their services and products are at the heart of all demonstrator tool kits being developed within the project. The aim of this section is not to provide a description of the Open Directory product range but to present the case for adopting directory- enabled service strategies as a response to the present problems.

The Case for Directory Services
As Alan Lloyd has said:

Directories are evolved databases that deal correctly with common object oriented schema design, namely, access control, information protection and distributed operations.

He identifies the problems that can be addressed by directory services as follows:

1. Removal of the issues associated with fragmented information about an Organisations staff or its customers

2. Ability to integrate corporate technology initiatives (services) of other organisations to the internal technology environment in a manner that is seamless and secure

3. The inclusion of all Users (not just staff) eg. Contractors, Customers and business partners as authenticated users of a serviced based system comprising multiple applications and databases

4. Removal of the multiple instances of replicated data used by many applications

5. Reduction in the number of multiple system logons currently used by staff and customers in accessing disparate networks and applications

6. Reduction in the fragmented applications that deal with eg. Property assignment, asset management and staff/contractor access - in terms of zoning, asset protection and cost attribution to business units

7. Provision of a consistent distributed information infrastructure about Users and their service profiles on which consistent security, authentication, smart card, and certificate regimes can be placed

8. Information Content Repositories (Document and Media Stores).

It is important to note that directories can hold and manage a range of functional requirements, including: logon and related services; programs/content; people/roles/groups; security/credentials; devices and services; mobility and usage costs; documents and Web pages; database transition and integration.

The primary advantages of adopting a directory services strategy are:

• consistent information applied collectively, but managed individually
• protected operational contexts
• applications which are managed in a flexible, distributed and scaleable manner.

Rethinking the Problem and Solution Space

One of the principal benefits of the involvement with Open Directory in the PRIDE project has been the reassessment both of the nature of the problems and of the potential solutions based on the application of directory-enabled service environments.

Figure 1. depicts a model, prepared by Alan Lloyd, which has common application to all industries seeking to provide user access to core systems and services and it demonstrates that authentication is but one part of the total model.

Figure 1.The Problem Solution Space [Image not currently available]

Of equal importance has been the emphasis on standardising the methodological approach to the various components required to build the distributed services architecture, all of which can be achieved within the X.500 standards framework.

Alan Lloyd summarises these components as follows:

• provide the Ability to Connect Them All Up ie. Standardise - the Access, Distribution and Replication Protocols
• standardise the Information Engineering View - ie. As Named Objects (Object Oriented approach) standardise - as configurable and extensible, the User Authentication and Information Access Controls
• standardise - as configurable and extensive, the Information Schema Rules
• standardise - as configurable and extensible, the Information Management Model

From a systems viewpoint, it is now possible to map a directory-enabled access and authentication model which is applicable, irrespective of the type of service environment. This model, as depicted in Figure 2, has been extrapolated from a generic model prepared by Alan Lloyd and is now being adapted to the requirements of the library information infrastructure in Australia, with particular reference to resource sharing capability.

Figure 2.Directory Enabled Access and Authentication [Image not currently available]

The models present considerable intellectual challenges because they represent a new way of looking at the means of building infrastructure. It has, however, encouraged the participants in the PRIDE project to look "outside-the-box" for solutions to the library infrastructure problems and the next six months should see further significant developments, particularly in the context of the Australian resource sharing project, Local Interlending and Document Delivery Administration System (LIDDAS). Building extensible service models

The open systems resource sharing platform, which developed through the LIDDAS project in Australia has become strategically important because it is extensible as both a service and technical model and it has the capacity to fit into a directory-enabled access management environment.

LIDDAS (which will be implemented initially in 18 institutions across Australia and New Zealand over the next year) aims to provide a number of key functions for permitting auto-mediated, unmediated and mediated resource sharing of both print and electronic information resources.

These functions include:

• Web based client searching, requesting and monitoring of requests
• managing the end user relationship
• interfacing to local systems such as the local catalogue and circulation system
• linking with bibliographic and citation databases
• managing copyright arrangements
• facilitating site-configurable workflow management
• processing requests through applying local business rules which will automatically locate suppliers and route requests
• delivering electronic documents to a document store
• providing linkages with directory services
• developing detailed reporting and statistics.

Of crucial importance to the success of LIDDAS is the ability to support these activities with appropriate levels of authentication, authorisation and access management. Involvement in the PRIDE project, and with Open Directory, has enabled the LIDDAS project to become an extensible model which is the paradigm for operating in the distributed information services environment. The directory-enabled LIDDAS model, depicted in Figure 3, has been developed by Kerry Blinco, (5) who is Project Manager for the LIDDAS Project and Macquarie Universitys representative on the PRIDE Project.

Figure 3. LIDDAS Information Services Model [Image not currently available]

The Building Blocks for Directory Enablement

A principal goal of LIDDAS is to have auto-mediation wherever possible, which necessitates having information about people and resources in standard schema for interpretation by the system. LIDDAS has been able to take full advantage of the Z39.50 protocol and the ISO ILL protocol as basic components of the overall systems model to facilitate searching and transactional processing.

