
5/10/2005

Educause’s Top IT Challenges, ROI and Security, Both Helped by Identity

Filed under: - btobey @ 12:57 pm

It’s interesting to note that the two top challenges faced by higher ed CIOs, security and finance, are both addressed in many aspects by the integrated identity approach of ITM.

Security comes from streamlined provisioning and decommissioning of all aspects of identity at an institution, both physical and logical. At the transaction level, common security monitoring tools could provide a better perspective on your overall security situation.

Financially, identity initiatives offer ROI opportunities not found in many other IT efforts. For instance, security efforts traditionally weigh cost against risk of loss. The poor ROI leads to risk acceptance until we have major breaches, like those linked to from the Inside Higher Ed article. Following a breach, institutions often spend in a knee-jerk reaction. It gives immediate satisfaction, but often provides an ROI in the future.

Approaching your identity efforts in a holistic fashion, focusing on security, sales and service, helps your security ROI piggyback on efforts with a clear financial return. For instance, provisioning all your credentials and passwords from a single office reduces administrative overhead. In some instances, that single point of provisioning can also reduce the IT overhead of multiple system interfaces to your badging system, physical access control and IT identity management efforts. Let dining and vending fund the office while IT reduces points of support and failure in identity provisioning. It’s worth looking into.

The original Educause survey report can be found here.

An article at Inside Higher Ed provides a good, brief summary. Inside Higher Ed :: Top IT Challenge: Paying for It


4/29/2005

California Bill Would Limit RFID, Dumb Down Building Security & Transit

Filed under: - btobey @ 1:46 pm

In a bill with a good intent and poor execution, the California legislature is considering banning RFID in government documents. This could have a dramatic impact on building security, transit and campus ID programs. While many outlets, like Wired and RFIDNews have been watching this for a while, the bill’s recent passage out of committee deserves notice. It effectively dumbs down government building security and transit while not really protecting much information. A bill titled “Identity Information Protection Act” is sure to be a hit with consumers’ groups without a clear understanding of the impact.

The bill acknowledges beneficial uses for RFID by allowing exceptions such as toll road collection, ID bracelets for children under four, inmates, and mental health patients. Transit applications and building security are not included in the exceptions. Government facilities with existing RFID deployments not covered by exceptions would have until 2011 to phase those out.

Beth Givens, founder and executive director of the Privacy Rights Clearinghouse, quoted in RFIDNEWS, said “Senator Simitian’s bill provides vital protection for all Californians. Individuals who are required to carry government issued IDs should not be put in a situation where that document enables them to be monitored and tracked.” That’s an appropriate sentiment, but it misses the mark because security requires that tracking in some settings and transaction convenience mandates it in others, such as subways and campus dining.

Spurred by a combination of privacy concerns, federal initiatives and public outcry over a poorly considered RFID plan at an elementary school in Northern California, the bill seems to throw the baby out with the bathwater.

Much of the concern about government RFID documents is that your information would be freely available to anyone walking by. If the legislation read “only unique, alphanumeric identifiers can be unencrypted” much of the existing technology could be accommodated while still protecting privacy concerns. The ICAO recommended a system of storing a PIN in a 2D barcode for government officials to “decrypt” more information. This provides for active presentation of the document before more sensitive information is passed along.

As for concerns about surreptitious tracking of individuals, it’s not really worth the effort. Legislation could forbid government tracking with a court order or public notice. Bad guys simply would not carry their documents and police would implement other, less expensive passive surveillance like video facial recognition.

For building access badges, the only alternative technologies are magstripes and bar codes, which are much easier to compromise. Some have suggested the use of contact smart cards for access control but those have proven problematic in the past.

In the US, almost all transit applications are run by the government and they are increasingly moving to contactless technologies as the only method for speeding throughput, increasing transaction security and allowing for the complex fare calculations many transit implementations demand.

Since much of the nation looks at California as a bellwether, expect other states to consider follow up legislation if the California bill passes later this spring. I’m all for privacy, but the implications of an ill-considered bill need to be heard.

Wired News: State Bill to Limit RFID

EPIC.org bill listing

Around the Capitol

http://www.rfidnews.org/weblog/2005/03/03/new-bill-will-protect-californians-privacy-rights-rfids-misnomer/


4/28/2005

The Dartmouth Online Views on ID technologies

Filed under: - btobey @ 3:43 pm

It’s just a college paper, but this article shows how wide the knowledge gap is about RFID and card technologies. The duo prox is nothing like an ICAO passport and has only a fraction of the security risks. Prox cards operate on a different frequency than the proposed passport chips and only pass 26 bits of information to the reader, barely enough for a unique identifier.

Comparing a true contactless smart card to a prox card is like comparing a computer to a calculator. Whole different scale.
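To make the 26-bit point concrete, here is an added example (not from the original post) that decodes a credential in the commonly documented open 26-bit Wiegand layout. The field layout (one even-parity bit, an 8-bit facility code, a 16-bit card number, one odd-parity bit) is an assumption, since the post states only the 26-bit total; the sample credential is constructed.

```python
# Added example: the common open 26-bit Wiegand layout (assumed; the post
# only says prox cards pass 26 bits to the reader).
# Layout: even parity | 8-bit facility code | 16-bit card number | odd parity


def encode_wiegand26(facility: int, card: int) -> str:
    """Build the 26-character bit string for a constructed sample credential."""
    if not (0 <= facility < 2**8 and 0 <= card < 2**16):
        raise ValueError("facility must fit 8 bits and card must fit 16 bits")
    data = f"{facility:08b}{card:016b}"
    lead = data[:12].count("1") % 2        # makes bits 1-13 even overall
    trail = 1 - data[12:].count("1") % 2   # makes bits 14-26 odd overall
    return f"{lead}{data}{trail}"


def decode_wiegand26(bits: str) -> dict:
    """Split a 26-bit frame into its fields and verify both parity bits."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 binary digits")
    even_ok = bits[:13].count("1") % 2 == 0
    odd_ok = bits[13:].count("1") % 2 == 1
    return {
        "facility_code": int(bits[1:9], 2),
        "card_number": int(bits[9:25], 2),
        "parity_ok": even_ok and odd_ok,
    }


def payload_summary() -> dict:
    """How much room the frame leaves once the two parity bits are removed."""
    data_bits = 26 - 2
    return {
        "data_bits": data_bits,
        "distinct_ids": 2**data_bits,
        "whole_bytes": data_bits // 8,
    }


if __name__ == "__main__":
    sample = encode_wiegand26(42, 12345)   # constructed sample values
    print(sample, decode_wiegand26(sample))
    print(payload_summary())
```

The decoded frame holds two numbers and nothing else: 24 data bits is three bytes, which is room for an abstract identifier but not for a name or any other personal record.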

Why care about a Dartmouth student article? In any deployed identity system, user education is critical. I am not suggesting that Dartmouth educate their population on the nuances of Wiegand vs. 13.56, but the population should know the relative risks of using a system with only an abstract identifier and one with a large amount of freely readable identity information. Something to consider. Done right, Dartmouth continues to deploy their identity solutions without having to engage in a big debate about what the State Department wants to do.

The Dartmouth Online


3/23/2005

What Are Your Don’t Miss Identity & Transaction Events?

Last week was the National Association of Campus Card Users (NACCU) annual conference. Other obligations kept me from attending for the first time since 1997. That and the beginning of the events log got me thinking about what are the “Don’t Miss Events” as it relates to Identity & Transaction Management.

For those looking to draw additional value from your identity management initiatives, college campuses are a great place to look. Unlike most corporate organizations, higher education often leverages their identity for value added services while neglecting security. Add that solution set to a corporate or government security stance and you have a recipe for a broad identity.

NACCU just passed and Card Tech/Secure Tech is just around the corner. IDWorld is emerging as a strong fall conference for identity. ISCWest is the premier spring physical security event. ASIS takes the physical security lead for the fall. I’ve always enjoyed the RSA conference, especially with my PKI experience. Moving to the straight transaction side, NAMA (vending) and FSTech (food service), NACUFS (more food), and IPI (parking) are all good shows. NACAS, NACUBO and ACUHO all offer opportunities to learn about how higher ed draws additional value from what they traditionally call “card programs.” Educause in the fall offers another really good chance to look at higher ed identity, this time from the IT perspective.

Wow, I know that seems like a lot, but I barely touched on the information security opportunities and left out the government conferences entirely. Please drop us a comment or email, to let us know which events you get the most out of. Check our events calendar and feel free to submit any we missed.

CTST, ISCWest and NAMA almost overlap in the coming weeks in Vegas. I, however, will be attending an Infosec conference in Orlando and then heading down to Ft. Lauderdale for the International Parking Institute conference. Don’t laugh, there’s a lot of money in parking and we always want security around our cars.


3/9/2005

Peeking unethical?

Filed under: - btobey @ 10:55 am

The Harvard Crimson Online :: News

This article highlights that new methods of distributing information shift ethical boundaries. Harvard is revoking the admission of 119 applicants who “peeked” at acceptance letters residing on the servers of their online application partner, ApplyYourself. An anonymous hacker posted the information on how to access the letters in the Business Week B-Schools forum.

At the very least, these students were guilty of trespassing and poor judgement, justifying Harvard’s actions. Other schools, such as MIT, have taken stands in support of Harvard. While the applicants are responsible for their own actions, both Harvard and ApplyYourself exhibited sloppiness, if not negligence.

University associations and identities are some of the most valuable. As the reach of learning institutions extends with online teaching, recruiting and seminars, episodes like this show that universities need to take a broader approach to managing their identities. Traditionally, universities have been at the cutting edge of identity management, but only within the ivy walls. As the categories of recruit, applicant, alumni, resident, seminar participant, etc., become more a part of the university community, their identity and association need to be managed, too. In this case schools could take a sheet from the corporate playbook with federated identity and extranet access control. We’ll be watching to see how much is learned from the crushed hopes of Harvard’s B-School applicants.

Relevant Links

http://www.applyyourself.com/

http://forums.businessweek.com/bw-bschools/start

http://www.reuters.com/printerFriendlyPopup.jhtml?type=oddlyEnoughNews&storyID=7841543




Copyright © 2005 by Identity Initiative, Bret Tobey