Category Archives: JISC

As You Like It Identity at JISC Conference 09

So, we had a great session at the JISC Conference 2009 on identity, and both Lawrie and I were extremely pleased with the audience feedback and involvement. I won't repeat the notes of what was discussed, as the very diligent and accurate roving JISC blogger assigned to our session captured those and they are here (many thanks for that).

What I will do is go through what I got out of the session, share a few more resources on identity and cover some of the material we didn't get to.

So, starting on what I got out of the session:

– People are thinking a lot more about identity issues in academia; when we first started talking about identity in groups (a good example being the first blog post I ever did for JISC), we had a large number of listeners and fewer participants. It's great to see that more people have gone to find out more and are looking at how they need to deal with identity in their area;

– Universities such as Cardiff (thanks to David Harrison for mentioning this at the session) are starting to educate their students on how to deal with identity. It would be useful to have more examples, as one of the points raised in the session is that students are a key group to engage with;

– There are many people out in institutions who have a good grasp on the issues that need to be dealt with and an appreciation of what it means for their areas;

– Working with an audience rather than presenting to them can get the most out of a session for both the people leading the session and those attending.  I must admit I was a bit fearful of how this would work given we had a small room that was packed full (Lawrie even gave up his chair!) and it was quite a large group (70+);

– Identity is a complex subject yet it is one that can be approached simply by working with our peers to understand how it will affect how we work in academia;

– We can control our identity and reputation online, which benefits not only us but also our teams, our departments and our institutions. We need to think at a variety of scales;

In terms of resources, we had a jargon segment to try to explain key terms used within identity management. I'll stick my hand up and make a few admissions:

– These weren’t intended to be ‘absolute’ definitions;

– They aren’t intended to be a comprehensive glossary – there are no doubt omissions but I feel it is best to start small and these are the most common (and often for a new user most confusing) terms that are heard;

– When I wrote them, I was writing for the average learner, teacher or student in an institution – yes, they are simplified and lose some of the technical detail;

So, after all the excuses, here are the terms:

Identity credentials – generally a username and password but anything that identifies you as a user.  Also known more commonly as an ‘identity’.

Registration – ensuring that the person who you are issuing a set of identity credentials to is who they say they are.  When we talked about the birth of an identity in the session, registration is when this happens.

Authn – Authentication – re-verifying that the user is who they say they are before they are allowed to carry out an action.

Authz – Authorisation – the process of verifying that someone who is trying to access a resource (be that a paper, a journal article, some data or something else) is entitled to do so.
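
To make the authn/authz split concrete, here is a minimal sketch in Python; the users, passwords and resources are invented for the example and this is not any real institutional system.

```python
# Toy illustration of authentication (authn) vs authorisation (authz).
# Never store plain passwords in a real system; this is illustration only.
USERS = {"alice": "correct-horse"}             # credentials issued at registration
ENTITLEMENTS = {"alice": {"journal-article"}}  # what each user may access

def authenticate(username, password):
    """Authn: re-verify that the user is who they say they are."""
    return USERS.get(username) == password

def authorise(username, resource):
    """Authz: check that an authenticated user is entitled to the resource."""
    return resource in ENTITLEMENTS.get(username, set())

if authenticate("alice", "correct-horse") and authorise("alice", "journal-article"):
    print("access granted")
```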

PII – Personally Identifiable Information – anything that can personally identify you or another person. This could be your name or a piece of information about you that could only apply to you.  This is what we most need to protect and ensure is up to date as it can affect our academic reputation.

User-centric identity – the concept of the user being able to control what information (PII or otherwise) they release about themselves and thus control their identity.

OpenID – a technology that came out of the social software world (think blogs and wikis) that allows you to control what information you release about yourself. One of the most popular user-centric identity systems.
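
The 'control what you release' idea is easiest to see in miniature. The following is a toy sketch of user-approved attribute release, not the real OpenID protocol (which involves discovery and signed redirects between sites); all names and values are invented.

```python
# Toy sketch of user-centric attribute release, OpenID-style.
profile = {"nickname": "jb", "email": "jb@example.ac.uk", "dob": "1970-01-01"}
approved_for_release = {"nickname"}  # the user, not the site, chose this

def release_attributes(requested):
    """Hand over only the requested attributes the user has approved."""
    return {k: v for k, v in profile.items()
            if k in requested and k in approved_for_release}

print(release_attributes({"nickname", "email"}))  # -> {'nickname': 'jb'}
```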

OAuth – a new technology that allows applications or sites to carry out actions for a user without the user handing over their username and password to another site. The best example is the recent talk about software like TweetDeck being able to post to Twitter on behalf of users.
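
The key property is that the third-party app is issued a revocable token scoped to particular actions and never sees the password. Here is a toy sketch of that idea; the names are invented, and real OAuth adds signed requests and a user-approval redirect between the sites.

```python
import secrets

# Toy sketch of OAuth-style delegation: the service issues a scoped token
# so an app can act on the user's behalf without ever seeing the password.
tokens = {}  # token -> (username, allowed actions)

def grant_token(username, scopes):
    """The user approves the app once; the service issues a limited token."""
    token = secrets.token_hex(8)
    tokens[token] = (username, set(scopes))
    return token

def post_update(token, text):
    """The app acts using the token; no username or password changes hands."""
    username, scopes = tokens.get(token, (None, set()))
    if "post" not in scopes:
        raise PermissionError("token not authorised to post")
    print(f"{username}: {text}")

app_token = grant_token("alice", ["post"])  # granted via user consent
post_update(app_token, "posted by a third-party app")
```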

Federated identity – where a group of bodies that issue identity credentials and a group of bodies that control access to resources agree a common set of rules, so that someone holding credentials from any of the issuing bodies can access resources from any of the controlling bodies.
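
In code terms, the 'common set of rules' boils down to each resource provider trusting an assertion from any identity provider on the federation's membership list. A minimal sketch, with invented names and none of the metadata or signing a real federation uses:

```python
# Toy sketch of federated identity: a service provider accepts assertions
# from any identity provider that has signed up to the federation's rules.
FEDERATION_MEMBERS = {"idp.uni-a.ac.uk", "idp.college-b.ac.uk"}  # invented

def accept_assertion(issuing_idp, username):
    """Service-provider check: trust the IdP only if it is in the federation."""
    if issuing_idp not in FEDERATION_MEMBERS:
        raise PermissionError(f"{issuing_idp} is not a federation member")
    return f"{username}@{issuing_idp} may access the resource"

print(accept_assertion("idp.uni-a.ac.uk", "alice"))
```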

UK federation – the body in the UK that provides federated identity for UK further and higher education.

Finally, here are a few further resources:

– The presentation and notes can be found here;

– allows you to see what information is held about you.  You can equally use Google to do a similar search for yourself;

– tells you more about OpenID and how to get one;

– more information on OAuth and how it works;

– Andy Powell is running a symposium on access and identity management in e-research; more details can be found here;

– JISC’s latest project is producing an identity management toolkit for institutions.  More details on what it is doing can be found here;

I’d welcome comments on this blog, the events blog or tweets tagged with either #jisc09 or #jisc09_id.  We need to keep this discussion going and build on the good work done in the session.  If you have any direct questions on what JISC is doing in access and identity management going forward then please talk with Chris Brown, who is taking over this area from me.


I visited Paul Walk over at UKOLN recently to talk about Shared Infrastructure Services (SIS), amongst other things, and one idea that came out of that discussion was the 30-5-10 idea. I'll set a bit of background before ploughing into the idea itself.

Most projects at JISC do some really useful stuff that researchers, educationalists, developers and a whole range of other audiences can take and use for themselves (in response to the cynics, we also do really useful stuff for the other projects that can't necessarily be used straight away, but it helps get us along the process to things that can be used ;-)). The problem we often face is that the stuff we produce isn't used, because it might not be communicated in quite the right way or the target audience may well not be aware of it. As a programme manager that can get very frustrating, because sometimes you see an alternative widget that isn't as good being used simply because the project staff or the organisation they work for are better at promoting it.

So, we come to 30-5-10. It's intended for software or services that can be quite easily demonstrated, so good core candidates are some of the SIS projects and projects like NaCTeM. The idea is this:

  •  30 seconds to get across what your project or the service(s) within it do. This could be used at a JISC meeting, at a conference or wherever you meet other people who might be interested in what you are doing. The reason for 30 seconds is that within that time you should be able to get across what your project or service does in a sufficiently compelling way that it piques the interest of those who may want to use it, so they want to know more. So, if we take NaCTeM's Termine service, the 30 seconds could go something like: 'Termine is a service supplied by the National Centre for Text Mining in Manchester to extract meaningful terms from a piece of text or a corpus of texts submitted to it. It uses advanced text mining techniques to ensure that those terms are very accurate relative to the area the body of text came from. Termine also ranks the occurrence of terms. Possible uses include automated metadata extraction to tag the articles submitted.' I'm sure that if someone from NaCTeM sees this they will have a few corrections, but it gives you an idea of what you would say;
  • 5 minutes to outline how to solve a problem your audience has. So you have the person's or audience's interest. What next? You have a dialogue with them to understand how your widget could solve a problem they have, which makes what you have done relevant to them. This involves actively listening to what they say, so they spend more time talking than you do. There's a lot on active listening on the web so I won't try to cover it here, but if you're asking open questions like 'What kind of things that you're doing do you think my widget would be useful for?' as opposed to 'Do you think this is useful?' then you're off to a good start; try to ensure you're not asking questions that have yes or no answers. In my text mining example above, I'm a stressed new programme manager who hasn't much time to understand the background to committee papers, so term extraction helps me by pulling out the key terms that I can then research on the web, making me seem knowledgeable (well, more so than Sarah Palin 😉 );
  • 10 minutes to set up a quick demo that produces results. Even if your service or project is quite complex and has lots of configuration options, you need to have something a developer can integrate pretty quickly, and 10 minutes is a good target. My term extraction example above is a bit unfair here; I can submit text online and get answers in substantially less than 10 minutes, but it would be good if I could do that in a RESTful way, which I can't currently (the sketch below shows roughly what I have in mind);
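
To make the 10-minute test concrete, here is a minimal sketch of the kind of RESTful call I am wishing for. To be clear, Termine does not offer this today: the endpoint URL and the response shape below are entirely hypothetical.

```python
import json
import urllib.request

# Hypothetical RESTful term-extraction call; the endpoint and the
# response format are invented for illustration only.
ENDPOINT = "http://example.nactem.ac.uk/termine/extract"  # hypothetical URL

text = "The grid middleware authenticates users before job submission."
request = urllib.request.Request(
    ENDPOINT,
    data=json.dumps({"text": text}).encode("utf-8"),
    headers={"Content-Type": "application/json"},
)
with urllib.request.urlopen(request) as response:
    for term in json.load(response)["terms"]:  # assumed ranked term list
        print(term["rank"], term["term"])
```

If a developer can paste something like that into a script and see ranked terms inside 10 minutes, the test is passed.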

So there it is. I'd welcome comments from projects or others about how doable or sane this is, but please bear in mind that the whole premise is to quickly get potential users to the point where they have experienced your solution and are interested in taking it further. They are then likely to have the patience to get to grips with that SOAP interface or spend a little more time discovering the nuances of what you've put together.

TERENA NRENs and Grids Meeting, September 2008


I recently attended the NRENs and Grids Meeting in Dublin, kindly hosted by Trinity College. It gathered together a European audience of those involved in providing national research and education networks (hence the NRENs bit) and those involved in developing grid software and hardware. The JISC interest in this event was that we are currently working on a number of projects and programmes with a grid-related element (such as the e-Infrastructure programme and new work that we are currently formulating under the capital programme).

The programme for the event can be found here, and the slides from the presentations are linked next to each programme item. I'll not repeat what is on the slides in this blog entry; I'll just point to the presentations of particular interest and comment on why I found each one interesting.

Day One – Grids

The first day focused on developments in grids. The session on eduGAIN was particularly useful in covering how eduGAIN works; it's quite a complex system but very effective, so I'd recommend using the presentation as a 101 if you're new to it. Items of interest were that eduGAIN is going to review using Shib 2.0, and that future developments include non-web-based apps. Both of these are areas that JISC is actively involved in, so it would be worth following what is being done in eduGAIN.

The next presentation looked at easing access to grids via identity federations. This was of special interest as we are currently doing the same thing through the SARoNGS project. This meant we had quite a lot to share with the group, and after the coffee break Jens Jensen and I gave a short presentation on what we are doing under SARoNGS, receiving some useful feedback and some good contacts for sharing software resources and use cases. My feeling is that this is a useful area to link up with other European countries on, as there are common problems that can be addressed more quickly and effectively by multiple groups than by one group on its own. For example, the SARoNGS solution is constrained by UK Federation policy on passing a unique user name and sharing information between service providers, meaning it cannot be IGTF compliant and is a little less secure. Norway has similar issues, and we resolved to review what could be done in terms of a possible future change to policy that would allow a better technical solution while still meeting the original goals of that aspect of the policy. I also talked with Christoph Witzig of SWITCH, and there is potential to work with them on aspects of MyProxy to make interoperability easier.

Authorisation developments in grids proved to be an interesting presentation by David Kelsey, as it gave an insight into future work under EGEE. The main messages were that a scaling back of funding for EGEE has led to a much greater focus on the specific elements of the infrastructure that need tuning, and that there is now an expectation from the EC that member states will fund grid work. The reduction in funding has meant that technical work on middleware has been reduced, with a shift towards the authorisation framework and an analysis of how authorisation could be more effective. There is a broader desire to have a common policy for VOs, which would mean that trust in them could be brokered in a similar way to IGTF.

To wrap up the day, there was a discussion session on what we all felt would be important to address around grids. The overwhelming part of the discussion focused on levels of assurance, something we have already looked at under the ES-LoA and FAME-PERMIS projects at JISC. The overall agreement was that this area needs to be addressed to allow new users onto the grid with a lower level of assurance, such as those with a federated ID as opposed to a digital certificate. It's going to be interesting to see what happens over the next year or so as members of the group grapple with this issue. There was also some discussion on attracting more and new users to grids. It was generally agreed that we need to lower the bar slightly for those outside the traditional grid-using disciplines (such as particle physics and computational chemistry). Current initiatives in Europe suggest that many have joined JISC in looking at how this could be done and have been successful, SWITCH being one of the early ones with its IGTF-compliant VASH and SLCS solution.

Day Two – Virtualisation

Virtualisation is something we looked at previously under the NGS, but the time was not quite right. Day Two showed plenty of evidence that it may now be time to go back to this area under the new round of capital funding to see what we can do.

Cloud Computing for On Demand Resource Provisioning looked at one potential method of providing virtualised resources in a grid environment. The concept is to have a virtualisation layer that separates the virtual machine from the physical location. Ignacio Martín Llorente explained how the University of Madrid is trialling OpenNebula to do this, bringing into use machines that had previously not been on the grid as well as catering for burst traffic by using resources such as Amazon EC2. I won't try to explain how the whole thing works; it's much better explained in Ignacio's slides. Setting up VOs on these virtualised resources can take as little as 20 seconds for a standard setup, meaning that environments can be set up and maintained easily without having to rely on a particular physical server. Ignacio finished his presentation with a look at the RESERVOIR project under the EU Framework Programme, a three-year, 17m euro project to build a next-generation infrastructure for service delivery. I think both of these projects are of interest to JISC, and it was useful to have an example of how virtualisation could work within an institution alongside a broader initiative to get cloud computing working across Europe.

The presentation on the Challenges of Deploying Virtualisation in a Production Grid covered pretty much what it said on the tin. Stephen Childs went through how Grid-Ireland had introduced virtualised environments into its grid through the open-source software Xen. He also covered the results of a survey he had carried out on virtualisation. The key points were:

  • It is important to treat a virtualised environment in a production grid in exactly the same way as any other production environment. Some of the virtual machines are going to be up for a long time, so they need patches, etc. in the same way as any physical server;
  • Virtualisation is gradually gaining ground, and now that there is a choice of VM software from commercial to open source, it is becoming an activity engaged in across European academic institutions. However:
  • This activity is currently on a trial basis as people get used to what is involved in provisioning VMs as opposed to physical servers;
  • There has to be an awareness of where I/O is critical, as Xen is especially weak on this at the moment, meaning a virtualised server may not be the best solution;
  • There need to be solid use cases for implementing virtualisation, and it must be used appropriately. The two main reasons given in the survey for not using virtualisation were management issues and performance;
  • A VM host does not behave in the same way as a physical host in all cases – there may be compatibility issues even if the setup is exactly the same;
  • Monitoring is still quite flaky;

Finally, Stephen outlined how Grid-Ireland has used Xen to create, effectively, a 'grid in a box', where institutions simply host the box they are given and management is carried out by Grid-Ireland. This is a neat solution for the institutions but involves quite a lot of management overhead for Grid-Ireland.

I thought this was a good presentation and Stephen is a useful person to talk with further about virtualisation (as further discussions over coffee proved).  He is going to look at putting the survey into a PDF format so that the results can be shared with others.

The remaining presentations covered physical infrastructure so, whilst interesting, were not quite as relevant to what we are doing in Innovation Group.

The final discussion covered future topics, and certainly one that we raised was accessing data on the grid, which we are doing quite a lot of work on under the e-Infrastructure programme.

All in all, I think this is a useful group to keep in touch with as the topics they are addressing are ones that we are either currently working on or are interested in for the future.  The event provided a good opportunity to meet with others working in the same areas and share experience as well as get pointers to resources that we could use at JISC.

My thanks go to our hosts at Trinity College in Dublin, who worked very hard to make sure the event ran smoothly, with particular thanks to John Walsh for booking an excellent venue for dinner and being on hand to offer local knowledge (he even guided us back to the hotel from the restaurant!).

First Look at Facebook Connect App

Facebook have published their first site that uses Facebook Connect. Called RunAround, it allows runners to track their runs and involve their friends without having to add them manually to the site or fill out registration details. It's great to see a practical application for Connect, and to see some good privacy principles operating there as well. A user has the option to register for the site and go down the site's registration process, or to use their Facebook details. The user then actively consents to release information (in this case, one-line stories) and brings with them the friends they have on Facebook who have already registered with RunAround. It's early days yet, so I'm watching other applications of Connect to see how it all pans out and how sites such as RunAround fare, but this all looks promising for limited disclosure of information to third parties that helps the user without breaching their privacy.

Another related development is Twitter definitely adopting OAuth, with Firefox likely to do so too (but straight into the browser). With Twitter, it will mean a much better way of allowing third-party apps built on Twitter to carry out actions on the user's behalf without the user having to hand over their username and password. With Firefox, it will allow browser apps to carry out actions on a user's behalf, which opens up something we've wanted to look at in JISC for a while: n-tier authentication and authorisation (even if at this stage it looks like being at one level).

A more interesting question is how people will deal with these new capabilities. We've already seen through the Identity Project and FLAME how identity is dealt with in FE and HE, and how users' attitudes to releasing personal information differ, as well as their awareness of what they're doing. DPIE 2 revealed that most users would like useful tasks done on their behalf with their personal information, such as registration details being filled in for them. In a world with technologies such as Facebook Connect and OAuth, whilst we have the technology to allow users to retain their own personal information, do they necessarily know how to control it? I think we need apps such as RunAround so users can get to grips with the technology on a fairly simple level and then do more as they feel more comfortable. Hopefully we'll then be in a world where the user doesn't have to give up the crown jewels of identity and cede their username and password to carry out simple tasks such as registration.

LHC Computing Grid

Computing reported today that, after much work, the Grid behind the Large Hadron Collider (LHC) is due to start work in earnest tomorrow. I think this is pretty significant because, whilst we have been warning of the data deluge for a while now and looking at ways to address it, the LHC and the grid providing its compute and data storage resources give good examples of exactly what we are talking about. It's estimated that the LHC will produce around 40,000 GB of data every day, or around 12 to 14 petabytes in an average year. What isn't mentioned in the Computing article (understandably) are the other demands being placed on grid resources by instruments similar to the LHC, which require equally formidable grid resources. All of that data ultimately has to make its way around the academic grids to the researchers who use it and collaborate with others to make new discoveries and carry out increasingly innovative research; some idea of the challenge faced can be seen in this article on the UK portion of GridPP at RAL. That's a lot of traffic and a lot of storage, as whilst facilities such as CERN have quite stunning data storage facilities (around 5m GB of disk and 16m GB of tape storage), the data can't stay there forever given the rate at which it is produced.
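
As a quick sanity check, the daily and yearly figures quoted above are consistent with each other, allowing for the machine not producing data every day of the year:

```python
# Back-of-the-envelope check on the LHC data-rate figures quoted above.
gb_per_day = 40_000                    # ~40,000 GB of data per day
pb_full_year = gb_per_day * 365 / 1e6  # convert GB/day to PB over a full year
print(f"{pb_full_year:.1f} PB")        # ~14.6 PB; the 12-14 PB estimate
                                       # allows for downtime during the year
```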

JISC has been working hard in all areas to help provide appropriate resources, both to get this data from the instruments to the scientists involved and to give those scientists the tools to share it. JANET provides the core physical network for academic institutions, having completed SuperJANET5. On top of that, we have been working with the National Grid Service (NGS) to ensure there are appropriate grid facilities for researchers in the UK. Through programmes such as e-Infrastructure and VREs, we have been working to provide the tools researchers need to collaborate and share experimental results. Finally, the repositories and information environment work has been reviewing how the data produced can be curated and archived so researchers can find it and re-use it. Future work will continue to develop these tools, but will also look at new ideas and new software to help researchers take data from the LHC and other instruments and sources and carry out their research more efficiently.

It’s all about the Process and Training

If you haven’t read the recent reports on the root causes of government data loss and you deal with personal data at your institution then you really should.  They highlight that whilst the technology was adequate for the job both the training, culture and process were far from adequate.  If you only read one report, though, then this should be it.  The data handling review gives some good pointers on how process, training and cultural adptation are vital to ensure that personal data is handled sensitively and appropriately.  It’s a message we relayed through the Identity Project and as we store more and more personal data about staff and students then we need to have measures in place to ensure that everyone who deals with it knows how they should be handling the data so that the end user gets the experience they deserve and can be secure in the knowledge that their identity is safe.

RSC Eastern Technical Managers Forum Meeting

I was fortunate enough to be invited to the above by Thomas Rochford, and it was great to see how much interest there is amongst FE colleges in the subject of identity management. We had a lively debate on the findings of the Identity Project and the specific identity challenges within FE. There were certainly intakes of breath over some of the findings, particularly those relating to how much money and how many staff are estimated to be needed to deal with identity in HE institutions. All in all, I think we have a good deal more work to do in FE on identity, but it's also potentially an area where we could quickly learn lessons with more general applicability to other areas. As I said at the event, I would welcome comments on this blog about topics that would be of interest to explore; my colleague Nicole Harris's blog entry on the future of access and identity management is also now open ahead of the event on 30th June that will look at future development areas.

Key topics from the conversations were:

– Outsourced identity management and how that could work with existing institutional processes and systems;

– OpenID – what could it be used for?

– Guidance on best practice;

– How you determine and prove that a member of an institution is that member;

– The balance of risk and reward in identity management – how do I determine whether the risk I take on releasing additional functionality is worth the reward that my users get?

Slides from the event are due to be published soon so I’ll link through to those or pop them up on Slideshare.

Too OpenID?

I had a recent conversation with David Chadwick from Kent, who got an OpenID from a major provider of OpenIDs that also provides services. Now that he has withdrawn from using their services he can no longer use his OpenID, and he thinks it will probably be recycled (as per the OpenID 2.0 spec), raising a few issues over security. Others are equally concerned. All of this raises the very good question of what happens when you get a set of identity credentials from a provider, and what your contract with them says about no longer using those credentials once you finish using their services. OpenID's response to this problem is to now have a globally unique ID that is separate from your OpenID, but how secure are you in the knowledge that that won't be recycled too? Personally, I use MyOpenID and I've had no problems, but all they do is provide OpenIDs, and I make fairly limited use of mine anyway.

This also raised the question of what you would use OpenID for if you knew that your OpenID could be recycled. I suspect each person would have their own answer for that.

From the JISC perspective, OpenID is a topic of interest as we start exploring user-centric identity and try to get to the bottom of the eternal question of what people in education would use OpenID for (see here for the review, which will be out early next month). The issue seems to be coming to a head as the identity community starts asking who is going to provide services and not just IDs. Some of this is being resolved as sites such as SourceForge quietly sign up, and I've seen that you can now add comments on Blogger blogs with an OpenID. Let's hope there is sufficient trust in OpenID to ensure that, as we start to get useful services, users have the confidence in their OpenID to use them.

Software Usability

We're currently in the process of sorting out a new intranet at JISC so that programme managers, amongst others, can very easily access information about the ever-increasing portfolio of projects we deal with every day. For those who have dealt with JISC for a while, you'll know that this is long overdue and should provide what we need to help cope with our own data deluge ;-).

So, it was with a great deal of happiness that I saw that one of the first areas covered was usability. Again, for those of you who know me, it's a subject I regularly get up onto my soapbox about, as I think it's absolutely critical for good quality software. Even the best-written code can be let down by a shonky user interface that is 'functionally perfect' but hasn't involved the user; it's not the greatest of starts and often leads to a system being dropped before it even gets off the ground. We're now into the second round of providing input into the usability of the system, and I'm really hoping that what I've seen so far makes it through to the final system, so we get an intranet that is both usable and useful.

This brings me on to usability and JISC-funded projects. Whilst we are always going to fund bleeding-edge software that's going to be sub-Alpha, never mind perpetual Beta, we're increasingly funding projects to deliver software for use by real users rather than as proof of concept. That means usability is crucially important and the user has to be involved. If I had one piece of advice for new projects producing software to be consumed by users (and some of my own projects are doing this as we speak), it would be to get the usability right and adoption by any community will be a lot easier. It's a lesson successful open source products such as Firefox have learnt and thrived on; I'm hoping it's one that my own and several other projects within e-Research learn too.

JISC Report on Keeping Research Data Safe

An area where we're doing more and more work at JISC is research data. This latest HEFCE-funded report investigated the medium- to long-term costs to Higher Education Institutions (HEIs) of preserving research data and developed guidance for HEFCE and institutions on these issues. It has provided an essential methodological foundation on research data costs for the forthcoming HEFCE-sponsored feasibility study for a UK Research Data Service. It will also assist HEIs and funding bodies wishing to establish strategies and TRAC costings for long-term data management and archiving.

The report is available on the JISC web site at