You wouldn’t serve someone alcohol without appropriate ID. Nor would you buy a car without airbags, or leave your phone unlocked in a busy pub. Federated access is the equivalent safety check for students and staff accessing your online resources. So if you’re not using federated access, how secure is your access management set-up?
This post answers this question and explores the benefits of federated access.
Why is federated access so important?
Multiple data sharing agreements, clunky user experiences, clogged IT helpdesks, and complex password management policies are just a few of the challenges consistently faced by education institutions. Fortunately, federated access presents a solution to these issues and more.
Federated access is a mechanism that allows users at different institutions to use the same authorisation protocols for granting access to applications, information, and other resources.
With federated access, each institution maintains its own identity management system but are interlinked through a third party that acts as a trust mechanism.
The UK Access Management Federation (UKAMF) offers a single best practice solution trust framework and the benchmark for safe resources access. UKAMF is endorsed by Jisc as the gold standard for access management in UK research and education.
The benefits of joining the UKAMF include:
- UKAMF utilises Security Assertion Markup Language (SAML) encryption – offering an extra level of security
- Your users authenticate only at your institution’s identity provider – single sign-on means your users do not need to manage a password for every service
- Personal data is tightly controlled by the institution – saving you headaches about GDPR and DPA
- It uses a non-IP based framework – so your users can access resources anytime, anywhere
- It provides a single best practice solution for the sector – so you don’t have to manage multiple protocols with multiple partners
Protecting Personal Data
Privacy is particularly key when considering your access management protocols. Increasing regulations over the management of personal data puts your organisation at risk of being non-compliant.
If you use non-federated access – do you understand user privacy policies? Some identity providers will send attributes including personal information by default. For example, many release the student’s first name, last name, and email address.
With UKAMF’s trust framework and standards, release of personally identifiable data is minimized and tightly controlled by the institution. We consider there to be very little personally identifying information in the following two attributes:
- eduPersonTargetedID – a pseudonymous identifier
- eduPersonScopedAffiliation – specifies a user’s affiliation to the institution, whether you are ‘staff’ or ‘student’
If extra attributes are requested – consider why. Why does that service need more information about the user? What will it reveal? How will this impact your data management protocols?
In some instances there may be a valid reason to pass more information about the user. In most cases it’s probably not necessary. Consider your set-up. Do you preserve privacy for your end-users? Are you saving yourself governance headaches where you can?
Raising the standards of encryption
UKAMF enables SAML encryption as an extra layer of security. It uses this when passing information between identity and service providers. This is key to offering you a secure access management framework and standards.
Without SAML encryption, user information passing through the browser can be seen any third-party. This puts your organisation and end-users at risk.
Although Transport Layer Security (TLS) offers a level of protection, this information is visible. Visible to browsers. Visible to plug-ins, or devices performing Secure Socket Layer (SSL) interceptions… And then there’s the bad guys!
This being the case, should you trust SSL/TLS protection alone? We don’t, which is why UKAMF enables SAML encryption to keep your organisation and users safe.
Otherwise, it’s a security incident waiting to happen.
Providing a single best practice solution
There are a wealth of other benefits to using federated access. Aside from the security aspects, UKAMF can exclusively provide access to:
- Over 100 Jisc Collections resources (subject to licence of course)
- Free Jisc eBooks for further education (FE)
- Free access to student discounts and rewards through VerifID
- Access to over 300 UKAMF service providers
- Access to thousands more via the UKAMF’s participation in eduGAIN*
*eduGAIN provides federated access throughout Europe and the rest of the world!
What’s more UKAMF is leveraged by over 95% of UK higher education (HE) Institutions and over 90% of further education institutions. So you’re in good company!
There’s also a free, dedicated UKAMF helpdesk included in your membership. This means you have our team of knowledgeable experts on hand. They can help you leverage these resources and ensure you’ve got the most secure access management set-up in town.
If you’re not using federated access and would like more information about UKAMF and how federated access can improve your cyber security, please feel free to get in touch with the team: firstname.lastname@example.org