User Profiles

There is a need, however, to build quite detailed user profiles in terms of entitlements and privileges within the resource sharing environment. The pilot plan is to build these user profiles and the associated schema at Macquarie University using the Open Directory suite of X-500 products. For example, there will be at least seventy attributes to be included in the schema relating to interlending procedures as specified in the existing service environment. It is important to note that the creation of this directory information feeds off, but does not impinge on, existing legacy systems. Once these user profiles and the associated schema are developed there is a strong foundation for applying the same profiles to the range of commercial information services. The basic aim is to describe once for use in many different service applications.

Information Provider Details

At the other end of the spectrum it is necessary to directory-enable the details of the 3000 Australian libraries which participate in the national interlending scheme. This is volatile information that is very expensive to maintain at present and the aim, once again, is to describe once, to have local maintenance of information and to permit full interoperability within the LIDDAS environment. This task will also require the creation of standard schema and initiatives are already underway to create an international standard through the ISO standards-making process relating to this particular requirement.

Resource Directories

Many university libraries have constructed Web front ends with various levels of sophistication to provide an integrated entry point to electronic information services and local library services with regard to journals access. Such developments are positioned in between institutional authentication schemes and the various IP/ID password arrangements with publishers and information service providers. These front ends have proved highly popular with users but they have all the limitations of Web technology; no ability to provide limited views of services for particular user groups; no capacity to link user profiles to services; and no ability to handle complex access management mechanisms.

As part of the research framework for the PRIDE and LIDDAS projects, Macquarie University Library is intending to directory-enable its own particular version of a Web front end (JournalSearch), using the X-500 technologies. This will provide the ability to match user profiles with particular views of the resources available through the various services. If this proves successful, it should be possible to extend the model to other types of resource directories, whether in the print or electronic service area.

Information Service Provider Directories

As an extension of the access management model there will be a further phase of development which will involve directory-enabling the various access management protocols necessary to link users directly to designated service providers in a transparent manner. This will require effort on behalf of the information providers in terms of making their systems directory aware in the short term and directory-enabled in the long term using credential based authentication. In the Macquarie University context, the aim is to strengthen strategic alliances already in place with key commercial publishers and aggregators in order to build the necessary pre-competitive infrastructure.

\ Trust Relationships and the Concept of Value

One of the more neglected aspects of the current debate on authentication and access management has been the need for trust and associated value relationships.

In a distributed services environment, where a user may be passed through several different parties to secure a particular information resource, the authentication and digital certificates provided by a particular institution can be rendered meaningless unless all the parties have an established relationship together with the appropriate technical and legal infrastructure required to support the trust relationship.

The complexities of trust and value relationships are, as yet, little understood and this is understandable because all parties are still struggling with the basis technological infrastructure. Nevertheless it will become an important matter in the very near future for libraries as they develop designated networks of preferred suppliers for their users.

Summary and Conclusions

This paper has attempted to unravel some of the complexities associated with authentication, authorisation and access management in the networked information service environment. The analysis shows that the present preoccupation with authentication addresses only one part of the access management problem. Authentication is multi-layered in its own right and users in the networked environment may find themselves being challenged at various points of a particular information procurement process, thus requiring different levels of security in terms of authentication for access to different applications in the distribution chain.

Of fundamental importance in the emerging service environment is the ability to provide high levels of granularity in terms of matching people and resources. The answers to this challenge lie in the area of authorisation and access management, rather than authentication alone. There is an acceptance, also, that directory enablement is probably the only means of providing the necessary levels of flexibility, scaleability and sustainability for successful operation in a distributed services environment. In the short term there are likely to be a plethora of local approaches to improving authentication and access management and there is no reason to stifle such local creativity. There is, however, a need to stand back from the problems as they are presently manifested and to reappraise the longer term approaches taking into account developments in other service industries. This will require sustained levels of dialogue and strong collaborative action, both of which have been overshadowed over the past years by the need for immediate solutions.

It remains for library managers, IT directors and information providers to explore these new service paradigms and to find common ground for developing the required components for effective access management in a distributed information services environment.

---

References

1. The most useful summary of Clifford Lynch's views on access management is an article entitled Access Management for Networked Information Resources, CAUSE/EFFECT vol.21 (4) 1998. Also available at http://www.educause.edu/ir/library/html/cem9842.html

2. PRIDE project - further details at: http://lirn.viscount.org.uk/pride/

3. Description of the Distributed National Electronic Resource (DNER) Annex B of a Joint Information Systems Committee (JISC). Request for Proposal, Enhancing JISC activities for learning and teaching Draft C.

4. Alan Lloyd has written a number of papers relating to the deployment of directory services which are available to clients. He may be contacted for further information through his email address alan.lloyd@opendirectory.com.au

I am indebted to Kerry Blinco for much of the concept of the conceptual content contained in this paper.