An Information Architecture for UC:
Critical Building Blocks

A set of urgently needed support services that can form the foundation for a broad range of information systems across the University.

David L. Wasley
Information Infrastructure Planning
Office of the President
University of California

May, 1996

  • Summary

  • Perspective

  • The Terrain: the Electronic Information Environment

  • Passports: The Authentication Service

  • Technical Notes - Authentication

  • Tickets and Passes: Authorization and Affiliation Databases

  • Who's There? The Demographics Database Service

  • Maps and Guidebooks: Directory Services

  • Technical Notes - Directories

  • Safe Passage: Encryption and Digital Signatures

  • Technical Notes - Encryption

  • Sharing Limited Resources: License Servers

  • Paying the Bills: Automated Debit and Unified Invoicing

  • Technical Notes - Accounting

  • What Time Is It? The Network Time Server

  • Putting the Pieces Together: Some Examples

  • Where to now?



    Summary

    The University of California's operation and academic mission depend upon ready access to an increasingly complex array of electronic information resources. If the University is to realize the full potential that these resources can offer, support services must be built that will allow members of the University community to navigate easily and securely throughout this boundless new Information Environment.

    It is clear that the location and management of electronic information resources will be far more distributed than have been the traditional stores of information, both within campuses and across the University. Members of the University community will seek access to these distributed resources from a wide variety of places and at any time of day or night. Coordinated and consistent access control and other support services must be defined in order to avoid a daunting variety of application specific mechanisms. The purpose of information infrastructure support services is to enable appropriate, safe and ready access to information resources for all members of our community from wherever they are working. This will allow us to leverage our investment in technology as well as share important resources.

    There are many "building blocks" that must be provided. These include a secure and reliable way to affirm that users of our resources are who they purport to be and that they are authorized to use the resources to which they seek access. There must be a source of definitive information regarding their affiliation with the University and other business related data. There must be directory services to help them find the resources they need. There must be standards and supporting services for encryption to secure data transmission and create the digital equivalent of a personal signature. There must be efficient mechanisms to support accounting for the use of a wide variety of network-based resources as well as services that can be supported by network communications. If properly designed, these building blocks can be combined and extended to enable a wide variety of complex services that appear easy to use to the end user.

    The availability and use of these and other building blocks also can form the basis for appropriate management of institutional resources. Well designed and reliable support services can help the University protect intellectual property as well as institutional data. Data encryption standards and services will enable the use of electronic commerce within the institution and with external partners.



    Figure 1: Existing applications too often develop independent solutions to the same set of problems.

    The Office of the President looks forward to working closely with the campuses to catalyze the definition and development of these essential services throughout the University. The challenges are great but the need is urgent. Applications that should be able to take advantage of these services are being implemented now. It is imperative that partnership be activated among the campuses and OP to ensure that these services are carefully designed and put in place as quickly and cost effectively as possible.

    Perspective

    University of California campuses have made great strides towards developing robust and ubiquitous communications network infrastructures. However, the rich information environment envisioned in "Sustaining Excellence in the 21st Century[1]" will not be realized unless equally robust and ubiquitous enabling services exist, both within the infrastructure of our campuses as well as across the University.

    The University in the next century will be judged not only by its faculty and programs but by the wealth of its electronic Information Environment. We define the electronic Information Environment as that set of electronic information services, other on-line resources, communications services, and applications software and workstations that enable us to teach and learn and work more effectively and without the constraints of time or place. Over the last decade the breadth of these resources has expanded many fold. Today a member of the UC community can access from anywhere on the network not only the on-line library catalog but a growing part of the actual holdings; not only the schedule of classes but the entire course catalog; not only administrative reports but up-to-date administrative data in many forms and from many sources; not only the campus directory but an interactive multi-media tour of the University's academic programs.

    As this Information Environment grows and expands, it becomes necessary to acknowledge and implement certain constraints on users of these resources - the "network citizens" that navigate the Information Environment. A growing body of information is licensed to the University for exclusive use by the UC community. People in particular positions within the University must have the ability to access or update information resources when necessary to fulfill their job responsibilities, while others may only view such information resources. Some information is confidential in nature and must be restricted to authorized users. All these constraints will be implemented much more easily if appropriate supporting services exist.

    Within the digital Information Environment we must develop analogs of the administrative controls with which we are familiar. These enabling services will support easy and secure access to information resources, support authorized and verifiable transactions over the network, and make possible appropriate management of licensed materials and other intellectual property. Without a coordinated approach to developing and deploying these enabling services across the University, we will not realize the full potential of our investment in new information resources. With a coordinated approach we will be able to leverage investments in applications being made already on each campus.

    Today we are quite familiar with the consequences of a myriad of solutions to problems such as access control and resource location. Some of us must use as many as 5 or 6 "passwords" and different "accounts" in order to gain access to the various services we need routinely such as electronic mail, licensed databases, restricted institutional data, computing platforms, and common calendar servers. Often we must manually reconfigure our workstation software when a server location changes or a new service becomes available.

    Our ability to gain access to University resources is too often dependent on where we happen to be at the moment rather than on what responsibilities we have. Access control based on network node address is used today because it is relatively easy to implement. However, it does not guarantee that the actual user is authorized to use campus information. Equally important, legitimate users are denied access when working from non-campus locations. Thus, while on campus we may have access to site licensed information and a wide variety of services, from off campus many of these same services and information resources may be inaccessible simply because there is no way currently to identify users, as opposed to the location from which they are working.

    Differences among the campuses in their Information Environment enabling services tend to inhibit sharing of resources. This tendency will become exacerbated as shared resources such as virtual digital libraries begin to emerge. Currently, a faculty member or student at one campus visiting another campus must make special arrangements in order to make use of many of the services at the second campus. If the services require access control, the individual must acquire yet another password and account name. Coordinated enabling services can allow the identity and affiliations of any member of the UC community to serve them throughout the UC system.

    Beyond basic identity and access control services, standards and supporting services for distributed authorization, encryption and digital signatures will enable a wide range of institutional business to be conducted over our information networks. The administrative framework as well as the technology for these services must be defined and carefully constructed to serve the University broadly.

    Existing access control and authentication mechanisms are largely a legacy of older centralized technology. Lack of better solutions for authentication, authorization and encryption will impede development of a broad range of information resources from client/server financial systems to digital libraries. The University must work now, as rapidly as possible, to create and manage the critical support services that will enable members of the UC community to become true "University-wide network citizens" and roam freely and securely, "without undue let or hindrance," throughout the emerging electronic Information Environment.

    We will use the metaphor of a "network citizen" visiting the University electronic Information Environment to illustrate the basic support services building blocks.

    The Terrain: the Electronic Information Environment

    The electronic Information Environment is an increasingly complex territory in which great riches can be found but which is foreign to our usual senses. Many of the familiar problems and processes are found here but take a different form. What is our identity? What can we do here? How do we find resources? How do we traverse the environment with safety? How do we account for what we use? Do we share a common reference for time or place?

    The foundation of the electronic Information Environment is the complex of interconnected networks, including our campus networks, that we know as the global Internet. Accessible from desktops both within our campuses and via the Internet are an ever growing variety of databases, information servers, and compute servers and a panoply of applications programs from electronic mail to desktop video conferencing. Electronic commerce is developing in many forms and will enable reliable transaction of institutional business as well as new opportunities for the individual.

    Client programs interact with electronic services by means of well defined protocols. This allows successful interoperation among differing platforms. The World Wide Web (WWW) is an excellent example of this concept: the same set of complex text, graphics, audio and video can be found and viewed on almost any modern computer. One great advantage of this layered approach to complex systems is that individual pieces of the environment can be built or replaced without affecting the rest of the infrastructure. Another advantage is that end user platforms can be tailored to different user communities and application needs. This layered approach must guide us in development of essential Information Environment support services within the University.

    With a wide range of new services via the Internet now on the horizon, reliable recognition of end users and what they are authorized to do, auditability and non-repudiation of transactions, and the safe exchange of objects of value over the network are the first of many problems that have become critical to solve. It is with the goal of catalyzing the development and implementation of the best technologies to solve these problems within the University that we offer this "management tour" of the electronic Information Environment.

    Passports: The Authentication Service

    The fundamental support service that will empower the network citizen is a universal, distributed, reliable, and strong [2] authentication system. Just as travelers must present their passports at the border when entering a country, network citizens should be able to present identifying tokens when entering the electronic Information Environment. Once inside the border, travelers can move relatively freely. So too should network citizens be able to visit various sites and resources without having to resort to site-specific identification. Once verified "at the border" the electronic identities of our network citizens should follow them automatically wherever they go, even as they seek to gain access to services in another administrative domain, or "realm [3]."

    The concept of a single "electronic identity" (e-ID) is very powerful because it can enable easy access to resources for the traveler. It also is fraught with potential for abuse if it is mishandled. Since e-IDs will let travelers into many places, they must be carefully guarded and given out only with strong assurance that individuals are who they claim to be.

    Even with strong authentication, in many cases it will be desirable for a given individual to have several e-ID's to be used for different purposes. All individuals and their organizations must consider the potential impact of a compromise of the security of any e-ID. For example, the manager of a general use computing system might have an e-ID that carries with it special privileges. That e-ID should be used sparingly and only in conjunction with that particular system. The system manager, when doing routine work such as checking e-mail or writing, would use a less powerful e-ID. Thus compromise of the more powerful e-ID would have consequences of a more limited scope and could be dealt with more readily.

    It is important to note that a given e-ID represents an assertion on the part of a registration authority that a known individual is represented by that e-ID. If the registration authority is well designed and reliable, services in cooperating "realms" can be comfortable accepting those externally registered e-ID's. Thus in the general case the e-ID must indicate not only the individual but also the registration authority that issued the e-ID[4]. Ultimately this concept could be extended to non-UC registration authorities so that, for example, high school students registered with Netcom might be able to use their Netcom e-IDs in conjunction with electronic applications for admission to UC.

    Once a campus has a set of strong authentication servers in place with robust operational support, all of the important campus server applications should be adapted to use it. Parts of this process could take a long time since many applications are vendor supported. However, until there is a well established generalized authentication service, each server or application has little choice but to implement its own idiosyncratic method of authentication and our network citizen must deal individually with each one encountered.

    Technical Notes - Authentication

    Tickets and Passes: Authorization and Affiliation Databases

    Authorization, as distinct from authentication, is a particularly important but often overlooked Information Environment support service. While authentication warrants the identity of a particular user, authorization helps define what users may do or that to which they may gain access. Authorization may be based on a person's identity (authentication) or on a person's affiliation with or within the University, or any combination of these and other things. It often is desirable to separate authentication service from most authorization functions and it may be desirable to support them on different servers.

    In the historical model of mainframe computing, authentication, often referred to as "access control," and authorization were often closely linked. Authorization usually was determined by loose association of attributes with the user account identifier (e.g. "root" or "user, group, and other" in Unix systems) or by tables of "authorized users." Since each system kept its own set of authorization data, management of this data in a consistent way across a large number of servers and client platforms was problematic. Little thought was given to generalized mechanisms until the number of different systems and services began to grow dramatically.

    Today we need a generalized and scaleable network-based mechanism for both authentication and authorization. For example, a Kerberos authentication server might be deployed to validate the identity of any potential network citizen. A network citizen might then request access to a restricted database. The database server can simply query a specified authorization server, supplying the network citizen's identity, and receive a set of attributes defined for that individual. The database server then can decide, based on a prescribed algorithm, whether the particular network citizen is to be allowed access to the restricted data.

    Suppose our network citizen's affiliation with the University is "full professor and Dean of the College." This will imply authorization to view College budgetary data, approve spending plans and personnel actions, as well as gain access to academic records and information. The same person might also be appointed to a systemwide taskforce on student diversity and because of that affiliation be authorized to retrieve sensitive student ethnicity and gender data. A database server that returned affiliations for any given University e-ID would make management of this type of generalized authorization much easier.
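    The flow described above, as an added example in Python that is not part of the original document or of any product it names: an e-ID already vouched for by an authentication service is presented to a restricted database, the database asks a separate authorization server for that person's affiliations, and then applies its own rule. The e-IDs, realms, affiliations and access rules are constructed for illustration; the "dean" and "diversity taskforce" cases follow the scenario in the text.

```python
"""Toy authorization server and a resource server that consults it.

Added example, not code from the document or any real product. It shows the
flow the text describes: an authentication service (Kerberos-style) vouches
for an e-ID, a separate authorization server returns that person's
affiliations, and the resource server applies its own rule to decide. e-IDs
carry the registration authority ("realm") that issued them, so a resource can
refuse identities from realms it does not trust. All e-IDs, realms,
affiliations and policies below are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class EID:
    principal: str
    realm: str   # registration authority that issued this e-ID


@dataclass
class AuthorizationServer:
    """Affiliation data maintained by the office of record (constructed here)."""
    affiliations: dict[EID, frozenset[str]] = field(default_factory=dict)

    def attributes_for(self, eid: EID) -> frozenset[str]:
        # An unknown e-ID has no attributes, which denies it everything below.
        return self.affiliations.get(eid, frozenset())


@dataclass
class RestrictedDatabase:
    name: str
    authz: AuthorizationServer
    trusted_realms: frozenset[str]
    policy: dict[str, frozenset[str]]   # operation -> affiliations that permit it

    def is_allowed(self, eid: EID, operation: str) -> bool:
        """Decide using the authorization server's attributes; deny by default."""
        if eid.realm not in self.trusted_realms:
            return False                       # issuer we do not accept
        permitted = self.policy.get(operation)
        if not permitted:
            return False                       # no rule means no access
        return bool(self.authz.attributes_for(eid) & permitted)


def build_demo() -> tuple[EID, EID, EID, RestrictedDatabase, RestrictedDatabase]:
    """Constructed deployment: one authorization server, two restricted data sets."""
    dean = EID("jsmith", "UCB")          # full professor and Dean of the College
    member = EID("alee", "UCLA")         # professor on the systemwide diversity taskforce
    outsider = EID("jsmith", "EXAMPLE")  # same principal name, untrusted issuer
    authz = AuthorizationServer({
        dean: frozenset({"professor", "dean:college", "diversity-taskforce"}),
        member: frozenset({"professor", "diversity-taskforce"}),
    })
    budget = RestrictedDatabase(
        "college-budget", authz, trusted_realms=frozenset({"UCB"}),
        policy={"view": frozenset({"dean:college", "budget-officer"}),
                "approve": frozenset({"dean:college"})})
    ethnicity = RestrictedDatabase(
        "student-ethnicity", authz, trusted_realms=frozenset({"UCB", "UCLA"}),
        policy={"retrieve": frozenset({"diversity-taskforce"})})
    return dean, member, outsider, budget, ethnicity
```

    Note that the decision logic lives with the resource, not with the authorization server: the server only reports affiliations, and each data set decides what they mean. A principal name alone is never enough; the same name issued by an untrusted realm is refused before any attributes are consulted.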

    Such authorization or affiliation data might be useful in transactions external to the University as well. Appropriate individuals in any department could have authorization to submit EDI purchase orders over the network, for example. A different set of individuals would have authorization to approve payment of EDI-based invoices electronically.

    Whereas administration of an authentication service should be hierarchical and coordinated centrally, responsibility for authorization services should be distributed to conform with campus management structure. This is primarily an administrative rather than a technical issue. Suffice it to say that developing and managing a database service that combines all important attributes and allows them to be managed by the office of record would provide generality while maintaining the University's established administrative structure.

    Who's There? The Demographics Database Service

    One particularly vexing problem is the maintenance of accurate personal data such as home address, campus mail address or preferred e-mail address. Today there are far too many different databases wherein the same data is entered, usually by different individuals, from separate forms that must be filled out repetitively by the person who actually "owns" the information. For example, in many cases the same individual is both a student and an employee which means that today the same personal data is maintained by entirely separate offices. Clearly it would be desirable to have a single comprehensive "database of record" that would include all members of the campus community and in which personal data could be maintainable by the relevant individual or appropriately designated staff.

    With strong authentication and a well designed authorization service, it would be possible to build such a demographics database system. It might well be combined with a basic authorization service so that a single database system supports both. Fields within a record would have associated authorizations for access or updating. All institutional applications that require use of personal data would use this comprehensive demographics database, either by periodic downloading or by direct relational reference. In particular, on-line directory services used to locate campus community members would use this authoritative database as their data source.

    UC network citizens would be responsible for maintaining all of their own personal data and also could check on the completeness of other attribute data such as payroll title or salary, status towards a degree, or the amount of any outstanding debts.

    Maps and Guidebooks: Directory Services

    Information services abound on campuses and beyond. The community of users changes and moves about. The topology of the data network changes periodically. How does our network citizen find anyone else or any particular service or information?

    The Domain Name Service[6] was the first widespread directory service in support of the Information Environment. Other common directories exist today including directories of people and searchable databases of information resources. Many more kinds of maps and guidebooks are needed to serve the new and complex information resources we are deploying. New resource location services must support more complex data and search strategies.

    By developing a well managed set of directory servers and search engines for information objects, our network citizen will be able to discover resources and navigate easily throughout the electronic Information Environment.

    Technical Notes - Directories

    Safe Passage: Encryption and Digital Signatures

    Authentication and access control alone are not sufficient to guarantee safe passage throughout the Information Environment. Passwords can be guessed or stolen, data can be monitored in transit, and identities can be forged. The strongest defense against these challenges involves use of modern encryption methods to ensure privacy of data transmission and to create the equivalent of a pen-and-ink signature in the digital realm.

    Our networks are truly "open systems" which is one of their strengths as well as a source of many vulnerabilities. As managers and users of this resource, we must assume that any transmission might be intercepted and any data received might be questionable. Attacking computers on the Internet has become a rampant obsession among certain curious and occasionally antisocial groups. Fortunately modern encryption technology offers potential solutions for most of these concerns.

    Encryption of data while in transit can protect both privacy and the integrity of data. Technology to implement this is becoming commonplace and should be considered for all administrative or other institutional business applications. Encryption alone does not guarantee authenticity however.

    A "digital signature" must be some unforgeable set of data that relates the identity of an individual to the contents of a digital document. It must be something that only the identified "network citizen" could have created. It must be verifiable by anyone in the electronic Information Environment. Standards now exist for creating this type of digital signature using Public Key Cryptography (PKC). Clearly digital signatures of this sort would enable a wide variety of institutional business to be transacted over the network with at least as reliable verification as we have now with paper forms and manual signatures[8].

    A public key encryption Key Management System is critical to enabling this set of services. Such a system consists of a Public Key Generator (making use of the strong e-ID authentication services described above) and a Key Directory Server (KDS). The key generator produces pairs of encryption keys for authenticated client users. The KDS provides the public key for any registered user to any application that requests it.

    In addition to support of the local community, a KDS must have a way to find other trusted KDS's on other campuses or anywhere else in the electronic Information Environment. This so-called "web of trust" must be scaleable to millions of users in thousands of locations. This can be achieved with a hierarchical model, wherein a more central "certificate authority" registers KDS's after verifying their viability. The Office of the President, for example, could operate such a Certificate Authority and the associated server on behalf of all the campuses. UCOP could, in turn, register its certificate authority with national and international certificate authorities to allow fully general access to verifiable public key directory servers anywhere in the world.

    Traveler's Advisory: Until and unless encryption mechanisms and support services are in use, do not send anything of value or of a sensitive nature such as a credit card number over the data network.

    Technical Notes - Encryption

    Sharing Limited Resources: License Servers

    Our network citizen has now discovered the basic tools for verifying identity, invoking authority, and concluding transactions safely. These capabilities enable easy and appropriate access to a wide variety of resources within our electronic Information Environment. Unfortunately not all of those resources are without significant cost to the University.

    In a traditional library, one might find 5 copies of a popular book or journal. Ideally this would be enough to meet the peak demand at any one time for this resource. It would not be economical to purchase one copy for every registered patron. Yet we often provide software and other resources in this cost-inefficient way[9].

    It is quite possible for software or other digital resources to be purchased by subscription, much like printed documents today. The cost of such a subscription would be based at least in part on the size of the simultaneous user community. For example, a physics department might purchase a subscription for 20 simultaneous "users" of a Virtual Physics Laboratory software package. During laboratory classes, the students make use of the software on computers located in the facility. In the evening, when doing homework, students could make use of the same "subscription" to run the software on their own personal computers.

    What will enable this type of sharing of expensive resources is a Network-based License Server (NLS). The NLS serves as a clearing house to ensure conformance with the terms of the institution's subscription. An early implementation of the NLS concept was available with the Apollo Domain computers. Macintosh and PC versions of "license servers" offer similar capabilities. Standardizing on an openly available NLS technology would enable software publishers to develop products that would fit readily into our electronic Information Environment.
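    A concurrent-use license server of the kind described above, as an added example in Python (not code from the document, from the Apollo Domain system, or from any vendor's product). It assumes a fixed number of seats and a lease period, a constructed 300 seconds, within which a client must renew; that covers the case the text's subscription model has to handle, a home PC that crashes without ever checking its seat back in. The physics laboratory scenario is the one from the text, with constructed student e-IDs.

```python
"""Toy network license server (NLS) for a concurrent-use subscription.

Added example; not code from the document, from Apollo Domain, or from any
vendor's license server. It assumes a subscription of a fixed number of
simultaneous seats and a lease period (a constructed 300 seconds) within
which a client must renew, so a workstation that crashes without checking in
gives its seat back automatically. Time is passed in as a parameter so the
scenario runs deterministically offline.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Lease:
    eid: str            # authenticated e-ID of the user holding the seat
    expires_at: float   # seconds; the seat is reclaimed once this time passes


@dataclass
class LicenseServer:
    product: str
    seats: int                    # simultaneous users allowed by the subscription
    lease_seconds: float = 300.0  # assumed renewal period, not from the document
    _leases: dict[str, Lease] = field(default_factory=dict)
    _next_token: int = 0

    def _reap(self, now: float) -> None:
        """Drop leases whose holders stopped renewing (crashed or disconnected)."""
        for tok in [t for t, l in self._leases.items() if l.expires_at <= now]:
            del self._leases[tok]

    def in_use(self, now: float) -> int:
        self._reap(now)
        return len(self._leases)

    def checkout(self, eid: str, now: float) -> str | None:
        """Grant a seat if one is free. Returns a session token, or None if full."""
        self._reap(now)
        if len(self._leases) >= self.seats:
            return None
        self._next_token += 1
        token = f"{self.product}-{self._next_token}"
        self._leases[token] = Lease(eid, now + self.lease_seconds)
        return token

    def renew(self, token: str, now: float) -> bool:
        """Extend a lease; False if it already lapsed (client must check out again)."""
        self._reap(now)
        lease = self._leases.get(token)
        if lease is None:
            return False
        lease.expires_at = now + self.lease_seconds
        return True

    def checkin(self, token: str) -> bool:
        return self._leases.pop(token, None) is not None


def physics_lab_day(seats: int = 20) -> dict:
    """Constructed scenario from the text: a 20-seat Virtual Physics Laboratory
    subscription shared between a daytime lab class and evening homework."""
    nls = LicenseServer("virtual-physics-lab", seats)
    lab_tokens = [nls.checkout(f"student{i:02d}", now=0.0) for i in range(seats)]
    refused = nls.checkout("student99", now=10.0)   # 21st user: subscription full
    for tok in lab_tokens:                          # class ends, seats returned
        nls.checkin(tok)
    evening = [nls.checkout(f"student{i:02d}", now=3600.0) for i in range(5)]
    # One home PC crashes and never checks in; the others keep renewing.
    for tok in evening[1:]:
        nls.renew(tok, now=3600.0 + 200)
    return {
        "lab_granted": sum(t is not None for t in lab_tokens),
        "overflow_refused": refused is None,
        "evening_in_use_before_expiry": nls.in_use(now=3600.0 + 250),
        "evening_in_use_after_expiry": nls.in_use(now=3600.0 + 320),
    }
```

    The lease is the important part: without it, one crashed client would hold a seat until an administrator intervened, and a 20-seat subscription would shrink over the term. In a deployment the e-ID handed to checkout would come from the authentication service, so the server also knows who holds each seat.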

    Paying the Bills: Automated Debit and Unified Invoicing

    Much of the electronic Information Environment today is accessible without direct cost to the user. However, as the real costs become significant, the University will need to find efficient ways to at least account for the usage of expensive resources, and possibly pass some of the acquisition and support costs back towards the end users. One enabling element towards achieving this is an efficient set of Network Accounting Servers.

    Ultimately every member of the campus community, as defined in the campus's demographics database and corresponding authorization servers, could have one or more "virtual accounts." Transactions for services would be posted to a designated Network Accounting Server using encrypted data flows. A wide variety of end user services from "print on demand" syllabus services to lunches and storehouse items could be purchased in this way.

    Our network citizen should expect a single statement each month describing all services used and all costs incurred anywhere within the campus, or even within the University. Eventually this monthly accounting could result in automated debit against an external financial service, much like debit cards are used today.

    Technical Notes - Accounting

    What Time Is It? The Network Time Server

    It may not seem obvious but many of the services we are developing need to have a common frame of reference for time. Billing information, for example, must show accurately the date and approximate time of the transaction. Network management information often needs time stamps to be accurate to within a few milliseconds. Electronic postmark or notary services must have an auditable date and time guaranteed to be within a known degree of accuracy. Thus an important element in the set of enabling services within our information environment is the Network Time Server.

    Technologies in support of Network Time Services exist today and are deployed on most campuses. However, not all of these are synchronized with each other or with a universal time standard such as the National Bureau of Standards broadcast standard time service.

    Even where synchronized Network Time Servers exist, not all essential end systems can yet take advantage of them. Campus information technology managers must understand the importance of this element of distributed systems and take appropriate steps to ensure integration of this service.

    Our network citizens may wish to set their own "electronic watches" from this service as well. Most modern workstations can be configured with automatic utilities to accomplish this.

    Putting the Pieces Together: Some Examples

    We have discussed a number of useful building blocks but what complete structures might our network citizen encounter in traveling within the electronic Information Environment? Several examples might help to illustrate the importance of the building block approach.

    Distributed printing services will become increasingly important as electronic libraries and digital course materials become prevalent and administrative systems move to a "distribute, then print" model for report generation. One of the basic impediments for the University in providing this service is the cost of printers and printing supplies. Attempting to recover costs through manual operation of distributed printing services would present a very large management problem as well as a large potential cost. Instead, University community members should be able to use their e-ID and virtual account to "purchase" printing services as needed. Print servers would validate users by means of the authentication and authorization services. When printing is complete, the server would file transaction reports with the Network Accounting Server. At any time users could get statements of the charges reported against their accounts. Users could set debt limits on their virtual accounts if they wished.
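    The Network Accounting Server from the "Paying the Bills" section and the print-server example just above, as one added example in Python (not code from the document). Services such as a print server or the lunch counter post small debit records against a network citizen's virtual account; the account's optional debt limit is checked before a service is rendered; and a single statement covers everything used in a month. Amounts are in cents, and the e-IDs, services and charges are constructed sample data for May 1996. The encrypted transport the text calls for is assumed to sit below this layer and is not shown.

```python
"""Toy Network Accounting Server with virtual accounts and a unified statement.

Added example, not code from the document. Services post small debit records
against a network citizen's virtual account, a user-set debt limit is checked
before a service is rendered (the printing example in the text), and one
monthly statement lists every service used. Amounts are in cents; all e-IDs,
services and charges are constructed sample data. The encrypted data flows the
text calls for are assumed to be handled below this layer.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Transaction:
    eid: str
    service: str        # which server posted the record, e.g. "print-server-3"
    amount_cents: int   # positive = debit against the account
    when: datetime      # would come from the Network Time Server
    memo: str


@dataclass
class VirtualAccount:
    eid: str
    debt_limit_cents: int | None = None   # None = the user set no limit
    ledger: list[Transaction] = field(default_factory=list)

    def balance_cents(self) -> int:
        return sum(t.amount_cents for t in self.ledger)


class AccountingServer:
    def __init__(self) -> None:
        self._accounts: dict[str, VirtualAccount] = {}

    def open_account(self, eid: str, debt_limit_cents: int | None = None) -> None:
        self._accounts[eid] = VirtualAccount(eid, debt_limit_cents)

    def can_charge(self, eid: str, amount_cents: int) -> bool:
        """Pre-check a service makes before rendering, e.g. before printing."""
        acct = self._accounts.get(eid)
        if acct is None:
            return False                      # no virtual account: refuse
        if acct.debt_limit_cents is None:
            return True
        return acct.balance_cents() + amount_cents <= acct.debt_limit_cents

    def post(self, txn: Transaction) -> bool:
        """Record a completed transaction; refused for unknown accounts or when
        it would push the balance past the user's debt limit."""
        if not self.can_charge(txn.eid, txn.amount_cents):
            return False
        self._accounts[txn.eid].ledger.append(txn)
        return True

    def statement(self, eid: str, year: int, month: int) -> dict:
        """The single monthly statement covering every service used."""
        acct = self._accounts[eid]
        lines = sorted((t for t in acct.ledger
                        if (t.when.year, t.when.month) == (year, month)),
                       key=lambda t: t.when)
        by_service: dict[str, int] = {}
        for t in lines:
            by_service[t.service] = by_service.get(t.service, 0) + t.amount_cents
        return {"eid": eid, "period": f"{year}-{month:02d}", "lines": lines,
                "by_service": by_service,
                "total_cents": sum(t.amount_cents for t in lines)}


def sample_month() -> tuple[AccountingServer, dict, bool]:
    """Constructed May 1996 activity for one citizen with a $20.00 debt limit."""
    nas = AccountingServer()
    nas.open_account("jsmith@UCB", debt_limit_cents=2000)
    u = "jsmith@UCB"
    nas.post(Transaction(u, "print-server-3", 40, datetime(1996, 4, 30, 17, 0), "April report"))
    nas.post(Transaction(u, "print-server-3", 150, datetime(1996, 5, 2, 9, 15), "syllabus, 15 pages"))
    nas.post(Transaction(u, "lunch-counter", 650, datetime(1996, 5, 2, 12, 5), "lunch"))
    nas.post(Transaction(u, "storehouse", 925, datetime(1996, 5, 14, 16, 40), "toner cartridge"))
    # Balance is now 1765 cents; a 500-cent print job would exceed the limit.
    over_limit = nas.post(Transaction(u, "print-server-1", 500,
                                      datetime(1996, 5, 20, 10, 0), "report, 50 pages"))
    return nas, nas.statement(u, 1996, 5), over_limit
```

    A print server would call can_charge before the job starts and post only after it completes, which is why both steps exist separately; the statement groups charges by the posting service so the citizen can see at a glance where the month's costs came from.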

    Digital "notary services" also will become increasingly important as more institutional business is transacted electronically. The simplest example of a digital notary service is one designed to validate the existence of a particular electronic document, such as a set of laboratory notes, at a given point in time. The notary service would receive the document with the author's electronic signature attached. It would verify the signature and then return a copy of the complete document with the notary service's digital signature, including a guaranteed date and time at which the verification took place. This equivalent of a "digital postmark" would be authoritative in case of conflicting claims regarding research results.
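    The digital signature and key management services from "Safe Passage" together with the notary service described just above, as one added example in Python (not code from the document). A key generator issues a key pair to an authenticated e-ID, the Key Directory Server (KDS) publishes the public half, anyone can verify a signature by looking the author up in the KDS, and the notary verifies the author's signature and countersigns the document together with a timestamp. The RSA here uses fixed Mersenne primes of roughly 2^61 to 2^127 and no padding, so it demonstrates the mechanism only and is not usable cryptography; a deployment would use a vetted library. The e-IDs, document and timestamp are constructed.

```python
"""Toy public-key signatures, a Key Directory Server and a digital notary.

Added example, not code from the document. Key generator -> KDS -> signature
verification -> notary countersignature with a timestamp, as the text
describes. The RSA uses fixed Mersenne primes and no padding: a demonstration
of the mechanism only, not usable cryptography. e-IDs, document and the
timestamp (standing in for the Network Time Server) are constructed.
"""
from __future__ import annotations
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent; coprime to (p-1)(q-1) for the primes used below

@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int

@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int

def generate_keypair(p: int, q: int) -> tuple[PublicKey, PrivateKey]:
    """Key generator: run only for an e-ID the authentication service vouched for."""
    n, phi = p * q, (p - 1) * (q - 1)
    return PublicKey(n, E), PrivateKey(n, pow(E, -1, phi))

def digest(data: bytes, n: int) -> int:
    # SHA-256 of the document, reduced so it fits under the (toy-sized) modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv: PrivateKey, data: bytes) -> int:
    return pow(digest(data, priv.n), priv.d, priv.n)

def verify(pub: PublicKey, data: bytes, signature: int) -> bool:
    return pow(signature, pub.e, pub.n) == digest(data, pub.n)

class KeyDirectoryServer:
    """Publishes the public key of every registered e-ID."""
    def __init__(self) -> None:
        self._keys: dict[str, PublicKey] = {}

    def register(self, eid: str, pub: PublicKey) -> None:
        self._keys[eid] = pub

    def lookup(self, eid: str) -> PublicKey | None:
        return self._keys.get(eid)

@dataclass(frozen=True)
class SignedDocument:
    author: str
    body: bytes
    signature: int

@dataclass(frozen=True)
class NotarizedDocument:
    inner: SignedDocument
    notary: str
    timestamp: str   # from the Network Time Server; constructed here
    signature: int   # notary's signature over attestation()

    def attestation(self) -> bytes:
        """Exactly what the notary signed: document, author's signature, time."""
        return (self.inner.body + b"\n" +
                f"author={self.inner.author};sig={self.inner.signature};"
                f"notary={self.notary};time={self.timestamp}".encode())

class NotaryService:
    def __init__(self, eid: str, priv: PrivateKey, kds: KeyDirectoryServer) -> None:
        self.eid, self.priv, self.kds = eid, priv, kds

    def notarize(self, doc: SignedDocument, now: str) -> NotarizedDocument | None:
        """Verify the author via the KDS, then countersign with the current time."""
        pub = self.kds.lookup(doc.author)
        if pub is None or not verify(pub, doc.body, doc.signature):
            return None   # unknown author, or altered/forged document: refuse
        draft = NotarizedDocument(doc, self.eid, now, signature=0)
        return NotarizedDocument(doc, self.eid, now, sign(self.priv, draft.attestation()))

def verify_notarized(kds: KeyDirectoryServer, nd: NotarizedDocument) -> bool:
    """Anyone can check both signatures using nothing but the KDS."""
    author_pub, notary_pub = kds.lookup(nd.inner.author), kds.lookup(nd.notary)
    return (author_pub is not None and notary_pub is not None
            and verify(author_pub, nd.inner.body, nd.inner.signature)
            and verify(notary_pub, nd.attestation(), nd.signature))

def demo():
    """Constructed scenario: laboratory notes signed by a researcher and postmarked."""
    kds = KeyDirectoryServer()
    author_pub, author_priv = generate_keypair(2**61 - 1, 2**89 - 1)
    notary_pub, notary_priv = generate_keypair(2**107 - 1, 2**127 - 1)
    kds.register("researcher@UCB", author_pub)
    kds.register("notary@UCOP", notary_pub)
    notes = b"Lab notebook 12, p.3: result reproduced at 4.2 K"
    doc = SignedDocument("researcher@UCB", notes, sign(author_priv, notes))
    notary = NotaryService("notary@UCOP", notary_priv, kds)
    return kds, doc, notary, notary.notarize(doc, now="1996-05-15T14:02:07Z")
```

    Two points carry over to a real deployment. The notary's signature covers the author's signature and the timestamp together with the document, so neither can later be swapped without the postmark failing to verify; and verification needs only the KDS, which is why the text treats the key directory and its certificate hierarchy as a shared service rather than something each application builds for itself.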

    Where to now?

    The building blocks we have identified in our tour of the University's electronic Information Environment are all part of a larger set of standards that comprise an Information Technology Architecture. The basic enabling services we have discussed include:

  • A coordinated set of authentication servers;

  • A demographic database server on each campus that can include a wide variety of information including affiliation and authorization data;

  • Directory and resource location servers;

  • Public Key Encryption servers that generate key pairs for individual users and make available the public keys for digital signature verification;

  • Electronic license servers in support of site licensed software, library databases, etc.;

  • Billing transaction servers that can handle a large volume of small value debit records extremely efficiently.




    Figure 2: Information Environment building blocks offer common interoperable solutions to basic support services.

    Figure 2 shows how the building blocks we've discussed might relate to each other and to the communications system and applications programs. Other building blocks might include software version control servers to ensure that campus users have the latest version of critical application programs, and alias servers to support consistent mapping between e-ID's and electronic mail addresses or traditional identifiers such as employee number or student ID number. Current and potential technologies behind each of the building blocks described above are in different states of development and deployment.

    Since the most fundamental of all the enabling services is a strong authentication service, the Office of the President has assembled a working group to study the current options. Well known examples of some of the major building blocks can be found in the emerging Distributed Computing Environment (DCE) standards. The DCE version of Kerberos seems quite likely to become the preferred industry standard for strong authentication technology. The Authentication Working Group will be asked to study in particular whether DCE Kerberos should become the standard for the UC system.

    If the working group concept proves fruitful, other building blocks we have identified might be developed in a similar way, perhaps with leadership from campuses that have made progress in particular areas.

    With persistent vision and cooperative hard work we can refine and deploy appropriate versions of all these enabling services over the next few years. If we don't start now, it may become very difficult to develop a coordinated set of these services later. There is much to be done before our network citizen is fully empowered.

    "A journey of a thousand miles begins with a single step. [10]"


    © This work is copyrighted by the Regents of the University of California. Permission to transmit, copy or distribute is freely given, provided such transmission, copying or distribution is not for direct commercial advantage. To copy or distribute otherwise, or to re-publish, requires prior written permission.